diff options
Diffstat (limited to 'todo.org')
| -rw-r--r-- | todo.org | 5 |
1 files changed, 3 insertions, 2 deletions
@@ -634,8 +634,9 @@ One real integrity bypass exists, and it is not =--noconfirm=: =archsetup:2403= :END: Ensure new tools integrate with DWM environment and don't break workflow -** TODO [#C] Harden sshd in the installer (explicit prohibit-password) :solo: -Fresh installs already get Arch's safe default (=PermitRootLogin prohibit-password= is the commented stock value) and archsetup doesn't set it — but velox and ratio both carried an explicit =PermitRootLogin yes= at =/etc/ssh/sshd_config:33= from some earlier provisioning, fixed by hand 2026-06-23 (root is now key-only on both; =PasswordAuthentication= left on so ssh-copy-id to the user still works). Make the posture intentional rather than dependent on the upstream default: in the openssh block (=archsetup= ~1265, after =systemctl enable sshd=), write =/etc/ssh/sshd_config.d/10-hardening.conf= with =PermitRootLogin prohibit-password=. Leave =PasswordAuthentication= alone. Surfaced by the 2026-06-23 security-status work. +** DONE [#C] Harden sshd in the installer (explicit prohibit-password) :solo: +CLOSED: [2026-06-24 Wed] +Done 2026-06-24: the openssh block (=archsetup:1271-1277=) now writes =/etc/ssh/sshd_config.d/10-hardening.conf= with =PermitRootLogin prohibit-password= and reloads sshd, right after starting the service. =PasswordAuthentication= left untouched so ssh-copy-id to the user still works. Makes the posture intentional rather than dependent on the upstream default. Velox and ratio (which carried an explicit =PermitRootLogin yes= at =sshd_config:33= from earlier provisioning) were already fixed by hand 2026-06-23. Verified =bash -n= + =shellcheck -S error= clean; full drop-in-on-fresh-install confirmation is VM-deferred (the unit harness covers helpers, not inline install steps). ** TODO [#B] Add NVIDIA preflight check for Hyprland :PROPERTIES: |