From 3c4f7647b9a8117398414bc62c84d2891ff97f54 Mon Sep 17 00:00:00 2001 From: Craig Jennings Date: Wed, 24 Jun 2026 00:15:25 -0400 Subject: feat(archsetup): harden sshd with a prohibit-password drop-in The installer now writes /etc/ssh/sshd_config.d/10-hardening.conf with PermitRootLogin prohibit-password and reloads sshd, right after it starts the service. Root can still log in by key, never by password. PasswordAuthentication is left at the default so a normal user can bootstrap a key with ssh-copy-id. This makes the posture intentional instead of leaning on Arch's commented default. velox and ratio both carried an explicit PermitRootLogin yes from earlier provisioning, which I'd already fixed by hand. --- archsetup | 8 ++++++++ todo.org | 5 +++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/archsetup b/archsetup index 68ae5b8..4d70f06 100755 --- a/archsetup +++ b/archsetup @@ -1268,6 +1268,14 @@ EOF action="starting the openssh service" && display "task" "$action" systemctl start sshd >> "$logfile" 2>&1 || error_warn "$action" "$?" + action="hardening sshd (root login by key only)" && display "task" "$action" + cat << 'EOF' > /etc/ssh/sshd_config.d/10-hardening.conf +# Root may log in by key only, never by password. PasswordAuthentication is +# left at the default so a normal user can still bootstrap a key via ssh-copy-id. +PermitRootLogin prohibit-password +EOF + systemctl reload sshd >> "$logfile" 2>&1 || error_warn "$action" "$?" + # SSH Brute Force Protection display "subtitle" "SSH Brute Force Protection" diff --git a/todo.org b/todo.org index 89ec5b9..38b41a8 100644 --- a/todo.org +++ b/todo.org @@ -634,8 +634,9 @@ One real integrity bypass exists, and it is not =--noconfirm=: =archsetup:2403= :END: Ensure new tools integrate with DWM environment and don't break workflow -** TODO [#C] Harden sshd in the installer (explicit prohibit-password) :solo: -Fresh installs already get Arch's safe default (=PermitRootLogin prohibit-password= is the commented stock value) and archsetup doesn't set it — but velox and ratio both carried an explicit =PermitRootLogin yes= at =/etc/ssh/sshd_config:33= from some earlier provisioning, fixed by hand 2026-06-23 (root is now key-only on both; =PasswordAuthentication= left on so ssh-copy-id to the user still works). Make the posture intentional rather than dependent on the upstream default: in the openssh block (=archsetup= ~1265, after =systemctl enable sshd=), write =/etc/ssh/sshd_config.d/10-hardening.conf= with =PermitRootLogin prohibit-password=. Leave =PasswordAuthentication= alone. Surfaced by the 2026-06-23 security-status work. +** DONE [#C] Harden sshd in the installer (explicit prohibit-password) :solo: +CLOSED: [2026-06-24 Wed] +Done 2026-06-24: the openssh block (=archsetup:1271-1277=) now writes =/etc/ssh/sshd_config.d/10-hardening.conf= with =PermitRootLogin prohibit-password= and reloads sshd, right after starting the service. =PasswordAuthentication= left untouched so ssh-copy-id to the user still works. Makes the posture intentional rather than dependent on the upstream default. Velox and ratio (which carried an explicit =PermitRootLogin yes= at =sshd_config:33= from earlier provisioning) were already fixed by hand 2026-06-23. Verified =bash -n= + =shellcheck -S error= clean; full drop-in-on-fresh-install confirmation is VM-deferred (the unit harness covers helpers, not inline install steps). ** TODO [#B] Add NVIDIA preflight check for Hyprland :PROPERTIES: -- cgit v1.2.3