From cff6d9d339fcc5a933a0e3a3fcf5fc2faa62b998 Mon Sep 17 00:00:00 2001
From: Craig Jennings <c@cjennings.net>
Date: Wed, 24 Jun 2026 00:04:18 -0400
Subject: docs(todo): file installer sshd-hardening follow-up from security
 work

---
 todo.org | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'todo.org')

diff --git a/todo.org b/todo.org
index ec4ea02..89ec5b9 100644
--- a/todo.org
+++ b/todo.org
@@ -634,6 +634,9 @@ One real integrity bypass exists, and it is not =--noconfirm=: =archsetup:2403=
 :END:
 Ensure new tools integrate with DWM environment and don't break workflow
 
+** TODO [#C] Harden sshd in the installer (explicit prohibit-password) :solo:
+Fresh installs already get Arch's safe default (=PermitRootLogin prohibit-password= is the commented stock value) and archsetup doesn't set it — but velox and ratio both carried an explicit =PermitRootLogin yes= at =/etc/ssh/sshd_config:33= from some earlier provisioning, fixed by hand 2026-06-23 (root is now key-only on both; =PasswordAuthentication= left on so ssh-copy-id to the user still works). Make the posture intentional rather than dependent on the upstream default: in the openssh block (=archsetup= ~1265, after =systemctl enable sshd=), write =/etc/ssh/sshd_config.d/10-hardening.conf= with =PermitRootLogin prohibit-password=. Leave =PasswordAuthentication= alone. Surfaced by the 2026-06-23 security-status work.
+
 ** TODO [#B] Add NVIDIA preflight check for Hyprland
 :PROPERTIES:
 :LAST_REVIEWED: 2026-05-21
-- 
cgit v1.2.3