Harden SSH configuration completely

- Disable root login
- Disable password authentication entirely
- Disable PAM authentication
- Only allow specific user via AllowUsers
- Add clear status messages

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

post-install.sh

@@ -377,9 +377,24 @@ echo "[+] Enabling services..."
 # systemctl enable stratisd  # Not needed without Stratis
 systemctl enable sshd
 
-# Disable root login
+# Secure SSH configuration
 echo "[+] Securing SSH..."
-sed -i 's/^#PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
+{
+    # Disable root login
+    sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
+    
+    # Only allow SSH key authentication
+    sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
+    sed -i 's/^#*ChallengeResponseAuthentication.*/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
+    sed -i 's/^#*UsePAM.*/UsePAM no/' /etc/ssh/sshd_config
+    
+    # Only allow specific user
+    echo "AllowUsers ${ALMA_USER}" >> /etc/ssh/sshd_config
+    
+    echo "  - Root login disabled"
+    echo "  - Password authentication disabled"
+    echo "  - Only user '${ALMA_USER}' allowed"
+}
 
 # Set SELinux to enforcing
 echo "[+] Setting SELinux to enforcing..."