From 9739367f385ae7d1f5d1fa609c6cb91b250c500a Mon Sep 17 00:00:00 2001
From: Dominik Roth
Date: Mon, 18 Aug 2025 21:09:55 +0200
Subject: [PATCH] Harden SSH configuration completely
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Disable root login
- Disable password authentication entirely
- Disable PAM authentication
- Only allow specific user via AllowUsers
- Add clear status messages
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude
---
 post-install.sh | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/post-install.sh b/post-install.sh
index 639ff92..94a78af 100755
--- a/post-install.sh
+++ b/post-install.sh
@@ -377,9 +377,24 @@ echo "[+] Enabling services..."
 # systemctl enable stratisd # Not needed without Stratis
 systemctl enable sshd
-# Disable root login
+# Secure SSH configuration
 echo "[+] Securing SSH..."
-sed -i 's/^#PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
+{
+ # Disable root login
+ sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
+
+ # Only allow SSH key authentication
+ sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
+ sed -i 's/^#*ChallengeResponseAuthentication.*/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
+ sed -i 's/^#*UsePAM.*/UsePAM no/' /etc/ssh/sshd_config
+
+ # Only allow specific user
+ echo "AllowUsers ${ALMA_USER}" >> /etc/ssh/sshd_config
+
+ echo " - Root login disabled"
+ echo " - Password authentication disabled"
+ echo " - Only user '${ALMA_USER}' allowed"
+}
 # Set SELinux to enforcing
 echo "[+] Setting SELinux to enforcing..."
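Review bot: The `sed -i` substitutions in the new `{ … }` block change nothing when `/etc/ssh/sshd_config` has no matching line, and sshd keeps the first value it reads for a keyword, so a setting made earlier in the file or in a file pulled in by an `Include` line would still win; the ` - Password authentication disabled` status lines are printed either way. I would check the effective configuration before reporting success, e.g. `sshd -T | grep -qx 'passwordauthentication no' || { echo "[!] password auth still enabled" >&2; exit 1; }` (this needs host keys to be present), and the same for `permitrootlogin no`. `echo "AllowUsers ${ALMA_USER}" >> /etc/ssh/sshd_config` runs without checking that `ALMA_USER` is non-empty and appends another line on every run; a guard such as `: "${ALMA_USER:?ALMA_USER must be set}"` ahead of the block and a `grep -q '^AllowUsers '` test before the append would cover both. `UsePAM no` switches off PAM account and session handling as well as PAM authentication, and with password and challenge-response authentication already disabled it adds little, so I would leave `UsePAM` as shipped unless that loss is intended.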