production-deb/shared/post-install/20-ssh.sh

#!/bin/sh
# 20-ssh.sh — harden sshd: pubkey only, no root login, no password auth.
# authorized_keys was already placed by preseed late_command.
set -eu

if [ ! -f /etc/ssh/sshd_config ]; then
  echo "[20] sshd not installed, skipping"
  exit 0
fi

cat > /etc/ssh/sshd_config.d/00-s8n.conf <<'SSHD'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding no
PermitEmptyPasswords no
LoginGraceTime 30
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
SSHD

# Fail2ban gets enabled by 00-base.sh, but the default jail covers sshd.
echo "[20] sshd hardened. authorized_keys placed by preseed."
systemctl enable ssh || true
fork: production-deb v0.1.0 from debian-s8ns-prefs-iso server variant Server-only canonical production Debian build. Drops laptop/vanilla variants. Interactive LUKS + hostname at install. user/123 forced rotate. DVD-1 offline base. S8N_LOGS log-capture partition. Lineage: forked from s8n/debian-s8ns-prefs-iso commit d4be55f. 2026-05-08 13:53:38 +01:00			`#!/bin/sh`
			`# 20-ssh.sh — harden sshd: pubkey only, no root login, no password auth.`
			`# authorized_keys was already placed by preseed late_command.`
			`set -eu`

			`if [ ! -f /etc/ssh/sshd_config ]; then`
			`echo "[20] sshd not installed, skipping"`
			`exit 0`
			`fi`

			`cat > /etc/ssh/sshd_config.d/00-s8n.conf <<'SSHD'`
			`PermitRootLogin no`
			`PasswordAuthentication no`
			`PubkeyAuthentication yes`
			`ChallengeResponseAuthentication no`
			`KbdInteractiveAuthentication no`
			`UsePAM yes`
			`X11Forwarding no`
			`PermitEmptyPasswords no`
			`LoginGraceTime 30`
			`MaxAuthTries 3`
			`ClientAliveInterval 300`
			`ClientAliveCountMax 2`
			`SSHD`

			`# Fail2ban gets enabled by 00-base.sh, but the default jail covers sshd.`
			`echo "[20] sshd hardened. authorized_keys placed by preseed."`
			`systemctl enable ssh \|\| true`