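#!/bin/sh
# 20-ssh.sh — harden sshd: pubkey only, no root login, no password auth.
# authorized_keys was already placed by preseed late_command.
#
# The policy goes into a drop-in under /etc/ssh/sshd_config.d/ instead of
# editing sshd_config in place. sshd keeps the FIRST value it reads for a
# directive and Debian's stock sshd_config includes the drop-in directory
# near the top, so the "00-" prefix makes these settings win over later
# drop-ins and over the main file.
#
# Exit status: 0 when hardened or when sshd is not installed (nothing to
# do); 1 when the drop-in would be ignored or does not pass `sshd -t` — in
# that case no drop-in is left behind, so "hardened" is never reported
# for a config that is not in effect.
set -eu

main_cfg=/etc/ssh/sshd_config
drop_in=/etc/ssh/sshd_config.d/00-s8n.conf

if [ ! -f "$main_cfg" ]; then
  printf '%s\n' "[20] sshd not installed, skipping"
  exit 0
fi

# A drop-in is only honoured if the main file actually includes the
# directory. On an sshd without that Include line the file would be
# silently ignored and the hardening would never apply — fail loudly
# rather than print a false success message.
if ! grep -Eq '^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config\.d/\*\.conf' "$main_cfg"; then
  printf '%s\n' "[20] ERROR: $main_cfg has no Include for sshd_config.d/*.conf; drop-in would be ignored" >&2
  exit 1
fi

# The directory is not guaranteed to exist; without it `cat >` would fail
# under set -e before anything is written.
mkdir -p "${drop_in%/*}"

# ChallengeResponseAuthentication is the pre-8.7 spelling of
# KbdInteractiveAuthentication; setting both covers old and new sshd.
# UsePAM stays on for account/session handling only — with password and
# keyboard-interactive auth off, PAM cannot be used to log in.
cat > "$drop_in" <<'SSHD'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding no
PermitEmptyPasswords no
LoginGraceTime 30
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
SSHD
chmod 0644 "$drop_in"

# Validate the merged config before sshd could ever pick it up: a bad
# directive would stop sshd from starting and lock us out of the box.
# sshd lives in /usr/sbin, which a non-login sh may not have on PATH.
sshd_bin=$(command -v sshd 2>/dev/null || printf '%s' /usr/sbin/sshd)
if ! "$sshd_bin" -t; then
  rm -f -- "$drop_in"
  printf '%s\n' "[20] ERROR: sshd -t rejected the hardened config; drop-in removed" >&2
  exit 1
fi

# Fail2ban gets enabled by 00-base.sh, but the default jail covers sshd.
printf '%s\n' "[20] sshd hardened. authorized_keys placed by preseed."

# Debian's unit is ssh.service. Failure is tolerated so a missing unit or a
# chroot without a running systemd does not abort the provisioning chain.
systemctl enable ssh || true

# An already-running sshd keeps the old policy until it re-reads its
# config. reload (not restart) applies it while keeping current sessions,
# including the one provisioning may be running over.
if systemctl is-active --quiet ssh 2>/dev/null; then
  systemctl reload ssh || true
fi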