[GH-ISSUE #101] Fallback option for ssh hardening #7

Closed
opened 2026-03-02 02:59:18 +03:00 by kerem · 0 comments
Owner

Originally created by @buildplan on GitHub (Feb 28, 2026).
Original GitHub issue: https://github.com/buildplan/du_setup/issues/101

Discussed in https://github.com/buildplan/du_setup/discussions/100

Originally posted by avetere February 27, 2026
Hi there!

Thanks for this very nice script!

I have two suggestions for further improvement:

  • Implement a fallback security net with a timeout of e.g. 5min when changing ssh config/hardening
    This would be to revert everything in case the user does not confirm the possibility to log in in time, e.g. due to a disconnect from the active session. The same could apply for 2FA setup.
  • Implement a check for a validated ssh key for the sudo user before revoking root access and password authentication during ssh hardening
    In case of an existing user, as far as I have seen, there is no additional check if an SSH key actually exists and is working.

And a small thing to think about:
Might it be beneficial to actually perform changes to sshd config in a low-lexical-order file in sshd_config.d altogether, instead of changing the default config? So as to avoid the first-mention-wins problem?

Cheers
AV

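The three suggestions above describe one procedure, so here is one added example that ties them together. This is illustrative shell written for this page, not du_setup's own code: it refuses to disable password authentication unless the sudo user's authorized_keys holds a parseable key, writes the hardening to a `00-` drop-in in sshd_config.d after checking that the main file's `Include` line comes before any competing directive (sshd keeps the first value it sees for a keyword), and arms a watchdog that restores the previous state unless a confirmation file appears within the timeout. The user name `deploy`, the drop-in and confirmation file paths, the `HARDEN_DEMO` switch and the sample inputs in the comments are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not du_setup's code): key check, low-lexical-order drop-in,
# and a revert timer for an sshd hardening step. Paths, the confirm-file
# convention and HARDEN_DEMO are assumptions made for this illustration.
set -eu

# Syntax-level check of an authorized_keys file: at least one non-comment line
# carrying a supported key type and a base64 blob (an options prefix is allowed).
# `ssh-keygen -l -f FILE` is stricter (prints one fingerprint per key it can
# parse). Whether the key WORKS is only proven by a login from a second
# session, which is what the revert timer below waits for.
has_valid_authorized_key() {
    keyfile="$1"
    [ -s "$keyfile" ] || return 1
    awk '!/^[ \t]*#/ && /(^|[ \t])(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com)[ \t]+[A-Za-z0-9+\/]+=*([ \t]|$)/ { found = 1 }
         END { exit !found }' "$keyfile"
}

# sshd keeps the FIRST value it reads for a keyword, so a drop-in can only
# override a directive if the Include of sshd_config.d appears in the main
# file before that directive is set there (Debian/Ubuntu put it near the top).
# Commented-out directives do not count.
include_wins_over() {
    main_cfg="$1"; directive="$2"
    inc=$(grep -m1 -niE '^[[:space:]]*Include[[:space:]]+.*sshd_config\.d' "$main_cfg" | cut -d: -f1) || true
    dir=$(grep -m1 -niE "^[[:space:]]*${directive}([[:space:]]|$)" "$main_cfg" | cut -d: -f1) || true
    [ -n "$inc" ] || return 1            # no Include at all: drop-ins are ignored
    [ -z "$dir" ] || [ "$inc" -lt "$dir" ]
}

write_hardening_dropin() {
    cat > "$1" <<'EOF'
# Managed hardening drop-in. The 00- prefix sorts it before other drop-ins,
# so with first-mention-wins these values take effect.
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
EOF
}

# Put the drop-in back the way it was; an empty backup means "did not exist".
# The backup is named *.pre-harden so the `*.conf` Include glob never picks it up.
restore_dropin() {
    if [ -s "$2" ]; then cp -p "$2" "$1"; else rm -f "$1"; fi
}

# Watchdog: after TIMEOUT seconds, unless CONFIRM exists, restore and reload.
# SIGHUP is ignored so a dropped SSH session cannot take the watchdog with it.
# Its PID is left in REVERT_PID so the caller can wait for it.
arm_revert_timer() {
    dropin="$1"; backup="$2"; confirm="$3"; timeout="$4"; reload_cmd="$5"
    (
        trap '' HUP
        sleep "$timeout"
        if [ ! -e "$confirm" ]; then
            restore_dropin "$dropin" "$backup"
            eval "$reload_cmd"
        fi
    ) </dev/null >/dev/null 2>&1 &
    REVERT_PID=$!
}

# Whole step. validate_cmd/reload_cmd are e.g. 'sshd -t' and
# 'systemctl reload ssh' (the unit is called sshd on RHEL-like systems).
# Returns 2 (no key), 3 (drop-in would lose), 4 (sshd rejected config), else 0.
apply_hardening() {
    keyfile="$1"; main_cfg="$2"; dropin="$3"; confirm="$4"; timeout="$5"
    validate_cmd="$6"; reload_cmd="$7"
    has_valid_authorized_key "$keyfile" ||
        { echo "no usable key in $keyfile; refusing to disable password auth" >&2; return 2; }
    include_wins_over "$main_cfg" PasswordAuthentication ||
        { echo "$main_cfg sets PasswordAuthentication before Include; drop-in would lose" >&2; return 3; }
    backup="$dropin.pre-harden"
    if [ -e "$dropin" ]; then cp -p "$dropin" "$backup"; else : > "$backup"; fi
    write_hardening_dropin "$dropin"
    if ! eval "$validate_cmd"; then
        restore_dropin "$dropin" "$backup"
        echo "sshd rejected the new config; reverted" >&2
        return 4
    fi
    eval "$reload_cmd"
    rm -f "$confirm"
    arm_revert_timer "$dropin" "$backup" "$confirm" "$timeout" "$reload_cmd"
}

# Real run, as root, with a hypothetical sudo user "deploy":  HARDEN_DEMO=1 bash harden.sh
if [ "${HARDEN_DEMO:-0}" = 1 ]; then
    apply_hardening /home/deploy/.ssh/authorized_keys /etc/ssh/sshd_config \
        /etc/ssh/sshd_config.d/00-hardening.conf /run/ssh-harden.confirmed 300 \
        'sshd -t' 'systemctl reload ssh'
    echo "Log in as deploy from a NEW session within 5 min, then run:"
    echo "  touch /run/ssh-harden.confirmed   (otherwise watchdog $REVERT_PID reverts)"
fi
```

The watchdog is a backgrounded subshell that ignores SIGHUP, which is enough to outlive the session that ran the script; if the box might reboot or the script might be killed before the timer fires, a transient timer owned by PID 1 (`systemd-run --on-active=300 /path/to/revert-script`) is the sturdier choice. Note that the key check is deliberately only a syntax check: the real proof that the key works is the fresh login the watchdog waits for, so the timeout must be long enough for the operator to actually attempt one.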