use /run/ssh subdir + harden openssh config a bit

edgelesssys · Jan 2, 2025 · 05eef85 · 05eef85
1 parent 28da57c
commit 05eef85
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 3 deletions.
diff --git a/image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service b/image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service
@@ -4,7 +4,7 @@ Before=sshd.service
 
 [Service]
 Type=oneshot
-ExecStart=/bin/bash -c "ssh-keygen -t ecdsa -q -N '' -f /run/ssh_host_ecdsa_key"
+ExecStart=/bin/bash -c "mkdir -p /run/ssh; ssh-keygen -t ecdsa -q -N '' -f /run/ssh/ssh_host_ecdsa_key"
 
 [Install]
 WantedBy=multi-user.target
diff --git a/image/sysroot-tree/etc/ssh/sshd_config b/image/sysroot-tree/etc/ssh/sshd_config
@@ -1,3 +1,5 @@
-HostKey /run/ssh_host_ecdsa_key
-TrustedUserCAKeys /run/ssh_ca.pub
+HostKey /run/ssh/ssh_host_ecdsa_key
+TrustedUserCAKeys /run/ssh/ssh_ca.pub
 PasswordAuthentication no
+ChallengeResponseAuthentication no
+AuthorizedKeysFile /dev/null