From 6f8d11c8e591da4510eacfee9d52e8f99bc7d8f3 Mon Sep 17 00:00:00 2001 From: miampf Date: Thu, 2 Jan 2025 14:36:41 +0100 Subject: [PATCH] use `/run/ssh` subdir + harden openssh config a bit --- .../usr/lib/systemd/system/create-host-ssh-key.service | 2 +- image/sysroot-tree/etc/ssh/sshd_config | 6 ++++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service b/image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service index b34d802db..f1ed3e341 100644 --- a/image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service +++ b/image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service @@ -4,7 +4,7 @@ Before=sshd.service [Service] Type=oneshot -ExecStart=/bin/bash -c "ssh-keygen -t ecdsa -q -N '' -f /run/ssh_host_ecdsa_key" +ExecStart=/bin/bash -c "mkdir -p /run/ssh; ssh-keygen -t ecdsa -q -N '' -f /run/ssh/ssh_host_ecdsa_key" [Install] WantedBy=multi-user.target diff --git a/image/sysroot-tree/etc/ssh/sshd_config b/image/sysroot-tree/etc/ssh/sshd_config index 2b1060c4a..507c3cde5 100644 --- a/image/sysroot-tree/etc/ssh/sshd_config +++ b/image/sysroot-tree/etc/ssh/sshd_config @@ -1,3 +1,5 @@ -HostKey /run/ssh_host_ecdsa_key -TrustedUserCAKeys /run/ssh_ca.pub +HostKey /run/ssh/ssh_host_ecdsa_key +TrustedUserCAKeys /run/ssh/ssh_ca.pub PasswordAuthentication no +ChallengeResponseAuthentication no +AuthorizedKeysFile /dev/null
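Review bot: The new ExecStart still generates an ECDSA (NIST P-256) host key although the subject says the configuration is being hardened; unless a client or tooling constraint requires ECDSA, `ssh-keygen -t ed25519 -q -N '' -f /run/ssh/ssh_host_ed25519_key` (with `HostKey` in sshd_config following the new path) is the usual choice. The `bash -c` wrapper exists only to create the directory, which systemd can do without spawning a shell: `ExecStartPre=/bin/mkdir -p /run/ssh` followed by a plain `ExecStart=/usr/bin/ssh-keygen -t ecdsa -q -N '' -f /run/ssh/ssh_host_ecdsa_key` (if `RuntimeDirectory=ssh` is used instead, the unit needs `RemainAfterExit=yes`, otherwise systemd removes the directory as soon as the oneshot finishes). Note also that ssh-keygen refuses to overwrite an existing key when it cannot read a confirmation from stdin, so a manual restart of this unit after boot will fail; `ConditionPathExists=!/run/ssh/ssh_host_ecdsa_key` in [Unit] would make it idempotent. The [Unit] section of this file is outside the hunk.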
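Review bot: `AuthorizedKeysFile /dev/null` relies on sshd reading an empty device to disable per-user key files; sshd_config(5) has an explicit keyword for this, `AuthorizedKeysFile none`, which skips the lookup entirely and avoids the StrictModes ownership/mode check failing on a world-writable device node with a "bad ownership or modes" warning on every authentication attempt. `ChallengeResponseAuthentication` has been a deprecated alias for `KbdInteractiveAuthentication` since OpenSSH 8.7, so if the image ships a recent OpenSSH the new line should read `KbdInteractiveAuthentication no`, keeping the old spelling only if older releases must be supported. With only `TrustedUserCAKeys`, any certificate issued by that CA whose principal list contains the login name is accepted; if that is broader than intended, `AuthorizedPrincipalsFile` is the place to pin the permitted principals. Whether `PermitRootLogin` or `AuthenticationMethods publickey` are set elsewhere in this file is not visible from the hunk.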