From 10b0f122e162d7e04365f1b1a2288015a3c8154f Mon Sep 17 00:00:00 2001
From: elAgala
Date: Tue, 8 Jul 2025 23:31:43 -0300
Subject: [PATCH] fix: disable password auth on ssh connections + avoid replacing main sshd file
---
 user/ssh_config.sh | 36 ++++++++++++++++++++++++++----------
 1 file changed, 26 insertions(+), 10 deletions(-)
diff --git a/user/ssh_config.sh b/user/ssh_config.sh
index 99a099e..1679535 100644
--- a/user/ssh_config.sh
+++ b/user/ssh_config.sh
@@ -23,17 +23,33 @@ function config_ssh() {
 echo "[ SSH ]: No public key provided, skipping..."
 fi
- echo "[ SSH ]: Disabling root login"
- sudo sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
- echo "[ SSH ]: Root login disabled"
+ # Create SSH configuration file instead of modifying main sshd_config
+ config_file="/etc/ssh/sshd_config.d/server-initializer.conf"
- echo "[ SSH ]: Adding $username to allowed users"
- if grep -q "^AllowUsers" /etc/ssh/sshd_config; then
- sudo sed -i "s/^AllowUsers.*/& $username/" /etc/ssh/sshd_config
- else
- echo "AllowUsers $username" | sudo tee -a /etc/ssh/sshd_config >/dev/null
- fi
- echo "[ SSH ]: User added to allowed users"
+ echo "[ SSH ]: Creating SSH configuration file"
+ sudo mkdir -p /etc/ssh/sshd_config.d
+
+ # Create the configuration file with security settings
+ sudo tee "$config_file" >/dev/null <