hardened the ssh and no remote root login

[shubhayu-dev]

Summary by CodeRabbit

• New Features

  • Added new system services to automatically enable and start the SSH daemon and generate SSH host keys during system startup.
  • Introduced enhanced SSH configuration with stricter security settings, including disabling root login and password authentication, restricting access to a specific user, and disabling X11 forwarding.

• Refactor

  • Simplified command aliases by shortening their names and removing comments for a cleaner user experience.

• Security

  • Updated SSH configurations to disallow root login and enforce stronger authentication policies.

[coderabbitai]

Walkthrough

Several configuration and service files were added or modified to enhance SSH security and streamline system management. SSH root login is now disabled, stricter authentication rules are enforced, and new systemd service units ensure SSH services and key generation run at startup. Shell aliases were also simplified for easier command usage.

Changes

File(s)	Change Summary
configs/airootfs/etc/profile.d/pit-aliases.sh	Simplified the script by removing comments and the shebang; renamed aliases from pit-* to shorter, generic names.
configs/airootfs/etc/ssh/sshd_config.d/10-archiso.conf	Modified SSH config to disallow root login by setting PermitRootLogin to no.
configs/releng/airootfs/etc/ssh/sshd_config	Added new SSH daemon config: disables root login, disables password authentication, restricts users, tightens security.
configs/releng/airootfs/etc/systemd/system-preset/99-ferrari.preset	Added systemd preset to enable sshd.service and sshdgenkeys.service by default.
configs/releng/airootfs/etc/systemd/system/multi-user.target.wants/sshd.service	Added systemd unit for SSH daemon, ensuring it starts after networking and restarts on failure.
configs/releng/airootfs/etc/systemd/system/sshdgenkeys.service	Added systemd unit to generate SSH host keys before starting the SSH daemon.

Sequence Diagram(s)

sequenceDiagram
    participant Systemd
    participant SshdGenKeys as sshdgenkeys.service
    participant Sshd as sshd.service

    Systemd->>SshdGenKeys: Start at boot (multi-user.target)
    SshdGenKeys->>Systemd: Generate SSH host keys (ssh-keygen -A)
    Systemd->>Sshd: Start SSH daemon (after keys generated)
    Sshd->>Systemd: SSH daemon runs and listens for connections

Loading

Poem

In the warren of code, new changes appear,
SSH locks its doors, root logins disappear.
Aliases trimmed, now short and sweet,
Services enabled so connections can meet.
With keys forged anew before dawn’s first light,
The system hops forward—secure and bright!
🐇🔐✨

✨ Finishing Touches

• 📝 Generate Docstrings

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[github-actions]

Welcome to Ferrari-OS!!, congrats on your first PR

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (4)

configs/airootfs/etc/ssh/sshd_config.d/10-archiso.conf (1)

1-1: Update misleading comment to reflect root login being disabled.

The comment on line 1 still reads “Allow root login using password authentication” even though PermitRootLogin no disallows root login. Adjust the comment to accurately describe the intent, for example:

-# Allow root login using password authentication
+# Disallow root login while allowing other users to authenticate with a password

configs/releng/airootfs/etc/ssh/sshd_config (1)

1-7: Consider explicitly enforcing public-key authentication.

Although password auth is disabled, adding the following lines can make the intent clearer and harder to override:

 PermitRootLogin no
 PasswordAuthentication no
+PubkeyAuthentication yes
+AuthenticationMethods publickey
 AllowUsers yourusername
 PermitEmptyPasswords no
 ChallengeResponseAuthentication no
 UsePAM yes
 X11Forwarding no

configs/releng/airootfs/etc/systemd/system/multi-user.target.wants/sshd.service (2)

1-4: Use network-online.target to ensure network readiness.

Replace After=network.target with:

 [Unit]
-After=network.target
+Wants=network-online.target
+After=network-online.target

so SSH starts only once the network is fully up.

---

5-10: Add service sandboxing and hardening options.

To reduce the attack surface of the SSH daemon, consider adding:

 [Service]
 ExecStart=/usr/bin/sshd -D
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=always
 User=root
+PrivateTmp=yes
+ProtectSystem=full
+NoNewPrivileges=yes

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 525541f and 9b1457d.

📒 Files selected for processing (6)

• configs/airootfs/etc/profile.d/pit-aliases.sh (1 hunks)
• configs/airootfs/etc/ssh/sshd_config.d/10-archiso.conf (1 hunks)
• configs/releng/airootfs/etc/ssh/sshd_config (1 hunks)
• configs/releng/airootfs/etc/systemd/system-preset/99-ferrari.preset (1 hunks)
• configs/releng/airootfs/etc/systemd/system/multi-user.target.wants/sshd.service (1 hunks)
• configs/releng/airootfs/etc/systemd/system/sshdgenkeys.service (1 hunks)

🔇 Additional comments (3)

configs/releng/airootfs/etc/systemd/system-preset/99-ferrari.preset (1)

1-2: Systemd preset file enabling SSH services is correctly configured.

The directives enable sshd.service and enable sshdgenkeys.service will ensure both units are enabled by default.

configs/releng/airootfs/etc/systemd/system/sshdgenkeys.service (1)

1-10: New SSH host key generation service unit looks good.

The Type=oneshot unit running ssh-keygen -A before sshd.service and enabled for multi-user.target is correctly defined.

configs/releng/airootfs/etc/ssh/sshd_config (1)

3-3: Replace placeholder username in 'AllowUsers' directive.

Line 3 uses AllowUsers yourusername as a placeholder. Ensure this is updated to the actual user account(s) allowed SSH access.

[coderabbitai]

🛠️ Refactor suggestion

Prevent alias collisions and improve naming consistency
Defining generic aliases like update, install, remove, search, clean, info, and packages will shadow common utilities and confuse users. I recommend the following improvements:

1. Prefix aliases (e.g. pit-update, pit-install, …) to avoid collisions.
2. Use consistent verb-based names (e.g. list or list-packages instead of the noun packages).
3. Scope these aliases to interactive shells, wrapping them in a check such as:

+ if [[ $- == *i* ]]; then
-   alias update='pit -Syu'
+   alias pit-update='pit -Syu'
    alias pit-install='pit -S'
    alias pit-remove='pit -R'
    alias pit-search='pit -Ss'
    alias pit-clean='pit -Sc'
    alias pit-info='pit -Si'
-   alias packages='pit -Q'
+   alias pit-list='pit -Q'
+ fi

Committable suggestion skipped: line range outside the PR's diff.