scripts/security/setup-ssh-key-auth.sh

#!/usr/bin/env bash
# Phase 2 Security: SSH key-based auth (disable password). Default: dry-run.
# Usage: ./scripts/security/setup-ssh-key-auth.sh [--dry-run|--apply]
# --apply: run on LOCAL host only. For remote: ssh root@host 'sudo sed -i.bak "s/^#*PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config && sudo systemctl reload sshd'

set -euo pipefail

DRY_RUN=true
[[ "${1:-}" == "--apply" ]] && DRY_RUN=false

echo "[Phase 2 Security] SSH: disable password auth (DRY_RUN=$DRY_RUN)"
if $DRY_RUN; then
  echo "On each host run: sudo sed -i.bak 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config && sudo systemctl reload sshd"
  echo "See: docs/03-deployment/OPERATIONAL_RUNBOOKS.md § Security"
  exit 0
fi
if [[ -f /etc/ssh/sshd_config ]]; then
  sudo sed -i.bak 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
  sudo systemctl reload sshd 2>/dev/null || true
  echo "[OK] PasswordAuthentication disabled on this host."
fi
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates - ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands - CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround - CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check - NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere - MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates - LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference Co-authored-by: Cursor <cursoragent@cursor.com> 2026-02-12 15:46:57 -08:00			`#!/usr/bin/env bash`
			`# Phase 2 Security: SSH key-based auth (disable password). Default: dry-run.`
			`# Usage: ./scripts/security/setup-ssh-key-auth.sh [--dry-run\|--apply]`
			`# --apply: run on LOCAL host only. For remote: ssh root@host 'sudo sed -i.bak "s/^#PasswordAuthentication./PasswordAuthentication no/" /etc/ssh/sshd_config && sudo systemctl reload sshd'`

			`set -euo pipefail`

			`DRY_RUN=true`
			`[[ "${1:-}" == "--apply" ]] && DRY_RUN=false`

			`echo "[Phase 2 Security] SSH: disable password auth (DRY_RUN=$DRY_RUN)"`
			`if $DRY_RUN; then`
			`echo "On each host run: sudo sed -i.bak 's/^#PasswordAuthentication./PasswordAuthentication no/' /etc/ssh/sshd_config && sudo systemctl reload sshd"`
			`echo "See: docs/03-deployment/OPERATIONAL_RUNBOOKS.md § Security"`
			`exit 0`
			`fi`
			`if [[ -f /etc/ssh/sshd_config ]]; then`
			`sudo sed -i.bak 's/^#PasswordAuthentication./PasswordAuthentication no/' /etc/ssh/sshd_config`
			`sudo systemctl reload sshd 2>/dev/null \|\| true`
			`echo "[OK] PasswordAuthentication disabled on this host."`
			`fi`