ADR 0006: SSH Hardening and Port Migration

Status

Accepted

Context

The VPS previously used a non-standard SSH port (2222) and relied on Tailscale for access. This complicated automated scripts and introduced potential connectivity issues. Additionally, password authentication was still enabled, which was a security risk.

Decision

  1. Migrate SSH back to the standard port 22.
  2. Disable PasswordAuthentication and ChallengeResponseAuthentication.
  3. Restrict root login with PermitRootLogin prohibit-password (keys only).
  4. Consolidate authorized keys to only two trusted keys (antigravity and vps_god_mode).
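
One way to verify the four decisions on a host, as an added example that is not part of the original ADR: two shell functions that audit `sshd -T` output and an authorized_keys file. The function names are hypothetical, the sample input is constructed, and the script assumes that antigravity and vps_god_mode are the comment fields of the two keys.

```shell
#!/bin/sh
# Added example: audit a host against the four decisions of ADR 0006.
# On a real host: sshd -T | check_sshd; check_keys < ~/.ssh/authorized_keys

# Reads effective config in `sshd -T` format (lowercase "keyword value").
check_sshd() {
    awk '
        function fail(msg) { print "FAIL: " msg; bad = 1 }
        $1 == "port" { if ($2 == "22") p22 = 1; else fail("extra port " $2) }
        $1 == "passwordauthentication" { pa = $2 }
        # Newer OpenSSH reports this setting as kbdinteractiveauthentication.
        $1 ~ /^(challengeresponse|kbdinteractive)authentication$/ { kbd = 1; if ($2 != "no") kbdon = 1 }
        $1 == "permitrootlogin" { prl = $2 }
        END {
            if (!p22) fail("port 22 not configured")
            if (pa != "no") fail("passwordauthentication is " pa)
            if (!kbd || kbdon) fail("challenge-response auth not disabled")
            # Some sshd versions print the older alias without-password.
            if (prl != "prohibit-password" && prl != "without-password") fail("permitrootlogin is " prl)
            exit bad + 0
        }'
}

# Reads authorized_keys on stdin. Assumption: the names in the ADR are the
# trailing comment field of each key line.
check_keys() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        { seen[$NF]++ }
        END {
            for (name in seen)
                if (name != "antigravity" && name != "vps_god_mode") { print "FAIL: unexpected key " name; bad = 1 }
            if (seen["antigravity"] != 1 || seen["vps_god_mode"] != 1) { print "FAIL: each trusted key must appear exactly once"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: a config still on port 2222 with password logins enabled.
check_sshd <<'EOF' || echo "sshd config violates ADR 0006"
port 2222
passwordauthentication yes
kbdinteractiveauthentication no
permitrootlogin prohibit-password
EOF
```

Both functions print one FAIL line per violation and return non-zero if any is found, so they can gate a deployment script.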

Consequences

  • Pros:
    • Simplified connectivity for local scripts and tools.
    • Significantly increased security against brute-force attacks.
    • Reduced complexity by following standard conventions.
  • Cons:
    • Requires local SSH keys on all client machines (Windows/Linux).
    • Risk of lockout if keys are lost (mitigated by having a password-protected backup key).

Released under proprietary license.