# Break-glass SSH drop-in (redesigned 2026-06-11). Source of truth.
# Deploy to the PVE host with:
#   scp scripts/sshd-10-breakglass.conf root@192.168.1.127:/etc/ssh/sshd_config.d/10-breakglass.conf
#   ssh root@192.168.1.127 'sshd -t && systemctl reload ssh'
#
# :22    = LAN admin, all of root's keys (default AuthorizedKeysFile).
# :52222 = WAN-exposed break-glass. The edge router forwards WAN tcp/52222 ->
#          192.168.1.127:52222 (external port MUST equal internal port on the
#          TP-Link AX6000 — it rejects remaps; port 22 itself is reserved).
#          The Match LocalPort block trusts ONLY the dedicated break-glass key
#          (authorized_keys.breakglass), so a leak of any other root key does
#          NOT grant internet access. Rate-limited by the BREAKGLASS iptables
#          chain + fail2ban. No port-knock.
#
# NOTE: the trailing `Match all` is REQUIRED. /etc/ssh/sshd_config has
# `Include sshd_config.d/*.conf` near the top but a global `PermitRootLogin`
# further down; without `Match all` resetting context, that later global
# directive would be swallowed into the `Match LocalPort 52222` condition.

Port 22
Port 52222

PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
MaxAuthTries 3
LoginGraceTime 20

Match LocalPort 52222
    AuthorizedKeysFile /root/.ssh/authorized_keys.breakglass
    PermitRootLogin prohibit-password

Match all
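Added example, not part of this drop-in or of OpenSSH: a small Python model of sshd's scoping rules (first value wins within the global section, a matching Match block overrides the global section, the first matching Match block wins, and `Match all` is itself an always-matching block). It runs over a constructed copy of this drop-in followed by constructed later global directives (`PermitRootLogin no`, `X11Forwarding no`) to show what lands in the port 22 and port 52222 contexts with and without the trailing `Match all`; only `Match all` and `Match LocalPort` are understood.

```python
"""Model of how sshd scopes directives across an Include'd drop-in and
Match blocks. Added illustration, not sshd's own parser."""

# Constructed stand-in for this drop-in as sshd sees it via `Include`.
DROPIN = """\
Port 22
Port 52222
PermitRootLogin prohibit-password
Match LocalPort 52222
    AuthorizedKeysFile /root/.ssh/authorized_keys.breakglass
    PermitRootLogin prohibit-password
"""
# Constructed stand-in for global directives that sit *after* the Include
# line in /etc/ssh/sshd_config.
MAIN_TAIL = "PermitRootLogin no\nX11Forwarding no\n"


def resolve(config: str, lport: int) -> dict:
    """Effective keyword -> value map for a connection arriving on lport."""
    glob, matched = {}, {}
    in_match, active = False, True  # start in the (always active) global section
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition(" ")
        key, val = key.lower(), val.strip()
        if key == "match":
            in_match = True
            crit, _, want = val.partition(" ")
            if crit.lower() == "all":
                active = True                # Match all: block that always matches
            elif crit.lower() == "localport":
                active = int(want) == lport  # block applies only on this port
            else:
                raise ValueError(f"unsupported Match criterion: {crit}")
            continue
        if not active:
            continue
        scope = matched if in_match else glob
        if key == "port":                    # Port accumulates instead of overriding
            scope.setdefault(key, []).append(int(val))
        elif key not in scope:               # first obtained value wins per scope
            scope[key] = val
    return {**glob, **matched}               # Match values override global ones


def effective(with_match_all: bool, lport: int) -> dict:
    """Resolve the drop-in + later globals, with or without `Match all`."""
    tail = ("Match all\n" if with_match_all else "") + MAIN_TAIL
    return resolve(DROPIN + tail, lport)


if __name__ == "__main__":
    for flag in (False, True):
        for port in (22, 52222):
            print(f"Match all={flag!s:5} port {port}: {effective(flag, port)}")
```

Without `Match all`, the model shows the later `X11Forwarding no` applying only on port 52222; with it, the directive applies on both ports, and a `PermitRootLogin` set after `Match all` overrides this drop-in's global value on port 22 while port 52222 keeps the value from the earlier `Match LocalPort` block. On the host itself the authoritative check is `sshd -T -C lport=52222`, which prints the effective configuration for that port.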