From 9c7ec4f5fb1f319a3528fdbd973046d32acc4104 Mon Sep 17 00:00:00 2001
From: Seongmin Lee <git@boltless.me>
Date: Thu, 4 Dec 2025 23:02:57 +0900
Subject: [PATCH] nix/modules/knot: block openssh password authentication
Change-Id: umylwomxnvkvyoovmwkzwvkpszkyxpqq

Signed-off-by: Seongmin Lee <git@boltless.me>
---
 nix/modules/knot.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/nix/modules/knot.nix b/nix/modules/knot.nix
index 43fe600a..06a6caba 100644
--- a/nix/modules/knot.nix
+++ b/nix/modules/knot.nix
@@ -195,6 +195,8 @@ in
           Match User ${cfg.gitUser}
               AuthorizedKeysCommand /etc/ssh/keyfetch_wrapper
               AuthorizedKeysCommandUser nobody
+              ChallengeResponseAuthentication no
+              PasswordAuthentication no
         '';
       };
 
-- 
2.43.0