Version 4.2.0

@andreapollastri andreapollastri released this 08 Mar 15:09
· 115 commits to master since this release

[4.2.0] — 2026-03-08

Added

  • SSH hardening at install: setup.sh now asks for an SSH public key during installation (before any package install begins); creates a dedicated cipi user as the only SSH entry point; disables root login and password authentication
    • PermitRootLogin no, PasswordAuthentication no, PubkeyAuthentication yes, AllowUsers cipi, MaxAuthTries 3, LoginGraceTime 20, X11Forwarding no, ExposeAuthInfo yes
    • cipi user has passwordless sudo for /usr/local/bin/cipi * only
    • Server-to-server ed25519 keypair auto-generated for sync operations
  • cipi ssh list — list all authorized SSH keys for the cipi user with fingerprint, comment, and current-session marker (<< current session)
  • cipi ssh add [key] — add an SSH public key (interactive prompt if no argument); validates format, rejects duplicates; sends email notification via SMTP if configured
  • cipi ssh remove [n] — remove an SSH key by number (interactive list if no argument); sends email notification via SMTP if configured
    • Session safety — detects the key used for the current SSH session (via ExposeAuthInfo + SSH_USER_AUTH) and blocks its removal
    • Last-key safety — prevents removing the last remaining key to avoid lockout
  • cipi sync pubkey — display this server's sync public key (for server-to-server trust)
  • cipi sync trust — add a remote server's public key to cipi's authorized_keys, enabling passwordless cipi sync push between servers
  • SSH key change notifications — email alerts (via existing SMTP) on every key add/remove, including server hostname, IP, key fingerprint, comment, timestamp, and remaining key count
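
The session-safety and last-key checks described for cipi ssh remove, as an added example (a constructed sketch, not Cipi's own code): it compares the key recorded in the SSH_USER_AUTH file with the targeted authorized_keys entry. The function names, return codes and the auth-file line format are assumptions.

```shell
#!/bin/sh
# Added example (constructed), not Cipi's implementation.

# Print "<type> <blob>" for one authorized_keys line, skipping a leading
# options field. SSH key blobs are base64 of a length-prefixed string, so
# they always start with "AAAA".
key_of_line() {
  printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++)
    if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/ && $(i+1) ~ /^AAAA/) { print $i, $(i+1); exit } }'
}

# Key that authenticated this session. With ExposeAuthInfo yes, sshd puts the
# path of a file in SSH_USER_AUTH; assumed line format: "publickey <type> <blob>".
session_key() {
  if [ -n "${SSH_USER_AUTH:-}" ] && [ -r "$SSH_USER_AUTH" ]; then
    awk '$1 == "publickey" { print $2, $3; exit }' "$SSH_USER_AUTH"
  fi
}

# remove_key FILE N: delete the Nth key entry (comments and blanks not counted).
# Returns 0 = removed, 1 = no such entry, 2 = last key, 3 = current-session key.
remove_key() {
  file=$1; n=$2
  total=$(awk '!/^[ \t]*(#|$)/ { c++ } END { print c + 0 }' "$file")
  target=$(awk -v n="$n" '!/^[ \t]*(#|$)/ && ++c == n' "$file")
  [ -n "$target" ] || return 1
  [ "$total" -gt 1 ] || return 2
  sk=$(session_key)
  if [ -n "$sk" ] && [ "$(key_of_line "$target")" = "$sk" ]; then return 3; fi
  # Rewrite via a temp file in the same directory so the swap is atomic.
  tmp=$(mktemp "$file.XXXXXX") || return 1
  grep -vxF -- "$target" "$file" > "$tmp" || true
  chmod 600 "$tmp" && mv "$tmp" "$file"
}
```

When the command runs under sudo, the session check only works if SSH_USER_AUTH survives the privilege change, which is why the sudoers env_keep entry matters.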

Changed

  • Sync default user: cipi sync push now connects as cipi (was root); remote commands use sudo cipi for privilege escalation
  • Sync troubleshooting — updated help messages to reference cipi sync trust and cipi sync pubkey instead of PermitRootLogin yes
  • Installation summary — now shows SSH access info (login command, root-login disabled, password-auth disabled) and the server sync public key
  • Sudoers: SSH_USER_AUTH env variable preserved through sudo (env_keep) for session key detection
  • Nginx default vhost — all requests to the server IP now serve the "Server Up" page instead of returning nginx default 404; custom error_page directive catches all error codes (400–504) and serves /index.html, preventing nginx version leaks in error pages