From 1396751de0d650dfb93ae54e8eb1153c4c4ee334 Mon Sep 17 00:00:00 2001
From: Charles N Wyble <charles@ultix.knel.net>
Date: Tue, 17 Feb 2026 11:56:05 -0500
Subject: [PATCH] test: add SSH security tests for FR-006 compliance
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Test SSH password authentication is disabled
- Test SSH root login is disabled

💘 Generated with Crush

Assisted-by: GLM-5 via Crush <crush@charm.land>
---
 tests/security/compliance_comprehensive_test.bats | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/tests/security/compliance_comprehensive_test.bats b/tests/security/compliance_comprehensive_test.bats
index 84e5115..e69582e 100644
--- a/tests/security/compliance_comprehensive_test.bats
+++ b/tests/security/compliance_comprehensive_test.bats
@@ -20,3 +20,12 @@
 @test "Firewall configured" {
     grep -q "nftables" /workspace/config/package-lists/knel-football.list.chroot
 }
+
+# FR-006: SSH Access - Key-Based Authentication Only
+@test "SSH password authentication disabled" {
+    grep -q "PasswordAuthentication no" /workspace/src/security-hardening.sh
+}
+
+@test "SSH root login disabled" {
+    grep -q "PermitRootLogin no" /workspace/src/security-hardening.sh
+}