
Fallback option for ssh hardening #101

@buildplan

Description

Discussed in #100

Originally posted by avetere February 27, 2026
Hi there!

Thanks for this very nice script!

I have two suggestions for further improvement:

  • Implement a fallback security net with a timeout of e.g. 5min when changing ssh config/hardening
    This would be to revert everything in case the user does not confirm the possibility to log in in time, e.g. due to a disconnect from the active session. The same could apply for 2fa setup
  • Implement a check for a validated ssh key for the sudo user before revoking root access and password authentication during ssh hardening
    In case of an existing user - as far as I have seen - there is no additional check if an ssh key actually exists and is working.

And a small thing to think about:
Might it be beneficial to actually perform changes to sshd config in a low-lexical-order file in sshd_config.d altogether, instead of changing the default config? So as to avoid the first-mention-wins problem?

Cheers
AV
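The two safeguards above (a timed auto-revert and a key check before disabling root/password login), plus the sshd_config.d drop-in idea, sketched as a shell safety net. This is an added example, not the project's script; it assumes a Debian-style sshd_config whose first line is `Include /etc/ssh/sshd_config.d/*.conf`, so a `00-` drop-in is read first and wins under sshd's first-mention-wins rule, and the paths, `SSHD_BIN` and `RELOAD_CMD` are overridable assumptions.

```shell
#!/bin/sh
# Added example (not the project's code): safety net around sshd hardening.
# Assumed: sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf",
# so 00-hardening.conf is parsed before the main file and its directives win.
set -eu
SSHD_DIR="${SSHD_DIR:-/etc/ssh/sshd_config.d}"   # overridable for testing
DROPIN="${DROPIN:-$SSHD_DIR/00-hardening.conf}"
CONFIRM_FLAG="${CONFIRM_FLAG:-/run/sshd-hardening.confirmed}"
SSHD_BIN="${SSHD_BIN:-/usr/sbin/sshd}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload ssh}"
REVERT_PID=""

# Pre-flight check: the sudo user's authorized_keys must contain a usable,
# non-commented key line before root login and passwords are switched off.
authorized_keys_has_key() {
  [ -s "$1" ] && grep -v '^[[:space:]]*#' "$1" |
    grep -Eq '(^|[[:space:]])(ssh-(ed25519|rsa)|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9-]+@openssh\.com) [A-Za-z0-9+/]+'
}

# All changes go into one low-lexical-order drop-in; deleting it reverts.
write_hardening_dropin() {
  cat > "$DROPIN" <<'EOF'
# managed by hardening script; delete this file to revert
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF
}

revert_hardening() { rm -f "$DROPIN"; $RELOAD_CMD; }
confirm_hardening() { touch "$CONFIRM_FLAG"; }

# Detached timer: unless confirm_hardening ran within $1 seconds, roll back.
# SIGHUP is ignored so the timer survives the very session drop it guards against.
arm_revert_timer() {
  rm -f "$CONFIRM_FLAG"
  ( trap '' HUP; sleep "$1"; [ -e "$CONFIRM_FLAG" ] || revert_hardening ) >/dev/null 2>&1 &
  REVERT_PID=$!
}

# Usage: harden_with_safety_net /home/admin/.ssh/authorized_keys 300
harden_with_safety_net() {
  authorized_keys_has_key "$1" || { echo "no usable key in $1; refusing" >&2; return 1; }
  write_hardening_dropin
  "$SSHD_BIN" -t || { echo "sshd rejected config; reverting" >&2; revert_hardening; return 1; }
  $RELOAD_CMD
  arm_revert_timer "$2"
  echo "applied; run confirm_hardening from a NEW ssh session within $2 s" >&2
}
```

The admin keeps the old session open, opens a second one to prove the key works, and only then calls `confirm_hardening`; if the second login fails or the session drops, the timer deletes the drop-in and reloads sshd on its own.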

Metadata

Assignees: No one assigned
Labels: bug (Something isn't working), enhancement (New feature or request)
Projects: No projects
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests