SSH settings fix

imagehost-setup.sh

@@ -187,22 +187,29 @@ path.write_text(text)
 PYEOF
 fi
 
-printf '%s\n' "$SFTP_STANZA" >> "$SSHD_CONFIG"
-
-# Additional SSH hardening (idempotent: only add if not already set)
+# Apply global hardening options FIRST (before the Match block)
 apply_ssh_option() {
     local key="$1" val="$2"
     if grep -qiE "^\s*${key}\s" "$SSHD_CONFIG"; then
         sed -i -E "s|^\s*${key}\s.*|${key} ${val}|i" "$SSHD_CONFIG"
+    else
+        # Insert before the first Match block, or append if no Match block exists
+        if grep -q "^Match " "$SSHD_CONFIG"; then
+            sed -i "/^Match /i ${key} ${val}" "$SSHD_CONFIG"
         else
             echo "${key} ${val}" >> "$SSHD_CONFIG"
         fi
+    fi
 }
+
 apply_ssh_option "PermitRootLogin"        "prohibit-password"
-apply_ssh_option "PasswordAuthentication" "yes"   # needed for SFTP password auth
+apply_ssh_option "PasswordAuthentication" "yes"
 apply_ssh_option "MaxAuthTries"           "4"
 apply_ssh_option "LoginGraceTime"         "30"
 
+# Append the Match block LAST
+printf '%s\n' "$SFTP_STANZA" >> "$SSHD_CONFIG"
+
 sshd -t || die "SSH config test failed — check ${SSHD_CONFIG}"
 systemctl restart sshd
 success "SSH/SFTP configured."