check-ssh-keys: Disable challenge-response and root login

Change-Id: If3ba490641a9089b1e8159c173a563933e40af54
diff --git a/etc/runonce.d/03-check-ssh-keys b/etc/runonce.d/03-check-ssh-keys
index 8ac20ac..05e0097 100755
--- a/etc/runonce.d/03-check-ssh-keys
+++ b/etc/runonce.d/03-check-ssh-keys
@@ -1,5 +1,8 @@
 #!/bin/bash
 
-rm -f /etc/ssh/ssh_host_*
 sed -e's/^#?PasswordAuthentication.*/PasswordAuthentication no/g' -i /etc/ssh/sshd_config
+sed -e's/^#?ChallengeResponseAuthentication.*/ChallengeResponseAuthentication no/g' -i /etc/ssh/sshd_config
+sed -e's/^#?PermitRootLogin.*/PermitRootLogin no/g' -i /etc/ssh/sshd_config
+
+rm -f /etc/ssh/ssh_host_*
 test -f /etc/ssh/ssh_host_dsa_key || dpkg-reconfigure openssh-server