So I’ve just had a quick play with this and yes, it works.

@GossiTheDog hi just out of curiosity why would a bios password help / be required? is that only for if pcr7 isn't bound?

@fiore ok nvm i found this and it seems to work very well
https://superuser.com/a/1154084

only needed to change the path to /usr/lib/openssh/sftp-server and ForceCommand to point at where i saved the script

then could run ssh test@localhost passwd

@fiore kind of evil but maybe a separate ssh port where they can only access passwd, similar to them only accessing sftp-internal on this one

@Larvitz uh oh

hi fedi i'm looking for domain registrar recommendations that aren't cloudflare, but are priced closely to wholesale, and support 'modern' things, namely:
- dnssec
- whois privacy
- 'fancy' record types (TLSA, SSHFP, HTTPS, NS)
- a good api

optionally but nice:
- multi-provider DNSSEC

any pointers are greatly appreciated!