diff --git a/hosts/ops-jrz1.nix b/hosts/ops-jrz1.nix
index 0cd798a..bd3a66e 100644
--- a/hosts/ops-jrz1.nix
+++ b/hosts/ops-jrz1.nix
@@ -94,6 +94,10 @@
  # Local backup service (Phase 1: manual trigger)
  services.backup.enable = true;
+ # Security hardening - DISABLED pending fixes
+ # security.fail2ban-enhanced.enable = true;
+ # security.ssh-hardening.enable = true;
+
  # nix-ld for VS Code Remote-SSH (runs pre-compiled VS Code Server binary)
  programs.nix-ld.enable = true;
  programs.nix-ld.libraries = with pkgs; [
diff --git a/modules/security/ssh-hardening.nix b/modules/security/ssh-hardening.nix
index f15c2f0..0a363e9 100644
--- a/modules/security/ssh-hardening.nix
+++ b/modules/security/ssh-hardening.nix
@@ -15,8 +15,8 @@ with lib;
  allowUsers = mkOption {
  type = types.listOf types.str;
- default = [ "admin" ];
- description = "Users allowed to SSH";
+ default = [ ];
+ description = "Users allowed to SSH (empty = allow all authenticated users)";
  };
  maxAuthTries = mkOption {
@@ -47,17 +47,17 @@ with lib;
  # Security settings
  PermitEmptyPasswords = false;
- UsePAM = false;
+ # UsePAM must stay true - NixOS SSH auth requires PAM
  X11Forwarding = false;
  AllowAgentForwarding = config.security.ssh-hardening.level == "development";
  AllowTcpForwarding = config.security.ssh-hardening.level != "paranoid";
  GatewayPorts = "no";
- # User restrictions
- AllowUsers = config.security.ssh-hardening.allowUsers;
+ # User restrictions (only set if explicitly configured)
+ AllowUsers = mkIf (config.security.ssh-hardening.allowUsers != [])
+ config.security.ssh-hardening.allowUsers;
- # Protocol settings
- Protocol = 2;
+ # Logging
  LogLevel = if config.security.ssh-hardening.level == "paranoid" then "VERBOSE" else "INFO";
  # Timing settings
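Review bot: The host ends up with both hardening modules switched off through commented-out lines, while the same commit repairs the `UsePAM` and `AllowUsers` problems in modules/security/ssh-hardening.nix, so a reader cannot tell which fix is still "pending" or when the lines are meant to come back. Prefer an explicit, evaluable setting with a tracked reason, e.g. `# TODO(<issue-id>): re-enable once <pending fix> lands` above `security.ssh-hardening.enable = false;` and `security.fail2ban-enhanced.enable = false;`, so the weakened state is visible in the evaluated configuration and in future diffs rather than as archaeology. It would also help to state in that comment what sshd settings the host presumably falls back to while the modules are off, since nothing in this hunk shows them.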
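Review bot: The new description claims an empty list means "allow all authenticated users", but the option value alone does not make that true; it holds only because the third hunk omits the `AllowUsers` directive when the list is empty, leaving sshd's default of accepting any account, and the two can drift apart. Say so where the option is declared: `description = "Users allowed to SSH; an empty list emits no AllowUsers directive, so sshd accepts any account";`. Since this module is the hardening layer, consider refusing an empty list at the `paranoid` level via the module's `assertions` list, e.g. `{ assertion = config.security.ssh-hardening.level != "paranoid" || config.security.ssh-hardening.allowUsers != []; message = "ssh-hardening: paranoid level requires a non-empty allowUsers"; }`. The enclosing options block continues outside the hunk.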