Fix known-hosts trust deadlock, host key stat, and optional nozstd build

- stdout logger: release mutex while waiting on pause resume so prompt
  callbacks can log (fixes hang after trusting new hosts; known_hosts
  was written but Resume never ran).
- known hosts callback: stop borrowing the SSH dial throttle channel
  (could block or interact badly with parallel handshakes).
- host key path: use errors.Is(..., fs.ErrNotExist) for RootedPath.Stat
  wrapped errors; stat errors now fail fast instead of mis-read.
- public key path: same ErrNotExist check for authorized_keys miss.
- Build: optional DTAIL_NO_ZSTD=yes / nozstd tag for CGO-free builds;
  split zstd readers into tagged files.
- Docs/examples: firewalld note for port 2222, log prune timer+script,
  SSHBindAddress note, dserver unit disabled-by-default comment;
  firewalld helper script example.
- Regression test for stdout pause/mutex behavior.

Made-with: Cursor

1 files changed, 3 insertions, 1 deletions

diff --git a/internal/ssh/server/publickeycallback.go b/internal/ssh/server/publickeycallback.go
index 3afbfba..df83bf6 100644
--- a/internal/ssh/server/publickeycallback.go
+++ b/internal/ssh/server/publickeycallback.go
@@ -1,7 +1,9 @@
 package server
 
 import (
+	"errors"
 	"fmt"
+	iofs "io/fs"
 	"os"
 	goUser "os/user"
 	"path/filepath"
@@ -142,7 +144,7 @@ func findAuthorizedKeysPath(user *user.User, cacheDir, cwd string,
 	if _, err = rootedAuthorizedKeysPath.Stat(); err == nil {
 		return rootedAuthorizedKeysPath, nil
 	}
-	if !os.IsNotExist(err) {
+	if !errors.Is(err, iofs.ErrNotExist) {
 		return fs.RootedPath{}, err
 	}