disable systemd socket activation (#769)

* disable systemd socket activation Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com> * move start to after deactivation so it can start --------- Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
2024-11-10 09:14:18 +00:00 · 2024-06-18 15:56:09 +02:00 · 2024-06-18 15:56:09 +02:00 · 19ca997bd6
commit 19ca997bd6
parent 8dab761c52
3 changed files with 33 additions and 0 deletions
--- a/roles/ssh_hardening/README.md
+++ b/roles/ssh_hardening/README.md
@ -37,6 +37,12 @@ This role uses the default port 22 or the port configured in the inventory to co

 If idempotency is important, please consider using role [`ssh-hardening-fallback`](https://github.com/nununo/ansible-ssh-hardening-fallback), which is a wrapper around this role that falls back to port 22 if the configured port is unreachable.

+## Disabling systemd-socket activation on Debian and Ubuntu systems
+
+Since Debian 12 and Ubuntu 22.04 the ssh-daemon is not running by default anymore but is instead activated via systemd.
+We revert this change to its traditional behaviour.
+For more information, see [this issue](https://github.com/dev-sec/ansible-collection-hardening/issues/763).
+
 <!-- BEGIN_ANSIBLE_DOCS -->

 ## Supported Operating Systems
--- a/roles/ssh_hardening/tasks/disable-systemd-socket.yml
+++ b/roles/ssh_hardening/tasks/disable-systemd-socket.yml
@ -0,0 +1,18 @@
+---
+- name: Remove ssh service systemd-socket file
+  ansible.builtin.file:
+    path: /etc/systemd/system/ssh.service.d/00-socket.conf
+    state: absent
+
+- name: Disable systemd-socket activation
+  ansible.builtin.systemd:
+    name: ssh.socket
+    state: stopped
+    enabled: false
+    masked: true
+
+- name: Enable normal sshd start
+  ansible.builtin.systemd:
+    name: ssh.service
+    state: started
+    enabled: true
--- a/roles/ssh_hardening/tasks/hardening.yml
+++ b/roles/ssh_hardening/tasks/hardening.yml
@ -32,6 +32,15 @@
  ansible.builtin.set_fact:
    sshd_version: "{{ sshd_version_raw.stderr | regex_replace('.*_([0-9]*.[0-9]).*', '\\1') }}"

+# see https://github.com/dev-sec/ansible-collection-hardening/issues/763
+- name: Change Debian/Ubuntu systems so ssh starts traditionally instead of socket-activated
+  ansible.builtin.include_tasks: disable-systemd-socket.yml
+  when:
+    - ssh_server_hardening | bool
+    - ssh_server_enabled | bool
+    - (ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version is version('22.04', '>=')) or
+      (ansible_facts.os_family == 'Debian' and ansible_facts.distribution_major_version is version('12', '>='))
+
 - name: Set default for ssh_host_key_files if not supplied
  ansible.builtin.include_tasks: crypto_hostkeys.yml
  when: