From 19ca997bd6a6e30dd2ea7835457029ce83167ef3 Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Tue, 18 Jun 2024 15:56:09 +0200
Subject: [PATCH] disable systemd socket activation (#769)

* disable systemd socket activation

Signed-off-by: Sebastian Gumprich

* move start to after deactivation so it can start

---------

Signed-off-by: Sebastian Gumprich
---
 roles/ssh_hardening/README.md | 6 ++++++
 .../tasks/disable-systemd-socket.yml | 18 ++++++++++++++++++
 roles/ssh_hardening/tasks/hardening.yml | 9 +++++++++
 3 files changed, 33 insertions(+)
 create mode 100644 roles/ssh_hardening/tasks/disable-systemd-socket.yml

diff --git a/roles/ssh_hardening/README.md b/roles/ssh_hardening/README.md
index 08e4cad7..5a1042ba 100644
--- a/roles/ssh_hardening/README.md
+++ b/roles/ssh_hardening/README.md
@@ -37,6 +37,12 @@ This role uses the default port 22 or the port configured in the inventory to co
 If idempotency is important, please consider using role [`ssh-hardening-fallback`](https://github.com/nununo/ansible-ssh-hardening-fallback), which is a wrapper around this role that falls back to port 22 if the configured port is unreachable.
+## Disabling systemd-socket activation on Debian and Ubuntu systems
+
+Since Debian 12 and Ubuntu 22.04 the ssh-daemon is not running by default anymore but is instead activated via systemd.
+We revert this change to its traditional behaviour.
+For more information, see [this issue](https://github.com/dev-sec/ansible-collection-hardening/issues/763).
+
 ## Supported Operating Systems
diff --git a/roles/ssh_hardening/tasks/disable-systemd-socket.yml b/roles/ssh_hardening/tasks/disable-systemd-socket.yml
new file mode 100644
index 00000000..c867fcbb
--- /dev/null
+++ b/roles/ssh_hardening/tasks/disable-systemd-socket.yml
@@ -0,0 +1,18 @@
+---
+- name: Remove ssh service systemd-socket file
+ ansible.builtin.file:
+ path: /etc/systemd/system/ssh.service.d/00-socket.conf
+ state: absent
+
+- name: Disable systemd-socket activation
+ ansible.builtin.systemd:
+ name: ssh.socket
+ state: stopped
+ enabled: false
+ masked: true
+
+- name: Enable normal sshd start
+ ansible.builtin.systemd:
+ name: ssh.service
+ state: started
+ enabled: true
diff --git a/roles/ssh_hardening/tasks/hardening.yml b/roles/ssh_hardening/tasks/hardening.yml
index 8708964e..060d3f6b 100644
--- a/roles/ssh_hardening/tasks/hardening.yml
+++ b/roles/ssh_hardening/tasks/hardening.yml
@@ -32,6 +32,15 @@
 ansible.builtin.set_fact:
 sshd_version: "{{ sshd_version_raw.stderr | regex_replace('.*_([0-9]*.[0-9]).*', '\\1') }}"
+# see https://github.com/dev-sec/ansible-collection-hardening/issues/763
+- name: Change Debian/Ubuntu systems so ssh starts traditionally instead of socket-activated
+ ansible.builtin.include_tasks: disable-systemd-socket.yml
+ when:
+ - ssh_server_hardening | bool
+ - ssh_server_enabled | bool
+ - (ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version is version('22.04', '>=')) or
+ (ansible_facts.os_family == 'Debian' and ansible_facts.distribution_major_version is version('12', '>='))
+
 - name: Set default for ssh_host_key_files if not supplied
 ansible.builtin.include_tasks: crypto_hostkeys.yml
 when:
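Review bot: The "Enable normal sshd start" task starts `ssh.service` right after the first task deletes the `/etc/systemd/system/ssh.service.d/00-socket.conf` drop-in, but no task in this file asks systemd to re-read its units, so the already-loaded drop-in presumably still governs that start until something else triggers a reload; add `daemon_reload: true` to the "Enable normal sshd start" task (or to the "Disable systemd-socket activation" task, which runs after the file removal). The ordering also opens a window between stopping and masking `ssh.socket` and `ssh.service` coming up in which nothing listens on the SSH port, and if `ssh.service` fails to start the host is unreachable with the socket masked — a header comment such as `# Switching from ssh.socket to ssh.service drops the listener briefly; a broken sshd_config at this point locks the operator out` would warn the next maintainer, and a preceding `sshd -t` check would make it safe. The file also assumes `ssh.socket` exists on the host; where the unit is absent the `systemd` module will most likely fail rather than skip, so the include condition in hardening.yml is the only guard.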
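Review bot: The Ubuntu clause of the new `when` compares `ansible_facts.distribution_major_version` against `'22.04'`, but on Ubuntu that fact is the bare major number (e.g. `"22"`), so the comparison is never true and every Ubuntu host is instead matched by the second clause, because `os_family == 'Debian'` also covers Ubuntu and its derivatives and `"18"`, `"20"` etc. all satisfy `>= '12'`. The net effect is that the include runs on Ubuntu 18.04/20.04 and on other Debian-family distributions whose version numbering has nothing to do with Debian 12, where `ssh.socket` may not exist and the included tasks then fail. Replace the two condition lines with `- (ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_version is version('22.04', '>=')) or` and `(ansible_facts.distribution == 'Debian' and ansible_facts.distribution_major_version is version('12', '>='))`. It is also worth re-checking the version gates themselves: as far as I recall socket activation became the Ubuntu default only in 22.10/23.04 and Debian 12 still starts `ssh.service` directly, so the README wording may overstate where the revert is needed.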