disable systemd socket activation

rndmh3ro · rndmh3ro · commit 50743f84e594 · 2024-06-04T10:06:07.000+02:00
Signed-off-by: Sebastian Gumprich &lt;rndmh3ro@users.noreply.github.com&gt;
diff --git a/roles/ssh_hardening/README.md b/roles/ssh_hardening/README.md
@@ -37,6 +37,12 @@ This role uses the default port 22 or the port configured in the inventory to co
 
 If idempotency is important, please consider using role [`ssh-hardening-fallback`](https://github.com/nununo/ansible-ssh-hardening-fallback), which is a wrapper around this role that falls back to port 22 if the configured port is unreachable.
 
+## Disabling systemd-socket activation on Debian and Ubuntu systems
+
+Since Debian 12 and Ubuntu 22.04 the ssh-daemon is not running by default anymore but is instead activated via systemd.
+We revert this change to its traditional behaviour.
+For more information, see [this issue](https://github.com/dev-sec/ansible-collection-hardening/issues/763).
+
 <!-- BEGIN_ANSIBLE_DOCS -->
 
 ## Supported Operating Systems
diff --git a/roles/ssh_hardening/tasks/disable-systemd-socket.yml b/roles/ssh_hardening/tasks/disable-systemd-socket.yml
@@ -0,0 +1,17 @@
+---
+- name: Remove systemd-socket file
+  ansible.builtin.file:
+    path: /etc/systemd/system/ssh.service.d/00-socket.conf
+    state: absent
+
+- name: Enable normal sshd start
+  ansible.builtin.systemd:
+    name: ssh.service
+    state: started
+    enabled: true
+
+- name: Disable systemd-socket activation
+  ansible.builtin.systemd:
+    name: ssh.socket
+    state: stopped
+    enabled: false
diff --git a/roles/ssh_hardening/tasks/hardening.yml b/roles/ssh_hardening/tasks/hardening.yml
@@ -32,6 +32,15 @@
   ansible.builtin.set_fact:
     sshd_version: "{{ sshd_version_raw.stderr | regex_replace('.*_([0-9]*.[0-9]).*', '\\1') }}"
 
+# see https://github.com/dev-sec/ansible-collection-hardening/issues/763
+- name: Change Debian/Ubuntu systems so ssh starts traditionally instead of socket-activated
+  ansible.builtin.include_tasks: disable-systemd-socket.yml
+  when:
+    - ssh_server_hardening | bool
+    - ssh_server_enabled | bool
+    - (ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version is version('22.04', '>=')) or
+      (ansible_facts.os_family == 'Debian' and ansible_facts.distribution_major_version is version('12', '>='))
+
 - name: Set default for ssh_host_key_files if not supplied
   ansible.builtin.include_tasks: crypto_hostkeys.yml
   when:
