disable systemd socket activation (#769)

* disable systemd socket activation Signed-off-by: Sebastian Gumprich <[email protected]> * move start to after deactivation so it can start --------- Signed-off-by: Sebastian Gumprich <[email protected]>
dev-sec · Jun 18, 2024 · 19ca997 · 19ca997
1 parent 8dab761
commit 19ca997
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 0 deletions.
diff --git a/roles/ssh_hardening/README.md b/roles/ssh_hardening/README.md
@@ -37,6 +37,12 @@ This role uses the default port 22 or the port configured in the inventory to co
 
 If idempotency is important, please consider using role [`ssh-hardening-fallback`](https://github.com/nununo/ansible-ssh-hardening-fallback), which is a wrapper around this role that falls back to port 22 if the configured port is unreachable.
 
+## Disabling systemd-socket activation on Debian and Ubuntu systems
+
+Since Debian 12 and Ubuntu 22.04 the ssh-daemon is not running by default anymore but is instead activated via systemd.
+We revert this change to its traditional behaviour.
+For more information, see [this issue](https://github.com/dev-sec/ansible-collection-hardening/issues/763).
+
 <!-- BEGIN_ANSIBLE_DOCS -->
 
 ## Supported Operating Systems

diff --git a/roles/ssh_hardening/tasks/disable-systemd-socket.yml b/roles/ssh_hardening/tasks/disable-systemd-socket.yml
@@ -0,0 +1,18 @@
+---
+- name: Remove ssh service systemd-socket file
+  ansible.builtin.file:
+    path: /etc/systemd/system/ssh.service.d/00-socket.conf
+    state: absent
+
+- name: Disable systemd-socket activation
+  ansible.builtin.systemd:
+    name: ssh.socket
+    state: stopped
+    enabled: false
+    masked: true
+
+- name: Enable normal sshd start
+  ansible.builtin.systemd:
+    name: ssh.service
+    state: started
+    enabled: true
diff --git a/roles/ssh_hardening/tasks/hardening.yml b/roles/ssh_hardening/tasks/hardening.yml
@@ -32,6 +32,15 @@
   ansible.builtin.set_fact:
     sshd_version: "{{ sshd_version_raw.stderr | regex_replace('.*_([0-9]*.[0-9]).*', '\\1') }}"
 
+# see https://github.com/dev-sec/ansible-collection-hardening/issues/763
+- name: Change Debian/Ubuntu systems so ssh starts traditionally instead of socket-activated
+  ansible.builtin.include_tasks: disable-systemd-socket.yml
+  when:
+    - ssh_server_hardening | bool
+    - ssh_server_enabled | bool
+    - (ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version is version('22.04', '>=')) or
+      (ansible_facts.os_family == 'Debian' and ansible_facts.distribution_major_version is version('12', '>='))
+
 - name: Set default for ssh_host_key_files if not supplied
   ansible.builtin.include_tasks: crypto_hostkeys.yml
   when: