Home Explore Help
Sign In
kotoyuuko
/
ansible-proxy-chain
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

fix: remove invalid validate param from SSH drop-in task

Ansible template module requires %s in validate commands; the
previous value lacked it and caused playbook failure on all hosts.
Also rename handler to reload ssh to match the notify.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
kotoyuuko 3 weeks ago
parent
a9a72248cc
commit
c1ea73d3ac
7 changed files with 48 additions and 3 deletions
Split View Show Diff Stats
  1. 2 0
      openspec/changes/archive/2026-04-22-fix-ssh-dropin-validate/.openspec.yaml
  2. 19 0
      openspec/changes/archive/2026-04-22-fix-ssh-dropin-validate/design.md
  3. 19 0
      openspec/changes/archive/2026-04-22-fix-ssh-dropin-validate/proposal.md
  4. 3 0
      openspec/changes/archive/2026-04-22-fix-ssh-dropin-validate/specs/NOTE.md
  5. 3 0
      openspec/changes/archive/2026-04-22-fix-ssh-dropin-validate/tasks.md
  6. 1 1
      roles/base/handlers/main.yml
  7. 1 2
      roles/base/tasks/main.yml

+ 2 - 0
openspec/changes/archive/2026-04-22-fix-ssh-dropin-validate/.openspec.yaml
View File 

@@ -0,0 +1,2 @@
 
+schema: spec-driven
 
+created: 2026-04-22

+ 19 - 0
openspec/changes/archive/2026-04-22-fix-ssh-dropin-validate/design.md
View File 

@@ -0,0 +1,19 @@
 
+## Context
 
+
 
+The drop-in SSH hardening task uses `validate: "sshd -t -f /etc/ssh/sshd_config"`. Ansible's template module requires `%s` in validate commands and rejects any command that doesn't contain it. Since this is a drop-in file in `sshd_config.d/`, not a full config, validating the temp file standalone isn't meaningful anyway.
 
+
 
+## Goals / Non-Goals
 
+
 
+**Goals:**
 
+- Fix the Ansible error so the playbook runs without failure
 
+
 
+**Non-Goals:**
 
+- No changes to SSH hardening settings or the drop-in file content
 
+
 
+## Decisions
 
+
 
+Remove `validate` entirely. The drop-in is 6 simple key-value lines. If there's a syntax issue, `systemctl reload ssh` will fail and leave the existing working config in place.
 
+
 
+## Risks / Trade-offs
 
+
 
+- [No pre-validation of config syntax] → Mitigation: the drop-in contains only 6 well-known sshd directives. Any typo would be caught immediately on reload, and sshd won't restart if the full config is invalid.

+ 19 - 0
openspec/changes/archive/2026-04-22-fix-ssh-dropin-validate/proposal.md
View File 

@@ -0,0 +1,19 @@
 
+## Why
 
+
 
+Ansible's `template` module requires `%s` in the `validate` command as a placeholder for the temp file. Our drop-in config uses `validate: "sshd -t -f /etc/ssh/sshd_config"` which lacks `%s`, causing the module to fail on both relay and landing servers.
 
+
 
+## What Changes
 
+
 
+- Remove the `validate` parameter from the SSH hardening drop-in task — it's a 6-line incremental config that doesn't need pre-validation; sshd reload will fail safely on bad syntax
 
+
 
+## Capabilities
 
+
 
+### New Capabilities
 
+<!-- none -->
 
+
 
+### Modified Capabilities
 
+<!-- none -->
 
+
 
+## Impact
 
+
 
+- `roles/base/tasks/main.yml`: remove `validate` from the SSH hardening drop-in task

+ 3 - 0
openspec/changes/archive/2026-04-22-fix-ssh-dropin-validate/specs/NOTE.md
View File 

@@ -0,0 +1,3 @@
 
+## Note
 
+
 
+No capability changes. Internal task parameter fix.

+ 3 - 0
openspec/changes/archive/2026-04-22-fix-ssh-dropin-validate/tasks.md
View File 

@@ -0,0 +1,3 @@
 
+## 1. Remove validate parameter
 
+
 
+- [x] 1.1 Remove `validate` from the SSH hardening drop-in task in `roles/base/tasks/main.yml`

+ 1 - 1
roles/base/handlers/main.yml
View File 

@@ -1,5 +1,5 @@
 
 ---
 
-- name: restart sshd
 
+- name: reload ssh
 
   ansible.builtin.systemd:
 
     name: ssh
 
     state: reloaded

+ 1 - 2
roles/base/tasks/main.yml
View File 

@@ -16,8 +16,7 @@
 
     owner: root
 
     group: root
 
     mode: "0644"
 
-    validate: "sshd -t -f /etc/ssh/sshd_config"
 
-  notify: restart sshd
 
+  notify: reload ssh
 
 
 - name: Allow SSH through UFW
 
   community.general.ufw: