## MODIFIED Requirements

### Requirement: SSH is hardened

The base role SHALL configure SSH to disable password authentication, disable root login, and only allow key-based authentication. The SSH port SHALL be configurable per host via `ssh_port`, defaulting to 22.

#### Scenario: SSH hardening applied

- **WHEN** the base role completes
- **THEN** `/etc/ssh/sshd_config` has `PasswordAuthentication no`, `PermitRootLogin no`, and `PubkeyAuthentication yes`
- **THEN** the sshd Port directive uses the host's `ssh_port` value
- **THEN** the sshd service is restarted

#### Scenario: Custom SSH port per host

- **WHEN** a host defines `ssh_port: 2222` in inventory
- **THEN** sshd listens on port 2222
- **THEN** UFW allows port 2222 instead of 22
- **THEN** fail2ban monitors port 2222
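
A check for the sshd_config part of these scenarios, as an added example that is not part of the original spec or the role's own code: it reads the file the way sshd does (the first value for a keyword wins, several `Port` lines accumulate) and compares the result with the required settings and the host's `ssh_port`. The function names and sample configs are constructed for illustration; `Include` files and `Match` overrides are not evaluated.

```python
import re

# Settings the "SSH hardening applied" scenario requires in sshd_config.
REQUIRED = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
}

def effective_global_settings(config_text):
    """Map each global keyword to the value(s) sshd would actually use."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) < 2 or not parts[1]:
            continue
        key, value = parts[0].lower(), parts[1].split()[0].lower()
        if key == "match":
            break  # global section ends here; Match overrides are not checked
        if key == "port":
            settings.setdefault(key, []).append(value)  # Port may repeat
        else:
            settings.setdefault(key, [value])  # first value wins, rest ignored
    return settings

def check_hardening(config_text, ssh_port=22):
    """Return findings; an empty list means the scenario holds."""
    seen = effective_global_settings(config_text)
    findings = []
    for key, want in REQUIRED.items():
        got = seen.get(key, ["<unset>"])[0]
        if got != want:
            findings.append(f"{key}: expected {want}, effective {got}")
    ports = seen.get("port", ["22"])  # sshd listens on 22 when Port is absent
    if ports != [str(ssh_port)]:
        findings.append(f"port: expected {ssh_port}, effective {','.join(ports)}")
    return findings

# Constructed samples (not from a real host).
HARDENED = "Port 2222\nPasswordAuthentication no\nPermitRootLogin no\nPubkeyAuthentication yes\n"
# The required line is present, but an earlier duplicate shadows it.
SHADOWED = "PasswordAuthentication yes\nPermitRootLogin no\nPubkeyAuthentication yes\nPasswordAuthentication no\n"

if __name__ == "__main__":
    print(check_hardening(HARDENED, ssh_port=2222))
    print(check_hardening(SHADOWED, ssh_port=2222))
```

The `SHADOWED` sample is the case a plain text search for `PasswordAuthentication no` would pass even though sshd still accepts passwords.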