## Context

The drop-in SSH hardening task uses `validate: "sshd -t -f /etc/ssh/sshd_config"`. Ansible's template module requires `%s` in validate commands and rejects any command that doesn't contain it. Since this is a drop-in file in `sshd_config.d/`, not a full config, validating the temp file standalone isn't meaningful anyway.

## Goals / Non-Goals

**Goals:**
- Fix the Ansible error so the playbook runs without failure

**Non-Goals:**
- No changes to SSH hardening settings or the drop-in file content

## Decisions

Remove `validate` entirely. The drop-in is 6 simple key-value lines. If there's a syntax issue, `systemctl reload ssh` will fail and leave the existing working config in place.

## Risks / Trade-offs

- [No pre-validation of config syntax] → Mitigation: the drop-in contains only 6 well-known sshd directives. Any typo would be caught immediately on reload, and sshd won't restart if the full config is invalid.