MODIFIED Requirements

Requirement: SSH is hardened

The base role SHALL configure SSH to disable password authentication, disable root login, and only allow key-based authentication. The SSH port SHALL be configurable per host via ssh_port, defaulting to 22.

Scenario: SSH hardening applied

  • WHEN the base role completes
  • THEN /etc/ssh/sshd_config has PasswordAuthentication no, PermitRootLogin no, and PubkeyAuthentication yes
  • THEN the sshd Port directive uses the host's ssh_port value
  • THEN the sshd service is restarted

Scenario: Custom SSH port per host

  • WHEN a host defines ssh_port: 2222 in inventory
  • THEN sshd listens on port 2222
  • THEN UFW allows port 2222 instead of 22
  • THEN fail2ban monitors port 2222
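
The sshd_config conditions in both scenarios can be checked against the rendered file; the following is an added example, not part of this spec or the role's own code. It assumes a single config file (Include is not followed) and relies on sshd using the first value it reads for a keyword, with Port as the repeatable exception; `check_sshd_config` and the sample configs are constructed for illustration.

```python
# Added example: checks sshd_config text against the scenarios in this spec.
# check_sshd_config and the sample configs below are constructed for illustration.
REQUIRED = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
}

def check_sshd_config(text, ssh_port=22):
    """Return a list of findings; an empty list means the scenario holds."""
    seen, ports, findings, in_match = {}, [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split() + ["", ""]
        key, value = parts[0].lower(), parts[1]
        if key == "match":
            in_match = True  # everything after this is a conditional override
        elif in_match:
            if key in REQUIRED and value != REQUIRED[key]:
                findings.append(f"Match block sets {key} {value}")
        elif key == "port":
            ports.append(value)  # Port may repeat; sshd listens on all of them
        elif key not in seen:
            seen[key] = value  # first value wins; later duplicates are ignored
    for key, want in REQUIRED.items():
        if seen.get(key) != want:
            findings.append(f"{key} is {seen.get(key, 'unset')}, expected {want}")
    if ports != [str(ssh_port)]:
        findings.append(f"Port directives {ports}, expected only {ssh_port}")
    return findings

# Constructed samples (not taken from any real host).
HARDENED = """Port 2222
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
"""
# Hardening lines appended below distro defaults: the earlier values still win.
SHADOWED = "PasswordAuthentication yes\nPort 22\n" + HARDENED
# A Match block re-enables passwords for one account.
OVERRIDDEN = HARDENED + "Match User backup\n    PasswordAuthentication yes\n"

if __name__ == "__main__":
    for name, cfg in [("hardened", HARDENED), ("shadowed", SHADOWED),
                      ("overridden", OVERRIDDEN)]:
        print(name, check_sshd_config(cfg, ssh_port=2222) or "OK")
```

On a live host, `sshd -T` prints the resolved global configuration, including Include files, and its output can be passed to the same function.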