design.md

Context

Ubuntu 22.04+ ships an /etc/ssh/sshd_config whose first directive is Include /etc/ssh/sshd_config.d/*.conf. The included files are read before the rest of the main config, and sshd uses the first value it obtains for each keyword, so settings in sshd_config.d/ take precedence over those in the main config. The base role currently replaces the entire main config with a minimal template.

Goals / Non-Goals

Goals:

  • Only override the 6 specific settings that need hardening
  • Preserve Ubuntu's default sshd_config including Include directives
  • Apply changes without dropping active SSH connections

Non-Goals:

  • No changes to which hardening settings are enforced
  • No changes to UFW or fail2ban

Decisions

Use a drop-in config file at /etc/ssh/sshd_config.d/99-hardening.conf containing only the settings we want to override:

Port {{ ssh_port }}
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
X11Forwarding no

Ubuntu's default config already has Include /etc/ssh/sshd_config.d/*.conf, so our drop-in takes effect without touching the main config.
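The precedence rule above is the whole reason the drop-in works, and it only holds while the Include line stays ahead of the main config's own directives. The following added example (not part of the role) resolves a config tree the way sshd does: it expands Include in place and keeps the first value obtained for each keyword, then reports which of the six hardened settings would lose. The file layouts are constructed in a temporary directory, the Include uses a path relative to that directory instead of Ubuntu's absolute /etc/ssh/sshd_config.d/*.conf, port 2222 stands in for {{ ssh_port }} as an assumed value, and Match blocks are skipped as a simplification.

```python
"""Resolve sshd's effective global settings: expand Include, first value
wins (sshd_config(5) semantics).  Added example, not the role's own code;
the /etc/ssh tree below is constructed in a temp directory."""
import glob
import os
import tempfile

# The six settings the drop-in pins (keywords lower-cased for comparison).
# 2222 is an assumed stand-in for {{ ssh_port }}.
HARDENING = {
    "port": "2222",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "x11forwarding": "no",
}


def render_dropin(ssh_port):
    """Render 99-hardening.conf as described in the design."""
    return "\n".join([
        f"Port {ssh_port}",
        "PermitRootLogin prohibit-password",
        "PubkeyAuthentication yes",
        "PasswordAuthentication no",
        "KbdInteractiveAuthentication no",
        "X11Forwarding no",
    ]) + "\n"


def _directives(path, base_dir, seen):
    """Yield (keyword, value) in the order sshd reads them, following Include."""
    real = os.path.realpath(path)
    if real in seen:              # guard against an Include loop
        return
    seen.add(real)
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            key = parts[0].lower()  # keywords are case-insensitive
            value = parts[1].strip() if len(parts) > 1 else ""
            if key == "match":
                return            # simplification: ignore conditional Match blocks
            if key == "include":
                for pattern in value.split():
                    if not os.path.isabs(pattern):   # relative paths resolve under /etc/ssh
                        pattern = os.path.join(base_dir, pattern)
                    for inc in sorted(glob.glob(pattern)):  # sshd reads matches sorted
                        yield from _directives(inc, base_dir, seen)
                continue
            yield key, value


def effective_settings(main_config, base_dir="/etc/ssh"):
    """First obtained value wins, as sshd resolves the global section."""
    found = {}
    for key, value in _directives(main_config, base_dir, set()):
        found.setdefault(key, value)
    return found


def audit(settings):
    """Return the hardened keywords whose effective value is not the hardened one."""
    return sorted(k for k, v in HARDENING.items() if settings.get(k) != v)


def check_layout(include_first):
    """Build a constructed /etc/ssh tree; report which hardened settings lost."""
    with tempfile.TemporaryDirectory() as etc_ssh:
        os.mkdir(os.path.join(etc_ssh, "sshd_config.d"))
        dropin = os.path.join(etc_ssh, "sshd_config.d", "99-hardening.conf")
        with open(dropin, "w") as fh:
            fh.write(render_dropin(HARDENING["port"]))
        # Constructed main-config values that conflict with the drop-in.
        main_body = ["PasswordAuthentication yes", "PermitRootLogin yes",
                     "X11Forwarding yes"]
        include = ["Include sshd_config.d/*.conf"]
        lines = include + main_body if include_first else main_body + include
        main = os.path.join(etc_ssh, "sshd_config")
        with open(main, "w") as fh:
            fh.write("\n".join(lines) + "\n")
        return audit(effective_settings(main, base_dir=etc_ssh))


if __name__ == "__main__":
    print("Include at top (Ubuntu default):", check_layout(True))
    print("Include at bottom:", check_layout(False))
```

With the Include at the top the audit is empty; with the Include moved below the main config's own directives, the three conflicting main-config values win and the audit lists them, which is the case a check in the role should catch before reloading.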

Also fix the handler: restart sshd → reload ssh. On Ubuntu the service is named ssh, and a reload does not terminate existing connections.

Risks / Trade-offs

  • [Older Ubuntu versions may not support sshd_config.d] → This project targets Ubuntu/Debian servers; all supported versions (22.04+) include the drop-in mechanism.