design.md

Context

The drop-in SSH hardening task uses validate: "sshd -t -f /etc/ssh/sshd_config". Ansible's template module requires %s (the path of the temporary file being validated) in validate commands and rejects any command that doesn't contain it. Since this is a drop-in file in sshd_config.d/ rather than a full config, validating the temporary file on its own isn't meaningful anyway.

Goals / Non-Goals

Goals:

  • Fix the Ansible error so the playbook runs without failure

Non-Goals:

  • No changes to SSH hardening settings or the drop-in file content

Decisions

Remove validate entirely. The drop-in is 6 simple key-value lines. If there's a syntax issue, systemctl reload ssh will fail and leave the existing working config in place.

Risks / Trade-offs

  • [No pre-validation of config syntax] → Mitigation: the drop-in contains only 6 well-known sshd directives. Any typo would be caught immediately on reload, and sshd won't restart if the full config is invalid.
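The decision and the reload-based mitigation above as one complete play, with the rejected validate line kept as a comment beside the corrected task. This is an added example, not the repository's own playbook; the play, task and handler names, the template file name and the drop-in filename 50-hardening.conf are assumptions.

```yaml
# Added example (not the project's playbook). Names and paths are assumed.
- name: Harden sshd with a drop-in
  hosts: all
  become: true
  tasks:
    - name: Install SSH hardening drop-in
      ansible.builtin.template:
        src: 50-hardening.conf.j2
        dest: /etc/ssh/sshd_config.d/50-hardening.conf
        owner: root
        group: root
        mode: "0600"
        # Rejected by Ansible: a validate command must contain %s, and
        # checking the drop-in in isolation would not test the merged config.
        # validate: "sshd -t -f /etc/ssh/sshd_config"
      notify: Reload ssh

  handlers:
    # A syntax error in the drop-in makes this reload fail; the running
    # sshd keeps serving with its previously loaded configuration.
    - name: Reload ssh
      ansible.builtin.systemd:
        name: ssh
        state: reloaded
```

On Debian and Ubuntu the packaged ssh.service runs sshd -t as its ExecReload step before sending SIGHUP, which is what makes a failed reload leave the old configuration in place rather than restarting into a broken one.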