proposal.md 1.2 KB

Why

The base role completely replaces /etc/ssh/sshd_config with a custom template, which overwrites Ubuntu's default configuration, including the Include directive for /etc/ssh/sshd_config.d and other distro-specific settings. This can leave sshd in a broken state after the handler fires — the distro defaults for password auth, root login, and other settings are silently removed, and sshd may not recover properly from the restart.

What Changes

  • Replace the full sshd_config.j2 template with a drop-in config file at /etc/ssh/sshd_config.d/99-hardening.conf that only overrides the specific settings we need to change
  • Remove the old sshd_config.j2 template file
  • Change the sshd handler from restart sshd to reload ssh to avoid dropping active connections
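The drop-in plus reload flow described in the list above, as an added example rather than the role's own code: it inlines the hardening keywords with `ansible.builtin.copy` instead of the proposal's `sshd-hardening.conf.j2` template so the whole flow fits in one file (the lines under `content` are what the template would render), the keyword values are assumptions because the proposal does not list the role's actual hardening settings, and the final tasks check the effective configuration with `sshd -T` rather than trusting that the file was written.

```yaml
# roles/base/tasks/main.yml (excerpt, added example; values are assumptions)
---
- name: Ensure the sshd drop-in directory exists
  ansible.builtin.file:
    path: /etc/ssh/sshd_config.d
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: Deploy SSH hardening drop-in (overrides only the keywords listed here)
  ansible.builtin.copy:
    dest: /etc/ssh/sshd_config.d/99-hardening.conf
    owner: root
    group: root
    mode: "0600"
    # Only keywords present in this file override the distro default;
    # everything else stays exactly as Ubuntu ships it.
    content: |
      # Managed by the base role. Do not edit by hand.
      PasswordAuthentication no
      PermitRootLogin no
      PubkeyAuthentication yes
      KbdInteractiveAuthentication no
      X11Forwarding no
      MaxAuthTries 4
    # sshd -t parses the new file before it replaces the old one, so a
    # syntax error fails the task instead of leaving a broken config on disk.
    validate: /usr/sbin/sshd -t -f %s
  notify: Reload ssh

# sshd -T reads the files on disk (not the running daemon), so it can be
# checked before the handler has run.
- name: Read the effective sshd configuration
  ansible.builtin.command: /usr/sbin/sshd -T
  register: sshd_effective
  changed_when: false

- name: Confirm the drop-in values actually took effect
  ansible.builtin.assert:
    that:
      # sshd -T prints keywords in lower case, one "keyword value" per line.
      - "'passwordauthentication no' in sshd_effective.stdout_lines"
      - "'permitrootlogin no' in sshd_effective.stdout_lines"
    fail_msg: "Another sshd_config fragment overrides the hardening drop-in"

# roles/base/handlers/main.yml
---
- name: Reload ssh
  ansible.builtin.service:
    name: ssh          # the Ubuntu unit is "ssh" even though the daemon is sshd
    state: reloaded    # SIGHUP re-reads the config without dropping active sessions
```

The assert matters because sshd keeps the first value it sees for each keyword: Ubuntu's stock sshd_config includes the drop-in directory at the top, and the fragments in it are read in lexical order, so a fragment that sorts before `99-hardening.conf` (for example a cloud-init generated `50-*.conf` that sets `PasswordAuthentication yes`) wins over the hardening file for that keyword. Checking `sshd -T` output catches that case, where checking only that the file exists would not.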

Capabilities

New Capabilities

Modified Capabilities

Impact

  • roles/base/tasks/main.yml: change from template to copy/drop-in task
  • roles/base/templates/sshd_config.j2: deleted
  • roles/base/templates/sshd-hardening.conf.j2: new file
  • roles/base/handlers/main.yml: handler service name and state corrected
  • No changes to which settings are enforced — same hardening, delivered incrementally