Merge pull request #1003 from konstruktoid/sshsocket

use ssh.socket and disable the service on ubuntu

Author: konstruktoid

handlers/main.yml

@@ -78,29 +78,34 @@
   when:
     - ansible_facts.virtualization_type not in ["container", "docker", "podman"]
 
-- name: Restart ssh service
+- name: Restart ssh socket
   become: true
   ansible.builtin.service:
-    name: ssh
+    name: "{{ 'ssh.socket' if ansible_facts.os_family == 'Debian' else 'sshd.socket' }}"
     state: restarted
-  register: ssh_service
-  failed_when:
-    - ssh_service is not success
-    - not 'Could not find the requested service' in ssh_service.msg
+    enabled: true
   when:
     - ansible_facts.virtualization_type not in ["container", "docker", "podman"]
+    - ansible_facts.distribution == "Ubuntu"
 
-- name: Restart sshd service
+- name: Restart ssh service
   become: true
   ansible.builtin.service:
-    name: sshd
+    name: "{{ 'ssh.service' if ansible_facts.os_family == 'Debian' else 'sshd.service' }}"
     state: restarted
-  register: sshd_service
-  failed_when:
-    - sshd_service is not success
-    - not 'Could not find the requested service' in sshd_service.msg
+    enabled: true
+  when:
+    - ansible_facts.virtualization_type not in ["container", "docker", "podman"]
+
+- name: Disable ssh service
+  become: true
+  ansible.builtin.service:
+    name: "{{ 'ssh.service' if ansible_facts.os_family == 'Debian' else 'sshd.service' }}"
+    state: stopped
+    enabled: false
   when:
     - ansible_facts.virtualization_type not in ["container", "docker", "podman"]
+    - ansible_facts.distribution == "Ubuntu"
 
 - name: Restart Postfix
   become: true

molecule/default/converge.yml

@@ -11,6 +11,16 @@
       when:
         - ansible_facts.distribution == 'AlmaLinux'
 
+    - name: Install acl on Debian
+      become: true
+      ansible.builtin.apt:
+        name: acl
+        state: present
+        install_recommends: false
+        update_cache: true
+      when:
+        - ansible_facts.os_family == 'Debian'
+
     - name: Include Ansible role
       ansible.builtin.import_role:
         name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"

molecule/default/verify.yml

@@ -99,7 +99,6 @@
       become: true
       ansible.builtin.user:
         name: "{{ item }}"
-        group: "{{ item }}"
         shell: /bin/bash
         create_home: true
         generate_ssh_key: true
@@ -118,9 +117,9 @@
     - name: Assert home directory permissions
       ansible.builtin.assert:
         that:
-          - home_dir.stat.mode == "0700"
+          - home_dir.stat.mode == login_defs.home_mode
         success_msg: "{{ home_dir.stat.path }} has correct permissions: {{ home_dir.stat.mode }}"
-        fail_msg: "{{ home_dir.stat.path }} permissions are incorrect: {{ home_dir.stat.mode }}"
+        fail_msg: "{{ home_dir.stat.path }} permissions are incorrect: {{ home_dir.stat.mode }}, expected {{ login_defs.home_mode }} or {{ umask_value }}"
       when:
         - home_dir.stat.exists
 
@@ -144,17 +143,23 @@
         - sshd
         - sshd_config
 
-    - name: Ensure privilege separation directory exists
+    - name: Ensure privilege separation directories exist
       become: true
       ansible.builtin.file:
-        path: /run/sshd
+        path: "{{ item.path }}"
         owner: root
         group: root
         state: directory
-        mode: "0755"
-      tags:
-        - sshd
-        - sshd_config
+        mode: "{{ item.mode }}"
+      register: privsep_dir
+      failed_when:
+        - privsep_dir is changed
+        - not (item.path == '/run/sshd' and ansible_facts.distribution == 'Ubuntu')
+      loop:
+        - { path: /run/sshd, mode: "0755" }
+        - { path: /usr/share/empty.sshd, mode: "0711" }
+        - { path: /var/empty, mode: "0755" }
+        - { path: /var/empty/sshd, mode: "0711" }
 
     - name: Stat IPv6 status
       become: true

tasks/sshconfig.yml

@@ -17,14 +17,18 @@
   ansible.builtin.debug:
     msg: "{{ ssh_installed_version }}"
 
-- name: Ensure privilege separation directory exists
+- name: Ensure privilege separation directories exist
   become: true
   ansible.builtin.file:
     path: "{{ item.path }}"
     owner: root
     group: root
     state: directory
     mode: "{{ item.mode }}"
+  register: privsep_dir
+  changed_when:
+    - privsep_dir is changed
+    - not (item.path == '/run/sshd' and ansible_facts.distribution == 'Ubuntu')
   loop:
     - { path: /run/sshd, mode: "0755" }
     - { path: /usr/share/empty.sshd, mode: "0711" }
@@ -250,7 +254,8 @@
     (not sshd_config_d.stat.exists) or
     (grep_include.rc != 0)
   notify:
-    - Restart sshd service
+    - Disable ssh service
+    - Restart ssh socket
     - Restart ssh service
 
 - name: Configure sshd using sshd_config.d
@@ -268,7 +273,8 @@
     - sshd_config_d.stat.exists
     - grep_include.rc == 0
   notify:
-    - Restart sshd service
+    - Disable ssh service
+    - Restart ssh socket
     - Restart ssh service
 
 - name: Remove possible Subsystem duplicate