ssh_hardening ipv6 #719

Closed
Wolvez1911 opened this issue Nov 20, 2023 · 2 comments
@Wolvez1911

Wolvez1911 commented Nov 20, 2023

Description

It seems impossible to get the ssh_hardening role to set the ssh daemon to listen on all IPv4 AND IPv6 addresses for Debian. The goal is to set ListenAddress to:
ListenAddress ::
or
don't set it at all
because for at least Debian 11+ sshd listens on all IPv4 AND IPv6 addresses by default.

Reproduction steps

1
    - name: SSH_Hardening
      include_role:
        name: ssh_hardening
      vars:
        ssh_permit_root_login: "without-password"
        network_ipv6_enable: true
        ssh_listen_to: '::'
or
2
    - name: SSH_Hardening
      include_role:
        name: ssh_hardening
      vars:
        ssh_permit_root_login: "without-password"
        network_ipv6_enable: true
        ssh_listen_to: "::"
or
3
    - name: SSH_Hardening
      include_role:
        name: ssh_hardening
      vars:
        ssh_permit_root_login: "without-password"
        network_ipv6_enable: true
        ssh_listen_to: '[::]'
or
4
    - name: SSH_Hardening
      include_role:
        name: ssh_hardening
      vars:
        ssh_permit_root_login: "without-password"
        network_ipv6_enable: true
        ssh_listen_to: "[::]"
or
5
    - name: SSH_Hardening
      include_role:
        name: ssh_hardening
      vars:
        ssh_permit_root_login: "without-password"
        network_ipv6_enable: true
#        ssh_listen_to: '::'

Current Behavior

Reproduction options 1-4 result in:

TASK [ssh_hardening : Create sshd_config and set permissions to root/600] **************************************************************************************************
fatal: [bookwormhardened]: FAILED! => {"changed": false, "checksum": "43f6aefbac95d99fe02b9fe12d76b7bd7a461727", "exit_status": 255, "msg": "failed to validate", "stderr": "/root/.ansible/tmp/ansible-tmp-1700439006.707395-94286-125003981978082/source line 24: bad port number\r\n", "stderr_lines": ["/root/.ansible/tmp/ansible-tmp-1700439006.707395-94286-125003981978082/source line 24: bad port number"], "stdout": "", "stdout_lines": []}

The file /root/.ansible/tmp/ansible-tmp-1700439006.707395-94286-125003981978082/source
seems to be deleted after the playbook runs, so I can't see what it contains.

Reproduction option 5 results in ListenAddress being set to:
ListenAddress 0.0.0.0

which results in sshd listening on IPv4 only.

Expected Behavior

Being able to set ListenAddress to
ListenAddress ::

OS / Environment

version 8.8.0 and 9.0.0
Debian 11 and 12

Ansible Version

ansible [core 2.14.3]
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True

Collection Version

9.0.0

Additional information

Not sure if this is a YAML problem because of IPv6 :: or if there is a problem with the role.

@Wolvez1911 Wolvez1911 added the bug label Nov 20, 2023
@rndmh3ro
Member

ssh_listen_to is a list variable (you can define multiple listen options in the ssh config). This should work:

  vars:
    ssh_listen_to:
      - "[::]"
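
The following is an added example, not code from the dev-sec role or from either participant. It assumes the role renders `ListenAddress` with a Jinja2 loop of the shape `{% for address in ssh_listen_to %}` (an assumption about the template) and re-implements sshd's `ListenAddress` argument grammar in simplified form. Run together, the two parts show why handing the loop a scalar such as `"::"` ends in `sshd -t` reporting "bad port number", and why the maintainer's one-element list parses cleanly:

```python
"""Added example (not code from the dev-sec ansible-collection-hardening
role): why a scalar ssh_listen_to breaks the rendered sshd_config.

Two things are modelled here, both assumptions about the role's internals:
  1. a Jinja2 loop of the shape `{% for address in ssh_listen_to %}` renders
     one ListenAddress line per item; handed a str instead of a list it
     iterates the string character by character;
  2. a simplified re-implementation of sshd's ListenAddress argument parsing
     (bare IPv6 with two or more colons, or host[:port] / [host][:port]),
     enough to reproduce the "bad port number" failure from `sshd -t`.
"""


def render_listen_addresses(ssh_listen_to):
    """Mimic the template loop: a list yields its items, a str yields chars."""
    return [f"ListenAddress {item}" for item in ssh_listen_to]


def parse_listen_address(arg):
    """Return (host, port) for one ListenAddress value, or raise ValueError
    carrying an sshd-style message. port 0 means 'use the Port directives'."""
    if arg == "":
        raise ValueError("missing address")
    # Bare IPv6 literal: no brackets and at least two colons -> the whole
    # argument is the address and no port may follow.
    if "[" not in arg and arg.count(":") >= 2:
        return arg, 0
    if arg.startswith("["):
        end = arg.find("]")
        if end == -1:
            raise ValueError("bad address:port usage")
        host, rest = arg[1:end], arg[end + 1:]
        if rest == "":
            return host, 0
        if not rest.startswith(":"):
            raise ValueError("bad address:port usage")
        port_str = rest[1:]
    else:
        host, sep, port_str = arg.partition(":")
        if not sep:
            return host, 0
    # Anything after the separator must be a port in 1..65535; an empty
    # string (what the fragment ":" leaves behind) fails just as sshd does.
    if not port_str.isdigit() or not 1 <= int(port_str) <= 65535:
        raise ValueError("bad port number")
    return host, int(port_str)


def validate_rendered(lines):
    """Walk rendered config lines the way `sshd -t` stops at the first
    error: return (line_number, message), or None when every line parses."""
    for n, line in enumerate(lines, 1):
        key, _, value = line.partition(" ")
        if key == "ListenAddress":
            try:
                parse_listen_address(value)
            except ValueError as exc:
                return n, f"line {n}: {exc}"
    return None


if __name__ == "__main__":
    # Reproduction option 1 from the issue: a scalar string.
    broken = render_listen_addresses("::")
    print(broken, validate_rendered(broken))
    # The maintainer's fix: a one-element list.
    fixed = render_listen_addresses(["[::]"])
    print(fixed, validate_rendered(fixed))
    # One entry per address family when both are wanted.
    both = render_listen_addresses(["0.0.0.0", "[::]"])
    print(both, validate_rendered(both))
```

The scalar `"::"` renders as two `ListenAddress :` lines, and the first of them trips the port check because nothing follows the colon. One practical caveat when choosing the list contents: sshd sets `IPV6_V6ONLY` on its IPv6 listening sockets, so a lone `ListenAddress ::` binds IPv6 only; listing `0.0.0.0` and `[::]` as separate items (or leaving the directive unset, which is what the reporter observed on Debian) is what gives both families.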

@Wolvez1911
Author

That worked. Apparently it was a ME problem. Thanks for the help
