Support systemd socket activation for sshd #763

Closed
schurzi opened this issue May 28, 2024 · 2 comments · Fixed by #769

Comments

@schurzi
Contributor

schurzi commented May 28, 2024

Description

Recent Ubuntu versions have changed how sshd is started (https://discourse.ubuntu.com/t/sshd-now-uses-socket-based-activation-ubuntu-22-10-and-later/30189). We should evaluate what we will need to change in our configuration to support this.

Solution

Update our role to support the new way of running things.

Alternatives

No response

Additional information

We removed some tests to temporarily support the changes (#762); this should be reverted to do the full tests again.

Things we need to look into, that come to my mind:

  • restart handler needs to be different
  • config file needs no Listen directives
  • Listen configuration moves to systemd

@rndmh3ro
Member

I don't want to include any Debian-specific systemd things here. Aside, letting the start AND the listen-port get handled by systemd, thus breaking decades-old standards, seems too much complication for too little benefit. Right now the sshd-hardening-role is very lightweight and I'd like to keep it that way.

So let's revert the behaviour. According to the link you provided we need to do this:

    rm /etc/systemd/system/ssh.service.d/00-socket.conf
    systemctl disable --now ssh.socket
    systemctl enable --now ssh.service
    systemctl daemon-reload
    systemctl restart ssh

In ansible-terms - a task to delete the 00-socket.conf, disable the ssh.socket, enable the ssh.service. Restart via handler.

@schurzi, what do you think?

@schurzi
Contributor Author

schurzi commented May 31, 2024

I too think that is the sensible thing to do here. I am just musing over the order of `systemctl disable --now ssh.socket` and `systemctl enable --now ssh.service`; we should not create situations where ssh access becomes unavailable.

@schurzi schurzi linked a pull request Jun 18, 2024 that will close this issue
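
The revert steps discussed in the comments above, written as an Ansible play. This is an added example, not the tasks merged for this issue: the play layout, the `ssh_socket_state` variable and the handler name are assumptions, while the unit names and the drop-in path are the ones quoted in the thread.

```yaml
# Added example (not the role's own code). Unit names and the drop-in path
# come from the commands quoted in the thread; everything else is assumed.
- name: Revert sshd from socket activation to a plain service
  hosts: all
  become: true
  tasks:
    - name: Check whether ssh.socket is enabled on this host
      ansible.builtin.command: systemctl is-enabled ssh.socket
      register: ssh_socket_state        # hypothetical variable name
      changed_when: false
      failed_when: false                # non-zero rc: unit missing or disabled
      when: ansible_facts['service_mgr'] == 'systemd'

    - name: Remove the socket-activation drop-in for ssh.service
      ansible.builtin.file:
        path: /etc/systemd/system/ssh.service.d/00-socket.conf
        state: absent
      notify: Restart ssh

    - name: Disable and stop ssh.socket
      ansible.builtin.systemd:
        name: ssh.socket
        enabled: false
        state: stopped
      when:
        - ssh_socket_state.rc is defined   # undefined when the check was skipped
        - ssh_socket_state.rc == 0
      notify: Restart ssh

    # Runs directly after the socket is stopped, in the order given in the
    # thread. daemon_reload is applied before the unit is enabled and started,
    # so the removed drop-in is no longer in effect.
    - name: Enable and start ssh.service
      ansible.builtin.systemd:
        name: ssh.service
        enabled: true
        state: started
        daemon_reload: true
      when: ansible_facts['service_mgr'] == 'systemd'

  handlers:
    - name: Restart ssh                    # hypothetical handler name
      ansible.builtin.systemd:
        name: ssh.service
        state: restarted
```

On hosts without `ssh.socket` the check returns a non-zero code and the socket task is skipped, so the play leaves systems that never used socket activation unchanged.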