Description
On a fresh or unusually configured Debian/Ubuntu server, it's possible for the /etc/ssh/ directory to be missing the ssh_host_ecdsa_key and ssh_host_ed25519_key files, even with a modern OpenSSH server (OpenSSH_9.2p1 Debian-2+deb12u6, OpenSSL 3.0.16 11 Feb 2025) installed.
Reproduction steps
I am using a VPS from ColoCrossing.
1. Reinstall the OS (Debian 12)
2. Run this role
Current Behavior
2025-07-18 13:14:59,554 p= u= n=ansible INFO| TASK [devsec.hardening.ssh_hardening : Change host private key ownership, group and permissions] *********************************************************************************************
2025-07-18 13:15:05,018 p= u= n=ansible INFO| ok: [xxx] => (item=/etc/ssh/ssh_host_rsa_key)
2025-07-18 13:15:10,845 p= u= n=ansible INFO| failed: [xxx] (item=/etc/ssh/ssh_host_ecdsa_key) => {"ansible_loop_var": "item", "changed": false, "item": "/etc/ssh/ssh_host_ecdsa_key", "msg": "file (/etc/ssh/ssh_host_ecdsa_key) is absent, cannot continue", "path": "/etc/ssh/ssh_host_ecdsa_key", "state": "absent"}
2025-07-18 13:15:16,324 p= u= n=ansible INFO| failed: [xxx] (item=/etc/ssh/ssh_host_ed25519_key) => {"ansible_loop_var": "item", "changed": false, "item": "/etc/ssh/ssh_host_ed25519_key", "msg": "file (/etc/ssh/ssh_host_ed25519_key) is absent, cannot continue", "path": "/etc/ssh/ssh_host_ed25519_key", "state": "absent"}
Expected Behavior
no failed task
OS / Environment
Linux local 6.1.0-37-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.140-1 (2025-05-22) x86_64 GNU/Linux
Ansible Version
ansible [core 2.18.7]
Collection Version
---
collections:
- name: devsec.hardening
version: 10.3.0
Additional information
Now I can regenerate these missing files by running sudo dpkg-reconfigure openssh-server.
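As an added example (not part of the issue or of the devsec.hardening collection), a playbook that checks for the three default host key files before the role runs and regenerates any that are missing, so the ownership/permissions task never hits an absent path. It assumes the default Debian key paths, the Debian service name "ssh", and that ssh-keygen is available on the target; ssh-keygen -A creates only the default host keys that do not yet exist, giving the same result the reporter got from dpkg-reconfigure openssh-server.

```yaml
---
# Added example: pre-flight check for OpenSSH host keys, run before
# devsec.hardening.ssh_hardening. Paths, service name and host pattern
# are assumptions for this example.
- name: Ensure OpenSSH host keys exist, then harden sshd
  hosts: all
  become: true

  pre_tasks:
    - name: Check which default host key files are present
      ansible.builtin.stat:
        path: "{{ item }}"
      loop:
        - /etc/ssh/ssh_host_rsa_key
        - /etc/ssh/ssh_host_ecdsa_key
        - /etc/ssh/ssh_host_ed25519_key
      register: host_key_stat

    - name: Report missing host keys (for the run log)
      ansible.builtin.debug:
        msg: "Missing host key: {{ item.item }}"
      loop: "{{ host_key_stat.results | rejectattr('stat.exists') | list }}"
      loop_control:
        label: "{{ item.item }}"

    # ssh-keygen -A generates every default key type whose file is
    # absent and leaves existing keys untouched, so it is safe to run
    # on hosts that already have a full set.
    - name: Regenerate missing host keys
      ansible.builtin.command: ssh-keygen -A
      when: host_key_stat.results | rejectattr('stat.exists') | list | length > 0
      notify: Restart sshd

    # Make sure sshd has loaded the new keys before the role touches
    # its configuration.
    - name: Flush handlers before hardening
      ansible.builtin.meta: flush_handlers

  roles:
    - devsec.hardening.ssh_hardening

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: ssh
        state: restarted
```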