From c15ae89385e0ebca9bb5fe7230ae076e29ac14a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <Joerg.Sachse@slub-dresden.de>
Date: Fri, 11 Mar 2022 13:00:38 +0100
Subject: [PATCH] feat: validate modified sshd_config file to avoid locking
 ourselves out of SSH due to invalid config

---
 tasks/configure-ssh-hardening.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tasks/configure-ssh-hardening.yml b/tasks/configure-ssh-hardening.yml
index cb01036..b34818d 100644
--- a/tasks/configure-ssh-hardening.yml
+++ b/tasks/configure-ssh-hardening.yml
@@ -1,10 +1,11 @@
 ---
 - name: Konfiguration für OpenSSH einspielen - gehärtete Config
-  blockinfile:
+  ansible.builtin.blockinfile:
     path: "/etc/ssh/sshd_config"
     backup: "yes"
     insertbefore: "### BEGIN ANSIBLE MANAGED BLOCK - SFTP SERVER"
     marker: "### {mark} ANSIBLE MANAGED BLOCK - HARDENED SSH SERVER"
+    validate: /usr/sbin/sshd -T -f %s
     block: |
       ### Debian-specific default configurations as described by sshd_config(5) manpage. These differ from the vanilla OpenSSH defaults.
       ChallengeResponseAuthentication no
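Review bot: The new `validate:` line only proves the merged file parses and the host keys load; it cannot catch a configuration that is syntactically valid but still locks the operator out (for example an `AllowUsers`/`AllowGroups` list or a `Match` block that excludes the account Ansible connects with), so the task name or a comment above `validate:` should say so, e.g. `# syntax/key check only — does not guarantee the operator's login still works`. The binary path `/usr/sbin/sshd` is hard-coded; that matches the Debian-specific block below, but on a host where sshd lives elsewhere the validate command fails and the task fails closed, which is the safe outcome but worth noting in the role docs or moving into a variable. If the full effective configuration that `-T` writes to stdout is unwanted in the task result, the plain test mode `validate: /usr/sbin/sshd -t -f %s` checks the same file and keys more quietly. Note also that `validate` runs only when blockinfile actually changes the file, so an already-broken sshd_config that this block leaves untouched is not checked by this task.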
-- 
GitLab