Description
After running the role devsec.hardening.ssh_hardening with the following configuration:
roles:
  - role: devsec.hardening.ssh_hardening
    vars:
      ssh_server_password_login: false
      ssh_permit_root_login: "no"
I could no longer reach my server via SSH. I realized that this was because IPv6 connections were disabled by the role by setting the listening address to 0.0.0.0 instead of ::, which will listen on both IPv4 and IPv6.
Reproduction steps
- hosts: all
  become: yes
  collections:
    - devsec.hardening
  roles:
    - role: devsec.hardening.ssh_hardening
      vars:
        ssh_server_password_login: false
        ssh_permit_root_login: "no"
Current Behavior
# Addresses sshd listens on. Default is 0.0.0.0.
# Specify desired address here if you don't want sshd to listen on all available addresses.
ListenAddress 0.0.0.0
This will only listen on IPv4 addresses.
Expected Behavior
ListenAddress ::
This will listen on all IPv4 and IPv6 addresses.
OS / Environment
Debian Trixie (13.1)
Ansible Version
ansible [core 2.18.1]
config file = None
configured module search path = ['/home/robert/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3/dist-packages/ansible
ansible collection location = /home/robert/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/bin/ansible
python version = 3.13.3 (main, Aug 14 2025, 11:53:40) [GCC 14.2.0] (/usr/bin/python3)
jinja version = 3.1.5
libyaml = True
Collection Version
Paste version of the collection. This will be automatically formatted into code, so no need for backticks.
Additional information
No response
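
A pre-flight check for the lockout described in this report, as an added example that is not part of the original issue or of the devsec.hardening project: it parses sshd_config text (or `sshd -T` output) and reports whether a management client's address family would still be served. It assumes OpenSSH's behaviour of binding IPv6 listening sockets as IPv6-only, so each ListenAddress counts only for its own family; the function names and the sample addresses (documentation ranges) are constructed.

```python
import ipaddress

FAMILY_BY_KEYWORD = {"inet": {"ipv4"}, "inet6": {"ipv6"}, "any": {"ipv4", "ipv6"}}

def _host_of(value):
    """Extract the host part of a ListenAddress argument."""
    if value.startswith("["):            # [addr]:port or [addr]
        return value[1:value.index("]")]
    if value.count(":") == 1:            # addr:port or hostname:port
        return value.split(":", 1)[0]
    return value                         # bare IPv4, bare IPv6 or hostname

def listen_families(config_text):
    """Return (families, hostnames): the address families sshd would listen on,
    plus ListenAddress hostnames that cannot be classified without DNS."""
    allowed, explicit, hostnames, seen = None, set(), [], False
    for raw in config_text.splitlines():
        # Drop comments; sshd_config also accepts "Keyword=value".
        parts = raw.split("#", 1)[0].replace("=", " ", 1).split()
        if len(parts) < 2:
            continue
        key, arg = parts[0].lower(), parts[1]
        if key == "addressfamily" and allowed is None:   # first value wins
            allowed = FAMILY_BY_KEYWORD.get(arg.lower())
        elif key == "listenaddress":
            seen = True
            try:
                ip = ipaddress.ip_address(_host_of(arg))
                # Assumption: an address serves only its own family (IPv6-only sockets).
                explicit.add("ipv4" if ip.version == 4 else "ipv6")
            except ValueError:
                hostnames.append(arg)
    allowed = allowed or {"ipv4", "ipv6"}
    # No ListenAddress at all means every local address of the allowed families.
    families = explicit if seen else {"ipv4", "ipv6"}
    return families & allowed, hostnames

def would_lock_out(config_text, client_addr):
    """True if the client's address family is not among the listening families."""
    families, _ = listen_families(config_text)
    version = ipaddress.ip_address(client_addr).version
    return ("ipv4" if version == 4 else "ipv6") not in families

# Constructed sample: the directive from this report, and an IPv6 admin client.
RENDERED = "# Addresses sshd listens on.\nListenAddress 0.0.0.0\n"

if __name__ == "__main__":
    print("lockout risk:", would_lock_out(RENDERED, "2001:db8::10"))
```

Running it against the rendered template (for example in Ansible check mode) before sshd is restarted shows whether the address family of the current management session is about to disappear.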