Ansible on Debian 12 Bookworm: OpenSSH Hardening Complete Guide
By Luca Berton · Published 2024-01-01 · Category: installation
Automate openssh hardening on Debian 12 Bookworm (Linux 6.1, GA 2023-06-10) with Ansible. Disable password auth, enforce ed25519 keys, restrict ciphers.
Debian 12 Bookworm (Linux 6.1) reached general availability on 2023-06-10 and is supported LTS through 2028. systemd 252, OpenSSL 3.0, non-free-firmware split. This guide shows how to automate openssh hardening on Debian 12 Bookworm with Ansible end-to-end: prerequisites, an opinionated playbook using the ansible.builtin.lineinfile module, validation, and troubleshooting.
Every example is tested with ansible-core 2.18 LTS on a Linux control node and is idempotent — re-running the playbook converges to the same state with zero changed tasks.
Why OpenSSH Hardening on Debian 12 Bookworm
Debian 12 Bookworm is a workhorse for production Linux. Hand-rolling shell scripts for openssh hardening drifts within weeks. Ansible's ansible.builtin.lineinfile module gives you idempotent state management, dry-run with --check, and rollback via inventory.
Prerequisites
Control node: Linux/macOS with Python 3.11+ and ansible-core 2.18.
Managed node (Debian 12 Bookworm, Linux 6.1):
• SSH key-based auth as a sudoer
• Python 3 (python3) installed (default on Debian 12 Bookworm)
• Time synced via systemd-timesyncd or chrony
OpenSSH Hardening playbook
Inventory
[debian-12-bookworm]
host01.example.com
[debian-12-bookworm:vars]
ansible_connection=ssh
ansible_user=ansible
ansible_become=true
ansible_become_method=sudo
Playbook
---
- name: Harden OpenSSH on Debian 12 Bookworm
  hosts: debian-12-bookworm
  tasks:
    - name: Disable password auth
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PasswordAuthentication'
        line: 'PasswordAuthentication no'
        # reject the edit if sshd cannot parse the resulting file
        validate: 'sshd -t -f %s'
      notify: restart-ssh

    - name: Restrict ciphers
      ansible.builtin.blockinfile:
        path: /etc/ssh/sshd_config.d/10-crypto.conf
        create: true
        block: |
          KexAlgorithms curve25519-sha256@libssh.org,curve25519-sha256
          Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
          MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
        # a typo in an algorithm name would otherwise stop sshd from starting
        validate: 'sshd -t -f %s'
      notify: restart-ssh

  handlers:
    - name: restart-ssh
      ansible.builtin.systemd_service:
        name: ssh
        state: restarted
Validation
ansible-playbook -i inventory/debian-12-bookworm.ini openssh-hardening.yml --check --diff
ansible-playbook -i inventory/debian-12-bookworm.ini openssh-hardening.yml
Confirm idempotency by running the playbook a second time — the play recap should report changed=0.
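As an added check that is not part of the original guide (the function name and file paths are assumptions), this POSIX shell script verifies the effective sshd configuration from `sshd -T` output rather than from the files the playbook edited, so it also catches a drop-in under /etc/ssh/sshd_config.d/ that is included first and silently wins over the edit to sshd_config.

```shell
#!/bin/sh
# Added example, not part of the guide. `sshd -T` prints the merged, lowercased
# configuration; because the first value obtained for a keyword wins and Debian 12
# includes sshd_config.d/*.conf at the top, only the merged view is authoritative.
# check_sshd_effective and the sample files below are assumptions for this example.

# check_sshd_effective <dump>: <dump> is captured `sshd -T` output.
# Prints each mismatching directive to stderr; returns 0 only if all match.
check_sshd_effective() {
    dump="$1"
    rc=0
    # expected directive/value pairs, mirroring the playbook's settings
    for spec in \
        "passwordauthentication no" \
        "kexalgorithms curve25519-sha256@libssh.org,curve25519-sha256" \
        "ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com" \
        "macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com"
    do
        key="${spec%% *}"
        want="${spec#* }"
        got="$(awk -v k="$key" '$1 == k { print $2; exit }' "$dump")"
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: got '${got:-<unset>}', want '$want'" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample dump standing in for: sudo sshd -T > /tmp/sshd-effective.txt
hardened="$(mktemp)"
cat > "$hardened" <<'EOF'
port 22
passwordauthentication no
kexalgorithms curve25519-sha256@libssh.org,curve25519-sha256
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
EOF

# Constructed: same host after an included drop-in re-enabled password auth.
# sshd_config itself still says "no", but the merged configuration says "yes".
overridden="$(mktemp)"
sed 's/^passwordauthentication no$/passwordauthentication yes/' "$hardened" > "$overridden"

check_sshd_effective "$hardened" && echo "hardened: OK"
check_sshd_effective "$overridden" || echo "overridden: NOT hardened"
```

On a managed node, run it as root (sshd -T needs the host keys) after the play and before the handler restart is trusted; a non-zero exit is the signal to inspect /etc/ssh/sshd_config.d/ for a conflicting drop-in.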
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| Could not resolve hostname | DNS / /etc/hosts mismatch | Add A record or fix /etc/hosts |
| Sudo: a password is required | NOPASSWD missing | Grant ansible ALL=(ALL) NOPASSWD: ALL in /etc/sudoers.d/ansible |
| Failed to lock /var/lib/dpkg/ | unattended-upgrades running | Wait or run systemctl stop unattended-upgrades |
FAQ
Q. Which ansible-core release should I use with Debian 12 Bookworm?
Use ansible-core 2.18 LTS. It is the current long-term support line and matches the collection versions referenced in this guide.
Q. Is the ansible.builtin.lineinfile module idempotent?
Yes. Re-running the playbook converges to the same state and reports changed=0 on the second run.
Q. How do I roll back if openssh hardening breaks production?
Maintain a previous-version inventory and re-run the prior playbook. For package changes use APT pinning or DNF rollback.
Q. Does this playbook work in --check mode?
Yes. All tasks shown support check mode and --diff so you can preview changes before committing them.
Related guides
• Ansible playbooks for Windows Server 2025
• Ansible Windows automation WinRM complete guide
• Ansible 13 breaking-changes reference
• Ansible connection types: SSH, WinRM, Local, Docker, Network guide
Conclusion
Debian 12 Bookworm (Linux 6.1) is a first-class Ansible target for openssh hardening. Standardize on ansible-core 2.18 LTS plus the ansible.builtin collection, keep your inventory under version control, and gate every change with --check in CI. The playbook above is idempotent, supports rollback, and scales from a single host to thousands without modification.