ansible-collection-hardening

Cannot re-enable MOTD once disabled

Open Trufax opened this issue 3 years ago • 2 comments

Describe the bug

I use the Dynamic MOTD defined by Ubuntu as default.

Once the MOTD was disabled (by running the playbook with the default parameters) I could not re-enable it; it did not matter if I set "ssh_print_motd" or "ssh_print_pam_motd" or both. MOTD stays gone.

Expected behavior

Once I enable the MOTD it should appear at the SSH login.

Actual behavior

Log in with a user via SSH after the ssh-hardening role was executed; no MOTD appears. Rerun the Ansible role and enable the MOTD; when you check the Ansible output it seems to skip the step of enabling the MOTD:

TASK [dev-sec.ssh-hardening : disable dynamic MOTD] ****************************
skipping: [XX.XX.XX.XX] => {"changed": false, "skip_reason": "Conditional result was False"}

Also, when you log in again via SSH the MOTD is still gone. There seems to be no way to re-enable the dynamic MOTD via the Ansible script once it was disabled.

Example Playbook

- hosts: XX.XX.XX.XX
  remote_user: username
  become: yes
  collections:
    - devsec.hardening
  roles:
  - role: dev-sec.ssh-hardening
    vars:
      sftp_enabled: true
      ssh_print_motd: true
      ssh_print_pam_motd: true
      ssh_print_last_log: true

OS / Environment

Ubuntu 20.10

Ansible Version

2.9.9

Role Version

latest

Trufax, Feb 07 '21 22:02

That's indeed a bug and should be changed. We could do this with the ternary operator that sets state to present or absent depending on ssh_print_pam_motd.

rndmh3ro, Feb 08 '21 09:02
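
The ternary approach suggested above could look like the task below. This is an added example, not the role's own code and not part of the original comments. It swaps in ansible.builtin.lineinfile (which accepts present/absent) and assumes the two pam_motd.so session lines found in a stock Ubuntu /etc/pam.d/sshd.

```yaml
# Added example (not the role's actual task).
# Assumption: the target uses the stock Ubuntu /etc/pam.d/sshd, which carries
# the two pam_motd.so session lines listed in the loop below.
- name: Enable or disable the dynamic MOTD in the sshd PAM stack
  ansible.builtin.lineinfile:
    path: /etc/pam.d/sshd
    # With state=present: replace the matching line, or append it if missing.
    # With state=absent: remove every line matching the regexp.
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    # The task always runs; the variable only decides the direction, so
    # flipping ssh_print_pam_motd back to true restores the lines.
    state: "{{ ssh_print_pam_motd | bool | ternary('present', 'absent') }}"
    # Keep a timestamped copy of the PAM file before changing it.
    backup: true
  loop:
    - regexp: '^session\s+optional\s+pam_motd\.so\s+motd=/run/motd\.dynamic'
      line: 'session    optional     pam_motd.so  motd=/run/motd.dynamic'
    - regexp: '^session\s+optional\s+pam_motd\.so\s+noupdate'
      line: 'session    optional     pam_motd.so noupdate'
```

Because the task has no `when:` condition, it is not skipped when the variable is true, which is the behaviour reported in the output above.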

Current workaround is to revert to an earlier backup of the sshd file in /etc/pam.d on the box the playbook has run on.

Sebster7, Jun 21 '22 17:06