diff --git a/roles/ssh_hardening/tasks/disable-systemd-socket.yml b/roles/ssh_hardening/tasks/disable-systemd-socket.yml index c867fcbb..35f8988e 100644 --- a/roles/ssh_hardening/tasks/disable-systemd-socket.yml +++ b/roles/ssh_hardening/tasks/disable-systemd-socket.yml @@ -10,9 +10,3 @@ state: stopped enabled: false masked: true - -- name: Enable normal sshd start - ansible.builtin.systemd: - name: ssh.service - state: started - enabled: true diff --git a/roles/ssh_hardening/tasks/hardening.yml b/roles/ssh_hardening/tasks/hardening.yml index 59a82530..6ebbd2bd 100644 --- a/roles/ssh_hardening/tasks/hardening.yml +++ b/roles/ssh_hardening/tasks/hardening.yml @@ -32,14 +32,8 @@ ansible.builtin.set_fact: sshd_version: "{{ sshd_version_raw.stderr | regex_replace('.*_([0-9]*.[0-9]).*', '\\1') }}" -# see https://github.com/dev-sec/ansible-collection-hardening/issues/763 -- name: Change Debian/Ubuntu systems so ssh starts traditionally instead of socket-activated - ansible.builtin.include_tasks: disable-systemd-socket.yml - when: - - ssh_server_hardening | bool - - ssh_server_enabled | bool - - (ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version is version('22.04', '>=')) or - (ansible_facts.os_family == 'Debian' and ansible_facts.distribution_major_version is version('12', '>=')) +- name: Install openssh package and configure the service + ansible.builtin.include_tasks: install.yml - name: Set default for ssh_host_key_files if not supplied ansible.builtin.include_tasks: crypto_hostkeys.yml diff --git a/roles/ssh_hardening/tasks/install.yml b/roles/ssh_hardening/tasks/install.yml new file mode 100644 index 00000000..174c6ea9 --- /dev/null +++ b/roles/ssh_hardening/tasks/install.yml 
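Review bot: The new `ansible.builtin.include_tasks: install.yml` is placed after the `set_fact` that derives `sshd_version` from `sshd_version_raw.stderr`, so the version probe that fills `sshd_version_raw` (outside this hunk) runs before the package is installed; on a host without openssh the role would fail there before install.yml is ever reached. If the install task exists so the role works on a bare host, the include has to move ahead of the version-detection tasks; if it only reconciles an already-present package, say so in the task name or a comment, e.g. `# openssh must already be installed here; install.yml only pins package/service state`. Either way the replaced include was gated on `ssh_server_hardening` and `ssh_server_enabled` while this one is unconditional, so the gating now depends entirely on what install.yml does internally.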
@@ -0,0 +1,20 @@
+---
+
+- name: Install openssh package
+ ansible.builtin.package:
+ name: "{{ ssh_pkg_name }}"
+ state: present
+
+# see https://github.com/dev-sec/ansible-collection-hardening/issues/763
+- name: Change Debian/Ubuntu systems so ssh starts traditionally instead of socket-activated
+ ansible.builtin.include_tasks: disable-systemd-socket.yml
+ when:
+ - ssh_server_hardening | bool
+ - ssh_server_enabled | bool
+ - (ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version is version('22.04', '>=')) or
+ (ansible_facts.os_family == 'Debian' and ansible_facts.distribution_major_version is version('12', '>='))
+
+- name: Enable or disable sshd service
+ ansible.builtin.service:
+ name: "{{ sshd_service_name }}"
+ enabled: "{{ ssh_server_service_enabled }}"
diff --git a/roles/ssh_hardening/vars/Debian.yml b/roles/ssh_hardening/vars/Debian.yml
index d062326e..056c3da8 100644
--- a/roles/ssh_hardening/vars/Debian.yml
+++ b/roles/ssh_hardening/vars/Debian.yml
@@ -1,4 +1,5 @@
 ---
+ssh_pkg_name: "openssh-server openssh-client"
 sshd_path: /usr/sbin/sshd
 ssh_host_keys_dir: /etc/ssh
 sshd_service_name: ssh
diff --git a/roles/ssh_hardening/vars/Fedora.yml b/roles/ssh_hardening/vars/Fedora.yml
index 702989a7..666fdc4f 100644
--- a/roles/ssh_hardening/vars/Fedora.yml
+++ b/roles/ssh_hardening/vars/Fedora.yml
@@ -1,4 +1,5 @@
 ---
+ssh_pkg_name: ssh
 sshd_path: /usr/sbin/sshd
 ssh_host_keys_dir: /etc/ssh
 sshd_service_name: sshd
diff --git a/roles/ssh_hardening/vars/Fedora_37.yml b/roles/ssh_hardening/vars/Fedora_37.yml
index fa0f3b6f..7b19679b 100644
--- a/roles/ssh_hardening/vars/Fedora_37.yml
+++ b/roles/ssh_hardening/vars/Fedora_37.yml
@@ -1,4 +1,5 @@
 ---
+ssh_pkg_name: ssh
 sshd_path: /usr/sbin/sshd
 ssh_host_keys_dir: /etc/ssh
 sshd_service_name: sshd
diff --git a/roles/ssh_hardening/vars/FreeBSD.yml b/roles/ssh_hardening/vars/FreeBSD.yml
index 2967494d..0aa951d3 100644
--- a/roles/ssh_hardening/vars/FreeBSD.yml
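Review bot: The `Install openssh package` task carries no `when`, so the role now installs `{{ ssh_pkg_name }}` — which on Debian/Ubuntu includes `openssh-server` — on every host it touches, including hosts where `ssh_server_enabled` is false or only client hardening was wanted; a hardening role unconditionally adding a network listener's package is an attack-surface regression, and gating it with `when: ssh_server_enabled | bool` (or splitting the variable into server and client package lists) would close that. The `Enable or disable sshd service` task only manages `enabled`, whereas the task removed from disable-systemd-socket.yml in this commit used `state: started`; on Debian 12 / Ubuntu 22.04+ the socket is stopped and masked by the included tasks and nothing in this file starts the service, so unless a handler elsewhere restarts sshd, a run with no config change can leave the host without a listener until reboot — adding `state: "{{ 'started' if ssh_server_service_enabled | bool else omit }}"` restores the old behaviour. `ssh_server_service_enabled` is new and its default is not in this diff; confirm it is declared in defaults/main.yml, otherwise the task errors on an undefined variable.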
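Review bot: `ssh_pkg_name: "openssh-server openssh-client"` hands two package names to `ansible.builtin.package` as one whitespace-separated string; the module delegates to `apt`, whose documented forms are a list or comma-separated names, and I would not rely on whitespace splitting across Ansible versions. Define the variable as a YAML list so the intent is explicit and the same `name: "{{ ssh_pkg_name }}"` works for every backend: `ssh_pkg_name:` / `  - openssh-server` / `  - openssh-client`. The new Ubuntu.yml carries the identical string and needs the same change.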
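Review bot: `ssh_pkg_name: ssh` does not match the names Fedora ships for OpenSSH — the daemon is in `openssh-server` and the client in `openssh-clients` — so I would expect `dnf` to report no match for `ssh` unless some provide exists that I cannot confirm from here. Because this vars file overrides the `openssh` default in main.yml, a wrong value makes the new install task fail on every Fedora host before any hardening runs, which the role's Fedora test scenario should catch. Fedora_37.yml has the same value; both should read `ssh_pkg_name: openssh-server` (or a list that also names the client package).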
+++ b/roles/ssh_hardening/vars/FreeBSD.yml
@@ -1,4 +1,5 @@
 ---
+ssh_pkg_name: openssh-portable
 sshd_path: /usr/sbin/sshd
 ssh_host_keys_dir: /etc/ssh
 sshd_service_name: sshd
diff --git a/roles/ssh_hardening/vars/Ubuntu.yml b/roles/ssh_hardening/vars/Ubuntu.yml
new file mode 100644
index 00000000..37189da4
--- /dev/null
+++ b/roles/ssh_hardening/vars/Ubuntu.yml
@@ -0,0 +1,2 @@
+---
+ssh_pkg_name: "openssh-server openssh-client"
diff --git a/roles/ssh_hardening/vars/main.yml b/roles/ssh_hardening/vars/main.yml
index 6c4bb2c9..6274c165 100644
--- a/roles/ssh_hardening/vars/main.yml
+++ b/roles/ssh_hardening/vars/main.yml
@@ -1,4 +1,7 @@
 ---
+
+ssh_pkg_name: openssh
+
 ssh_macs_53_default:
 - hmac-ripemd160
 - hmac-sha1
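Review bot: The catch-all `ssh_pkg_name: openssh` is what every platform without an override in this diff gets (only Debian, Ubuntu, Fedora and FreeBSD are overridden here; I cannot see whether a RedHat.yml exists elsewhere). On RHEL-family systems `openssh` is the shared base package that contains neither the `sshd` binary nor `sshd.service` — the daemon ships in `openssh-server` — so the install task would succeed while the following `service` task on `sshd` has nothing to manage or fails outright. Either add an os_family override with `ssh_pkg_name: openssh-server` or annotate this default, e.g. `# fallback only; distro vars files must override with the package that provides sshd`.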