Port parameter sshd_config is 22 AND whatever you specify
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
portable OpenSSH | Unknown | Unknown | |
openssh (Debian) | Fix Released | Unknown | |
openssh (Ubuntu) | Fix Released | Low | Unassigned |
Focal | Fix Released | Low | Unassigned |
Bug Description
[Impact]
* The "Port" option in sshd_config is accumulative, but due to a bug the default is re-added when an Include is encountered. Therefore we have these cases:
  a) Port 722
     Listens on 722 (correct)
  b) Port 722
     Port 2222
     Listens on 722 & 2222 (correct)
  c) Port 722
     include /path/to/
     Listens on 722 & 22 (defaults applied as if Port was unset)
* Of the above, (c) is a bug: it is not documented that way and can lead to open ports that are neither expected nor wanted.
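As an added example (not code from the bug report or from OpenSSH), a small Python model of the keyword semantics described above: first value wins for ordinary keywords, Port accumulates, Include is followed, and the 22 default applies only when no Port keyword appears anywhere in the tree, i.e. the fixed behaviour; an unfixed 8.2p1 would additionally bind 22 in the Include case, as the report shows. The function names and the two config files, written to a temporary directory, are constructed here for the demo.

```python
import glob
import os
import shlex
import tempfile

DEFAULT_PORT = 22  # what sshd binds when no Port keyword appears anywhere

def parse_sshd_config(path, opts=None, ports=None):
    """Walk an sshd_config tree: first value wins for ordinary keywords,
    Port accumulates, Include is followed (relative patterns under /etc/ssh)."""
    opts = {} if opts is None else opts
    ports = [] if ports is None else ports
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, *args = shlex.split(line)
            key = key.lower()
            if key == "include":
                for pattern in args:
                    if not os.path.isabs(pattern):
                        pattern = os.path.join("/etc/ssh", pattern)
                    for inc in sorted(glob.glob(pattern)):
                        parse_sshd_config(inc, opts, ports)
            elif key == "port":
                ports.extend(int(a) for a in args)
            else:
                opts.setdefault(key, " ".join(args))
    return opts, ports

def effective_ports(path):
    """Ports sshd binds under the fixed behaviour: the explicit list, else 22 only."""
    _, ports = parse_sshd_config(path)
    return sorted(set(ports)) if ports else [DEFAULT_PORT]

def unexpected_ports(path, allowed):
    """Ports that would be opened but are not on the operator's allow-list."""
    return sorted(set(effective_ports(path)) - set(allowed))

def demo():
    # Constructed sample from the report: top-level file sets Port 7722, then includes a default config without Port.
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "default_config"), "w") as f:
        f.write("PasswordAuthentication yes\nUsePAM yes\n")
    top = os.path.join(d, "sshd_config")
    with open(top, "w") as f:
        f.write(f"Port 7722\nPasswordAuthentication no\nInclude {d}/default_config\n")
    opts, _ = parse_sshd_config(top)
    return (effective_ports(top), unexpected_ports(top, [7722]),
            opts["passwordauthentication"], effective_ports(f"{d}/default_config"))
```

Comparing `unexpected_ports` against the ports `ss -nltp` actually reports for sshd is the quickest way to spot a daemon still showing the unfixed behaviour.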
[Test Case]
* Test if defaults are applied even if option is specified
Rename sshd_config to something_else and replace sshd_config with two lines to include the original config (now called something_else) and set the Port to 7722:
systemctl stop ssh
mv /etc/ssh/
cat > /etc/ssh/
Include /etc/ssh/
Port 7722
EOF
systemctl start ssh
systemctl status ssh
# restore the original config:
mv /etc/ssh/
Which will show:
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/
Active: active (running) since Sat 2020-05-02 15:31:37 UTC; 13s ago
Docs: man:sshd(8)
Process: 45261 ExecStartPre=
Main PID: 45271 (sshd)
Tasks: 1 (limit: 18457)
Memory: 1.3M
CGroup: /system.
May 02 15:31:37 cabernet systemd[1]: Starting OpenBSD Secure Shell server...
May 02 15:31:37 cabernet sshd[45271]: Server listening on 0.0.0.0 port 7722.
May 02 15:31:37 cabernet sshd[45271]: Server listening on :: port 7722.
May 02 15:31:37 cabernet sshd[45271]: Server listening on 0.0.0.0 port 22.
May 02 15:31:37 cabernet sshd[45271]: Server listening on :: port 22.
May 02 15:31:37 cabernet systemd[1]: Started OpenBSD Secure Shell server.
So, NOW it will have ports 22 AND 7722 open!
With the fix this should no longer happen.
* Test if multiple options still work
[Regression Potential]
* The change itself isn't very invasive and I don't expect it to break with crashes or similar.
But if people didn't realize that this is a bug, they might have a config in place and somewhat rely on the broken behavior.
It is good though that (a) and (b) above are the common cases and won't change.
Further, even if a user used (c), the explicitly configured port will still work.
Fortunately it is early in the Focal lifetime and it was the one introducing the 'include' feature - therefore I'd expect not too many people using it yet.
[Other Info]
* n/a
----
On my Ubuntu Server 20.04 LTS with OpenSSH 1:8.2p1-4, I have TWO sshd daemons. One (on port 22) is for internal use, accepts passwords etc. The second (on port 7722) does not allow PAM use and no passwords, allows only one user(name) and uses an alternative authorized_keys file (that only root can edit).
Any parameter FIRST encountered in sshd_config is the one that is accepted; others do not override (like in many other config files). There is one exception: 'Port', which is accumulative. To make life easier, I set the more restrictive parameters for port 7722 first and next include the system-default /etc/ssh/
The /etc/ssh/
Proposed solution: Remove the accumulative behavior for 'Port' and REQUIRE the 'Port' parameter like before (and maybe have second and later parameters override the earlier ones, like 'everyone else').
Regards,
Adriaan
PS Searching for solutions, I found that specifying 'ListenAddress 0.0.0.0:7722' stops sshd from listening to port 22. This, however, is not documented in 'man 5 sshd_config' and may be an unreliable side-effect.
Related branches
- Lucas Kanashiro (community): Approve
- Canonical Server: Pending requested
- Canonical Server packageset reviewers: Pending requested
- Diff: 103 lines (+69/-1), 4 files modified:
  debian/changelog (+7/-0)
  debian/control (+2/-1)
  debian/patches/lp-1876320-upstream-Do-not-call-process_queued_listen_addrs-for.patch (+59/-0)
  debian/patches/series (+1/-0)
- Lucas Kanashiro (community): Approve
- Canonical Server packageset reviewers: Pending requested
- Canonical Server: Pending requested
- Diff: 103 lines (+69/-1), 4 files modified:
  debian/changelog (+7/-0)
  debian/control (+2/-1)
  debian/patches/lp-1876320-upstream-Do-not-call-process_queued_listen_addrs-for.patch (+59/-0)
  debian/patches/series (+1/-0)
- Changed in openssh (Ubuntu Focal): status: New → Triaged; importance: Undecided → Low
- Changed in openssh (Ubuntu): status: Triaged → In Progress
- Changed in openssh (Ubuntu Focal): status: Triaged → In Progress
- Changed in openssh (Debian): status: Unknown → New
- Changed in openssh (Debian): status: New → Fix Released
@Adriaan, are there really 2 sshd running? Or is it only one binding to the 2 ports and applying different parameters using Match conditions? Beware that on 20.04, there is support for additional config snippets dropped in /etc/ssh/sshd_config.d/*.conf.
To check for 2 daemons:
sudo ss -nltp | grep sshd