Package creates a socket file for all addresses of all families, even when bind to a single address

Bug #1991566 reported by Corey Reichle
This bug affects 1 person

Affects           Status       Importance   Assigned to   Milestone
openssh (Ubuntu)  Incomplete   Undecided    Unassigned

Bug Description

I am configuring OpenSSH to listen only on ipv4 and only on one interface and one address, with nginx listening on 22 on the other interface, and families.

In order to make this happen, I had to "break" the socket file installed by the package at:

/etc/systemd/system/sockets.target.wants/ssh.socket

To read as follows:

[Unit]
Description=OpenBSD Secure Shell server socket
Before=ssh.service
Conflicts=ssh.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

#[Socket]
#ListenStream=22
#Accept=yes

#[Install]
#WantedBy=sockets.target

(Commented out the lines that installed the socket)

Then a daemon-reload, and restart of nginx, and all components of the solution are working as required.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: openssh-server 1:8.9p1-3 [modified: lib/systemd/system/ssh.socket]
ProcVersionSignature:

Uname: Linux 5.15.53-1-pve x86_64
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckResult: unknown
Date: Mon Oct 3 16:36:37 2022
ProcEnviron:
 TERM=linux
 PATH=(custom, no user)
 LANG=C
 SHELL=/bin/bash
SourcePackage: openssh
UpgradeStatus: No upgrade log present (probably fresh install)

Corey Reichle (corey-reichle) wrote :
Steve Langasek (vorlon) wrote :

Your bug report is against jammy, but socket activation is a default for ssh only in kinetic. Were you using ubuntu-bug from a different machine than the one affected?

> In order to make this happen, I had to "break" the socket file installed by the package at:

> /etc/systemd/system/sockets.target.wants/ssh.socket

So first of all, this is a symlink to a file under /lib; your changes will be overwritten on package upgrade.

Secondly, listening on all interfaces is a default for openssh, both before and after the move to socket-based activation. To configure the systemd socket unit to listen on a particular interface, you need only drop an override file in /etc/systemd/system/ssh.socket.d/ with the contents:

[Socket]
ListenStream=
ListenStream=$address:22

Changed in openssh (Ubuntu):
status: New → Incomplete
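The drop-in above is the supported way to narrow the socket-activated listener, and the empty ListenStream= line is what clears the packaged default of *:22 before the new address is added. The reporter's objection is that this leaves two places to configure the same thing. The script below is an added example, not part of this bug report or of the openssh package: it reads the ListenAddress (and Port) directives from an sshd_config and generates the matching drop-in, so the socket unit stays in sync with sshd_config. It also handles bare and bracketed IPv6 addresses and addresses with an explicit port, which the comment's single-line example does not show. The output path, the listen.conf file name and the sample config are assumptions; run it with the argument demo to see it work on a constructed config in a temporary directory.

```bash
#!/bin/bash
# Added example (not from the bug report or the openssh package): generate a
# systemd drop-in for ssh.socket from the ListenAddress lines of an sshd_config,
# so the socket-activated listener binds only where sshd_config says it should.
set -eu

# Print one ListenStream= line per ListenAddress directive in the config $1.
# Addresses without a port get the config's Port directive (default 22).
# Handles: 192.0.2.10, 192.0.2.10:2222, 2001:db8::10, [2001:db8::10]:2222
gen_listen_lines() {
    local cfg="$1"
    local port
    port=$(awk 'tolower($1)=="port"{p=$2} END{print (p==""?22:p)}' "$cfg")
    awk -v port="$port" '
        tolower($1)=="listenaddress" {
            a=$2
            # bracketed IPv6 with explicit port: pass through unchanged
            if (a ~ /^\[.*\]:[0-9]+$/) { print "ListenStream=" a; next }
            # bare IPv6 (more than one colon): systemd wants it in brackets
            if (gsub(/:/, ":", a) > 1) { print "ListenStream=[" a "]:" port; next }
            # IPv4 (or hostname) with explicit port: pass through unchanged
            if (a ~ /^[^:]+:[0-9]+$/) { print "ListenStream=" a; next }
            # IPv4 (or hostname) without port: append the configured port
            print "ListenStream=" a ":" port
        }' "$cfg"
}

# Write the drop-in at $1 (assumed path: /etc/systemd/system/ssh.socket.d/listen.conf)
# from the sshd_config at $2 (default /etc/ssh/sshd_config). The first, empty
# ListenStream= clears the packaged *:22 default, as in the comment above.
# Refuses to write an override when sshd_config has no ListenAddress at all,
# because then "all interfaces" is exactly what sshd_config asks for.
write_override() {
    local out="${1:-/etc/systemd/system/ssh.socket.d/listen.conf}"
    local cfg="${2:-/etc/ssh/sshd_config}"
    local lines
    lines=$(gen_listen_lines "$cfg")
    if [ -z "$lines" ]; then
        echo "no ListenAddress in $cfg; leaving ssh.socket untouched" >&2
        return 1
    fi
    mkdir -p "$(dirname "$out")"
    {
        echo "[Socket]"
        echo "ListenStream="
        printf '%s\n' "$lines"
    } > "$out"
    echo "wrote $out"
}

# Demo on a constructed sshd_config in a temporary directory (not a real host).
demo_run() {
    local tmp
    tmp=$(mktemp -d)
    cat > "$tmp/sshd_config" <<'EOF'
Port 22
AddressFamily inet
ListenAddress 192.0.2.10
EOF
    write_override "$tmp/ssh.socket.d/listen.conf" "$tmp/sshd_config"
    cat "$tmp/ssh.socket.d/listen.conf"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo_run; fi
```

After writing the real override, run systemctl daemon-reload and systemctl restart ssh.socket, then confirm the result with systemctl show ssh.socket -p Listen or ss -ltn: the socket should now appear only on the addresses taken from sshd_config, not on 0.0.0.0:22 and [::]:22. Because the drop-in lives under /etc, it survives package upgrades, unlike the edited symlink target in the report.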
Corey Reichle (corey-reichle) wrote :

I ran this from a container image running under LXC, so perhaps that's the confusion of jammy vs kinetic.

Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.53-1-pve x86_64)

(From motd)

While yes, this "solution" I did will in fact get wiped on upgrade, it was done as a troubleshooting step, to figure out if this was, in fact, the issue.

However, listening on all interfaces, as a default, may be fine; however, this is managed via the sshd config. Otherwise, we are left with 2 places to configure a service that already has a very comprehensive configuration file, all of its own (/etc/ssh/sshd_config).

If the sshd config is modified, it should trigger re-creation of the pertinent socket, or all configuration of sshd should be within its unit file, and not in another configuration file.

A more sane default would be "Listen only on the interfaces the service has requested", not "Listen on all interfaces, regardless of what the configuration file specifies" I would think? Or "Listen only on interfaces that have been requested".

Prior to socket activation, openssh only listens on interfaces specified in its config file, which does default to all families, all interfaces, unless it's specified. Then, it listens only where it is told to do so (as indicated in the attached sshd conf).
