Changing Port in sshd_config requires calling systemctl daemon-reload

Bug #2069041 reported by teutat3s
Affects           Status         Importance  Assigned to    Milestone
openssh (Ubuntu)  Fix Released   Medium      Nick Rosbrook
Noble             Fix Committed  Medium      Nick Rosbrook

Bug Description

[Impact]

There is currently no comment in the default /etc/ssh/sshd_config explaining that a systemctl daemon-reload is needed for changes to Port etc. to take effect when systemd socket activation is used (the default on Ubuntu).

Users may change e.g. Port in /etc/ssh/sshd_config and expect systemctl restart ssh.service to reflect the change, but this will not work.

[Test Plan]

1. The proposed fix here is to improve the documentation by adding a comment above the default Port setting in /etc/ssh/sshd_config. Hence, the test is to simply install openssh-server from noble-proposed, and verify that the comment is there.

2. Because the patch changes the default sshd_config, and debian/openssh-server.ucf-md5sum needs to be updated when this happens, an upgrade from noble to oracular should be done after installing openssh-server from noble-proposed. If a debconf prompt is shown, then a mistake was made in recording the checksums. Otherwise, they are correct.

[Where problems could occur]

There is low technical risk, but we should be sure that the documentation is clear and improves the experience of users. It could be harmful if the documentation accidentally makes things worse, or is just confusing.

Also, a packaging quirk of openssh-server is that checksums of the patched sshd_config (along with certain settings tweaked) need to be recorded in debian/openssh-server.ucf-md5sum to avoid unnecessary debconf prompts on upgrades. I have updated those checksums, but if they are incorrect, then in future upgrades users might see an unnecessary debconf prompt about /etc/ssh/sshd_config.

[Original Description]

Changing the Port directive in sshd_config and restarting ssh.service is without effect; sshd keeps listening on port 22.

Also mentioned in https://discourse.ubuntu.com/t/sshd-now-uses-socket-based-activation-ubuntu-22-10-and-later/30189/32

Steps to reproduce:
1. Install Ubuntu 24.04 LTS
2. Change Port directive in /etc/ssh/sshd_config to Port 2233
3. Restart ssh.service
4. Observe sshd still listening on port 22

Expected behaviour: sshd changes port to 2233

Actual behaviour: sshd keeps listening on port 22

Steve Langasek (vorlon)
tags: added: rls-nn-incoming rls-oo-incoming
Changed in openssh (Ubuntu):
status: New → Triaged
Nick Rosbrook (enr0n) wrote :

With 24.04 LTS, ssh is socket activated by default. The configuration for the socket is generated by reading the regular /etc/ssh/sshd_config (or /etc/ssh/sshd_config.d/ snippets), but the configuration needs to be reloaded. So, the steps for configuring a new port are:

# Add new port to /etc/ssh/sshd_config.d/port.conf
systemctl daemon-reload
systemctl restart ssh.socket

The key point being that a systemctl daemon-reload is needed.

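The procedure in the comment above, and the steps to reproduce in the description, as an added example that is not part of this bug or of Ubuntu's openssh packaging: a POSIX shell script that sets the port through a drop-in under /etc/ssh/sshd_config.d/, runs the daemon-reload the thread identifies as the missing step, restarts ssh.socket, and then compares systemd's own view of ssh.socket against the Port directives in the configuration, which is exactly the mismatch the reporter hit. The paths, the port.conf drop-in name, the use of sshd -t to validate before applying, and reading the live listen addresses with systemctl show -p Listen are assumptions about the host, not something the bug states; the SSHD_CONFIG, SSHD_CONFIG_DIR, SYSTEMCTL and SSHD variables exist only so the logic can be exercised without root.

```shell
#!/bin/sh
# Change the port of a socket-activated sshd and confirm that ssh.socket
# really picked the change up. Added example for this bug thread; it is
# not part of Ubuntu's openssh packaging. The paths match the default
# Ubuntu 24.04 layout but are assumptions about the host you run it on.
# Run as root. Keep your current session open and test a fresh login on
# the new port (and allow it in the firewall first) before logging out.

: "${SSHD_CONFIG:=/etc/ssh/sshd_config}"
: "${SSHD_CONFIG_DIR:=/etc/ssh/sshd_config.d}"
: "${SYSTEMCTL:=systemctl}"   # overridable so the logic can be exercised offline
: "${SSHD:=sshd}"

# Ports sshd would bind: every uncommented "Port N" in the main file and
# the drop-in directory. sshd accepts several Port lines and listens on
# all of them; if none is present the default is 22.
configured_ports() {
    for f in "$SSHD_CONFIG" "$SSHD_CONFIG_DIR"/*.conf; do
        [ -f "$f" ] && cat "$f"
    done | awk 'tolower($1) == "port" { print $2; found = 1 }
                END { if (!found) print 22 }' | sort -un
}

# Ports ssh.socket is bound to according to systemd. After daemon-reload
# this reflects the unit generated from sshd_config; before the reload it
# still reflects the old configuration, which is the symptom in this bug.
socket_ports() {
    "$SYSTEMCTL" show ssh.socket -p Listen --value |
        sed -n 's/^\(Listen=\)\{0,1\}.*:\([0-9][0-9]*\) (Stream)$/\2/p' | sort -un
}

# Set the port via a drop-in (leaves the packaged sshd_config untouched,
# so later upgrades do not prompt about it), validate, reload, restart.
set_port() {
    port=$1
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "port out of range: $port" >&2; return 1; }
    mkdir -p "$SSHD_CONFIG_DIR"
    printf 'Port %s\n' "$port" > "$SSHD_CONFIG_DIR/port.conf"
    "$SSHD" -t -f "$SSHD_CONFIG" || return 1   # never apply a config sshd rejects
    # The step people miss: ssh.socket's listen addresses are generated
    # from sshd_config, and generators only run on daemon-reload. Restarting
    # ssh.service (or the socket without the reload) keeps the old port.
    "$SYSTEMCTL" daemon-reload
    "$SYSTEMCTL" restart ssh.socket
}

# Exit 0 when the live socket matches the configuration, 1 otherwise.
check_drift() {
    want=$(configured_ports)
    have=$(socket_ports)
    [ "$want" = "$have" ] && return 0
    printf 'configured ports: %s\nssh.socket ports: %s\n' \
        "$(echo $want)" "$(echo $have)" >&2
    return 1
}

case ${1-} in
    --set)   set_port "$2" && check_drift ;;
    --check) check_drift ;;
esac
```

Usage: "sh sshport.sh --set 2233" as root writes the drop-in, validates, reloads, restarts the socket and then reports whether ssh.socket is bound to what the configuration asks for; "sh sshport.sh --check" on its own is the useful part when someone has already edited sshd_config and restarted only ssh.service, because it reports the drift instead of leaving you to discover it from a refused connection. The comparison is against systemd's view of the socket rather than ss output on purpose: it is the generated unit that has to change, and that only happens on daemon-reload.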
tags: added: foundations-todo
removed: rls-nn-incoming rls-oo-incoming
Nick Rosbrook (enr0n) wrote :

There is really no way around requiring a daemon-reload. The best thing we can do here is improve the documentation to make this clear to users.

Changed in openssh (Ubuntu Noble):
status: New → Triaged
assignee: nobody → Nick Rosbrook (enr0n)
Changed in openssh (Ubuntu):
assignee: nobody → Nick Rosbrook (enr0n)
importance: Undecided → Medium
Changed in openssh (Ubuntu Noble):
importance: Undecided → Medium
Pedro Macedo (pedromacedo) wrote :

I modified the /etc/sshd/sshd_config file, ran the commands:
systemctl daemon-reload
systemctl restart ssh.socket
And the port was not changed.

Nick Rosbrook (enr0n) wrote :

@pedromacedo can you share the output of

$ grep Port /etc/sshd/sshd_config
$ systemctl daemon-reload
$ systemctl status ssh.socket ssh.service

shucai he (baozixiaoge) wrote :

I'm currently trying out the Ubuntu 24.04 version and encountered an issue where modifying the SSH port didn't take effect. Fortunately, I came across this help and followed your suggestions to attempt the modifications. The port modification is now working as expected.
sudo vim /etc/ssh/sshd_config
sudo systemctl daemon-reload
sudo systemctl restart ssh.socket

Nick Rosbrook (enr0n)
description: updated
Changed in openssh (Ubuntu):
status: Triaged → Fix Committed
description: updated
summary: - Changing Port in sshd_config and restarting ssh.service without effect
+ Changing Port in sshd_config requires calling systemctl daemon-reload
Nick Rosbrook (enr0n)
Changed in openssh (Ubuntu Noble):
status: Triaged → In Progress
Robie Basak (racb) wrote :

This isn't a full review, but in passing I saw:

> Also, a packaging quirk of openssh-server is that checksums of the patched sshd_config (along with certain settings tweaked) need to be recorded in debian/openssh-server.ucf-md5sum to avoid unnecessary debconf prompts on upgrades. I have updated those checksums, but if they are incorrect, then in future upgrades users might see an unnecessary debconf prompt about /etc/ssh/sshd_config.

Please add to the Test Plan to verify that there are no conffile prompts in the at-risk upgrade paths.

Nick Rosbrook (enr0n) wrote :

> Please add to the Test Plan to verify that there are no conffile prompts in the at-risk upgrade paths.

Added. Thanks.

description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:9.6p1-3ubuntu14

---------------
openssh (1:9.6p1-3ubuntu14) oracular; urgency=medium

  * d/p/sshd-socket-generator.patch: add note to sshd_config
    Explain that a systemctl daemon-reload is needed for changes
    to Port et al to take effect. (LP: #2069041)
  * debian/openssh-server.ucf-md5sum: add new checksums for sshd_config

 -- Nick Rosbrook <email address hidden> Tue, 18 Jun 2024 13:31:47 -0400

Changed in openssh (Ubuntu):
status: Fix Committed → Fix Released
Timo Aaltonen (tjaalton) wrote : Proposed package upload rejected

An upload of openssh to noble-proposed has been rejected from the upload queue for the following reason: "please rebase to current noble-security".

tags: added: noble
Nick Rosbrook (enr0n)
Changed in openssh (Ubuntu Noble):
status: In Progress → Triaged
Nick Rosbrook (enr0n)
Changed in openssh (Ubuntu Noble):
status: Triaged → In Progress
Chris Halse Rogers (raof) wrote : Please test proposed package

Hello teutat3s, or anyone else affected,

Accepted openssh into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssh/1:9.6p1-3ubuntu13.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in openssh (Ubuntu Noble):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-noble
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (openssh/1:9.6p1-3ubuntu13.6)

All autopkgtests for the newly accepted openssh (1:9.6p1-3ubuntu13.6) for noble have finished running.
The following regressions have been reported in tests triggered by the package:

crmsh/unknown (i386)
debvm/unknown (amd64)
fence-agents/4.12.1-2~exp1ubuntu4 (amd64)
freedombox/unknown (amd64)
g10k/unknown (amd64)
gvfs/unknown (amd64)
libnet-scp-perl/unknown (amd64)
libnet-sftp-foreign-perl/unknown (amd64)
libnetapp-perl/unknown (amd64)
nova/unknown (i386)
pkg-perl-tools/0.78 (amd64, armhf)
rancid/unknown (amd64)
tinyssh/20240101-2 (amd64, armhf)
ubuntu-boot-test/2 (amd64)
vorta/unknown (amd64)
wcc/unknown (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/noble/update_excuses.html#openssh

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Nick Rosbrook (enr0n) wrote :

I have verified this fix using openssh-server 1:9.6p1-3ubuntu13.6 from noble-proposed.

First, I installed openssh-server from noble-proposed and checked that the comment was present in /etc/ssh/sshd_config:

nr@six:~$ lxc launch ubuntu:noble noble
Launching noble
nr@six:~$ lxc exec noble bash
root@noble:~# cat > /etc/apt/sources.list.d/proposed.sources << EOF
> Types: deb
> URIs: http://us.archive.ubuntu.com/ubuntu/
> Suites: noble-proposed
> Components: main universe
> Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
> EOF
root@noble:~# apt update
Hit:1 http://archive.ubuntu.com/ubuntu noble InRelease
Get:2 http://us.archive.ubuntu.com/ubuntu noble-proposed InRelease [265 kB]
Get:3 http://archive.ubuntu.com/ubuntu noble-updates InRelease [126 kB]
Get:4 http://archive.ubuntu.com/ubuntu noble-backports InRelease [126 kB]
Get:5 http://archive.ubuntu.com/ubuntu noble/universe amd64 Packages [15.0 MB]
Get:6 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages [180 kB]
Get:7 http://us.archive.ubuntu.com/ubuntu noble-proposed/main Translation-en [48.6 kB]
Get:8 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 Components [22.0 kB]
Get:9 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 c-n-f Metadata [3556 B]
Get:10 http://us.archive.ubuntu.com/ubuntu noble-proposed/universe amd64 Packages [650 kB]
Get:11 http://us.archive.ubuntu.com/ubuntu noble-proposed/universe Translation-en [79.1 kB]
Get:12 http://us.archive.ubuntu.com/ubuntu noble-proposed/universe amd64 Components [68.0 kB]
Get:13 http://us.archive.ubuntu.com/ubuntu noble-proposed/universe amd64 c-n-f Metadata [10.7 kB]
Get:14 http://security.ubuntu.com/ubuntu noble-security InRelease [126 kB]
Get:15 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages [433 kB]
Get:16 http://archive.ubuntu.com/ubuntu noble/universe Translation-en [5982 kB]
Get:17 http://security.ubuntu.com/ubuntu noble-security/main Translation-en [93.2 kB]
Get:18 http://security.ubuntu.com/ubuntu noble-security/main amd64 Components [7152 B]
Get:19 http://security.ubuntu.com/ubuntu noble-security/main amd64 c-n-f Metadata [5816 B]
Get:20 http://security.ubuntu.com/ubuntu noble-security/universe amd64 Packages [555 kB]
Get:21 http://archive.ubuntu.com/ubuntu noble/universe amd64 Components [3871 kB]
Get:22 http://security.ubuntu.com/ubuntu noble-security/universe Translation-en [148 kB]
Get:23 http://security.ubuntu.com/ubuntu noble-security/universe amd64 Components [51.9 kB]
Get:24 http://security.ubuntu.com/ubuntu noble-security/universe amd64 c-n-f Metadata [13.5 kB]
Get:25 http://security.ubuntu.com/ubuntu noble-security/restricted amd64 Packages [388 kB]
Get:26 http://archive.ubuntu.com/ubuntu noble/universe amd64 c-n...

tags: added: verification-done verification-done-noble
removed: verification-needed verification-needed-noble
Chris Halse Rogers (raof) wrote : Please test proposed package

Hello teutat3s, or anyone else affected,

Accepted openssh into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssh/1:9.6p1-3ubuntu13.7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed verification-needed-noble
removed: verification-done verification-done-noble
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (openssh/1:9.6p1-3ubuntu13.7)

All autopkgtests for the newly accepted openssh (1:9.6p1-3ubuntu13.7) for noble have finished running.
The following regressions have been reported in tests triggered by the package:

crmsh/4.6.0-1ubuntu2 (amd64)
crmsh/unknown (i386)
fence-agents/unknown (amd64)
keychain/unknown (i386)
openmpi/4.1.6-7ubuntu2 (amd64)
openssh/1:9.6p1-3ubuntu13.7 (ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/noble/update_excuses.html#openssh

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Nick Rosbrook (enr0n) wrote :

The latest upload was restricted to a fix in d/t/sshd-socket-generator, so my previous verification stands.

tags: added: verification-done verification-done-noble
removed: verification-needed verification-needed-noble
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:9.6p1-3ubuntu13.7

---------------
openssh (1:9.6p1-3ubuntu13.7) noble; urgency=medium

  * d/t/sshd-socket-generator: run test_match_on_port test
    The test case was added to verify the fix for LP: 2076023,
    but it is not actually executed at the moment. Now that
    it does run, fix the grep commands used.

openssh (1:9.6p1-3ubuntu13.6) noble; urgency=medium

  * Explicitly listen on IPv4 by default, with socket-activated sshd
    (LP: #2080216)
    - d/systemd/ssh.socket: explicitly listen on ipv4 by default
    - d/t/sshd-socket-generator: update for new defaults and AddressFamily
    - sshd-socket-generator: handle new ssh.socket default settings
  * sshd-socket-generator: do not parse server match config
    (LP: #2076023)
  * d/p/systemd-socket-activation.patch: don't clear rexec_flag
    (LP: #2071815)
  * d/p/sshd-socket-generator.patch: add note to sshd_config
    Explain that a systemctl daemon-reload is needed for changes
    to Port et al to take effect.
    (LP: #2069041)
  * debian/openssh-server.ucf-md5sum: add new checksums for sshd_config

 -- Nick Rosbrook <email address hidden> Wed, 23 Oct 2024 14:19:51 -0400

Changed in openssh (Ubuntu Noble):
status: Fix Committed → Fix Released
Andreas Hasenack (ahasenack) wrote : Update Released

The verification of the Stable Release Update for openssh has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Andreas Hasenack (ahasenack) wrote :

1:9.6p1-3ubuntu13.7 was moved back to noble-proposed due to a possible regression[1] that is being investigated. Setting the bug tasks back to fix committed.

1:9.6p1-3ubuntu13.5 was restored in noble-updates.

1. https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2087551

Changed in openssh (Ubuntu Noble):
status: Fix Released → Fix Committed
Andreas Hasenack (ahasenack) wrote :

Adding block-proposed-noble to avoid accidental release while the regression in https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2087551 is investigated.

tags: added: block-proposed-noble