Changing Port in sshd_config requires calling systemctl daemon-reload

Bug #2069041 reported by teutat3s
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
openssh (Ubuntu)
Fix Committed
Medium
Nick Rosbrook
Noble
In Progress
Medium
Nick Rosbrook

Bug Description

[Impact]

There is currently no comment in the default /etc/ssh/sshd_config explaining that a systemctl daemon-reload is needed for changes to Port etc. to take effect when systemd socket activation is used (the default on Ubuntu).

Users may change e.g. Port in /etc/ssh/sshd_config and expect systemctl restart ssh.service to reflect the change, but this will not work.

[Test Plan]

1. The proposed fix here is to improve the documentation by adding a comment above the default Port setting in /etc/ssh/sshd_config. Hence, the test is to simply install openssh-server from noble-proposed, and verify that the comment is there.

2. Because the patch changes the default sshd_config, and debian/openssh-server.ucf-md5sum needs to be updated when this happens, an upgrade from noble to oracular should be done after installing openssh-server from noble-proposed. If a debconf prompt is shown, then a mistake was made in recording the checksums. Otherwise, they are correct.

[Where problems could occur]

There is low technical risk, but we should be sure that the documentation is clear and improves the experience of users. It could be harmful if the documentation accidentally makes things worse, or is just confusing.

Also, a packaging quirk of openssh-server is that checksums of the patched sshd_config (along with certain settings tweaked) need to be recorded in debian/openssh-server.ucf-md5sum to avoid unnecessary debconf prompts on upgrades. I have updated those checksums, but if they are incorrent, then in future upgrades users might see an unnecessary debconf prompt about /etc/ssh/sshd_config.

[Original Description]

Changing the Port directive in sshd_config and restarting ssh.service is without effect, sshd keeps listening to port 22.

Also mentioned in https://discourse.ubuntu.com/t/sshd-now-uses-socket-based-activation-ubuntu-22-10-and-later/30189/32

Steps to reproduce:
1. Install Ubuntu 24.04 LTS
2. Change Port directive in /etc/ssh/sshd_config to Port 2233
3. Restart ssh.service
4. Observe sshd still listening to port 22

Expected behaviour: sshd changes port to 2233

Actual behaviour: sshd keeps listening to port 22

Steve Langasek (vorlon)
tags: added: rls-nn-incoming rls-oo-incoming
Changed in openssh (Ubuntu):
status: New → Triaged
Revision history for this message
Nick Rosbrook (enr0n) wrote :

With 24.04 LTS, ssh is socket activated by default. The configuration for the socket is generated by reading the regular /etc/ssh/sshd_config (or /etc/ssh/sshd_config.d/ snippets), but the configuration needs to be reloaded. So, the steps for configuring a new port are:

# Add new port to /etc/ssh/sshd_config.d/port.conf
systemctl daemon-reload
systemctl restart ssh.socket

The key point being that a systemctl daemon-reload is needed.

tags: added: foundations-todo
removed: rls-nn-incoming rls-oo-incoming
Revision history for this message
Nick Rosbrook (enr0n) wrote :

There is really no way around requiring a daemon-reload. The best thing we can do here is improve the documentation to make this clear to users.

Changed in openssh (Ubuntu Noble):
status: New → Triaged
assignee: nobody → Nick Rosbrook (enr0n)
Changed in openssh (Ubuntu):
assignee: nobody → Nick Rosbrook (enr0n)
importance: Undecided → Medium
Changed in openssh (Ubuntu Noble):
importance: Undecided → Medium
Revision history for this message
Pedro Macedo (pedromacedo) wrote :

I modified the /etc/sshd/sshd_config file, ran the commands:
systemctl daemon-reload
systemctl restart ssh.socket
And the port was not changed.

Revision history for this message
Nick Rosbrook (enr0n) wrote :

@perdromacedo can you share the output of

$ grep Port /etc/sshd/sshd_config
$ systemctl daemon-reload
$ systemctl status ssh.socket ssh.service

Revision history for this message
shucai he (baozixiaoge) wrote :

I'm currently trying out the Ubuntu 24.04 version and encountered an issue where modifying the SSH port didn't take effect. Fortunately, I came across this help and followed your suggestions to attempt the modifications. The port modification is now working as expected.
 sudo vim /etc/ssh/sshd_config
sudo systemctl daemon-reload
sudo systemctl restart ssh.socket

Nick Rosbrook (enr0n)
description: updated
Changed in openssh (Ubuntu):
status: Triaged → Fix Committed
description: updated
summary: - Changing Port in sshd_config and restarting ssh.service without effect
+ Changing Port in sshd_config requires calling systemctl daemon-reload
Nick Rosbrook (enr0n)
Changed in openssh (Ubuntu Noble):
status: Triaged → In Progress
Revision history for this message
Robie Basak (racb) wrote :

This isn't a full review, but in passing I saw:

> Also, a packaging quirk of openssh-server is that checksums of the patched sshd_config (along with certain settings tweaked) need to be recorded in debian/openssh-server.ucf-md5sum to avoid unnecessary debconf prompts on upgrades. I have updated those checksums, but if they are incorrent, then in future upgrades users might see an unnecessary debconf prompt about /etc/ssh/sshd_config.

Please add to the Test Plan to verify that there are no conffile prompts in the at-risk upgrade paths.

Revision history for this message
Nick Rosbrook (enr0n) wrote :

> Please add to the Test Plan to verify that there are no conffile prompts in the at-risk upgrade paths.

Added. Thanks.

description: updated
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.