sshd cannot bind to IPv4 interfaces
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
openssh (Ubuntu) | Fix Released | Medium | Unassigned | |
Noble | Fix Committed | Undecided | Unassigned | |
Bug Description
[Impact]
The default listening sockets for sshd are different depending on whether socket activation is used or not, even when /etc/ssh/
# Socket-activated
root@n2:~# systemctl status ssh.socket
● ssh.socket - OpenBSD Secure Shell server socket
Loaded: loaded (/usr/lib/
Active: active (listening) since Tue 2024-10-01 20:36:15 UTC; 12min ago
Triggers: ● ssh.service
Listen: [::]:22 (Stream)
CGroup: /system.
Oct 01 20:36:15 n2 systemd[1]: Listening on ssh.socket - OpenBSD Secure Shell server socket.
root@n2:~# lsof -i :22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 47u IPv6 2781411 0t0 TCP *:ssh (LISTEN)
# Non-socket-
root@n2:~# systemctl disable --now ssh.socket
Removed "/etc/systemd/
Removed "/etc/systemd/
root@n2:~# ln -s /dev/null /etc/systemd/
root@n2:~# systemctl enable --now ssh.service
Synchronizing state of ssh.service with SysV service script with /usr/lib/
Executing: /usr/lib/
Created symlink /etc/systemd/
Created symlink /etc/systemd/
root@n2:~# lsof -i :22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 798 root 3u IPv4 2793622 0t0 TCP *:ssh (LISTEN)
sshd 798 root 4u IPv6 2793624 0t0 TCP *:ssh (LISTEN)
By default, we have net.ipv6.
[Test Plan]
1. Check that on a noble system, without custom sshd_config, sshd is listening on both IPv4 and IPv6 on port 22:
$ lsof -i :22
2. Check that setting AddressFamily to e.g. inet results in only an IPv4 socket:
$ echo "AddressFamily inet" >> /etc/ssh/
$ systemctl daemon-reload
$ systemctl restart ssh.socket
$ lsof -i :22
There should only be one listener now.
3. Check the same thing with inet6, and a custom port for good measure:
$ echo "AddressFamily inet6" >> /etc/ssh/
$ echo "Port 1234" >> /etc/ssh/
$ systemctl daemon-reload
$ systemctl restart ssh.socket
$ lsof -i :1234
4. The new tests in debian/
[Where problems could occur]
The fix requires new default settings in the [Socket] section of ssh.socket, and handling for new defaults in sshd-socket-
[Original Description]
After upgrading from 22.04 to 24.04 I noticed that my sshd was only listening on the IPv6 interface (::), while previously it was listening on both IPv4 (0.0.0.0) and IPv6 (::). I tried to explicitly specify ListenAddress 0.0.0.0 (assuming it would bind to IPv4 only) but after restart sshd was still listening on IPv6 only.
This problem affects other packages as well, for example, openvpn.
Rebuilding applications from sources seems to fix the issue.
Setting net.ipv6.
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: openssh-server 1:9.6p1-3ubuntu13.5
ProcVersionSign
Uname: Linux 6.8.0-41-generic x86_64
ApportVersion: 2.28.1-0ubuntu3.1
Architecture: amd64
CasperMD5CheckR
Date: Tue Sep 10 16:45:54 2024
ProcEnviron:
LANG=C.UTF-8
PATH=(custom, no user)
SHELL=/bin/bash
TERM=screen.
SourcePackage: openssh
UpgradeStatus: Upgraded to noble on 2024-09-10 (0 days ago)
Related branches
- Steve Langasek: Pending requested
- Diff: 318 lines (+172/-35), 5 files modified
debian/changelog (+11/-0)
debian/patches/sshd-socket-generator.patch (+54/-25)
debian/patches/systemd-socket-activation.patch (+23/-1)
debian/systemd/ssh.socket (+3/-1)
debian/tests/sshd-socket-generator (+81/-8)
tags: added: foundations-todo removed: rls-nn-incoming
Changed in openssh (Ubuntu):
status: Confirmed → Triaged
description: updated
Changed in openssh (Ubuntu):
status: Triaged → Fix Committed
Changed in openssh (Ubuntu Noble):
status: New → In Progress
tags: added: verification-done-noble removed: verification-needed-noble
Is sshd not accessible at all over ipv4? How did you notice that sshd was not listening on ipv4?
In the default case, we should end up with ssh.socket listening on [::]:22, but with IPV6_V6ONLY=0 so that sshd is still accessible over ipv4.
> Setting net.ipv6.bindv6only=0 also helps, but that's not a solution.
I think this is the default on Ubuntu, no?
If your system does have net.ipv6.bindv6only=1, and you don't want to change it, a workaround for now should be to do:
$ mkdir -p /etc/systemd/system/ssh.socket.d/
$ cat > /etc/systemd/system/ssh.socket.d/bindipv6only-both.conf << EOF
[Socket]
BindIPv6Only=both
EOF
which has the effect of setting IPV6_V6ONLY to 0 for this particular socket.
We should probably fix sshd-socket-generator to automatically do this in certain cases.