
debcrafters-packages team mailing list archive

[Bug 2080216] Re: sshd cannot bind to IPv4 interfaces

 

I also verified the fix using a fresh noble container:

root@n:~# apt policy openssh-server
openssh-server:
  Installed: 1:9.6p1-3ubuntu13.13
  Candidate: 1:9.6p1-3ubuntu13.13
  Version table:
 *** 1:9.6p1-3ubuntu13.13 100
        100 http://archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1:9.6p1-3ubuntu13.12 500
        500 http://archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
     1:9.6p1-3ubuntu13.11 500
        500 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages
     1:9.6p1-3ubuntu13 500
        500 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages

1. Check the default:

root@n:~# lsof -i :22
COMMAND PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
systemd   1 root   47u  IPv4 2258326      0t0  TCP *:ssh (LISTEN)
systemd   1 root   48u  IPv6 2258327      0t0  TCP *:ssh (LISTEN)

2. Check that AddressFamily works for IPv4 only:

root@n:~# echo "AddressFamily inet" >> /etc/ssh/sshd_config.d/custom.conf
root@n:~# systemctl daemon-reload
root@n:~# systemctl restart ssh.socket
root@n:~# lsof -i :22
COMMAND PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
systemd   1 root   47u  IPv4 2259275      0t0  TCP *:ssh (LISTEN)

3. Check that AddressFamily works for IPv6 only (with a non-default port
for good measure):

root@n:~# echo "AddressFamily inet6" > /etc/ssh/sshd_config.d/custom.conf
root@n:~# echo "Port 1234" >> /etc/ssh/sshd_config.d/custom.conf
root@n:~# systemctl daemon-reload
root@n:~# systemctl restart ssh.socket
root@n:~# lsof -i :1234
COMMAND PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
systemd   1 root   47u  IPv6 2263137      0t0  TCP *:1234 (LISTEN)
root@n:~# lsof -i :22

4. Lastly, the new dep8 tests added are passing, e.g.
https://autopkgtest.ubuntu.com/results/autopkgtest-noble/noble/arm64/o/openssh/20250702_155647_cf67f@/log.gz:

2090s autopkgtest [15:52:15]: test sshd-socket-generator: preparing testbed
2090s Reading package lists...
2090s Building dependency tree...
2090s Reading state information...
2090s Starting pkgProblemResolver with broken count: 0
2090s Starting 2 pkgProblemResolver with broken count: 0
2090s Done
2091s 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
2092s autopkgtest [15:52:17]: test sshd-socket-generator: [-----------------------
2092s test_default...PASS
2092s test_custom_port...PASS
2092s test_default_and_custom_port...PASS
2092s test_mutiple_custom_ports...PASS
2092s test_custom_listenaddress...PASS
2092s test_custom_listenaddress_and_port...PASS
2092s test_custom_ipv6_listenaddress...PASS
2092s test_match_on_port...PASS
2092s test_custom_family_ipv4...PASS
2092s test_custom_family_ipv6...PASS
2092s test_custom_port_and_family_ipv4...PASS
2092s test_custom_port_and_family_ipv6...PASS
2093s autopkgtest [15:52:18]: test sshd-socket-generator: -----------------------]
2093s autopkgtest [15:52:18]: test sshd-socket-generator:  - - - - - - - - - - results - - - - - - - - - -

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2080216

Title:
  sshd cannot bind to IPv4 interfaces

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Noble:
  Fix Committed

Bug description:
  [Impact]

  The default listening sockets for sshd are different depending on
  whether socket activation is used or not, even when
  /etc/ssh/sshd_config is the default. E.g.:

  # Socket-activated

  root@n2:~# systemctl status ssh.socket
  ● ssh.socket - OpenBSD Secure Shell server socket
       Loaded: loaded (/usr/lib/systemd/system/ssh.socket; enabled; preset: enabled)
       Active: active (listening) since Tue 2024-10-01 20:36:15 UTC; 12min ago
     Triggers: ● ssh.service
       Listen: [::]:22 (Stream)
       CGroup: /system.slice/ssh.socket

  Oct 01 20:36:15 n2 systemd[1]: Listening on ssh.socket - OpenBSD Secure Shell server socket.
  root@n2:~# lsof -i :22
  COMMAND PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
  systemd   1 root   47u  IPv6 2781411      0t0  TCP *:ssh (LISTEN)

  # Non-socket-activated

  root@n2:~# systemctl disable --now ssh.socket
  Removed "/etc/systemd/system/ssh.service.requires/ssh.socket".
  Removed "/etc/systemd/system/sockets.target.wants/ssh.socket".
  root@n2:~# ln -s /dev/null /etc/systemd/system-generators/sshd-socket-generator
  root@n2:~# systemctl enable --now ssh.service
  Synchronizing state of ssh.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
  Executing: /usr/lib/systemd/systemd-sysv-install enable ssh
  Created symlink /etc/systemd/system/sshd.service → /usr/lib/systemd/system/ssh.service.
  Created symlink /etc/systemd/system/multi-user.target.wants/ssh.service → /usr/lib/systemd/system/ssh.service.
  root@n2:~# lsof -i :22
  COMMAND PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
  sshd    798 root    3u  IPv4 2793622      0t0  TCP *:ssh (LISTEN)
  sshd    798 root    4u  IPv6 2793624      0t0  TCP *:ssh (LISTEN)

  By default, we have net.ipv6.bindv6only=0 sysctl, and
  BindIPv6Only=both on ssh.socket, which means usually users can connect
  over IPv4 regardless. However, the fact remains that the resulting
  listening sockets are different in these two cases, and socket-
  activated ssh does not accurately reflect the settings in
  /etc/ssh/sshd_config.

  [Test Plan]

  1. Check that on a noble system, without custom sshd_config, sshd is
  listening on both IPv4 and IPv6 on port 22:

  $ lsof -i :22

  2. Check that setting AddressFamily to e.g. inet results in only an
  IPv4 socket:

  $ echo "AddressFamily inet" >> /etc/ssh/sshd_config.d/custom.conf
  $ systemctl daemon-reload
  $ systemctl restart ssh.socket
  $ lsof -i :22

  There should only be one listener now.

  3. Check the same thing with inet6, and a custom port for good
  measure:

  $ echo "AddressFamily inet6" >> /etc/ssh/sshd_config.d/custom.conf
  $ echo "Port 1234" >> /etc/ssh/sshd_config.d/custom.conf
  $ systemctl daemon-reload
  $ systemctl restart ssh.socket
  $ lsof -i :1234

  4. The new tests in debian/tests/sshd-socket-generator should all pass
  in autopkgtest.

  [Where problems could occur]

  The fix requires new default settings in the [Socket] section of
  ssh.socket, and handling for new defaults in sshd-socket-generator. It
  would be more likely to see problems with the generator as opposed to
  the changes in ssh.socket. However, new subtests were added to
  debian/tests/sshd-socket-generator to help avoid this.

  [Original Description]

  After upgrading from 22.04 to 24.04 I noticed that my sshd is only
  listening on the IPv6 interface (::), while previously it was listening
  on both IPv4 (0.0.0.0) and IPv6 (::). I tried to explicitly specify
  ListenAddress 0.0.0.0 (assuming it would bind to IPv4 only) but after
  restart sshd was still listening on IPv6 only.

  This problem affects other packages as well, for example, openvpn.

  Rebuilding applications from sources seems to fix the issue.

  Setting net.ipv6.bindv6only=0 also helps, but that's not a solution.

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: openssh-server 1:9.6p1-3ubuntu13.5
  ProcVersionSignature: Ubuntu 6.8.0-41.41-generic 6.8.12
  Uname: Linux 6.8.0-41-generic x86_64
  ApportVersion: 2.28.1-0ubuntu3.1
  Architecture: amd64
  CasperMD5CheckResult: unknown
  Date: Tue Sep 10 16:45:54 2024
  ProcEnviron:
   LANG=C.UTF-8
   PATH=(custom, no user)
   SHELL=/bin/bash
   TERM=screen.xterm-256color
  SourcePackage: openssh
  UpgradeStatus: Upgraded to noble on 2024-09-10 (0 days ago)

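The manual lsof checks in the test plan above can be scripted so that a mismatch between the configured AddressFamily/Port and the actual listening sockets is reported automatically. This is an added example, not code from the bug report or the openssh package; the function names are hypothetical, the sample data is constructed (numeric ports, as lsof prints with -P), and it assumes wildcard listening with no ListenAddress restriction and lsof text limited to the ssh ports being checked.

```shell
# Added example: compare the listeners sshd's configuration implies with the
# sockets actually in LISTEN state. Assumes no ListenAddress restriction.

# Reads `sshd -T`-style text on stdin; prints one "IPv4:<port>" or
# "IPv6:<port>" line per listener the configuration implies.
expected_listeners() {
    awk '{ k = tolower($1); v = tolower($2) }
         k == "addressfamily" { fam = v }
         k == "port"          { ports[v] = 1 }
         END {
             if (fam == "") fam = "any"            # sshd default
             n = 0; for (p in ports) n++
             if (n == 0) ports["22"] = 1           # sshd default
             for (p in ports) {
                 if (fam != "inet6") print "IPv4:" p
                 if (fam != "inet")  print "IPv6:" p
             }
         }' | sort
}

# Reads `lsof -nP`-style LISTEN output on stdin (numeric ports);
# prints "IPv4:<port>" / "IPv6:<port>" for each listening socket.
actual_listeners() {
    awk '$NF == "(LISTEN)" && ($5 == "IPv4" || $5 == "IPv6") {
             n = split($(NF-1), a, ":")            # NAME is addr:port
             print $5 ":" a[n]
         }' | sort -u
}

# check_listeners CONFIG_TEXT LSOF_TEXT: prints MISSING/UNEXPECTED lines
# and returns non-zero on any mismatch.
check_listeners() {
    exp=$(printf '%s\n' "$1" | expected_listeners)
    act=$(printf '%s\n' "$2" | actual_listeners)
    rc=0
    for e in $exp; do
        printf '%s\n' "$act" | grep -qxF "$e" || { echo "MISSING $e"; rc=1; }
    done
    for a in $act; do
        printf '%s\n' "$exp" | grep -qxF "$a" || { echo "UNEXPECTED $a"; rc=1; }
    done
    return $rc
}

# Constructed sample: default config, but only an IPv6 listener (the bug).
SAMPLE_CFG='port 22
addressfamily any'
SAMPLE_LSOF='COMMAND PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
systemd   1 root   47u  IPv6 2781411      0t0  TCP *:22 (LISTEN)'
check_listeners "$SAMPLE_CFG" "$SAMPLE_LSOF" || true
```

On a live system the two arguments would be the output of `sshd -T` and of `lsof -nP -iTCP:22 -sTCP:LISTEN` (one lsof call per port of interest, including the old port after a Port change).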