← Back to team overview

debcrafters-packages team mailing list archive

[Bug 2118912] Re: openssh-server unavailable after upgrade to 1:9.6p1-3ubuntu13.13

 

Thanks for filing this bug report.

This appears to be configuration issue on your end, but you're correct
that it is new in the recent update.

tl;dr - You should not edit the systemd units directly. Just add your
sshd_config.d drop-in, and run:

$ systemctl daemon-reload
$ systemctl restart ssh.socket

See the comment near the top of /etc/ssh/sshd_config.

--

The longer version of things - the last update added
BindIPv6Only=ipv6-only to ssh.socket. This is required so that ipv6-only
(i.e. AddressFamily inet6) setups are honored. However, setting that
option changes the behavior of ListenStream=<port> [1]. Namely, a single
port number in ListenStream= is interpreted as a port to listen on via
IPv6. By default, it is also available on IPv4, but not when
BindIPv6Only=ipv6-only.

And, with your override (via systemctl edit) is in place, you end up
with:

root@n:~# systemctl cat ssh.socket
# /usr/lib/systemd/system/ssh.socket
[Unit]
Description=OpenBSD Secure Shell server socket
Before=sockets.target ssh.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Socket]
ListenStream=0.0.0.0:22
ListenStream=[::]:22
BindIPv6Only=ipv6-only
Accept=no
FreeBind=yes

[Install]
WantedBy=sockets.target
RequiredBy=ssh.service

# /run/systemd/generator/ssh.socket.d/addresses.conf
# Automatically generated by sshd-socket-generator

[Socket]
ListenStream=
ListenStream=0.0.0.0:22
ListenStream=[::]:22
ListenStream=0.0.0.0:1221
ListenStream=[::]:1221

# /etc/systemd/system/ssh.socket.d/override.conf
[Socket]
ListenStream=
ListenStream=22
ListenStream=1221

root@n:~# lsof -i :22
COMMAND PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
systemd   1 root    3u  IPv6 2143641      0t0  TCP *:ssh (LISTEN)
sshd    864 root    3u  IPv6 2143641      0t0  TCP *:ssh (LISTEN)

But, if you remove your override, and let sshd-socket-generator handle
the port configuration as it's designed to do, things are resolved:

root@n:~# rm /etc/systemd/system/ssh.socket.d/override.conf
root@n:~# systemctl daemon-reload
root@n:~# systemctl restart ssh.socket
root@n:~# systemctl cat ssh.socket
# /usr/lib/systemd/system/ssh.socket
[Unit]
Description=OpenBSD Secure Shell server socket
Before=sockets.target ssh.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Socket]
ListenStream=0.0.0.0:22
ListenStream=[::]:22
BindIPv6Only=ipv6-only
Accept=no
FreeBind=yes

[Install]
WantedBy=sockets.target
RequiredBy=ssh.service

# /run/systemd/generator/ssh.socket.d/addresses.conf
# Automatically generated by sshd-socket-generator

[Socket]
ListenStream=
ListenStream=0.0.0.0:22
ListenStream=[::]:22
ListenStream=0.0.0.0:1221
ListenStream=[::]:1221

root@n:~# lsof -i :22
COMMAND PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
systemd   1 root    3u  IPv4 2155385      0t0  TCP *:ssh (LISTEN)
systemd   1 root   43u  IPv6 2155386      0t0  TCP *:ssh (LISTEN)
sshd    930 root    3u  IPv4 2155385      0t0  TCP *:ssh (LISTEN)
sshd    930 root    4u  IPv6 2155386      0t0  TCP *:ssh (LISTEN)


[1] https://www.freedesktop.org/software/systemd/man/latest/systemd.socket.html#ListenStream=

** Changed in: openssh (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2118912

Title:
  openssh-server unavailable after upgrade to 1:9.6p1-3ubuntu13.13

Status in openssh package in Ubuntu:
  Invalid

Bug description:
  Ubuntu release: Ubuntu 24.04.2 LTS
  Package affected version: openssh-server:1:9.6p1-3ubuntu13.13

  -------

  After upgrading openssh-server:1:9.6p1-3ubuntu13.11 and openssh-
  server:1:9.6p1-3ubuntu13.12 to openssh-server:1:9.6p1-3ubuntu13.13
  using unattended upgrades I found my Ubuntu 24 server unreachable via
  ssh.

  During intial setup I changed my ssh configuration adding TCP 1221 to
  its binding ports, to make that I followed these steps:

  cat << EOF > /etc/ssh/sshd_config.d/custom.conf
  Port 1221
  Port 22
  PermitRootLogin no
  PasswordAuthentication no
  EOF

  systemctl edit ssh.socket

  # adding these lines
  [Socket]
  ListenStream=
  ListenStream=22
  ListenStream=1221

  If I don't add any of those configuration changes to ssh.service and
  ssh.socket ssh is still available on standard tcp port 22 after
  upgrading to version 1:9.6p1-3ubuntu13.13.

  I I add those changes AFTER upgrading to version 1:9.6p1-3ubuntu13.13
  the problem still occurr and ssh will become unavailable.

  Downgrade to previous version (1:9.6p1-3ubuntu13.11 or
  1:9.6p1-3ubuntu13.12 fixes the problem without changing any of the
  previous customizations.

  Syntax to downgrade:
  sudo apt update; sudo apt install -y openssh-client=1:9.6p1-3ubuntu13.11 openssh-server=1:9.6p1-3ubuntu13.11 openssh-sftp-server=1:9.6p1-3ubuntu13.11

  Steps to reproduce the problem on a new Ubuntu instance (tested both on AWS EC2 and GCP instances):
  1. create a new instance based on Ubuntu 24LTS AMI
  2. add TCP port 1221 (or any port you want) to ssh binding

  cat << EOF > /etc/ssh/sshd_config.d/custom.conf
  Port 1221
  Port 22
  PermitRootLogin no
  PasswordAuthentication no
  EOF

  systemctl edit ssh.socket

  # add these lines
  [Socket]
  ListenStream=
  ListenStream=22
  ListenStream=1221

  systemctl restart ssh.service ssh.socket

  3. check ssh is available on TCP 22 and TCP 1221 (check firewall or security group)
  4. upgrade system packages (make sure to upgrade openssh-server to version 1:9.6p1-3ubuntu13.13
  sudo apt update ; sudo apt upgrade -y
  5. sudo shutdown -r now
  6. ssh unavailable after reboot but ssh.service and ssh.socket do not show any error or problem whatsoever.

  Thanks

  Tas

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2118912/+subscriptions



References