debcrafters-packages team mailing list archive
Message #04584
[Bug 2118912] Re: openssh-server unavailable after upgrade to 1:9.6p1-3ubuntu13.13
Thanks for filing this bug report.
This appears to be a configuration issue on your end, but you're correct
that it is new in the recent update.
tl;dr - You should not edit the systemd units directly. Just add your
sshd_config.d drop-in, and run:
$ systemctl daemon-reload
$ systemctl restart ssh.socket
See the comment near the top of /etc/ssh/sshd_config.
--
The longer version of things - the last update added
BindIPv6Only=ipv6-only to ssh.socket. This is required so that ipv6-only
(i.e. AddressFamily inet6) setups are honored. However, setting that
option changes the behavior of ListenStream=<port> [1]. Namely, a single
port number in ListenStream= is interpreted as a port to listen on via
IPv6. By default, it is also available on IPv4, but not when
BindIPv6Only=ipv6-only.
And, with your override (via systemctl edit) in place, you end up
with:
root@n:~# systemctl cat ssh.socket
# /usr/lib/systemd/system/ssh.socket
[Unit]
Description=OpenBSD Secure Shell server socket
Before=sockets.target ssh.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
[Socket]
ListenStream=0.0.0.0:22
ListenStream=[::]:22
BindIPv6Only=ipv6-only
Accept=no
FreeBind=yes
[Install]
WantedBy=sockets.target
RequiredBy=ssh.service
# /run/systemd/generator/ssh.socket.d/addresses.conf
# Automatically generated by sshd-socket-generator
[Socket]
ListenStream=
ListenStream=0.0.0.0:22
ListenStream=[::]:22
ListenStream=0.0.0.0:1221
ListenStream=[::]:1221
# /etc/systemd/system/ssh.socket.d/override.conf
[Socket]
ListenStream=
ListenStream=22
ListenStream=1221
root@n:~# lsof -i :22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 3u IPv6 2143641 0t0 TCP *:ssh (LISTEN)
sshd 864 root 3u IPv6 2143641 0t0 TCP *:ssh (LISTEN)
But, if you remove your override, and let sshd-socket-generator handle
the port configuration as it's designed to do, things are resolved:
root@n:~# rm /etc/systemd/system/ssh.socket.d/override.conf
root@n:~# systemctl daemon-reload
root@n:~# systemctl restart ssh.socket
root@n:~# systemctl cat ssh.socket
# /usr/lib/systemd/system/ssh.socket
[Unit]
Description=OpenBSD Secure Shell server socket
Before=sockets.target ssh.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
[Socket]
ListenStream=0.0.0.0:22
ListenStream=[::]:22
BindIPv6Only=ipv6-only
Accept=no
FreeBind=yes
[Install]
WantedBy=sockets.target
RequiredBy=ssh.service
# /run/systemd/generator/ssh.socket.d/addresses.conf
# Automatically generated by sshd-socket-generator
[Socket]
ListenStream=
ListenStream=0.0.0.0:22
ListenStream=[::]:22
ListenStream=0.0.0.0:1221
ListenStream=[::]:1221
root@n:~# lsof -i :22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 3u IPv4 2155385 0t0 TCP *:ssh (LISTEN)
systemd 1 root 43u IPv6 2155386 0t0 TCP *:ssh (LISTEN)
sshd 930 root 3u IPv4 2155385 0t0 TCP *:ssh (LISTEN)
sshd 930 root 4u IPv6 2155386 0t0 TCP *:ssh (LISTEN)
[1] https://www.freedesktop.org/software/systemd/man/latest/systemd.socket.html#ListenStream=
** Changed in: openssh (Ubuntu)
Status: New => Invalid
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2118912
Title:
openssh-server unavailable after upgrade to 1:9.6p1-3ubuntu13.13
Status in openssh package in Ubuntu:
Invalid
Bug description:
Ubuntu release: Ubuntu 24.04.2 LTS
Package affected version: openssh-server:1:9.6p1-3ubuntu13.13
-------
After upgrading openssh-server:1:9.6p1-3ubuntu13.11 and
openssh-server:1:9.6p1-3ubuntu13.12 to openssh-server:1:9.6p1-3ubuntu13.13
using unattended upgrades I found my Ubuntu 24 server unreachable via
ssh.
During initial setup I changed my ssh configuration adding TCP 1221 to
its binding ports, to make that I followed these steps:
cat << EOF > /etc/ssh/sshd_config.d/custom.conf
Port 1221
Port 22
PermitRootLogin no
PasswordAuthentication no
EOF
systemctl edit ssh.socket
# adding these lines
[Socket]
ListenStream=
ListenStream=22
ListenStream=1221
If I don't add any of those configuration changes to ssh.service and
ssh.socket ssh is still available on standard tcp port 22 after
upgrading to version 1:9.6p1-3ubuntu13.13.
If I add those changes AFTER upgrading to version 1:9.6p1-3ubuntu13.13
the problem still occurs and ssh will become unavailable.
Downgrade to previous version (1:9.6p1-3ubuntu13.11 or
1:9.6p1-3ubuntu13.12) fixes the problem without changing any of the
previous customizations.
Syntax to downgrade:
sudo apt update; sudo apt install -y openssh-client=1:9.6p1-3ubuntu13.11 openssh-server=1:9.6p1-3ubuntu13.11 openssh-sftp-server=1:9.6p1-3ubuntu13.11
Steps to reproduce the problem on a new Ubuntu instance (tested both on AWS EC2 and GCP instances):
1. create a new instance based on Ubuntu 24LTS AMI
2. add TCP port 1221 (or any port you want) to ssh binding
cat << EOF > /etc/ssh/sshd_config.d/custom.conf
Port 1221
Port 22
PermitRootLogin no
PasswordAuthentication no
EOF
systemctl edit ssh.socket
# add these lines
[Socket]
ListenStream=
ListenStream=22
ListenStream=1221
systemctl restart ssh.service ssh.socket
3. check ssh is available on TCP 22 and TCP 1221 (check firewall or security group)
4. upgrade system packages (make sure to upgrade openssh-server to version 1:9.6p1-3ubuntu13.13)
sudo apt update ; sudo apt upgrade -y
5. sudo shutdown -r now
6. ssh unavailable after reboot but ssh.service and ssh.socket do not show any error or problem whatsoever.
Thanks
Tas
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2118912/+subscriptions
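
Added example, not part of the original message or of Ubuntu's packaging: a pre-reboot check that applies the merge rules described in the reply (an empty ListenStream= resets the list, and a bare port is IPv6-only under BindIPv6Only=ipv6-only) to `systemctl cat ssh.socket` text and reports ports that would lose IPv4 reachability. The function names and the abridged sample input are constructed for illustration.

```shell
# Added example (not Ubuntu's or systemd's code): reads `systemctl cat ssh.socket`
# text on stdin and prints the ports left with no IPv4 listener. Assumes fragments
# arrive in the order systemd applies them and net.ipv6.bindv6only is 0.
ports_without_ipv4() {
    awk '
    /^\[/ { section = $0; next }                  # remember the current section
    section != "[Socket]" { next }
    /^BindIPv6Only=/ { bind = substr($0, index($0, "=") + 1); next }
    /^ListenStream=/ {
        v = substr($0, index($0, "=") + 1)
        if (v == "") { n = 0 } else { list[++n] = v }   # empty value resets the list
    }
    END {
        for (i = 1; i <= n; i++) {
            v = list[i]; port = v; sub(/^.*:/, "", port)
            if (v ~ /^[0-9]+$/ || v ~ /^\[::\]:/) # bare port or IPv6 wildcard
                v4 = (bind != "ipv6-only")
            else if (v ~ /^\[/) v4 = 0            # specific IPv6 address
            else v4 = 1                           # IPv4 address:port
            seen[port] = 1; if (v4) has4[port] = 1
        }
        for (p in seen) if (!(p in has4)) print p
    }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}
# Constructed input, abridged from the `systemctl cat` output in the message.
generator_only() {
    cat <<'EOF'
# /usr/lib/systemd/system/ssh.socket
[Socket]
ListenStream=0.0.0.0:22
ListenStream=[::]:22
BindIPv6Only=ipv6-only
# /run/systemd/generator/ssh.socket.d/addresses.conf
[Socket]
ListenStream=
ListenStream=0.0.0.0:22
ListenStream=[::]:22
ListenStream=0.0.0.0:1221
ListenStream=[::]:1221
EOF
}
with_override() {
    generator_only
    printf '%s\n' '# /etc/systemd/system/ssh.socket.d/override.conf' '[Socket]' \
        'ListenStream=' 'ListenStream=22' 'ListenStream=1221'
}
echo "generator only, ports without IPv4: [$(generator_only | ports_without_ipv4)]"
echo "with override,  ports without IPv4: [$(with_override | ports_without_ipv4)]"
```

On a live host the same function can be fed with `systemctl cat ssh.socket | ports_without_ipv4` before restarting the socket or rebooting.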