Unable to listen on port 22 if multiple Port= present in sshd configuration

Bug #2059872 reported by Andre Tomt
This bug affects 3 people
Affects: openssh (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Nick Rosbrook

Bug Description

Recently introduced sshd-socket-generator for socket activation in openssh 1:9.6p1-3ubuntu3 has a bug when dealing with multiple Port or ListenAddress entries in the sshd configuration.

If you have multiple Port or ListenAddress and one of them is for port 22, it just skips it.

To show it clearly, here is an example:
Port 22
Port 1024

It generates:
ListenStream=
ListenStream=1024

Now nothing is listening to port 22, hence breaking existing configurations.

This was tested on 1:9.6p1-3ubuntu11.

The intention seems to be to not generate the drop-in if only port 22 is in use, but it does not account for the case of multiple Port or ListenAddress where one of them is for port 22.

Chris Guiver (guiverc) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. Please execute the following command only once, as it will automatically gather debugging information, in a terminal:

apport-collect 2059872

When reporting bugs in the future please use apport by using 'ubuntu-bug' and the name of the package affected. You can learn more about this functionality at https://wiki.ubuntu.com/ReportingBugs.

Nick Rosbrook (enr0n)
Changed in openssh (Ubuntu):
importance: Undecided → High
assignee: nobody → Nick Rosbrook (enr0n)
Nick Rosbrook (enr0n) wrote :

Thanks for reporting this. I confirmed it with:

root@n:~# cat > /etc/ssh/sshd_config.d/ports.conf << EOF
> Port 22
> Port 1024
> EOF
root@n:~# /lib/systemd/system-generators/sshd-socket-generator .
root@n:~# cat ssh.socket.d/addresses.conf
# Automatically generated by sshd-socket-generator

[Socket]
ListenStream=
ListenStream=1024

Looking at the code the bug is very clear.
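
Added example (not part of the original report and not the generator's code): a check that compares the ports requested by Port/ListenAddress lines with the ports ssh.socket would open once a generated addresses.conf is applied. It compares ports only, not addresses. The function names, the base ListenStream value of 22 and the "complete" drop-in are assumptions made for illustration.

```python
import re

DEFAULT_PORT = 22
BASE_STREAMS = ["22"]  # assumption: ListenStream= value of the packaged ssh.socket

def addr_port(value):
    """Port from 'host:port' or '[v6]:port'; None for a bare address."""
    if value.startswith("["):
        tail = value.partition("]:")[2]
    else:
        tail = value.partition(":")[2] if value.count(":") == 1 else ""
    return int(tail) if tail.isdigit() else None

def sshd_ports(config_text):
    """Ports requested by Port/ListenAddress lines (no Include or Match handling)."""
    ports, explicit, bare_addr, have_addr = set(), set(), False, False
    for line in config_text.splitlines():
        m = re.match(r"\s*(port|listenaddress)[\s=]+(\S+)", line, re.I)
        if not m:
            continue  # comments and unrelated keywords
        if m.group(1).lower() == "port":
            ports.add(int(m.group(2)))
            continue
        have_addr = True
        port = addr_port(m.group(2))
        if port is None:
            bare_addr = True  # a bare address listens on every Port value
        else:
            explicit.add(port)
    ports = ports or {DEFAULT_PORT}
    if not have_addr:
        return ports
    return explicit | (ports if bare_addr else set())

def socket_ports(dropin_text, base=BASE_STREAMS):
    """Ports ssh.socket listens on once the drop-in is applied over the base unit."""
    streams = list(base)
    for line in dropin_text.splitlines():
        key, sep, value = line.partition("=")
        if key.strip() != "ListenStream" or not sep:
            continue
        # systemd: an empty assignment resets the list built so far
        streams = streams + [value.strip()] if value.strip() else []
    found = (int(s) if s.isdigit() else addr_port(s) for s in streams)
    return {p for p in found if p is not None}

def missing_ports(config_text, dropin_text):
    """Ports sshd is configured for that the socket unit would not open."""
    return sorted(sshd_ports(config_text) - socket_ports(dropin_text))

# Inputs from the report: the two Port lines and the drop-in the generator wrote.
CONFIG = "Port 22\nPort 1024\n"
BUGGY_DROPIN = "[Socket]\nListenStream=\nListenStream=1024\n"
# Constructed for comparison: a drop-in that lists both ports.
COMPLETE_DROPIN = "[Socket]\nListenStream=\nListenStream=22\nListenStream=1024\n"
```

Calling missing_ports(CONFIG, BUGGY_DROPIN) reports port 22 as configured but not opened, which is the condition described in this bug.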

Changed in openssh (Ubuntu):
status: New → Triaged
tags: added: foundations-todo
Nick Rosbrook (enr0n)
Changed in openssh (Ubuntu):
status: Triaged → In Progress
Joseph Yasi (joe-yasi) wrote :

Is there a workaround for this?

Nick Rosbrook (enr0n) wrote :

The fix is already in noble-proposed, so you could enable that and install from there. Or, you can wait probably another day until it lands in the release pocket.

Changed in openssh (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:9.6p1-3ubuntu13

---------------
openssh (1:9.6p1-3ubuntu13) noble; urgency=medium

  [ Marco Trevisan (Treviño) ]
  * debian: Remove dependency on libsystemd
    As per the xz backdoor we learned that the least dependencies sshd have,
    the best it is, so avoid to plug libsystemd (which also brings various
    other dependencies) inside sshd for no reason:

    - d/p/systemd-readiness.patch: Use upstream patch with no libsystemd
      dependency
    - d/p/systemd-socket-activation.patch: Import patch from debian that
      mimics the libsystemd sd_listen_fds() code, as refactored by Colin
      Watson.
    - d/control: Remove dependencies on libsystemd-dev | libelogind-dev
    - d/rules: Drop --with-systemd flag (new options are used by default)

  [ Nick Rosbrook ]
  * debian/patches: only set PAM_RHOST if remote host is not "UNKNOWN"
    (LP: #2060150)
  * debian/openssh-server.postinst: don't re-enable ssh.socket if it was disabled
    (LP: #2059874)
  * d/p/sshd-socket-generator.patch: do not always ignore ListenStream=22
    (LP: #2059872)

 -- Nick Rosbrook <email address hidden> Fri, 05 Apr 2024 15:30:31 -0400

Changed in openssh (Ubuntu):
status: Fix Committed → Fix Released