[Bug 2080216] Re: sshd cannot bind to IPv4 interfaces
Nick Rosbrook
2080216 at bugs.launchpad.net
Tue Oct 1 20:58:38 UTC 2024
** Description changed:
+ [Impact]
+
+ The default listening sockets for sshd are different depending on
+ whether socket activation is used or not, even when /etc/ssh/sshd_config
+ is the default. E.g.:
+
+ # Socket-activated
+
+ root at n2:~# systemctl status ssh.socket
+ ● ssh.socket - OpenBSD Secure Shell server socket
+ Loaded: loaded (/usr/lib/systemd/system/ssh.socket; enabled; preset: enabled)
+ Active: active (listening) since Tue 2024-10-01 20:36:15 UTC; 12min ago
+ Triggers: ● ssh.service
+ Listen: [::]:22 (Stream)
+ CGroup: /system.slice/ssh.socket
+
+ Oct 01 20:36:15 n2 systemd[1]: Listening on ssh.socket - OpenBSD Secure Shell server socket.
+ root at n2:~# lsof -i :22
+ COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
+ systemd 1 root 47u IPv6 2781411 0t0 TCP *:ssh (LISTEN)
+
+ # Non-socket-activated
+
+ root at n2:~# systemctl disable --now ssh.socket
+ Removed "/etc/systemd/system/ssh.service.requires/ssh.socket".
+ Removed "/etc/systemd/system/sockets.target.wants/ssh.socket".
+ root at n2:~# ln -s /dev/null /etc/systemd/system-generators/sshd-socket-generator
+ root at n2:~# systemctl enable --now ssh.service
+ Synchronizing state of ssh.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
+ Executing: /usr/lib/systemd/systemd-sysv-install enable ssh
+ Created symlink /etc/systemd/system/sshd.service → /usr/lib/systemd/system/ssh.service.
+ Created symlink /etc/systemd/system/multi-user.target.wants/ssh.service → /usr/lib/systemd/system/ssh.service.
+ root at n2:~# lsof -i :22
+ COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
+ sshd 798 root 3u IPv4 2793622 0t0 TCP *:ssh (LISTEN)
+ sshd 798 root 4u IPv6 2793624 0t0 TCP *:ssh (LISTEN)
+
+ By default, we have net.ipv6.bindv6only=0 sysctl, and BindIPv6Only=both
+ on ssh.socket, which means usually users can connect over IPv4
+ regardless. However, the fact remains that the resulting listening
+ sockets are different in these two cases, and socket-activated ssh does
+ not accurately reflect the settings in /etc/ssh/sshd_config.
+
+ [Test Plan]
+
+ 1. Check that on a noble system, without custom sshd_config, sshd is
+ listening on both IPv4 and IPv6 on port 22:
+
+ $ lsof -i :22
+
+ 2. Check that setting AddressFamily to e.g. inet results in only an IPv4
+ socket:
+
+ $ echo "AddressFamily inet" >> /etc/ssh/sshd_config.d/custom.conf
+ $ systemctl daemon-reload
+ $ systemctl restart ssh.socket
+ $ lsof -i :22
+
+ There should only be one listener now.
+
+ 3. Check the same thing with inet6, and a custom port for good measure:
+
+ $ echo "AddressFamily inet6" >> /etc/ssh/sshd_config.d/custom.conf
+ $ echo "Port 1234" >> /etc/ssh/sshd_config.d/custom.conf
+ $ systemctl daemon-reload
+ $ systemctl restart ssh.socket
+ $ lsof -i :1234
+
+ 4. The new tests in debian/tests/sshd-socket-generator should all pass
+ in autopkgtest.
+
+ [Where problems could occur]
+
+ The fix requires new default settings in the [Socket] section of
+ ssh.socket, and handling for new defaults in sshd-socket-generator. It
+ would be more likely to see problems with the generator as opposed to
+ the changes in ssh.socket. However, new subtests were added to
+ debian/tests/sshd-socket-generator to help avoid this.
+
+ [Original Description]
+
After upgrading from 22.04 to 24.04 I noticed that my sshd only
listening on IPv6 interface (::), while previously it was listening both
IPv4 (0.0.0.0) and IPv6 (::). I tried to explicitly specify
ListenAddress 0.0.0.0 (assuming it would bind to IPv4 only) but after
restart sshd was still listening on IPv6 only.
This problem affects other packages as well, for example, openvpn.
Rebuilding applications from sources seems to fix the issue.
Setting net.ipv6.bindv6only=0 also helps, but that's not a solution.
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: openssh-server 1:9.6p1-3ubuntu13.5
ProcVersionSignature: Ubuntu 6.8.0-41.41-generic 6.8.12
Uname: Linux 6.8.0-41-generic x86_64
ApportVersion: 2.28.1-0ubuntu3.1
Architecture: amd64
CasperMD5CheckResult: unknown
Date: Tue Sep 10 16:45:54 2024
ProcEnviron:
- LANG=C.UTF-8
- PATH=(custom, no user)
- SHELL=/bin/bash
- TERM=screen.xterm-256color
+ LANG=C.UTF-8
+ PATH=(custom, no user)
+ SHELL=/bin/bash
+ TERM=screen.xterm-256color
SourcePackage: openssh
UpgradeStatus: Upgraded to noble on 2024-09-10 (0 days ago)
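Review bot: Test plan step 3 appends "AddressFamily inet6" with >> to the same /etc/ssh/sshd_config.d/custom.conf that step 2 already wrote "AddressFamily inet" to. sshd_config uses the first value obtained for each keyword, so the earlier inet line would still take effect and the inet6 check would not test what it intends. Suggest overwriting the file in step 3 (> instead of >>) or removing custom.conf between steps 2 and 3. Step 3 also does not state the expected result the way step 2 does ("There should only be one listener now."); naming the expected IPv6-only listener on port 1234 would make the step checkable. The commands that write under /etc and restart ssh.socket are shown with a $ prompt but need root.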
https://bugs.launchpad.net/bugs/2080216
Title:
sshd cannot bind to IPv4 interfaces
Status in openssh package in Ubuntu:
Triaged
Status in openssh source package in Noble:
New
Bug description:
[Impact]

The default listening sockets for sshd are different depending on
whether socket activation is used or not, even when
/etc/ssh/sshd_config is the default. E.g.:

# Socket-activated

root@n2:~# systemctl status ssh.socket
● ssh.socket - OpenBSD Secure Shell server socket
Loaded: loaded (/usr/lib/systemd/system/ssh.socket; enabled; preset: enabled)
Active: active (listening) since Tue 2024-10-01 20:36:15 UTC; 12min ago
Triggers: ● ssh.service
Listen: [::]:22 (Stream)
CGroup: /system.slice/ssh.socket

Oct 01 20:36:15 n2 systemd[1]: Listening on ssh.socket - OpenBSD Secure Shell server socket.
root@n2:~# lsof -i :22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 47u IPv6 2781411 0t0 TCP *:ssh (LISTEN)

# Non-socket-activated

root@n2:~# systemctl disable --now ssh.socket
Removed "/etc/systemd/system/ssh.service.requires/ssh.socket".
Removed "/etc/systemd/system/sockets.target.wants/ssh.socket".
root@n2:~# ln -s /dev/null /etc/systemd/system-generators/sshd-socket-generator
root@n2:~# systemctl enable --now ssh.service
Synchronizing state of ssh.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable ssh
Created symlink /etc/systemd/system/sshd.service → /usr/lib/systemd/system/ssh.service.
Created symlink /etc/systemd/system/multi-user.target.wants/ssh.service → /usr/lib/systemd/system/ssh.service.
root@n2:~# lsof -i :22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 798 root 3u IPv4 2793622 0t0 TCP *:ssh (LISTEN)
sshd 798 root 4u IPv6 2793624 0t0 TCP *:ssh (LISTEN)

By default, we have net.ipv6.bindv6only=0 sysctl, and
BindIPv6Only=both on ssh.socket, which means usually users can connect
over IPv4 regardless. However, the fact remains that the resulting
listening sockets are different in these two cases, and
socket-activated ssh does not accurately reflect the settings in
/etc/ssh/sshd_config.

[Test Plan]

1. Check that on a noble system, without custom sshd_config, sshd is
listening on both IPv4 and IPv6 on port 22:

$ lsof -i :22

2. Check that setting AddressFamily to e.g. inet results in only an
IPv4 socket:

$ echo "AddressFamily inet" >> /etc/ssh/sshd_config.d/custom.conf
$ systemctl daemon-reload
$ systemctl restart ssh.socket
$ lsof -i :22

There should only be one listener now.

3. Check the same thing with inet6, and a custom port for good
measure:

$ echo "AddressFamily inet6" >> /etc/ssh/sshd_config.d/custom.conf
$ echo "Port 1234" >> /etc/ssh/sshd_config.d/custom.conf
$ systemctl daemon-reload
$ systemctl restart ssh.socket
$ lsof -i :1234

4. The new tests in debian/tests/sshd-socket-generator should all pass
in autopkgtest.

[Where problems could occur]

The fix requires new default settings in the [Socket] section of
ssh.socket, and handling for new defaults in sshd-socket-generator. It
would be more likely to see problems with the generator as opposed to
the changes in ssh.socket. However, new subtests were added to
debian/tests/sshd-socket-generator to help avoid this.

[Original Description]

After upgrading from 22.04 to 24.04 I noticed that my sshd was only
listening on the IPv6 interface (::), while previously it was listening
on both IPv4 (0.0.0.0) and IPv6 (::). I tried to explicitly specify
ListenAddress 0.0.0.0 (assuming it would bind to IPv4 only) but after
restart sshd was still listening on IPv6 only.

This problem affects other packages as well, for example, openvpn.
Rebuilding applications from sources seems to fix the issue.
Setting net.ipv6.bindv6only=0 also helps, but that's not a solution.

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: openssh-server 1:9.6p1-3ubuntu13.5
ProcVersionSignature: Ubuntu 6.8.0-41.41-generic 6.8.12
Uname: Linux 6.8.0-41-generic x86_64
ApportVersion: 2.28.1-0ubuntu3.1
Architecture: amd64
CasperMD5CheckResult: unknown
Date: Tue Sep 10 16:45:54 2024
ProcEnviron:
LANG=C.UTF-8
PATH=(custom, no user)
SHELL=/bin/bash
TERM=screen.xterm-256color
SourcePackage: openssh
UpgradeStatus: Upgraded to noble on 2024-09-10 (0 days ago)
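
The listener checks from the test plan above, as an added shell example (not part of the bug report or of the openssh package): it reads `lsof -i :PORT` output on stdin and compares the listening address families with what an AddressFamily value should produce. The function names are hypothetical and the sample inputs are constructed from the lsof output quoted in the report.

```shell
#!/bin/sh
# Added example: compare LISTEN sockets reported by lsof with the
# address families an sshd_config AddressFamily value should yield.

# Print the distinct TYPE values (IPv4/IPv6) of LISTEN rows on one line.
# The header row and non-LISTEN rows are skipped.
listener_families() {
    awk '$NF == "(LISTEN)" && ($5 == "IPv4" || $5 == "IPv6") { print $5 }' |
        sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Map an AddressFamily value to the families the test plan expects.
expected_families() {
    case "$1" in
        any)   echo "IPv4 IPv6" ;;
        inet)  echo "IPv4" ;;
        inet6) echo "IPv6" ;;
        *)     echo "unknown AddressFamily: $1" >&2; return 2 ;;
    esac
}

# check_listeners FAMILY, with lsof output on stdin.
# Returns 0 on match, 1 on mismatch, 2 on an unknown family.
check_listeners() {
    want=$(expected_families "$1") || return 2
    got=$(listener_families)
    if [ "$got" = "$want" ]; then
        echo "OK: AddressFamily $1 -> listeners: $got"
    else
        echo "MISMATCH: AddressFamily $1 wants '$want', found '${got:-none}'"
        return 1
    fi
}

# Constructed sample inputs, modelled on the lsof output in the report.
SOCKET_ACTIVATED='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 47u IPv6 2781411 0t0 TCP *:ssh (LISTEN)'
PLAIN_SSHD='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 798 root 3u IPv4 2793622 0t0 TCP *:ssh (LISTEN)
sshd 798 root 4u IPv6 2793624 0t0 TCP *:ssh (LISTEN)'

# Default config (AddressFamily any): plain sshd matches, and the
# socket-activated case from the report is flagged as a mismatch.
printf '%s\n' "$PLAIN_SSHD" | check_listeners any
printf '%s\n' "$SOCKET_ACTIVATED" | check_listeners any || true
```

On a live system the input would come from `lsof -i :22 | check_listeners any`. A single [::] listener with BindIPv6Only=both still accepts IPv4 connections, so a mismatch here means the sockets differ from sshd_config, not that IPv4 clients are locked out.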