[Bug 1876320] Re: Port parameter sshd_config is 22 AND whatever you specify

Adriaan van Nijendaal launchpad at choam.com
Sat May 2 15:57:01 UTC 2020


Thank you Simon and Seth, for your quick response. I have looked into
this further by installing a virgin Ubuntu Server 20.04 with SSH.

Changing the 'Port' in /etc/ssh/sshd_config to 7722 starts sshd on port
7722 and NOT on port 22, just like you said, Simon. BUT:

Rename sshd_config to something_else and replace sshd_config with two
lines to include the original config (now called something_else) and set
the Port to 7722:

systemctl stop ssh
mv /etc/ssh/sshd_config /etc/ssh/something_else
cat > /etc/ssh/sshd_config <<EOF
Include /etc/ssh/something_else
Port 7722
EOF
systemctl start ssh
systemctl status ssh
# restore the original config:
mv /etc/ssh/something_else /etc/ssh/sshd_config

Which will show:

● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2020-05-02 15:31:37 UTC; 13s ago
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 45261 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 45271 (sshd)
      Tasks: 1 (limit: 18457)
     Memory: 1.3M
     CGroup: /system.slice/ssh.service
             └─45271 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups

May 02 15:31:37 cabernet systemd[1]: Starting OpenBSD Secure Shell server...
May 02 15:31:37 cabernet sshd[45271]: Server listening on 0.0.0.0 port 7722.
May 02 15:31:37 cabernet sshd[45271]: Server listening on :: port 7722.
May 02 15:31:37 cabernet sshd[45271]: Server listening on 0.0.0.0 port 22.
May 02 15:31:37 cabernet sshd[45271]: Server listening on :: port 22.
May 02 15:31:37 cabernet systemd[1]: Started OpenBSD Secure Shell server.

So, NOW it will have ports 22 AND 7722 open!

If one sets debug level 3 in /etc/default/ssh (SSHD_OPTS="-d -d -d"),
syslog will show that 'something_else' is read from line 1 in
sshd_config and that the Port is set afterwards (and not anywhere in
/etc/ssh/something_else).

May  2 15:34:01 cabernet systemd[1]: Stopping OpenBSD Secure Shell server...
May  2 15:34:01 cabernet systemd[1]: ssh.service: Succeeded.
May  2 15:34:01 cabernet systemd[1]: Stopped OpenBSD Secure Shell server.
May  2 15:34:01 cabernet systemd[1]: Starting OpenBSD Secure Shell server...
May  2 15:34:01 cabernet sshd[45345]: debug2: load_server_config: filename /etc/ssh/sshd_config
May  2 15:34:01 cabernet sshd[45345]: debug2: load_server_config: done config len = 43
May  2 15:34:01 cabernet sshd[45345]: debug2: parse_server_config_depth: config /etc/ssh/sshd_config len 43
May  2 15:34:01 cabernet sshd[45345]: debug2: /etc/ssh/sshd_config line 1: new include /etc/ssh/something_else
May  2 15:34:01 cabernet sshd[45345]: debug2: /etc/ssh/sshd_config line 1: including /etc/ssh/something_else
May  2 15:34:01 cabernet sshd[45345]: debug2: load_server_config: filename /etc/ssh/something_else
May  2 15:34:01 cabernet sshd[45345]: debug2: load_server_config: done config len = 296
May  2 15:34:01 cabernet sshd[45345]: debug2: parse_server_config_depth: config /etc/ssh/something_else len 296
May  2 15:34:01 cabernet sshd[45345]: debug2: /etc/ssh/something_else line 13: new include /etc/ssh/sshd_config.d/*.conf
May  2 15:34:01 cabernet sshd[45345]: debug2: /etc/ssh/something_else line 13: no match for /etc/ssh/sshd_config.d/*.conf
May  2 15:34:01 cabernet sshd[45345]: debug3: /etc/ssh/something_else:63 setting ChallengeResponseAuthentication no
May  2 15:34:01 cabernet sshd[45345]: debug3: /etc/ssh/something_else:86 setting UsePAM yes
May  2 15:34:01 cabernet sshd[45345]: debug3: /etc/ssh/something_else:91 setting X11Forwarding yes
May  2 15:34:01 cabernet sshd[45345]: debug3: /etc/ssh/something_else:95 setting PrintMotd no
May  2 15:34:01 cabernet sshd[45345]: debug3: /etc/ssh/something_else:113 setting AcceptEnv LANG LC_*
May  2 15:34:01 cabernet sshd[45345]: debug3: /etc/ssh/something_else:116 setting Subsystem sftp#011/usr/lib/openssh/sftp-server
May  2 15:34:01 cabernet sshd[45345]: debug3: /etc/ssh/sshd_config:2 setting Port 7722
May  2 15:34:01 cabernet sshd[45345]: debug1: sshd version OpenSSH_8.2, OpenSSL 1.1.1f  31 Mar 2020
May  2 15:34:01 cabernet sshd[45345]: debug1: private host key #0: ssh-rsa SHA256:wiRec7mI3CIkcHIwvlEC137Ak+aZzEPocrwYHZtEn7M
May  2 15:34:01 cabernet sshd[45345]: debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:qdlfKdKcW/T2Rm13DFa6KqHRxCwZNxPZPV/0nu1/uDM
May  2 15:34:01 cabernet sshd[45345]: debug1: private host key #2: ssh-ed25519 SHA256:RqHjOSrBKft8jayVulIKh/y7EGkmFE+acxTLOPd4HOc
May  2 15:34:01 cabernet sshd[45345]: debug1: rexec_argv[0]='/usr/sbin/sshd'
May  2 15:34:01 cabernet sshd[45345]: debug1: rexec_argv[1]='-D'
May  2 15:34:01 cabernet sshd[45345]: debug1: rexec_argv[2]='-d'
May  2 15:34:01 cabernet sshd[45345]: debug1: rexec_argv[3]='-d'
May  2 15:34:01 cabernet sshd[45345]: debug1: rexec_argv[4]='-d'
May  2 15:34:01 cabernet sshd[45345]: debug3: already daemonized
May  2 15:34:01 cabernet sshd[45345]: debug3: oom_adjust_setup
May  2 15:34:01 cabernet sshd[45345]: debug1: Set /proc/self/oom_score_adj from 0 to -1000
May  2 15:34:01 cabernet sshd[45345]: debug2: fd 3 setting O_NONBLOCK
May  2 15:34:01 cabernet sshd[45345]: debug1: Bind to port 7722 on 0.0.0.0.
May  2 15:34:01 cabernet sshd[45345]: Server listening on 0.0.0.0 port 7722.
May  2 15:34:01 cabernet sshd[45345]: debug2: fd 4 setting O_NONBLOCK
May  2 15:34:01 cabernet sshd[45345]: debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
May  2 15:34:01 cabernet sshd[45345]: debug1: Bind to port 7722 on ::.
May  2 15:34:01 cabernet sshd[45345]: Server listening on :: port 7722.
May  2 15:34:01 cabernet sshd[45345]: debug2: fd 5 setting O_NONBLOCK
May  2 15:34:01 cabernet sshd[45345]: debug1: Bind to port 22 on 0.0.0.0.
May  2 15:34:01 cabernet sshd[45345]: Server listening on 0.0.0.0 port 22.
May  2 15:34:01 cabernet sshd[45345]: debug2: fd 6 setting O_NONBLOCK
May  2 15:34:01 cabernet sshd[45345]: debug3: sock_set_v6only: set socket 6 IPV6_V6ONLY
May  2 15:34:01 cabernet sshd[45345]: debug1: Bind to port 22 on ::.
May  2 15:34:01 cabernet sshd[45345]: Server listening on :: port 22.
May  2 15:34:01 cabernet systemd[1]: Started OpenBSD Secure Shell server.

I have read the source code for sshd, but I cannot find the 'obvious'
place where this goes wrong, although the juggling of the options
structure in process_config_line_depth() (in readconf.c) may have
something to do with it.

This bug probably won't affect too many people. Given that I have
already found a work-around and that I will now look into the 'Match'
keyword (which I was not aware of) to avoid running two daemons, I
suggest handling this issue at a low priority.

(Yes, my private keys are visible. This temporary install is not
accessible from the internet and will be scrapped in a few hours
anyway.)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1876320

Title:
  Port parameter sshd_config is 22 AND whatever you specify

Status in openssh package in Ubuntu:
  New

Bug description:
  On my Ubuntu Server 20.04 LTS with OpenSSH 1:8.2p1-4, I have TWO sshd
  daemons. One (on port 22) is for internal use, accepts passwords etc.
  The second (on port 7722) does not allow PAM use and no passwords,
  allows only one user(name) and uses an alternative authorized_keys file
  (that only root can edit).

  Any parameter FIRST encountered in sshd_config is the one that is
  accepted; others do not override (like in many other config files).
  There is one exception: 'Port', which is accumulative. To make life
  easier, I set the more restrictive parameters for port 7722 first and
  next include the system-default /etc/ssh/sshd_config.

  The /etc/ssh/sshd_config file(s) in Ubuntu Server 20.04 DO NOT specify
  'Port' anywhere - the default is 22. But: it is obviously still
  accumulative: Setting 'Port' to 7722 makes sshd listen on port 7722
  AND 22. This is unwanted.

  Proposed solution: Remove the accumulative behavior for 'Port' and
  REQUIRE the 'Port' parameter like before (and maybe have second and
  later parameters override the earlier ones, like 'everyone else').

  Regards,

  Adriaan

  PS Searching for solutions, I found that specifying 'ListenAddress
  0.0.0.0:7722' stops sshd from listening to port 22. This, however, is
  not documented in 'man 5 sshd_config' and may be an unreliable
  side-effect.
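A configuration audit for the ordering problem described above and for the ListenAddress host:port workaround from the PS. This is example code added here, not from the report or from OpenSSH: it walks sshd_config with Includes in read order, collects the accumulated Port values, and flags an Include that is read before the first Port. The file contents are constructed in-memory stand-ins for /etc/ssh, and the Include-before-Port rule it checks is the behaviour this report observes on OpenSSH 8.2, not a claim about other versions.

```python
import fnmatch
import re

REPORTED = {   # constructed stand-in for the report's layout: Include read before Port
    "/etc/ssh/sshd_config": "Include /etc/ssh/something_else\nPort 7722\n",
    "/etc/ssh/something_else": "Include /etc/ssh/sshd_config.d/*.conf\n# comment\nUsePAM yes\n",
}
REORDERED = {  # constructed stand-in with Port stated before any Include is read
    "/etc/ssh/sshd_config": "Port 7722\nInclude /etc/ssh/something_else\n",
    "/etc/ssh/something_else": "UsePAM yes\n",
}

def walk(files, path, seen=()):
    """Yield (file, lineno, keyword, arg) in sshd's read order, descending into each Include as it is met."""
    if path in seen or path not in files:   # Include loop, or the file is absent
        return
    for lineno, raw in enumerate(files[path].splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        keyword, arg = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        yield path, lineno, keyword.lower(), arg
        if keyword.lower() == "include":
            for pattern in arg.split():
                if not pattern.startswith("/"):
                    pattern = "/etc/ssh/" + pattern  # relative Includes resolve under /etc/ssh
                for inc in sorted(fnmatch.filter(files, pattern)):
                    yield from walk(files, inc, seen + (path,))

def audit(files, root="/etc/ssh/sshd_config"):
    """Return (ports, pinned, findings): accumulated Port values, ports pinned by ListenAddress host:port, findings."""
    ports, pinned, findings, early_include = [], [], [], None
    for fname, lineno, kw, arg in walk(files, root):
        if kw == "include" and not ports and early_include is None:
            early_include = f"{fname}:{lineno}"  # an Include read while no Port is set yet
        elif kw == "port":
            ports.append(int(arg))
        elif kw == "listenaddress":
            m = re.match(r"^(\[[^\]]+\]|[^:\s]+):(\d+)$", arg)  # host:port or [v6]:port form
            if m:
                pinned.append(int(m.group(2)))
    if not pinned and early_include:
        findings.append(f"{early_include}: Include read before the first Port; the report shows sshd 8.2 then binding port 22 as well")
    elif not pinned and not ports:
        findings.append("no Port set: sshd binds only the default port 22")
    return ports, pinned, findings

if __name__ == "__main__":
    for name, files in (("reported", REPORTED), ("reordered", REORDERED)):
        print(name, audit(files))
```

On a live host, compare the result with `sshd -T`, which prints one `port` line for every port sshd will bind.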
