45

I am on Ubuntu 22.10 and I cannot change SSH default port. I have tried the following:

  • Edited /etc/ssh/sshd_config, left the default #Port 22 line but added Port 1234 below it.

  • Then added allow rule for it in UFW using the command:

    sudo ufw allow 1234
    

    which added:

    To Action From
    1234 ALLOW Anywhere
    1234 (v6) ALLOW Anywhere (v6)

I then restarted the SSH service using 2 different methods (see start of block below), but I saw no change. Service status states it started listening on port 22 and to verify this I checked the listening ports and sure enough it's still 22.

$ sudo systemctl restart ssh
$ sudo service ssh restart
$ systemctl status ssh
ssh.service - OpenBSD Secure Shell server
 Loaded: loaded (/lib/systemd/system/ssh.service; disabled; preset: enabled)
Drop-In: /etc/systemd/system/ssh.service.d
         └─00-socket.conf
 Active: active (running) since Mon 2022-11-07 10:12:52 AEDT; 5s ago
TriggeredBy: ● ssh.socket
   Docs: man:sshd(8)
         man:sshd_config(5)
Process: 54858 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
Main PID: 54859 (sshd)
  Tasks: 1 (limit: 1020)
 Memory: 1.3M
    CPU: 13ms
 CGroup: /system.slice/ssh.service
         └─54859 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

Nov 07 10:12:52 webserver.abc.com systemd[1]: Starting OpenBSD Secure Shell server...
Nov 07 10:12:52 webserver.abc.com sshd[54859]: Server listening on :: port 22.
Nov 07 10:12:52 webserver.abc.com systemd[1]: Started OpenBSD Secure Shell server.

ss -tlpn

State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 :22 :* -

Am I missing a step or doing something wrong? I do note the service status has preset: enabled, but multiple guides I've read haven't mentioned anything about disabling anything like presets.

EDIT: Thanks matigo for reminding me, but sshd.service doesn't seem to be installed yet. I have the config files and can remote in just fine, not sure if I just don't understand and I need to install sshd for it to take over the default SSH operations?

muru
  • 207,228
Silently
  • 1,211

8 Answers

71

SSHd now uses socket-based activation on Ubuntu 22.10 or later. Read more about this change being discussed here.

TLDR: The /etc/ssh/sshd_config settings are unused. Now that I read the comments in full, I found:

# Port and ListenAddress options are not used when sshd is socket-activated,
# which is now the default in Ubuntu. See sshd_config(5) and
# /usr/share/doc/openssh-server/README.Debian.gz for details.

Your options for changing from default port:

  • Turning off this change and reverting to how SSHd worked prior to this update (From twinsen in discussion linked above):

    • systemctl disable --now ssh.socket
    • systemctl enable --now ssh.service
    • Then the /etc/ssh/sshd_config works again with Ports and Addresses setting
  • OR Listening socket stream update (from saxl in discussion linked above)

    1. mkdir -p /etc/systemd/system/ssh.socket.d
    2. cat >/etc/systemd/system/ssh.socket.d/listen.conf <<EOF
      [Socket]
      ListenStream=
      ListenStream=1234
      EOF
      
    3. sudo systemctl daemon-reload
    4. sudo systemctl restart ssh.socket

It should then state it's started listening on the new port: systemctl status ssh ...

Nov 07 14:42:37 webserver.abc.com sshd[58725]: Server listening on 0.0.0.0 port 1234.
Nov 07 14:42:37 webserver.abc.com sshd[58725]: Server listening on :: port 1234

Silently
  • 1,211
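
The drop-in above starts with an empty ListenStream= before ListenStream=1234. The following sketch, an added example that is not part of any answer, shows why: it computes the effective listener list from a packaged unit plus drop-ins, where an empty assignment clears earlier entries, and flags listeners left on an unintended port. The sample unit contents and the function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the answers). Sample unit contents are constructed.

# effective_listen_streams FILE...
# FILEs in the order systemd applies them: packaged unit, then drop-ins.
effective_listen_streams() {
    awk '
        FNR == 1 { in_socket = 0 }                      # new file: no section yet
        /^[ \t]*[#;]/ { next }                          # comment line
        /^[ \t]*\[/ { in_socket = ($0 ~ /^[ \t]*\[Socket\]/); next }
        in_socket && /^[ \t]*ListenStream[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            # An empty value resets the list; anything else is appended.
            if (val == "") { n = 0 } else { list[++n] = val }
        }
        END { for (i = 1; i <= n; i++) print list[i] }
    ' "$@"
}

# unexpected_listeners PORT FILE...
# Prints effective listeners not on PORT; returns 1 if there are any.
unexpected_listeners() {
    want=$1; shift
    bad=$(effective_listen_streams "$@" | while IFS= read -r l; do
        [ "${l##*:}" = "$want" ] || printf '%s\n' "$l"
    done)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Constructed sample: a packaged unit plus two candidate drop-ins.
write_samples() {
    printf '[Socket]\nListenStream=22\nAccept=no\n'       > "$1/ssh.socket"
    printf '[Socket]\nListenStream=1234\n'                > "$1/no-reset.conf"
    printf '[Socket]\nListenStream=\nListenStream=1234\n' > "$1/listen.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "without reset: $(effective_listen_streams "$tmp/ssh.socket" "$tmp/no-reset.conf" | tr '\n' ' ')"
echo "with reset:    $(effective_listen_streams "$tmp/ssh.socket" "$tmp/listen.conf" | tr '\n' ' ')"
unexpected_listeners 1234 "$tmp/ssh.socket" "$tmp/no-reset.conf" || echo "^ still listening on an unintended port"
rm -rf "$tmp"
```

On a real host the same functions can be pointed at /lib/systemd/system/ssh.socket followed by the files in /etc/systemd/system/ssh.socket.d/.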
16

This is how I solved the OpenSSH port issue on Ubuntu 22.10.

Important - Please take a backup or snapshot before you make changes.

Use the nano editor and change the value of the ListenStream parameter

sudo nano /lib/systemd/system/ssh.socket

Change the following parameter to the port of your choice e.g. 44022

ListenStream=44022

Save the file and quit nano editor.

sudo systemctl daemon-reload
sudo systemctl restart ssh
sudo netstat -tulpn

Now you should be able to see that the port 44022 is open.

Do not forget to open the port on the firewall, e.g. ufw.

sudo ufw allow 44022

I suggest you open another PuTTY session to ensure you are able to log in.

Nmath
  • 12,664
Cyberian
  • 177
15

In Ubuntu 24.04, everything works with the default setup, just the behavior is now slightly different than before. I'm not sure if this would have worked already on Ubuntu 22.04 up until 23.10 - I can currently only test on 24.04.

To change the port, just uncomment the line starting with Port in /etc/ssh/sshd_config (remove the hashtag # in front of the line), then change the value from 22 to whatever is suitable for your needs.

The new thing is: To activate this new config, it is now required to inform systemd about the change:

sudo systemctl daemon-reload

Then the ssh service and socket can be restarted as before, to activate the change:

sudo systemctl restart ssh.socket
sudo systemctl restart ssh.service

This immediately activates the new config. I have tested this on Ubuntu 24.04 and it instantly allows connecting to the host using the new port. For testing, you may try with ssh and something like:

ssh -p<your-new-port-number> localhost 

This should successfully open the connection to your host on the new port, and possibly ask for your password, or log you in automatically (i.e. when using key-based authentication).

emmenlau
  • 306
3

SSHd now uses socket-based activation on Ubuntu 22.10 or later. Read more about this change being discussed here.

For my purposes adding a socket handler is a complication that we do not want, so we are adding the following to our pre-ansible installation steps to remove ssh.socket and go back to using the sshd_config file. (Some of these were not previously documented, so this might save someone else some time.)

Previously we would do the following post-build.

add line "Port 4022" after "#Port 22" in /etc/ssh/sshd_config then

sudo systemctl restart ssh

It looks like the following was required on a new Ubuntu 20.10 (Mate 20.10) installation.

add line "Port 4022" after "#Port 22" in /etc/ssh/sshd_config then

sudo systemctl disable --now ssh.socket
sudo systemctl enable --now ssh.service
sudo mv /etc/systemd/system/ssh.service.d/00-socket.conf ./save_disable_ssh.service.d_00-socket.conf
sudo systemctl daemon-reload
sudo systemctl stop ssh
sudo systemctl stop ssh.socket
sudo systemctl start ssh

ymmv

Zanna
  • 72,312
2

I followed the steps from others but nothing worked... until I uninstalled openssh-server and then reinstalled it, along with ssh.

  1. mkdir -p /etc/systemd/system/ssh.socket.d
    
  2. nano /etc/systemd/system/ssh.socket.d/listen.conf
    
    [Socket]
    ListenStream=
    ListenStream=1234
    
  3. sudo apt remove --purge openssh-server
    
  4. sudo apt install openssh-server ssh
    
  5. sudo systemctl daemon-reload
    
  6. sudo systemctl restart ssh
    

After this, running sudo systemctl status ssh should show you are listening on the ports originally set up.

Feb 21 19:28:08 Computer systemd[1]: Starting OpenBSD Secure Shell server...
Feb 21 19:28:08 Computer sshd[48455]: Server listening on :: port 1234.
Feb 21 19:28:08 Computer systemd[1]: Started OpenBSD Secure Shell server.

I do not understand why but I wonder if there was some daemon that did not want to be restarted/reloaded or killed, but uninstalling and reinstalling forced that and therefore picked up the new configuration changes. Very ugly.

muru
  • 207,228
C.D.
  • 369
0

@Silently is right, probably... But the systemctl disable --now ssh.socket ; systemctl enable --now ssh.service method doesn't work for me. I don't care why the Ubuntu team decided to break SSHD severely, they do it wrong regardless of their intentions: only that odd "Listening socket stream update" method works!

Update: the topic starter didn't mention that you should do it in a slightly different way:

  1. mkdir -p /etc/systemd/system/ssh.socket.d
    
  2. cat > /etc/systemd/system/ssh.socket.d/listen.conf << EOF
    [Socket]
    ListenStream=
    ListenStream=1234
    EOF
    
  3. Change SSHD port one way or another (I added /etc/ssh/sshd_config.d/local.conf with Port 1234)

  4. [sudo] systemctl daemon-reload

  5. [sudo] systemctl restart ssh

steeldriver
  • 142,475
0

I followed the answers to this question today (2023-02-14), and was still getting an SSH service spawned on IPv6, even though I had AcceptFamily inet and ListenAddress 10.0.2.15:2022 configured in my /etc/ssh/sshd_config file on Ubuntu 22.10, and had then configured listen.conf with the different port.

Well, I traced this bug report: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1993478/comments/14 which led me to the script at https://launchpadlibrarian.net/630622842/openssh_9.0p1-1ubuntu8.debdiff

which hinted at the solution for me. So, if you need a basic configuration of a single IPv4 address listening on a custom port (e.g. 10.0.2.15 on 22022), do this:

  • Erase all Port and ListenAddress information in /etc/ssh/sshd_config
  • Create the directory /etc/systemd/system/ssh.socket.d (i.e. sudo mkdir -p /etc/systemd/system/ssh.socket.d)
  • Put this content in the /etc/systemd/system/ssh.socket.d/addresses.conf file:

[Socket]
ListenStream=
ListenStream=10.0.2.15:2022

HINT: Do not put Accept=yes in this configuration, hoping for the OS to spawn an ssh service on connection demand. On a new Ubuntu 22.10 installation and configuration as in this answer, this made the ssh service listen on 0.0.0.0 port 22 and, even worse, the service did not start on boot.

Then issue these commands:

systemctl daemon-reload
systemctl disable ssh.socket
systemctl stop ssh.socket
systemctl enable ssh.service
systemctl start ssh.service

Niloct
  • 121
0

I've found one more caveat using WSL. The port is defined by default as

[Socket]
ListenStream=22

Which means "listen IPv6, and IPv4 also". However, netstat -nl46 shows only ::1:22 is being listened on, and IPv4 port listening is not forwarded to the Windows host. I had to reconfigure it with explicitly separate directives; only then are both IPv6 and IPv4 listening forwarded to the Windows host. So my /etc/systemd/system/ssh.socket.d/override.conf is:

[Socket]
# It is the default, do not repeat
# ListenStream=22
# It is the default which is not forwarded to Windows host
# BindIPv6Only=both
# Override it to avoid conflict
BindIPv6Only=ipv6-only
# Explicitly listen IPv4 in addition
ListenStream=0.0.0.0:22