I have verified the fix using openssh-server from noble-proposed. I set up a container and enabled noble-proposed:

nr@six:~$ lxc launch ubuntu:noble noble
Launching noble
nr@six:~$ lxc exec noble bash
root@noble:~# cat > /etc/apt/sources.list.d/proposed.sources << EOF
> Types: deb
> URIs: http://us.archive.ubuntu.com/ubuntu/
> Suites: noble-proposed
> Components: main universe
> Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
> EOF
root@noble:~# apt update
Get:1 http://security.ubuntu.com/ubuntu noble-security InRelease [126 kB]
Hit:2 http://archive.ubuntu.com/ubuntu noble InRelease
Get:3 http://us.archive.ubuntu.com/ubuntu noble-proposed InRelease [265 kB]
Get:4 http://archive.ubuntu.com/ubuntu noble-updates InRelease [126 kB]
Get:5 http://archive.ubuntu.com/ubuntu noble-backports InRelease [126 kB]
Get:6 http://archive.ubuntu.com/ubuntu noble/universe amd64 Packages [15.0 MB]
Get:7 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages [433 kB]
Get:8 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages [180 kB]
Get:9 http://us.archive.ubuntu.com/ubuntu noble-proposed/main Translation-en [48.6 kB]
Get:10 http://security.ubuntu.com/ubuntu noble-security/main Translation-en [93.2 kB]
Get:11 http://security.ubuntu.com/ubuntu noble-security/main amd64 Components [7152 B]
Get:12 http://security.ubuntu.com/ubuntu noble-security/main amd64 c-n-f Metadata [5816 B]
Get:13 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 Components [22.0 kB]
Get:14 http://security.ubuntu.com/ubuntu noble-security/universe amd64 Packages [555 kB]
Get:15 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 c-n-f Metadata [3556 B]
Get:16 http://us.archive.ubuntu.com/ubuntu noble-proposed/universe amd64 Packages [650 kB]
Get:17 http://us.archive.ubuntu.com/ubuntu noble-proposed/universe Translation-en [79.1 kB]
Get:18 http://security.ubuntu.com/ubuntu noble-security/universe Translation-en [148 kB]
Get:19 http://us.archive.ubuntu.com/ubuntu noble-proposed/universe amd64 Components [68.0 kB]
Get:20 http://us.archive.ubuntu.com/ubuntu noble-proposed/universe amd64 c-n-f Metadata [10.7 kB]
Get:21 http://security.ubuntu.com/ubuntu noble-security/universe amd64 Components [51.9 kB]
Get:22 http://security.ubuntu.com/ubuntu noble-security/universe amd64 c-n-f Metadata [13.5 kB]
Get:23 http://security.ubuntu.com/ubuntu noble-security/restricted amd64 Packages [388 kB]
Get:24 http://security.ubuntu.com/ubuntu noble-security/restricted Translation-en [74.8 kB]
Get:25 http://archive.ubuntu.com/ubuntu noble/universe Translation-en [5982 kB]
Get:26 http://archive.ubuntu.com/ubuntu noble/universe amd64 Components [3871 kB]
Get:27 http://security.ubuntu.com/ubuntu noble-security/restricted amd64 Components [212 B]
Get:28 http://security.ubuntu.com/ubuntu noble-security/multiverse amd64 Packages [10.9 kB]
Get:29 http://security.ubuntu.com/ubuntu noble-security/multiverse Translation-en [2808 B]
Get:30 http://security.ubuntu.com/ubuntu noble-security/multiverse amd64 Components [212 B]
Get:31 http://security.ubuntu.com/ubuntu noble-security/multiverse amd64 c-n-f Metadata [344 B]
Get:32 http://archive.ubuntu.com/ubuntu noble/universe amd64 c-n-f Metadata [301 kB]
Get:33 http://archive.ubuntu.com/ubuntu noble/multiverse amd64 Packages [269 kB]
Get:34 http://archive.ubuntu.com/ubuntu noble/multiverse Translation-en [118 kB]
Get:35 http://archive.ubuntu.com/ubuntu noble/multiverse amd64 Components [35.0 kB]
Get:36 http://archive.ubuntu.com/ubuntu noble/multiverse amd64 c-n-f Metadata [8328 B]
Get:37 http://archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages [599 kB]
Get:38 http://archive.ubuntu.com/ubuntu noble-updates/main Translation-en [146 kB]
Get:39 http://archive.ubuntu.com/ubuntu noble-updates/main amd64 Components [114 kB]
Get:40 http://archive.ubuntu.com/ubuntu noble-updates/main amd64 c-n-f Metadata [10.3 kB]
Get:41 http://archive.ubuntu.com/ubuntu noble-updates/universe amd64 Packages [707 kB]
Get:42 http://archive.ubuntu.com/ubuntu noble-updates/universe Translation-en [210 kB]
Get:43 http://archive.ubuntu.com/ubuntu noble-updates/universe amd64 Components [305 kB]
Get:44 http://archive.ubuntu.com/ubuntu noble-updates/universe amd64 c-n-f Metadata [19.8 kB]
Get:45 http://archive.ubuntu.com/ubuntu noble-updates/restricted amd64 Packages [388 kB]
Get:46 http://archive.ubuntu.com/ubuntu noble-updates/restricted Translation-en [74.8 kB]
Get:47 http://archive.ubuntu.com/ubuntu noble-updates/restricted amd64 Components [212 B]
Get:48 http://archive.ubuntu.com/ubuntu noble-updates/multiverse amd64 Packages [14.7 kB]
Get:49 http://archive.ubuntu.com/ubuntu noble-updates/multiverse Translation-en [3820 B]
Get:50 http://archive.ubuntu.com/ubuntu noble-updates/multiverse amd64 Components [940 B]
Get:51 http://archive.ubuntu.com/ubuntu noble-updates/multiverse amd64 c-n-f Metadata [552 B]
Get:52 http://archive.ubuntu.com/ubuntu noble-backports/main amd64 Components [208 B]
Get:53 http://archive.ubuntu.com/ubuntu noble-backports/main amd64 c-n-f Metadata [112 B]
Get:54 http://archive.ubuntu.com/ubuntu noble-backports/universe amd64 Packages [10.6 kB]
Get:55 http://archive.ubuntu.com/ubuntu noble-backports/universe Translation-en [10.8 kB]
Get:56 http://archive.ubuntu.com/ubuntu noble-backports/universe amd64 Components [21.0 kB]
Get:57 http://archive.ubuntu.com/ubuntu noble-backports/universe amd64 c-n-f Metadata [1104 B]
Get:58 http://archive.ubuntu.com/ubuntu noble-backports/restricted amd64 Components [212 B]
Get:59 http://archive.ubuntu.com/ubuntu noble-backports/restricted amd64 c-n-f Metadata [116 B]
Get:60 http://archive.ubuntu.com/ubuntu noble-backports/multiverse amd64 Components [212 B]
Get:61 http://archive.ubuntu.com/ubuntu noble-backports/multiverse amd64 c-n-f Metadata [116 B]
Fetched 31.8 MB in 5s (6608 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
16 packages can be upgraded. Run 'apt list --upgradable' to see them.

Then, confirmed the bug using the CURRENT version:

root@noble:~# lsof -i :22
COMMAND PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
systemd   1 root  47u   IPv6 10390833      0t0  TCP *:ssh (LISTEN)

Then, checked that the NEW version fixes the bug:

root@noble:~# apt install openssh-server -y -t noble-proposed
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  openssh-client openssh-sftp-server
Suggested packages:
  keychain libpam-ssh monkeysphere ssh-askpass molly-guard
The following packages will be upgraded:
  openssh-client openssh-server openssh-sftp-server
3 upgraded, 0 newly installed, 0 to remove and 71 not upgraded.
Need to get 1451 kB of archives.
After this operation, 1024 B of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 openssh-sftp-server amd64 1:9.6p1-3ubuntu13.6 [37.3 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 openssh-server amd64 1:9.6p1-3ubuntu13.6 [509 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 openssh-client amd64 1:9.6p1-3ubuntu13.6 [905 kB]
Fetched 1451 kB in 0s (4309 kB/s)
Preconfiguring packages ...
(Reading database ... 34495 files and directories currently installed.)
Preparing to unpack .../openssh-sftp-server_1%3a9.6p1-3ubuntu13.6_amd64.deb ...
Unpacking openssh-sftp-server (1:9.6p1-3ubuntu13.6) over (1:9.6p1-3ubuntu13.5) ...
Preparing to unpack .../openssh-server_1%3a9.6p1-3ubuntu13.6_amd64.deb ...
Unpacking openssh-server (1:9.6p1-3ubuntu13.6) over (1:9.6p1-3ubuntu13.5) ...
Preparing to unpack .../openssh-client_1%3a9.6p1-3ubuntu13.6_amd64.deb ...
Unpacking openssh-client (1:9.6p1-3ubuntu13.6) over (1:9.6p1-3ubuntu13.5) ...
Setting up openssh-client (1:9.6p1-3ubuntu13.6) ...
Setting up openssh-sftp-server (1:9.6p1-3ubuntu13.6) ...
Setting up openssh-server (1:9.6p1-3ubuntu13.6) ...
Replacing config file /etc/ssh/sshd_config with new version
Processing triggers for man-db (2.12.0-4build2) ...
Processing triggers for ufw (0.36.2-6) ...
Scanning processes...

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@noble:~# lsof -i :22
COMMAND PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
systemd   1 root  42u   IPv4 10398858      0t0  TCP *:ssh (LISTEN)
systemd   1 root  49u   IPv6 10398859      0t0  TCP *:ssh (LISTEN)

And, did the remaining tests to make sure that AddressFamily is honored correctly:

root@noble:~# echo "AddressFamily inet" > /etc/ssh/sshd_config.d/custom.conf
root@noble:~# systemctl daemon-reload
root@noble:~# systemctl restart ssh.socket
root@noble:~# lsof -i :22
COMMAND PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
systemd   1 root  42u   IPv4 10400868      0t0  TCP *:ssh (LISTEN)

root@noble:~# echo "AddressFamily inet6" > /etc/ssh/sshd_config.d/custom.conf
root@noble:~# echo "Port 1234" >> /etc/ssh/sshd_config.d/custom.conf
root@noble:~# systemctl daemon-reload
root@noble:~# systemctl restart ssh.socket
root@noble:~# lsof -i :1234
COMMAND PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
systemd   1 root  39u   IPv6 10394546      0t0  TCP *:1234 (LISTEN)

Finally, I took a look at the autopkgtest[1] and found that the new tests are passing:

2330s autopkgtest [10:35:34]: test sshd-socket-generator: [-----------------------
2330s test_default...PASS
2330s test_custom_port...PASS
2330s test_default_and_custom_port...PASS
2330s test_mutiple_custom_ports...PASS
2330s test_custom_listenaddress...PASS
2330s test_custom_listenaddress_and_port...PASS
2330s test_custom_ipv6_listenaddress...PASS
2330s test_custom_family_ipv4...PASS
2330s test_custom_family_ipv6...PASS
2330s test_custom_port_and_family_ipv4...PASS
2330s test_custom_port_and_family_ipv6...PASS
2331s autopkgtest [10:35:35]: test sshd-socket-generator: -----------------------]
2331s sshd-socket-generator PASS

[1] https://autopkgtest.ubuntu.com/results/autopkgtest-noble/noble/amd64/o/openssh/20241023_104810_f2c24@/log.gz

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2080216

Title:
  sshd cannot bind to IPv4 interfaces

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Noble:
  Fix Committed

Bug description:
  [Impact]

  The default listening sockets for sshd are different depending on
  whether socket activation is used or not, even when
  /etc/ssh/sshd_config is the default. E.g.:

  # Socket-activated
  root@n2:~# systemctl status ssh.socket
  ● ssh.socket - OpenBSD Secure Shell server socket
       Loaded: loaded (/usr/lib/systemd/system/ssh.socket; enabled; preset: enabled)
       Active: active (listening) since Tue 2024-10-01 20:36:15 UTC; 12min ago
     Triggers: ● ssh.service
       Listen: [::]:22 (Stream)
       CGroup: /system.slice/ssh.socket

  Oct 01 20:36:15 n2 systemd[1]: Listening on ssh.socket - OpenBSD Secure Shell server socket.
  root@n2:~# lsof -i :22
  COMMAND PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
  systemd   1 root  47u   IPv6 2781411      0t0  TCP *:ssh (LISTEN)

  # Non-socket-activated
  root@n2:~# systemctl disable --now ssh.socket
  Removed "/etc/systemd/system/ssh.service.requires/ssh.socket".
  Removed "/etc/systemd/system/sockets.target.wants/ssh.socket".
  root@n2:~# ln -s /dev/null /etc/systemd/system-generators/sshd-socket-generator
  root@n2:~# systemctl enable --now ssh.service
  Synchronizing state of ssh.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
  Executing: /usr/lib/systemd/systemd-sysv-install enable ssh
  Created symlink /etc/systemd/system/sshd.service → /usr/lib/systemd/system/ssh.service.
  Created symlink /etc/systemd/system/multi-user.target.wants/ssh.service → /usr/lib/systemd/system/ssh.service.
  root@n2:~# lsof -i :22
  COMMAND PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
  sshd    798 root   3u   IPv4 2793622      0t0  TCP *:ssh (LISTEN)
  sshd    798 root   4u   IPv6 2793624      0t0  TCP *:ssh (LISTEN)

  By default, we have net.ipv6.bindv6only=0 sysctl, and
  BindIPv6Only=both on ssh.socket, which means usually users can connect
  over IPv4 regardless. However, the fact remains that the resulting
  listening sockets are different in these two cases, and
  socket-activated ssh does not accurately reflect the settings in
  /etc/ssh/sshd_config.

  [Test Plan]

  1. Check that on a noble system, without custom sshd_config, sshd is
  listening on both IPv4 and IPv6 on port 22:

  $ lsof -i :22

  2. Check that setting AddressFamily to e.g. inet results in only an
  IPv4 socket:

  $ echo "AddressFamily inet" >> /etc/ssh/sshd_config.d/custom.conf
  $ systemctl daemon-reload
  $ systemctl restart ssh.socket
  $ lsof -i :22

  There should only be one listener now.

  3. Check the same thing with inet6, and a custom port for good
  measure:

  $ echo "AddressFamily inet6" >> /etc/ssh/sshd_config.d/custom.conf
  $ echo "Port 1234" >> /etc/ssh/sshd_config.d/custom.conf
  $ systemctl daemon-reload
  $ systemctl restart ssh.socket
  $ lsof -i :1234

  4. The new tests in debian/tests/sshd-socket-generator should all pass
  in autopkgtest.

  [Where problems could occur]

  The fix requires new default settings in the [Socket] section of
  ssh.socket, and handling for new defaults in sshd-socket-generator. It
  would be more likely to see problems with the generator as opposed to
  the changes in ssh.socket. However, new subtests were added to
  debian/tests/sshd-socket-generator to help avoid this.

  [Original Description]

  After upgrading from 22.04 to 24.04 I noticed that my sshd was only
  listening on the IPv6 interface (::), while previously it was
  listening on both IPv4 (0.0.0.0) and IPv6 (::).

  I tried to explicitly specify ListenAddress 0.0.0.0 (assuming it would
  bind to IPv4 only) but after restart sshd was still listening on IPv6
  only.

  This problem affects other packages as well, for example, openvpn.
  Rebuilding applications from sources seems to fix the issue.

  Setting net.ipv6.bindv6only=0 also helps, but that's not a solution.

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: openssh-server 1:9.6p1-3ubuntu13.5
  ProcVersionSignature: Ubuntu 6.8.0-41.41-generic 6.8.12
  Uname: Linux 6.8.0-41-generic x86_64
  ApportVersion: 2.28.1-0ubuntu3.1
  Architecture: amd64
  CasperMD5CheckResult: unknown
  Date: Tue Sep 10 16:45:54 2024
  ProcEnviron:
   LANG=C.UTF-8
   PATH=(custom, no user)
   SHELL=/bin/bash
   TERM=screen.xterm-256color
  SourcePackage: openssh
  UpgradeStatus: Upgraded to noble on 2024-09-10 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2080216/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
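
Added example, not part of the original bug report or the openssh packaging: a shell check for the test plan above that compares the socket types in lsof output with what the effective AddressFamily should produce. Function names and sample data are constructed for illustration; it assumes the config text is supplied in the order sshd reads it, where the first value obtained for a keyword is the one used.

```shell
#!/bin/sh
# Added example: does the listener set match AddressFamily?
# On a live host, `sshd -T` reports the effective value directly.

# Effective AddressFamily from sshd_config-style text on stdin.
# sshd keeps the first value it reads for a keyword; the default is "any".
effective_family() {
    awk 'tolower($1) == "addressfamily" && !seen { print tolower($2); seen = 1 }
         END { if (!seen) print "any" }'
}

# Socket types a given AddressFamily should produce, per the test plan.
expected_types() {
    case "$1" in
        any)   echo "IPv4 IPv6" ;;
        inet)  echo "IPv4" ;;
        inet6) echo "IPv6" ;;
        *)     return 2 ;;
    esac
}

# Socket types actually listening, from `lsof -i :PORT` output on stdin.
# Column 5 is TYPE; only rows whose last field is (LISTEN) count.
actual_types() {
    awk '$NF == "(LISTEN)" { print $5 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# check_listeners FAMILY < lsof-output ; returns 0 when they agree.
check_listeners() {
    want=$(expected_types "$1") || return 2
    got=$(actual_types)
    [ "$want" = "$got" ]
}

# Constructed samples, modelled on the lsof output quoted in the report.
LSOF_V6_ONLY='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 47u IPv6 10390833 0t0 TCP *:ssh (LISTEN)'
LSOF_BOTH='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 42u IPv4 10398858 0t0 TCP *:ssh (LISTEN)
systemd 1 root 49u IPv6 10398859 0t0 TCP *:ssh (LISTEN)'

# Default config with an IPv6-only listener is the mismatch the bug describes.
printf '%s\n' "$LSOF_V6_ONLY" | check_listeners any ||
    echo "mismatch: AddressFamily any, but listeners are not IPv4 + IPv6"
```

Because the first AddressFamily line wins, appending a second value with >> to a drop-in that already sets one leaves the earlier value in effect; effective_family shows which value applies before the lsof comparison is made.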