[Bug] Can't change the ssh port on 6.4.16 bookworm



Posted

Hi, everyone,

 

Recently, I found I can't change the SSH port on 6.4.16 bookworm (Onecloud) CLI version (https://github.com/armbian-delta/os/releases/download/23.8.0-trunk.2/Armbian_23.8.0-trunk.2_Onecloud_bookworm_edge_6.4.16.img.xz#onecloud).

   

I changed `/etc/ssh/sshd_config` and added `Port 10086`, and then I restarted the system. It's still not working; the SSH port only works on `22`.

 

But at the same time, I found that the other thing I added, `KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1`, is working.

   

So I checked whether SELinux is disabled; sestatus says it's disabled.

 

and checked the sshd status... it's still on port 22, no 10086:

```
root@onecloud:~# service sshd status
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; preset: enabled)
     Active: active (running) since Thu 2023-10-12 14:15:38 CST; 3s ago
TriggeredBy: ● ssh.socket
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 7609 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 7610 (sshd)
      Tasks: 1 (limit: 2190)
     Memory: 1.0M
        CPU: 305ms
     CGroup: /system.slice/ssh.service
             └─7610 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

Oct 12 14:15:38 onecloud systemd[1]: Starting ssh.service - OpenBSD Secure Shel>
Oct 12 14:15:38 onecloud sshd[7610]: Server listening on :: port 22.
Oct 12 14:15:38 onecloud systemd[1]: Started ssh.service - OpenBSD Secure Shell
```

 

 

So I checked `netstat -atunlp | grep sshd`; there is only 22..

```
tcp6       0      0 192.168.1.112:22        xxx:20158     ESTABLISHED 3147/sshd: root@pts
tcp6       0    144 192.168.1.112:22       xxx:22320     ESTABLISHED 3514/sshd: root@pts
```

iptables has nothing on it:

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

 

 

So, it may be a bug: sshd can't read the configuration to open a new port?

Posted
11 minutes ago, SteeMan said:

That isn't an official Armbian release; it is some fork of official Armbian.


It's where Armbian community builds are made, which are anyway not officially supported ...

  • Armbian project maintainers do not answer any support questions regarding those builds!
  • Support? Check general install instructions or TV box specific
Posted

BTW. @samond

 

This could very much be a Debian upstream problem ... Last week I installed an Armbian Ubuntu Jammy x86 build on one of the new servers, and one of the things I did was change the SSH port. Works as expected.

Posted (edited)

Well, I found the solution for these sucky settings.... @Igor

Uhhh, it's a community release....... @SteeMan

Hope this could help someone else....

It seems like the SSH port is ruled by sshd.socket rather than sshd.service....

So, we need to add an sshd.socket at `/etc/systemd/system`:

 

```
[Socket]
ListenStream=
ListenStream=4200
```

(the first `ListenStream=` is to disable the default 22)

and then verify it with `cat /etc/systemd/system/sshd.socket.d/override.conf`

and then run `systemctl daemon-reload`, `systemctl enable sshd.socket`, `systemctl start sshd.socket`

check the status with `systemctl status sshd.socket`

 

 

-----------------------------

 

Furthermore, some branches do not support sftp, so...

`sudo mkdir -p /etc/systemd/system/sshd@.service.d`

In `/etc/systemd/system/sshd@.service.d/sftp.conf` write this (the section header and the key go on separate lines):

```
[Service]
Environment="OPTIONS=-o Subsystem=\"sftp /usr/libexec/sftp-server\""
```

`sudo systemctl daemon-reload`

Edited by samond
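As an added example (not code from this thread), a small POSIX shell script that applies the rule samond's post uncovered: a ListenStream in ssh.socket, including any drop-in, is what opens the port, and only when the socket has no listener does the Port directive in sshd_config count. It assumes the unit and config files are passed in as paths, so it can be pointed at constructed copies, and uses only awk.

```shell
#!/bin/sh
# Which port will sshd really listen on? When ssh.socket (systemd socket
# activation) carries a ListenStream, systemd binds the port and sshd's own
# "Port" directive is never consulted; only with no socket listener does
# /etc/ssh/sshd_config decide. Added example, not code from the thread.

# Ports declared in socket unit files, in systemd merge order (unit first,
# then its .d/*.conf drop-ins). An empty "ListenStream=" clears the list,
# which is the trick used in the post above; later entries add to it again.
socket_ports() {
    awk -F= '
        /^\[/ { insock = ($0 == "[Socket]"); next }
        insock {
            k = $1; gsub(/[ \t]/, "", k)
            if (k != "ListenStream") next
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (v == "") { n = 0; next }      # reset the listener list
            sub(/^.*:/, "", v)                # "[::]:22" -> "22"
            ports[n++] = v
        }
        END { s = ""; for (i = 0; i < n; i++) { if (i) s = s " "; s = s ports[i] }; print s }
    ' "$@" </dev/null
}

# Ports from sshd_config: every uncommented "Port N" line, default 22.
config_ports() {
    awk 'tolower($1) == "port" { p = (p == "" ? $2 : p " " $2) }
         END { print (p == "" ? "22" : p) }' "$1"
}

# $1 = sshd_config, remaining args = ssh.socket and any drop-ins (may be none).
effective_ssh_ports() {
    cfg=$1; shift
    p=$(socket_ports "$@")
    if [ -n "$p" ]; then echo "socket:$p"; else echo "config:$(config_ports "$cfg")"; fi
}

# Constructed sample mirroring the reports above: packaged socket still on
# 22, an sshd_config asking for 61022, and a drop-in that fixes it.
d=$(mktemp -d)
printf '[Socket]\nListenStream=22\nAccept=no\n' > "$d/ssh.socket"
printf '#Port 22\nPort 61022\n' > "$d/sshd_config"
printf '[Socket]\nListenStream=\nListenStream=61022\n' > "$d/override.conf"
effective_ssh_ports "$d/sshd_config" "$d/ssh.socket"                    # socket:22
effective_ssh_ports "$d/sshd_config" "$d/ssh.socket" "$d/override.conf" # socket:61022
```

On a live box the same call is `effective_ssh_ports /etc/ssh/sshd_config /lib/systemd/system/ssh.socket /etc/systemd/system/ssh.socket.d/*.conf`, which is a quick way to see why `Port` is being ignored.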
Posted (edited)

Same here ... I installed Armbian_24.5.1_Odroidxu4_bookworm_current_6.6.31_minimal.img today, along with a few other tools I regularly use:

```
root@odroidxu4:~# grep "Port " /etc/ssh/sshd_config
#Port 22
Port 61022

root@odroidxu4:~# systemctl restart ssh
root@odroidxu4:~# systemctl status ssh | grep listening
Jun 10 23:03:06 odroidxu4 sshd[1309]: Server listening on :: port 22.

root@odroidxu4:~# lsof -nPi | grep ssh | grep -v grep
sshd      1149            root    4u  IPv6  16682      0t0  TCP 192.168.1.6:22->192.168.1.53:42810 (ESTABLISHED)
sshd      1309            root    3u  IPv6   7753      0t0  TCP *:22 (LISTEN)
```

 

How to effectively change sshd port with newest Armbian, please? These same steps worked in Armbian_21.05.4_Odroidxu4_buster_legacy_4.14.222.img, just as they have in every other Linux distribution.

 

I tried to follow samond's solution, but still no altered sshd port:

```
root@odroidxu4:~# cat /etc/systemd/system/sshd.socket
[Socket]
ListenStream=
ListenStream=61022

root@odroidxu4:~# systemctl daemon-reload && systemctl enable sshd.socket && systemctl start sshd.socket
The unit files have no installation config (WantedBy=, RequiredBy=, Also=,
Alias= settings in the [Install] section, and DefaultInstance= for template
units). This means they are not meant to be enabled using systemctl.
```

Edited by ynotssor
trying to understand what's needed
Posted
On 6/11/2024 at 8:19 AM, ynotssor said:

How to effectively change sshd port with newest Armbian, please?


It is possible we broke it unintentionally while fixing something else. @Alessandro Lannocca Would recently applied changes affect this? It seems it's bookworm related.

Posted

Negative, I have Raspbian with version 12 bookworm installed on other Pi 3b and can successfully change sshd listen port.

 

Even armbian-config doesn't allow an alternate port. The problem requires a fix in Armbian.

Posted
1 hour ago, ynotssor said:

The problem requires a fix in Armbian.


Yes, it is possible. We have to look into this.

Posted
On 6/13/2024 at 1:07 PM, Igor said:

It is possible we broke it unintentionally while fixing something else. @Alessandro Lannocca Would recently applied changes affect this? It seems it's bookworm related.

Works for me on Trixie, will check with Bookworm:

```
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

Port 1122
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

[...]
```

```
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/usr/lib/systemd/system/ssh.service; enabled; preset: disabled)
     Active: active (running) since Sun 2024-06-16 02:31:25 CEST; 13s ago
 Invocation: cd3972f4454d4e37a5ce90e6fade1946
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 1054 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 1103 (sshd)
      Tasks: 9 (limit: 4296)
     Memory: 40.1M (peak: 56.2M)
        CPU: 9.397s
     CGroup: /system.slice/ssh.service
             ├─1103 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"
             ├─1347 "sshd: kali [priv]"
             ├─1510 "sshd: kali@pts/0"
             ├─1511 -zsh
             ├─1525 tmux -u -2 -f /usr/share/byobu/profiles/tmuxrc new-session -n - /usr/bin/byobu-shell
             ├─1559 tmux -u -2 -f /usr/share/byobu/profiles/tmuxrc new-session -n - /usr/bin/byobu-shell
             ├─1567 /usr/bin/zsh
             ├─1789 systemctl status ssh
             └─1790 less

giu 16 02:31:24 nappio systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
giu 16 02:31:25 nappio sshd[1103]: Server listening on 0.0.0.0 port 1122.
giu 16 02:31:25 nappio sshd[1103]: Server listening on :: port 1122.
giu 16 02:31:25 nappio systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
gi
```

 

We're not using ssh.socket by default anymore, so I expect ssh to honour the "Port" directive from the config file: @ynotssor, can you please share your "/etc/ssh/sshd_config" and any file under "/etc/ssh/ssh_config.d"?

Thank you!

Posted

Trying vanilla bookworm from trunk on nanopi-r5c, changing the sshd port seems to work:

 

```
aless@CORBINO ~ % ssh root@192.168.1.101 -p 61022
root@192.168.1.101's password: 
X11 forwarding request failed on channel 0
 _   _ ____  _   ____  ____   ____ 
| \ | |  _ \(_) |  _ \| ___| / ___|
|  \| | |_) | | | |_) |___ \| |    
| |\  |  __/| | |  _ < ___) | |___ 
|_| \_|_|   |_| |_| \_\____/ \____|
                                   
Welcome to Armbian-unofficial 24.8.0-trunk Bookworm with Linux 6.6.34-current-rockchip64

No end-user support: built from trunk

System load:   15%           	Up time:       4 min	
Memory usage:  5% of 3.65G  	IP:	       192.168.1.101
CPU temp:      41°C           	Usage of /:    4% of 58G    	
RX today:      n/a	  	

[ General system configuration (beta): armbian-config ]

Last login: Sun Jun 16 17:03:59 2024 from 192.168.1.116
nappio:~:# systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; preset: enabled)
     Active: active (running) since Sun 2024-06-16 17:05:26 CEST; 30s ago
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 3174 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 3175 (sshd)
      Tasks: 1 (limit: 4297)
     Memory: 3.2M
        CPU: 567ms
     CGroup: /system.slice/ssh.service
             └─3175 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

Jun 16 17:05:26 nappio systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
Jun 16 17:05:26 nappio sshd[3175]: Server listening on 0.0.0.0 port 61022.
Jun 16 17:05:26 nappio sshd[3175]: Server listening on :: port 61022.
Jun 16 17:05:26 nappio systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
Jun 16 17:05:42 nappio sshd[3178]: Accepted password for root from 192.168.1.116 port 51699 ssh2
Jun 16 17:05:42 nappio sshd[3178]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Jun 16 17:05:43 nappio sshd[3178]: pam_env(sshd:session): deprecated reading of user environment enabled
nappio:~:#
```

 

/etc/ssh/sshd_config:

```
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

Port 61022
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
```

 

Posted (edited)

@Igor

I'm on Orange Pi One

Armbian 24.5.1 Bookworm with Linux 6.6.31-current-sunxi

 

I found a fix for this, since I also have issues with the default /etc/ssh/sshd_config: changing the port number simply doesn't work because the ssh.service is running on ssh.socket.

I found out that /etc/systemd/system/sockets.target.wants has 2 files, ssh.socket and uuidd.socket; the ssh.socket file is symlinked to /lib/systemd/system/ssh.socket.

Simply deleting the /lib/systemd/system/ssh.socket file will make the /etc/ssh/sshd_config file usable again. After deleting the /lib/systemd/system/ssh.socket file, execute the command `sudo systemctl daemon-reload`.

Edit the SSH port number in /etc/ssh/sshd_config and put your desired port number (i.e. 6120), and allow the port number in the ufw firewall.

Restart ssh.service with `sudo systemctl restart ssh`, enable the ssh service with `sudo systemctl enable ssh.service`, then check the status and test by logging in over SSH:

`ssh username@yourdomain.com -p 6120`

This fix works for me.

 

Alternatively, you may also change the port number directly in /lib/systemd/system/ssh.socket:

```
[Unit]
Description=OpenBSD Secure Shell server socket
Before=sockets.target
#ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Socket]
ListenStream=6120
Accept=no

[Install]
WantedBy=sockets.target
```

then execute `sudo systemctl daemon-reload` followed by `sudo systemctl restart ssh`.

This alternative fix will still run SSH as a socket service, but both of them work fine.

 

 

Edited by Ephraim Gariguez
Posted

Update on the above issues:

When a new update for SSH is applied using `sudo apt update && sudo apt upgrade`, the same configuration issue will just revert back to running SSH using ssh.socket again, even if you choose not to overwrite the configuration from the update selection screen.

Your /etc/ssh/sshd_config will not be overwritten; however, the deleted /lib/systemd/system/ssh.socket file will be re-created by the update. So restarting or rebooting the SSH server will revert to ssh.socket operation again, opening port number 22, even if you reboot.

The correct fix would be to just disable the port number in /lib/systemd/system/ssh.socket: just leave the ListenStream blank to disable the ssh socket. Stop the SSH service using `sudo systemctl stop ssh`, issue `sudo systemctl daemon-reload`, and finally restart ssh with `sudo systemctl restart ssh`. With the configuration below applied in the ssh.socket file, the ssh server will revert to reading /etc/ssh/sshd_config, and changing the port number and other configuration from that file will work.

ssh.socket config:

```
[Unit]
Description=OpenBSD Secure Shell server socket
Before=sockets.target

#ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Socket]
ListenStream=
Accept=no

[Install]
WantedBy=sockets.target
```
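As an added example, not code from the thread: the /lib unit gets re-created by upgrades as noted in the post above, while a drop-in under /etc/systemd/system/ssh.socket.d/ (the same file `systemctl edit ssh.socket` creates) is layered over the packaged unit by systemd and left alone by the package, so the port change survives apt. The script below writes that drop-in and keeps sshd_config in agreement; the root-prefix argument and the demo files are assumptions so it can run against a scratch directory.

```shell
#!/bin/sh
# Durable port change for a socket-activated sshd: a drop-in in /etc instead
# of an edit to /lib/systemd/system/ssh.socket. Added example, not from the
# thread. ROOT is a prefix (assumption) so the functions can be exercised
# against a scratch directory rather than the live filesystem.

write_ssh_socket_override() {   # $1 = port, $2 = root prefix (default "")
    port=$1; root=${2:-}
    case $port in
        ''|*[!0-9]*) echo "port must be numeric, got '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    dir="$root/etc/systemd/system/ssh.socket.d"
    mkdir -p "$dir" || return 1
    # The empty ListenStream= clears the packaged 22; the next line adds ours.
    printf '[Socket]\nListenStream=\nListenStream=%s\n' "$port" > "$dir/override.conf"
}

# Keep sshd_config in agreement, so the same port is used whether systemd's
# socket or a plain ssh.service start ends up opening it.
set_sshd_config_port() {        # $1 = port, $2 = path to sshd_config
    f=$2
    [ -f "$f" ] || return 1
    # Drop every active "Port" line (commented ones stay), then append ours.
    awk 'tolower($1) != "port"' "$f" > "$f.tmp" &&
        printf 'Port %s\n' "$1" >> "$f.tmp" &&
        mv "$f.tmp" "$f"
}

# Demo against a constructed scratch root, not the live system.
scratch=$(mktemp -d)
mkdir -p "$scratch/etc/ssh"
printf '#Port 22\n' > "$scratch/etc/ssh/sshd_config"
write_ssh_socket_override 61022 "$scratch"
set_sshd_config_port 61022 "$scratch/etc/ssh/sshd_config"
cat "$scratch/etc/systemd/system/ssh.socket.d/override.conf"
# On the live system call both with an empty root prefix (as root), then:
#   systemctl daemon-reload
#   systemctl stop ssh.service ssh.socket && systemctl start ssh.socket ssh.service
# from a console or a session you keep open until the new port answers.
```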
 

 
