49

I am on Ubuntu 22.10 and I cannot change SSH default port. I have tried the following:

  • Edited /etc/ssh/sshd_config, left the default #Port 22 line but added Port 1234 below it.

  • Then added allow rule for it in UFW using the command:

    sudo ufw allow 1234
    

    which added:

    To Action From
    1234 ALLOW Anywhere
    1234 (v6) ALLOW Anywhere (v6)

I then restarted the SSH service using 2 different methods (see start of block below), but I saw no change. Service status states it started listening on port 22 and to verify this I checked the listening ports and sure enough it's still 22.

$ sudo systemctl restart ssh
$ sudo service ssh restart
$ systemctl status ssh
ssh.service - OpenBSD Secure Shell server
 Loaded: loaded (/lib/systemd/system/ssh.service; disabled; preset: enabled)
Drop-In: /etc/systemd/system/ssh.service.d
         └─00-socket.conf
 Active: active (running) since Mon 2022-11-07 10:12:52 AEDT; 5s ago
TriggeredBy: ● ssh.socket
   Docs: man:sshd(8)
         man:sshd_config(5)
Process: 54858 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
Main PID: 54859 (sshd)
  Tasks: 1 (limit: 1020)
 Memory: 1.3M
    CPU: 13ms
 CGroup: /system.slice/ssh.service
         └─54859 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

Nov 07 10:12:52 webserver.abc.com systemd[1]: Starting OpenBSD Secure Shell server...
Nov 07 10:12:52 webserver.abc.com sshd[54859]: Server listening on :: port 22.
Nov 07 10:12:52 webserver.abc.com systemd[1]: Started OpenBSD Secure Shell server.

$ ss -tlpn
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       4096    :22                 *:                 -

Am I missing a step or doing something wrong? I do note the service status has preset: enabled, but multiple guides I've read haven't mentioned anything about disabling anything like presets.

EDIT: Thanks matigo for reminding me, but sshd.service doesn't seem to be installed yet. I have the config files and can remote in just fine, not sure if I just don't understand and I need to install sshd for it to take over the default SSH operations?

muru
  • 207,970
Silently
  • 1,301
  • Can I confirm that the service name is ssh rather than sshd? Generally the server is restarted with service sshd restart if you are using the standard server for Ubuntu – matigo Nov 06 '22 at 23:38
  • @matigo I thought that but the default box from linode of this version of ubuntu when I look at the service list with systemctl list-units --type=service I only see one entry for ssh: ssh.service loaded active running OpenBSD Secure Shell server

    Do I need to install sshd separately? I thought of this but then thought it strange that I have sshd config files and I can ssh in just fine at the moment using defaults.

    When trying to do anything with sshd it suggests it doesn't exist: Unit sshd.service could not be found.

    – Silently Nov 07 '22 at 00:18
  • openssh-client/kinetic,now 1:9.0p1-1ubuntu7 amd64 [installed] openssh-server/kinetic,now 1:9.0p1-1ubuntu7 amd64 [installed] – Silently Nov 07 '22 at 00:37
  • Could you edit the question to include what you tried when you say "I then restart the SSH service using 2 different methods but I see no change"? For beginners, the most surefire way to restart a service is probably to reboot the computer. Additionally if you're on Linode then the host may have some backend magic going on and you should probably search their documentation. – rexypoo Nov 07 '22 at 02:57
  • @rexypoo Thanks Rexy, I actually did include the commands in the block just below it. I've edited the post to refer to below. – Silently Nov 07 '22 at 03:31
  • Nothing worked for me, I tried everything below to no avail. After wasting some time, it was a new server install, so I rebooted to try to terminate the running ssh and get it to reset it. Actually it still didn't work, it's still running on port 22!! – ubuntu Feb 08 '23 at 22:43

8 Answers

76

SSHd now uses socket-based activation on Ubuntu 22.10 or later. Read more about this change being discussed here.

TLDR: The /etc/ssh/sshd_config are unused, now that I read the comments in full I found:

# Port and ListenAddress options are not used when sshd is socket-activated,
# which is now the default in Ubuntu. See sshd_config(5) and
# /usr/share/doc/openssh-server/README.Debian.gz for details.

Your options for changing from default port:

  • Turning off this change and reverting to how SSHd worked prior to this update (From twinsen in discussion linked above):

    • systemctl disable --now ssh.socket
    • systemctl enable --now ssh.service
    • Then the /etc/ssh/sshd_config works again with Ports and Addresses setting
  • OR Listening socket stream update (from saxl in discussion linked above)

    1. mkdir -p /etc/systemd/system/ssh.socket.d
    2. cat >/etc/systemd/system/ssh.socket.d/listen.conf <<EOF
      [Socket]
      ListenStream=
      ListenStream=1234
      EOF
      
    3. sudo systemctl daemon-reload
    4. sudo systemctl restart ssh.socket

It should then state it's started listening on the new port: systemctl status ssh ...

Nov 07 14:42:37 webserver.abc.com sshd[58725]: Server listening on 0.0.0.0 port 1234.
Nov 07 14:42:37 webserver.abc.com sshd[58725]: Server listening on :: port 1234

Silently
  • 1,301
  • reverting to how SSHd worked prior didn't work for me but the second solution is working perfectly, thank you sir! – Andrew G Feb 28 '23 at 12:53
  • disable socket doesn't work on Ubuntu 23, the new config does work. – Pablo Pazos Jun 14 '23 at 00:12
  • 3
    Important: don't forget to add the funny "ListenStream=" line (with no address). Without it it doesn't work -- and doesn't print any error messages either :( – Jan Jul 05 '23 at 07:28
  • I don't use funny "ListenStream=" line and I can connect to old 22 port or to new 1234 port... But after I add funny "ListenStream=" line I can connect for new 1234 port only. Ubuntu 23 – Andrew Ternity Oct 25 '23 at 12:43
  • 3
    after trying the no longer working sshd_config method first I also needed to reboot to stop port 22 listening – Stuart Cardall Nov 25 '23 at 22:55
  • 2
    For Ubuntu 24.04, I needed to use ListenStream=0.0.0.0:1234 in listen.conf to get it working. – creativecoder Nov 11 '24 at 18:07
  • 2
    Instead of creating the file manually, use systemctl edit ssh.socket. – Seweryn Niemiec Dec 22 '24 at 11:28
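
Added example (not part of the answer or the comments above): the comments disagree about the empty ListenStream= line, and the reason is that systemd appends every ListenStream= value to a list and only an empty assignment clears what came before. The sketch below models that merge rule for ListenStream= only; the function names and the sample unit and drop-in contents are constructed for the illustration.

```shell
#!/bin/sh
# Added example: models how ListenStream= values accumulate across a unit
# file and its drop-ins. All file contents below are constructed samples.

# Print the effective ListenStream values for the files given, in read order.
effective_listen_streams() {
    awk '
        FNR == 1 { in_socket = 0 }             # new file: no section seen yet
        /^[ \t]*[#;]/ { next }                 # comment line
        /^[ \t]*\[/ { in_socket = ($0 ~ /^[ \t]*\[Socket\]/); next }
        in_socket && /^[ \t]*ListenStream[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (val == "") { n = 0 }           # empty assignment resets the list
            else { list[++n] = val }
        }
        END { for (i = 1; i <= n; i++) print list[i] }
    ' "$@"
}

# Succeed if port $1 is still among the effective listeners of files $2...
port_still_open() {
    want=$1; shift
    effective_listen_streams "$@" | sed 's/.*://' | grep -Fqx "$want"
}

# Constructed samples: the packaged unit, then a drop-in with and without reset.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '[Socket]\nListenStream=22\n' > "$demo_dir/ssh.socket"
printf '[Socket]\nListenStream=\nListenStream=1234\n' > "$demo_dir/with-reset.conf"
printf '[Socket]\nListenStream=1234\n' > "$demo_dir/no-reset.conf"

for dropin in with-reset.conf no-reset.conf; do
    streams=$(effective_listen_streams "$demo_dir/ssh.socket" "$demo_dir/$dropin" | tr '\n' ' ')
    if port_still_open 22 "$demo_dir/ssh.socket" "$demo_dir/$dropin"; then
        echo "$dropin: port 22 is still exposed (listeners: $streams)"
    else
        echo "$dropin: port 22 closed (listeners: $streams)"
    fi
done
```

Pass the real unit file first and the drop-ins after it in lexical order, which is the order systemd reads them in.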
18

In Ubuntu 24.04, everything works with the default setup, just the behavior is now slightly different than before. I'm not sure if this would have worked already on Ubuntu 22.04 up until 23.10 - I can currently only test on 24.04.

To change the port, just uncomment the line starting with Port in /etc/ssh/sshd_config (remove the hashtag # in front of the line), then change the value from 22 to whatever is suitable for your needs.

The new thing is: To activate this new config, it is now required to inform systemd about the change:

sudo systemctl daemon-reload

Then the ssh service and socket can be restarted as before, to activate the change:

sudo systemctl restart ssh.socket
sudo systemctl restart ssh.service

This immediately activates the new config. I have tested this on Ubuntu 24.04 and it instantly allows connecting to the host using the new port. For testing, you may try with ssh and something like:

ssh -p<your-new-port-number> localhost 

This should successfully open the connection to your host on the new port, and possibly ask for your password, or log you in automatically (i.e. when using key-based authentication).

emmenlau
  • 336
  • 3
  • 8
  • 2
    In 24.04 this is the only solution that worked. Tried with the ssh.socket.d confs but those did not help, old port was still used. – Kristjan Adojaan Dec 04 '24 at 10:19
  • 1
    Yes, this is the (only) right answer, as this change will remain persistent after updates and reboots. – Ingo Wald Apr 13 '25 at 19:16
16

This is how I solved the OpenSSH port issue on Ubuntu 22.10.

Important - Please take a backup or snapshot before you make changes.

Use the nano editor and change the value of ListenStream parameter

sudo nano /lib/systemd/system/ssh.socket

Change the following parameter to the port of your choice e.g. 44022

ListenStream=44022

Save the file and quit nano editor.

sudo systemctl daemon-reload
sudo systemctl restart ssh
sudo netstat -tulpn

Now you should be able to see that the port 44022 is open.

Do not forget to open the port on firewall e.g. ufw.

sudo ufw allow 44022

I suggest you open another putty session to ensure you are able to login.

reepy
  • 55
Cyberian
  • 177
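
Added example (not part of the answer above): a check to run from the session that is still open, comparing what is actually listening with what ufw allows, so that an old port left open or a new port that never came up is caught before logging out. The function names are hypothetical and the ss and ufw outputs are constructed samples in the format shown in the question.

```shell
#!/bin/sh
# Added example; the sample outputs below are constructed, not captured.

# Print the distinct local TCP ports from `ss -tln` output read on stdin.
listening_ports() {
    awk '$1 == "LISTEN" { p = $4; sub(/.*:/, "", p); print p }' | sort -un
}

# Print the numeric ports that `ufw status` output (stdin) allows for TCP.
ufw_allowed_ports() {
    awk '$2 == "ALLOW" || ($2 == "(v6)" && $3 == "ALLOW") {
             p = $1; sub(/\/tcp$/, "", p)
             if (p ~ /^[0-9]+$/) print p        # skips udp-only and named rules
         }' | sort -un
}

# check_port_move OLD NEW SS_TEXT UFW_TEXT: report problems, return 0 if clean.
check_port_move() {
    cpm_old=$1; cpm_new=$2; cpm_rc=0
    cpm_ports=$(printf '%s\n' "$3" | listening_ports)
    cpm_allowed=$(printf '%s\n' "$4" | ufw_allowed_ports)
    if ! printf '%s\n' "$cpm_ports" | grep -Fqx "$cpm_new"; then
        echo "FAIL: nothing is listening on $cpm_new"; cpm_rc=1
    fi
    if printf '%s\n' "$cpm_ports" | grep -Fqx "$cpm_old"; then
        echo "FAIL: $cpm_old is still listening"; cpm_rc=1
    fi
    if ! printf '%s\n' "$cpm_allowed" | grep -Fqx "$cpm_new"; then
        echo "FAIL: ufw does not allow $cpm_new/tcp"; cpm_rc=1
    fi
    return $cpm_rc
}

# Constructed: the state described in the question, then the intended state.
sample_ss_before='LISTEN 0 4096 *:22 *:*'
sample_ss_after='LISTEN 0 4096 0.0.0.0:1234 0.0.0.0:*
LISTEN 0 4096 [::]:1234 [::]:*'
sample_ufw='To                         Action      From
--                         ------      ----
1234                       ALLOW       Anywhere
1234 (v6)                  ALLOW       Anywhere (v6)'

check_port_move 22 1234 "$sample_ss_before" "$sample_ufw" || echo "=> keep this session open"
check_port_move 22 1234 "$sample_ss_after" "$sample_ufw" && echo "OK: port move is complete"
```

On a live host, pass "$(ss -Htln)" and "$(sudo ufw status)" as the last two arguments.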
3

SSHd now uses socket-based activation on Ubuntu 22.10 or later. Read more about this change being discussed here.

For my purposes adding a socket handler is a complication that we do not want, so we are adding the following to our pre-ansible installation steps to remove ssh.socket and go back to using the sshd_config file. (Some of these were not previously documented, so this might save someone else some time.)

Previously we would do the following post-build.

add line "Port 4022" after "#Port 22" in /etc/ssh/sshd_config then

sudo systemctl restart ssh

It looks like the following was required on a new ubuntu 20.10 (Mate 20.10) installation.

add line "Port 4022" after "#Port 22" in /etc/ssh/sshd_config then

sudo systemctl disable --now ssh.socket
sudo systemctl enable --now ssh.service
sudo mv /etc/systemd/system/ssh.service.d/00-socket.conf ./save_disable_ssh.service.d_00-socket.conf
sudo systemctl daemon-reload
sudo systemctl stop ssh
sudo systemctl stop ssh.socket
sudo systemctl start ssh

ymmv

Zanna
  • 72,471
2

I followed the steps from others but nothing worked,... until I uninstalled openssh-server and then reinstalled it, along with ssh.

  1. mkdir -p /etc/systemd/system/ssh.socket.d
    
  2. nano /etc/systemd/system/ssh.socket.d/listen.conf
    
    [Socket]
    ListenStream=
    ListenStream=1234
    
  3. sudo apt remove --purge openssh-server
    
  4. sudo apt install openssh-server ssh
    
  5. sudo systemctl daemon-reload
    
  6. sudo systemctl restart ssh
    

After this, running sudo systemctl status ssh should show you are listening on the ports originally setup.

Feb 21 19:28:08 Computer systemd[1]: Starting OpenBSD Secure Shell server...
Feb 21 19:28:08 Computer sshd[48455]: Server listening on :: port 1234.
Feb 21 19:28:08 Computer systemd[1]: Started OpenBSD Secure Shell server.

I do not understand why but I wonder if there was some daemon that did not want to be restarted/reloaded or killed, but uninstalling and reinstalling forced that and therefore picked up the new configuration changes. Very ugly.

muru
  • 207,970
C.D.
  • 379
0

@Silently is right, probably... But systemctl disable --now ssh.socket ; systemctl enable --now ssh.service method doesn't work for me. I don't care why Ubuntu team decided to break SSHD severely, they do it wrong regardless of their intentions: only that odd "Listening socket stream update" method works!

Update: the topic starter didn't mention that you should do it in a slightly different way:

  1. mkdir -p /etc/systemd/system/ssh.socket.d
    
  2. cat > /etc/systemd/system/ssh.socket.d/listen.conf << EOF
    [Socket]
    ListenStream=
    ListenStream=1234
    EOF
    
  3. Change SSHD port one way or another (I added /etc/ssh/sshd_config.d/local.conf with Port 1234)

  4. [sudo] systemctl daemon-reload

  5. [sudo] systemctl restart ssh

steeldriver
  • 143,099
0

I followed the answers to this question today (2023-02-14), and still was getting a SSH service being spawned on ipv6, even though I had set AcceptFamily inet and ListenAddress 10.0.2.15:2022 configured on my /etc/ssh/sshd_config file on Ubuntu 22.10, then configured listen.conf with the different port.

Well, I traced this bug report: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1993478/comments/14 which led me to the script on https://launchpadlibrarian.net/630622842/openssh_9.0p1-1ubuntu8.debdiff

which hinted the solution for me. So, if you need a basic configuration of a single ipv4 address listening on a custom port (e.g. 10.0.2.15 on 22022), do this:

  • Erase all Port and ListenAddress information on /etc/ssh/sshd_config
  • Create the directory /etc/systemd/system/ssh.socket.d (i.e. sudo mkdir -p /etc/systemd/system/ssh.socket.d)
  • Put this content to the /etc/systemd/system/ssh.socket.d/addresses.conf file:

[Socket]
ListenStream=
ListenStream=10.0.2.15:2022

HINT: Do not put Accept=yes on this configuration, hoping for the OS to spawn a ssh service on connection demand. On a new Ubuntu 22.10 installation and configuration as in this answer, this made the ssh service listen on 0.0.0.0 port 22, and even worse, not start on boot.

Then issue these commands:

systemctl daemon-reload
systemctl disable ssh.socket
systemctl stop ssh.socket
systemctl enable ssh.service
systemctl start ssh.service
Niloct
  • 121
0

I've found one more caveat using WSL. The port is defined by default as

[Socket]
ListenStream=22

Which means "listen IPv6, and IPv4 also". However, netstat -nl46 shows only ::1:22 is being listened, and IP v4 port listening is not forwarded to Windows host. I had to reconfigure it with explicitly separate directives, only then both IPv6 and IPv4 listening are forwarded to Windows host. So my /etc/systemd/system/ssh.socket.d/override.conf is:

[Socket]
# It is the default, do not repeat
# ListenStream=22
# It is the default which is not forwarded to Windows host
# BindIPv6Only=both
# Override it to avoid conflict
BindIPv6Only=ipv6-only
# Explicitly listen IPv4 in addition
ListenStream=0.0.0.0:22