Thank you Simon and Seth, for your quick response. I have looked into this further by installing a virgin Ubuntu Server 20.04 with SSH.
Changing the 'Port' in /etc/ssh/sshd_config to 7722 starts sshd on port 7722 and NOT on port 22, just like you said, Simon. BUT:
Rename sshd_config to something_else and replace sshd_config with two lines to include the original config (now called something_else) and set the Port to 7722:
systemctl stop ssh
mv /etc/ssh/sshd_config /etc/ssh/something_else
cat > /etc/ssh/sshd_config <<EOF
Include /etc/ssh/something_else
Port 7722
EOF
systemctl start ssh
systemctl status ssh
# restore the original config:
mv /etc/ssh/something_else /etc/ssh/sshd_config
Which will show:
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2020-05-02 15:31:37 UTC; 13s ago
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 45261 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 45271 (sshd)
      Tasks: 1 (limit: 18457)
     Memory: 1.3M
     CGroup: /system.slice/ssh.service
             └─45271 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
May 02 15:31:37 cabernet systemd[1]: Starting OpenBSD Secure Shell server...
May 02 15:31:37 cabernet sshd[45271]: Server listening on 0.0.0.0 port 7722.
May 02 15:31:37 cabernet sshd[45271]: Server listening on :: port 7722.
May 02 15:31:37 cabernet sshd[45271]: Server listening on 0.0.0.0 port 22.
May 02 15:31:37 cabernet sshd[45271]: Server listening on :: port 22.
May 02 15:31:37 cabernet systemd[1]: Started OpenBSD Secure Shell server.
So, NOW it will have ports 22 AND 7722 open!
If one sets debug level 3 in /etc/default/ssh (SSHD_OPTS="-d -d -d"), syslog will show that 'something_else' is read from line 1 in sshd_config and that the Port is set afterwards (and not anywhere in /etc/ssh/something_else).
May 2 15:34:01 cabernet systemd[1]: Stopping OpenBSD Secure Shell server...
May 2 15:34:01 cabernet systemd[1]: ssh.service: Succeeded.
May 2 15:34:01 cabernet systemd[1]: Stopped OpenBSD Secure Shell server.
May 2 15:34:01 cabernet systemd[1]: Starting OpenBSD Secure Shell server...
May 2 15:34:01 cabernet sshd[45345]: debug2: load_server_config: filename /etc/ssh/sshd_config
May 2 15:34:01 cabernet sshd[45345]: debug2: load_server_config: done config len = 43
May 2 15:34:01 cabernet sshd[45345]: debug2: parse_server_config_depth: config /etc/ssh/sshd_config len 43
May 2 15:34:01 cabernet sshd[45345]: debug2: /etc/ssh/sshd_config line 1: new include /etc/ssh/something_else
May 2 15:34:01 cabernet sshd[45345]: debug2: /etc/ssh/sshd_config line 1: including /etc/ssh/something_else
May 2 15:34:01 cabernet sshd[45345]: debug2: load_server_config: filename /etc/ssh/something_else
May 2 15:34:01 cabernet sshd[45345]: debug2: load_server_config: done config len = 296
May 2 15:34:01 cabernet sshd[45345]: debug2: parse_server_config_depth: config /etc/ssh/something_else len 296
May 2 15:34:01 cabernet sshd[45345]: debug2: /etc/ssh/something_else line 13: new include /etc/ssh/sshd_config.d/*.conf
May 2 15:34:01 cabernet sshd[45345]: debug2: /etc/ssh/something_else line 13: no match for /etc/ssh/sshd_config.d/*.conf
May 2 15:34:01 cabernet sshd[45345]: debug3: /etc/ssh/something_else:63 setting ChallengeResponseAuthentication no
May 2 15:34:01 cabernet sshd[45345]: debug3: /etc/ssh/something_else:86 setting UsePAM yes
May 2 15:34:01 cabernet sshd[45345]: debug3: /etc/ssh/something_else:91 setting X11Forwarding yes
May 2 15:34:01 cabernet sshd[45345]: debug3: /etc/ssh/something_else:95 setting PrintMotd no
May 2 15:34:01 cabernet sshd[45345]: debug3: /etc/ssh/something_else:113 setting AcceptEnv LANG LC_*
May 2 15:34:01 cabernet sshd[45345]: debug3: /etc/ssh/something_else:116 setting Subsystem sftp#011/usr/lib/openssh/sftp-server
May 2 15:34:01 cabernet sshd[45345]: debug3: /etc/ssh/sshd_config:2 setting Port 7722
May 2 15:34:01 cabernet sshd[45345]: debug1: sshd version OpenSSH_8.2, OpenSSL 1.1.1f 31 Mar 2020
May 2 15:34:01 cabernet sshd[45345]: debug1: private host key #0: ssh-rsa SHA256:wiRec7mI3CIkcHIwvlEC137Ak+aZzEPocrwYHZtEn7M
May 2 15:34:01 cabernet sshd[45345]: debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:qdlfKdKcW/T2Rm13DFa6KqHRxCwZNxPZPV/0nu1/uDM
May 2 15:34:01 cabernet sshd[45345]: debug1: private host key #2: ssh-ed25519 SHA256:RqHjOSrBKft8jayVulIKh/y7EGkmFE+acxTLOPd4HOc
May 2 15:34:01 cabernet sshd[45345]: debug1: rexec_argv[0]='/usr/sbin/sshd'
May 2 15:34:01 cabernet sshd[45345]: debug1: rexec_argv[1]='-D'
May 2 15:34:01 cabernet sshd[45345]: debug1: rexec_argv[2]='-d'
May 2 15:34:01 cabernet sshd[45345]: debug1: rexec_argv[3]='-d'
May 2 15:34:01 cabernet sshd[45345]: debug1: rexec_argv[4]='-d'
May 2 15:34:01 cabernet sshd[45345]: debug3: already daemonized
May 2 15:34:01 cabernet sshd[45345]: debug3: oom_adjust_setup
May 2 15:34:01 cabernet sshd[45345]: debug1: Set /proc/self/oom_score_adj from 0 to -1000
May 2 15:34:01 cabernet sshd[45345]: debug2: fd 3 setting O_NONBLOCK
May 2 15:34:01 cabernet sshd[45345]: debug1: Bind to port 7722 on 0.0.0.0.
May 2 15:34:01 cabernet sshd[45345]: Server listening on 0.0.0.0 port 7722.
May 2 15:34:01 cabernet sshd[45345]: debug2: fd 4 setting O_NONBLOCK
May 2 15:34:01 cabernet sshd[45345]: debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
May 2 15:34:01 cabernet sshd[45345]: debug1: Bind to port 7722 on ::.
May 2 15:34:01 cabernet sshd[45345]: Server listening on :: port 7722.
May 2 15:34:01 cabernet sshd[45345]: debug2: fd 5 setting O_NONBLOCK
May 2 15:34:01 cabernet sshd[45345]: debug1: Bind to port 22 on 0.0.0.0.
May 2 15:34:01 cabernet sshd[45345]: Server listening on 0.0.0.0 port 22.
May 2 15:34:01 cabernet sshd[45345]: debug2: fd 6 setting O_NONBLOCK
May 2 15:34:01 cabernet sshd[45345]: debug3: sock_set_v6only: set socket 6 IPV6_V6ONLY
May 2 15:34:01 cabernet sshd[45345]: debug1: Bind to port 22 on ::.
May 2 15:34:01 cabernet sshd[45345]: Server listening on :: port 22.
May 2 15:34:01 cabernet systemd[1]: Started OpenBSD Secure Shell server.
I have read the source code for sshd, but I cannot find the 'obvious' place where this goes wrong, although the juggling of the options structure in process_config_line_depth() (in readconf.c) may have something to do with it.
This bug probably won't affect too many people. Given that I have already found a work-around and that I will now look into the 'Match' keyword (which I was not aware of) to avoid running two daemons, I suggest handling this issue at a low priority.
(Yes, my private keys are visible. This temporary install is not accessible from the internet and will be scrapped in a few hours anyway.)
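A check for the condition reported above, as an added example that is not part of the original comment or of OpenSSH: it collects the Port directives reachable from sshd_config (following Include) and prints any port that the "Server listening on" log lines show but no directive declares. The function names, the temporary directory and the contents of something_else are constructed for illustration; the four log lines are the ones quoted in the comment.

```shell
# Added example: flag ports sshd logs as listening that no Port directive declares.

# Print each Port value in config file $1 and in the files it Includes.
# Simplified: absolute Include paths/globs only, "Keyword value" syntax only.
declared_ports() {
    while read -r key val rest || [ -n "$key" ]; do
        case $(printf '%s' "$key" | tr 'A-Z' 'a-z') in
            port)    printf '%s\n' "$val" ;;
            include) for f in $val $rest; do
                         [ -f "$f" ] && declared_ports "$f"
                     done ;;
        esac
    done < "$1"
    return 0
}

# Read an sshd log on stdin; print the distinct ports it reports listening on.
listening_ports() {
    sed -n 's/.*Server listening on .* port \([0-9][0-9]*\)\.$/\1/p' | sort -un
}

# Log on stdin, top-level config in $1: print listening ports never declared.
undeclared_listeners() {
    declared=$(declared_ports "$1")
    [ -n "$declared" ] || declared=22   # sshd's default when Port is absent
    listening_ports | while read -r p; do
        printf '%s\n' "$declared" | grep -qx "$p" || printf '%s\n' "$p"
    done
}

# Constructed sample mirroring the layout in the report, in a temp directory.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/something_else" <<EOF
Include $demo/sshd_config.d/*.conf
#Port 22
UsePAM yes
EOF
cat > "$demo/sshd_config" <<EOF
Include $demo/something_else
Port 7722
EOF
# The four "Server listening" lines quoted in the report.
sample_log='May 02 15:31:37 cabernet sshd[45271]: Server listening on 0.0.0.0 port 7722.
May 02 15:31:37 cabernet sshd[45271]: Server listening on :: port 7722.
May 02 15:31:37 cabernet sshd[45271]: Server listening on 0.0.0.0 port 22.
May 02 15:31:37 cabernet sshd[45271]: Server listening on :: port 22.'
printf '%s\n' "$sample_log" | undeclared_listeners "$demo/sshd_config"
```

On a live host the same function can read the output of `journalctl -u ssh` with /etc/ssh/sshd_config as its argument.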