1

I stumbled over the following issue while debugging SSH connections. I have an Ubuntu 24.04 system with openssh-server installed. The corresponding systemd service is running (now named ssh.service & ssh.socket on 24.04).

I checked for open sockets that listen on port 22. To my surprise, there was no socket listening on IPv4. The only entry is for IPv6. Nevertheless, I was able to connect via IPv4 (127.0.0.1 and the given DHCP address). What I expected is the behavior found on my older Ubuntu 22.04, where two sockets listen, one for IPv4 and one for IPv6. I know that something has changed in the ssh(d) service in the latest Ubuntu; nevertheless, this way of detecting open (listening) sockets seems to be "broken".

Questions:

  1. Is this expected behavior?

  2. Why did this change?

  3. How to reliably detect all listening sockets (for IPv4/6)?

Missing IPv4 listening socket:
Ubuntu 24.04 | openssh-server/noble-updates,now 1:9.6p1-3ubuntu13.5 amd64

$ sudo netstat -peant | grep 22
<HERE I WOULD EXPECT AN ENTRY>
tcp6       0      0 :::22                   :::*                    LISTEN      0          13806      1/init   

$ sudo ss -tln | grep 22
<HERE I WOULD EXPECT AN ENTRY>
LISTEN 0      4096               *:22               *:*

$ sudo ss -tln -4 | grep 22
<EMPTY: HERE I WOULD EXPECT AN ENTRY>

Expected:
Ubuntu 22.04.4 LTS | openssh-server/jammy-updates,jammy-security,now 1:8.9p1-3ubuntu0.10 amd64

$ sudo netstat -peatn | grep 22
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          27791      1381/sshd: /usr/sbi
tcp6       0      0 :::22                   :::*                    LISTEN      0          27793      1381/sshd: /usr/sbi

$ sudo ss -tln | grep 22
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*

2 Answers

2

The IPv6 listening socket you see in the netstat output accepts both IPv6 and IPv4 connections. This has been normal behavior on Linux for ages, but can be changed by using the IPV6_V6ONLY socket option. You can view (and change) the default value of this socket option with cat /proc/sys/net/ipv6/bindv6only.

The dual role of IPv6 listening sockets has aroused some controversy, with some people claiming that it is a security problem. RFC 3493 "Basic Socket Interface Extensions for IPv6" has the details, and specifies that the IPV6_V6ONLY socket option's default value should be "off". Nonetheless, both Windows and BSD default to "on".
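
The behavior described in this answer, as an added example that is not part of the original answer: a Python sketch that opens a wildcard IPv6 listener on an ephemeral port, checks which /proc/net table (the ones netstat reads) lists it, and tries an IPv4 connection to it, once with IPV6_V6ONLY off and once with it on. The function names `listed_in` and `probe` are made up for illustration, and the code assumes Linux with IPv6 support.

```python
import socket

def listed_in(path, port):
    """True if the /proc/net table at `path` has a LISTEN row for `port`."""
    with open(path) as table:
        next(table)  # skip the header row
        for row in table:
            fields = row.split()
            local, state = fields[1], fields[3]  # hex "ADDR:PORT", hex TCP state
            if state == "0A" and int(local.rsplit(":", 1)[1], 16) == port:
                return True  # 0A is TCP_LISTEN
    return False

def probe(v6only):
    """Listen on [::]:<ephemeral> and report how the socket looks and behaves."""
    with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as srv:
        # Set the option explicitly instead of inheriting the bindv6only sysctl.
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
        srv.bind(("::", 0))
        srv.listen(1)
        srv.settimeout(2)
        port = srv.getsockname()[1]
        result = {
            "tcp": listed_in("/proc/net/tcp", port),    # IPv4 table
            "tcp6": listed_in("/proc/net/tcp6", port),  # IPv6 table
            "ipv4_connect": False,
            "peer": None,
        }
        try:
            with socket.create_connection(("127.0.0.1", port), timeout=2):
                conn, peer = srv.accept()
                conn.close()
                result["ipv4_connect"] = True
                result["peer"] = peer[0]  # IPv4 client seen as IPv4-mapped IPv6
        except ConnectionRefusedError:
            pass  # v6-only listener: nothing answers on the IPv4 side
    return result

if __name__ == "__main__":
    for flag in (False, True):
        print("IPV6_V6ONLY =", int(flag), probe(flag))
```

With the option off, the IPv4 client is reported as ::ffff:127.0.0.1, which is the form that address-based allow lists and log searches on such a listener may need to account for.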

1
0

In the sshd_config file, you have the following directives:

ListenAddress 0.0.0.0
ListenAddress ::

The second is for IPv6 and the first is for IPv4.
Set the above listen address for IPv4 alongside IPv6.

1
  • A note for Ubuntu 24 and higher: There have been breaking changes, such that this answer won't be applicable anymore. Commented Sep 22 at 15:23
