[GH-ISSUE #536] [BUG] SSH service is not restarted in ubuntu 24.04 #86

Open
opened 2026-03-03 13:59:01 +03:00 by kerem · 15 comments

Originally created by @GauthierPLM on GitHub (Dec 10, 2024).
Original GitHub issue: https://github.com/konstruktoid/hardening/issues/536

Originally assigned to: @konstruktoid on GitHub.

Describe the bug
During setup, the ssh service is not properly restarted at the end of the setup process.
If SSH port has been changed, we are locked out of the machine as ufw only allows the new port but sshd is still listening on the old port.

The service name is now ssh and no more sshd, maybe this causes the issue?

To Reproduce

  1. Set up a fresh Ubuntu 24.04 machine.
  2. Change SSH port to 12322 (or any other port)
  3. use any as FW_ADMIN value.
  4. run ubuntu.sh
  5. once completed, try to SSH into the machine -> connection is refused.

Expected behavior

ssh.service should be properly restarted.

System (lsb_release -a):

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 24.04.1 LTS
Release: 24.04
Codename: noble


@konstruktoid commented on GitHub (Dec 10, 2024):

Thanks for creating the issue @GauthierPLM, I believe it's fixed now.


@GauthierPLM commented on GitHub (Dec 17, 2024):

Hi @konstruktoid

I tested again today and while there was no warning about sshd service not being found, the service wasn't restarted and I had to restart it manually.


@konstruktoid commented on GitHub (Dec 17, 2024):

So the fix didn't work?


@GauthierPLM commented on GitHub (Dec 17, 2024):

It does not indeed.


@konstruktoid commented on GitHub (Dec 18, 2024):

Can you try this diff?

diff --git a/scripts/sshdconfig b/scripts/sshdconfig
index 8a971b7..01a22bf 100644
--- a/scripts/sshdconfig
+++ b/scripts/sshdconfig
@@ -170,7 +170,7 @@ function f_sshdconfig {
   chown root:root "$SSHDCONF"
   chmod 0600 "$SSHDCONF"

-  systemctl restart ssh.service
+  bash -it -c 'systemctl restart ssh.service'

   if [[ $VERBOSE == "Y" ]]; then
     systemctl status ssh.service --no-pager
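Review bot: wrapping the restart in `bash -it -c` (the `+` line) does not change what `systemctl restart ssh.service` does, so it cannot fix a restart that already completes without error; `-i` only makes the child shell interactive and `-t` makes it exit after one command, which `-c` already implies, and when ubuntu.sh runs without a terminal (cloud-init, a non-tty ssh session) `bash -i` additionally prints job-control warnings. Since the reporter saw no error from the restart yet sshd kept listening on the old port, the useful check is on the configuration the daemon actually loads: run `sshd -T | grep -i '^port '` before the restart and, after it, confirm the listener with `ss -tlnp | grep sshd`, aborting the script if the expected port is absent, rather than only printing `systemctl status` when VERBOSE is set.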

@GauthierPLM commented on GitHub (Dec 20, 2024):

Tried today at 12h30 on an existing machine (not yet hardened), and the fix didn't solve the issue. The service still listens on port 22:

# ss -tulpn | grep -e 'ssh\|12322'
tcp   LISTEN 0      4096                     *:22              *:*    users:(("sshd",pid=65406,fd=3))

I had to restart the service myself.

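The lockout described in this thread happens because the firewall is switched to the new port while sshd is still bound to the old one. The following is an added example, not code from the hardening project: it parses `ss -tlnp` output and refuses a firewall cutover until an sshd process listens on the new port and no longer on the old one. The two sample outputs are constructed to match the ss format in the comment above; the port numbers 22 and 12322 are the ones from the report.

```sh
#!/bin/sh
# Added example, not code from the hardening project: decide from "ss -tlnp"
# output whether sshd really listens on the new port before the firewall stops
# admitting the old one. The sample text is constructed to match the ss format
# shown in the report; on a live host pipe real output in instead.

SAMPLE_BEFORE='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      4096             *:22                *:*     users:(("sshd",pid=65406,fd=3))
LISTEN 0      4096   127.0.0.53%lo:53          0.0.0.0:*   users:(("systemd-resolve",pid=700,fd=14))'

SAMPLE_AFTER='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      4096       0.0.0.0:12322         0.0.0.0:*   users:(("sshd",pid=70012,fd=3))
LISTEN 0      4096          [::]:12322            [::]:*   users:(("sshd",pid=70012,fd=4))
LISTEN 0      4096   127.0.0.53%lo:53          0.0.0.0:*   users:(("systemd-resolve",pid=700,fd=14))'

# Distinct TCP ports on which an sshd process is listening, read from ss text on
# stdin. The local address is the first field ending in ":<digits>", which covers
# "*:22", "0.0.0.0:22" and "[::]:22" and skips the header and the "*:*" peer.
sshd_listen_ports() {
  awk '/LISTEN/ && /users:\(\("sshd"/ {
         for (i = 1; i <= NF; i++)
           if ($i ~ /:[0-9]+$/) { n = split($i, a, ":"); print a[n]; break }
       }' | sort -un
}

# Exit 0 only when sshd listens on the new port ($1) and no longer on the old one
# ($2). Run this after "systemctl restart ssh.service" and before removing the
# old port from ufw; a non-zero exit means the cutover would lock you out.
ready_for_firewall_cutover() {
  ports=$(sshd_listen_ports)
  printf '%s\n' "$ports" | grep -qx "$1" || return 1
  printf '%s\n' "$ports" | grep -qx "$2" && return 1
  return 0
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_BEFORE" | ready_for_firewall_cutover 12322 22 \
  && echo "before restart: safe to cut over" \
  || echo "before restart: NOT safe, sshd still on 22"
printf '%s\n' "$SAMPLE_AFTER" | ready_for_firewall_cutover 12322 22 \
  && echo "after restart: safe to cut over" \
  || echo "after restart: NOT safe"
```

On a real host the gate reads `ss -tlnp | ready_for_firewall_cutover 12322 22 && ufw delete allow 22/tcp`; keeping both ports open in ufw until that check passes turns a lockout into a harmless extra rule.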

@konstruktoid commented on GitHub (Dec 20, 2024):

don't really have an idea why this is happening, will continue to test


@GauthierPLM commented on GitHub (Dec 20, 2024):

I don't know if it will help, but the machines are ARN cloud servers from Hetzner, running Ubuntu 24.04.

This is my cloud-init.yaml file:

#cloud-config
users:
  - name: ...
    groups: users, sudo
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    ssh_authorized_keys:
      - ...
package_update: true
package_upgrade: true
write_files:
  - path: /etc/ssh/sshd_config.d/99-custom.conf
    content: |
      PermitRootLogin no
      PasswordAuthentication no
      KbdInteractiveAuthentication no
      ChallengeResponseAuthentication no
      MaxAuthTries 2
      AllowTcpForwarding no
      X11Forwarding no
      AllowAgentForwarding no
      AuthorizedKeysFile .ssh/authorized_keys
      AllowUsers ...
    owner: root:root
    permissions: '0644'
runcmd:
  - reboot

@filisko commented on GitHub (Apr 16, 2025):

same here... crazy that this is happening, i had to restart my server and had downtime on an important service :/


@GauthierPLM commented on GitHub (Apr 16, 2025):

@filisko until it's fixed, you can restart the SSH service immediately after running the hardening script:

sudo bash ubuntu.sh && sudo systemctl restart ssh.service


@konstruktoid commented on GitHub (Apr 17, 2025):

@filisko unless there's a kernel update, you probably don't need to restart your server at all.

@GauthierPLM yeah, I'll see if I can add that somehow, haven't really seen another workaround


@Dimi8146 commented on GitHub (Jul 30, 2025):

I could replicate this issue & it annoyed me enough to look into it a bit.

I found a suspicious new sshd_config.d folder with special characters at the end after I finished running the hardening script. Inside I found the hardening.conf file buried in a duplicate /etc/ssh/sshd_config.d/ folder path. But what was annoying was this couldn't be replicated at home, it only occurred on cloud infra.

So, I hunted down the pathfinding logic in sshdconfig, copied it to a cloud shell environment, & it initially looked fine - except when I deleted the variable it was assigned to & looked at the output to the terminal directly:

user@server:~$ "$(dirname $(grep '^Include' /etc/ssh/sshd_config | awk '{print $NF}'))"
-bash: /etc/ssh/sshd_config.d
/etc/ssh/sshd_config.d
/etc/ssh/sshd_config.d: No such file or directory

I fed this into gpt, along with what I was originally having a problem with and the context of the codebase, then asked it why multiple lines returned when I expected one. It gave me grep/awk + command substitution as the reason for why there was a newline being carried through into dirname, and ultimately creating the unseen folder containing the intended ssh hardening changes. It also gave the following suggestion:

user@server:~$ $(dirname "$(awk '/^Include/{print $NF; exit}' /etc/ssh/sshd_config)")
-bash: /etc/ssh/sshd_config.d: Is a directory

Not sure if the reasoning is accurate, but I patched sshdconfig with the below diff & the next use ran fine.

- INCLUDEDIR="$(dirname $(grep '^Include' /etc/ssh/sshd_config | awk '{print $NF}'))"
+ INCLUDEDIR=$(dirname "$(awk '/^Include/{print $NF; exit}' /etc/ssh/sshd_config)")
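Review bot: the `+` line still yields a plausible-looking but wrong path when sshd_config contains no Include line at all: awk prints nothing, `dirname ""` returns `.`, and the hardening drop-in would be written relative to the current working directory. Guard the value before anything is written, e.g. `[[ -d "$INCLUDEDIR" ]] || { echo "no sshd Include directory found"; exit 1; }`. Taking only the first Include (the `exit`) is the right scope for this bug, since the doubled path in the maintainer's reproduction below comes from a second Include line feeding a second argument to dirname.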

@konstruktoid commented on GitHub (Jul 30, 2025):

nicely done @Dimi8146, could you submit a PR?

$ INCLUDEDIR="$(dirname $(sudo grep '^Include' /etc/ssh/sshd_config | awk '{print $NF}'))"
$ echo $INCLUDEDIR
/etc/ssh/sshd_config.d /etc/ssh/sshd_config.d
$ INCLUDEDIR="$(dirname "$(sudo awk '/^Include/{print $NF; exit}' /etc/ssh/sshd_config)")"
$ echo $INCLUDEDIR
/etc/ssh/sshd_config.d
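The newline leak that @Dimi8146 describes and @konstruktoid reproduces above, carried through to the directory it creates, as an added example that is not the project's code. It assumes, as the two paths in the maintainer's output indicate, that the affected images have two Include lines in sshd_config, and it uses a throwaway directory in place of /etc/ssh so it can run anywhere; buggy_includedir and fixed_includedir are the two expressions from the diff, verbatim apart from the config path argument.

```sh
#!/bin/sh
# Added example, not code from the hardening project: reproduce the INCLUDEDIR
# bug from scripts/sshdconfig on a constructed sshd_config and compare the fix.
# Assumption: the affected image has two "Include" lines in sshd_config, which is
# what the two paths in the maintainer's reproduction show.

# Build a throwaway root with a constructed sshd_config. The include directory
# is deliberately absent so the "*.conf" glob stays literal, as on a fresh box.
make_fixture() {
  local root cfg
  root=$(mktemp -d)
  mkdir -p "$root/etc/ssh"
  cfg="$root/etc/ssh/sshd_config"
  printf '%s\n' \
    "Include $root/etc/ssh/sshd_config.d/*.conf" \
    "Include $root/etc/ssh/sshd_config.d/*.conf" \
    'Port 22' > "$cfg"
  printf '%s' "$root"
}

# Original expression: the inner $(...) is unquoted, so the two Include targets
# become two arguments to dirname and two lines come back in the variable.
buggy_includedir() {
  printf '%s' "$(dirname $(grep '^Include' "$1" | awk '{print $NF}'))"
}

# Fixed expression from the diff: first Include only, quoted, one argument.
fixed_includedir() {
  printf '%s' "$(dirname "$(awk '/^Include/{print $NF; exit}' "$1")")"
}

# Number of lines in a value; anything above 1 means a newline leaked through.
line_count() {
  printf '%s\n' "$1" | wc -l | tr -d ' '
}

# What the script does next: mkdir -p "$INCLUDEDIR" and write the drop-in there.
write_dropin() {
  mkdir -p "$1"
  printf 'Port 12322\n' > "$1/hardening.conf"
}

# Directories under a root, counted two ways: once per entry and once per printed
# line. The counts differ only if some directory name contains a newline.
dir_entries() { find "$1" -mindepth 1 -type d -exec echo x \; | wc -l | tr -d ' '; }
dir_lines()   { find "$1" -mindepth 1 -type d | wc -l | tr -d ' '; }

# Would sshd, reading the real include directory, see the drop-in at all?
dropin_visible() {
  [ -f "$1/etc/ssh/sshd_config.d/hardening.conf" ]
}

demo() {
  local root cfg dir label
  for label in buggy fixed; do
    root=$(make_fixture)
    cfg="$root/etc/ssh/sshd_config"
    if [ "$label" = buggy ]; then dir=$(buggy_includedir "$cfg"); else dir=$(fixed_includedir "$cfg"); fi
    write_dropin "$dir"
    echo "$label: value has $(line_count "$dir") line(s);" \
         "dirs=$(dir_entries "$root") printed-lines=$(dir_lines "$root");" \
         "drop-in visible to sshd: $(dropin_visible "$root" && echo yes || echo no)"
    rm -rf "$root"
  done
}
demo
```

With the buggy expression the drop-in lands under a directory literally named `sshd_config.d<newline>`, which is why the reporter saw a folder "with special characters at the end" holding a duplicate /etc/ssh/sshd_config.d path, and why sshd, which only reads the real include directory, never learned about the new port.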

@Dimi8146 commented on GitHub (Jul 30, 2025):

ah! I must've misremembered the details of my variable troubles, this spanned two days.

Thank you for replicating, that was my main hesitation.
https://github.com/konstruktoid/hardening/pull/642


@konstruktoid commented on GitHub (Aug 7, 2025):

this should be fixed with the help of @Dimi8146 and #642
