With Ubuntu 24.04 LTS, Canonical has continued its trend of optimizing system resources, particularly with how SSH (OpenSSH) is handled. If you've been configuring SSH for a while, you might have noticed that starting from Ubuntu 22.10, SSH uses systemd socket-based activation instead of running as a standalone service by default.
While this change improves memory efficiency (especially for VMs and containers), it can also be a bit confusing if you're trying to configure SSH ports or listen addresses. In this article, I'll try to break it all down and show you how to manage SSH the way you want!
I faced this issue when I launched Ubuntu instances in AWS Cloud and tried to enable password authentication in /etc/ssh/sshd_config, but it didn't work. I then started researching online to understand what was happening.
What’s Changed with SSH?
Socket-Based Activation by Default
Ubuntu now uses socket-based activation for SSH. This means that sshd doesn’t start until an incoming connection request is received. The benefits? Lower memory usage, especially in cloud and containerized environments, as SSH is only active when needed.
Instead of the traditional SSH service (ssh.service), ssh.socket is now responsible for listening on port 22. When a connection attempt is made, ssh.socket directly starts sshd to handle the session, without starting ssh.service persistently.
Configuring a Custom SSH Port
Previously, to change the SSH port, you'd edit /etc/ssh/sshd_config and set:
Port 5643
However, with socket-based activation, systemd intercepts port configurations and defaults to port 22 unless explicitly changed. Ubuntu 24.04 dynamically pulls port settings from /etc/ssh/sshd_config, eliminating the need to manually migrate configurations.
- Edit /etc/ssh/sshd_config, for example:
Port 5643
- Reload systemd and restart ssh.socket:
sudo systemctl daemon-reload
sudo systemctl restart ssh.socket
That’s it! The new port setting should now be active.
What If You Don’t Like This Change?
If you prefer the traditional method where SSH starts at boot and isn’t dependent on systemd sockets, you can disable socket-based activation and restore the classic behavior.
Run:
sudo systemctl disable --now ssh.socket
sudo systemctl enable --now ssh.service
This will:
- Stop socket-based activation (ssh.socket)
- Enable ssh.service to run at boot
- Allow /etc/ssh/sshd_config to fully control SSH settings (including ports and listen addresses)
Avoiding SSH Listening on Multiple Ports
By default, when using socket-based activation and adding a custom port, SSH may end up listening on both the new port and the default port 22. If you only want SSH to listen on one specific port, you must explicitly clear previous settings.
To make SSH listen only on port 5463:
sudo mkdir -p /etc/systemd/system/ssh.socket.d
sudo tee /etc/systemd/system/ssh.socket.d/listen.conf >/dev/null <<EOF
[Socket]
ListenStream=
ListenStream=5463
EOF
Then reload systemd and restart ssh.socket:
sudo systemctl daemon-reload
sudo systemctl restart ssh.socket
Now SSH will only listen on port 5463.
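Why the empty ListenStream= line in the drop-in matters, shown as an added example (not code from the original article): systemd appends each ListenStream value to a list and only an empty assignment resets it. The function name effective_listen and the sample fragments are constructed for illustration, and BASE is a simplified stand-in for the packaged ssh.socket default.

```shell
#!/usr/bin/env bash
# effective_listen: reads unit-file text on stdin (base unit first, drop-ins
# after, the order `systemctl cat` prints them) and prints the ListenStream
# values that remain in effect, space separated.
effective_listen() {
  awk '
    /^[ \t]*[#;]/ { next }                            # skip comment lines
    /^[ \t]*\[/   { in_socket = ($0 ~ /^[ \t]*\[Socket\]/); next }
    in_socket && /^[ \t]*ListenStream[ \t]*=/ {
      val = $0
      sub(/^[^=]*=[ \t]*/, "", val)                   # drop "ListenStream="
      sub(/[ \t]+$/, "", val)                         # drop trailing blanks
      if (val == "") { n = 0 }                        # empty assignment resets the list
      else { list[++n] = val }                        # any other value is appended
    }
    END {
      out = ""
      for (i = 1; i <= n; i++) out = out (i > 1 ? " " : "") list[i]
      print out
    }'
}

# Constructed fragments (not copied from a real system).
BASE='[Socket]
ListenStream=22'
APPEND_ONLY='[Socket]
ListenStream=5463'
RESET_THEN_SET='[Socket]
ListenStream=
ListenStream=5463'

# Drop-in that only adds the new port: port 22 stays in the list.
without_reset() { printf '%s\n' "$BASE" "$APPEND_ONLY" | effective_listen; }
# Drop-in from this section: the list is cleared before 5463 is added.
with_reset()    { printf '%s\n' "$BASE" "$RESET_THEN_SET" | effective_listen; }

echo "drop-in without reset: $(without_reset)"
echo "drop-in with reset:    $(with_reset)"
```

On a live host, piping the output of systemctl cat ssh.socket into effective_listen applies the same logic to the real unit and its drop-ins; compare the result with what ss -tln reports.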
Conclusion
While systemd socket activation for SSH can be an adjustment, it ultimately provides better efficiency. That said, Ubuntu still allows you to revert to traditional SSH behavior if needed. Understanding these changes ensures you have full control over your system’s SSH configuration.
- If you’re fine with the new socket-based activation, just edit /etc/ssh/sshd_config and restart ssh.socket.
- If you want SSH to run traditionally (like in Ubuntu 20.04 or before), disable ssh.socket and enable ssh.service.
- To ensure SSH only listens on a custom port, clear previous socket settings.
If you have any thoughts or experiences with this change, feel free to share them in the comments!