As of version 1:9.0p1-1ubuntu1 of openssh-server in Kinetic Kudu (Ubuntu 22.10), OpenSSH in Ubuntu is configured by default to use systemd socket activation. This means that sshd will not be started until an incoming connection request is received. This has been done to reduce the memory consumed by Ubuntu Server instances by default, which is of particular interest with Ubuntu running in VMs or LXD containers: by not running sshd when it is not used, we save at least 3MiB of memory in each instance, representing a savings of roughly 5% on an idle, pristine kinetic container.
At Canonical we care about making Ubuntu as efficient as possible on your hardware and in the cloud, which is why this change has landed as part of a larger effort to reduce the default memory footprint of our images. A default Ubuntu 22.04 LXD image at release time used 65MiB of RAM; in kinetic, after this OpenSSH change, it now uses 58MiB. More improvements are in progress, with the intention of backporting the safer changes to our Ubuntu 22.04 images to improve memory usage for the greatest number of users.
On new installs of Ubuntu 22.10 or later, the OpenSSH change in behavior should be completely transparent to users.
On upgrades from Ubuntu 22.04 LTS, users who had configured Port settings or a ListenAddress setting in /etc/ssh/sshd_config will find these settings migrated to /etc/systemd/system/ssh.socket.d/addresses.conf. As an exception, if more than one ListenAddress setting is declared, the configuration is not migrated because systemd’s ListenStream has different semantics: any address configured which is not present at boot time would cause the ssh.socket unit to not start. Because it is not possible to reliably determine at upgrade time whether ssh.socket could fail to start on reboot, if you have more than one ListenAddress configured, your system will not be migrated to socket-based activation but instead the daemon will be started on boot as before.
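The migration rule described above, sketched as an added example; it is not Ubuntu's maintainer script or code from the original page. The function name `preview_socket_migration`, its status strings and the exact drop-in layout are assumptions; it only prints a preview of a possible addresses.conf and writes nothing.

```shell
#!/bin/sh
# Added example (not Ubuntu's maintainer script): preview an ssh.socket
# drop-in for a given sshd_config, without changing the system.
# Assumes literal IP addresses and whitespace-separated "Keyword value" lines.
preview_socket_migration() {
    awk '
    $1 ~ /^#/ || NF < 2            { next }               # comments, blank lines
    tolower($1) == "port"          { ports[++np] = $2 }
    tolower($1) == "listenaddress" { addrs[++na] = $2 }
    END {
        # More than one ListenAddress: the page says no migration happens.
        if (na > 1)       { print "skip: multiple ListenAddress"; exit }
        if (na + np == 0) { print "none: defaults in use"; exit }
        if (np == 0) ports[++np] = 22                     # sshd default port
        print "[Socket]"
        print "ListenStream="                             # reset the unit default
        a = (na == 1) ? addrs[1] : ""
        if (a ~ /:[0-9]+$/ && (a ~ /^\[/ || gsub(/:/, ":", a) == 1)) {
            print "ListenStream=" a; exit                 # address carries its own port
        }
        if (a != "" && a !~ /^\[/ && a ~ /:/) a = "[" a "]"   # bare IPv6 literal
        for (i = 1; i <= np; i++)
            print "ListenStream=" (a == "" ? "" : a ":") ports[i]
    }' "$1"
}
```

Run it against a copy of /etc/ssh/sshd_config before upgrading and compare the result with `systemctl cat ssh.socket` afterwards to confirm sshd is reachable only where you intended.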
Socket activation is recommended wherever possible, but if for any reason you find after migration that this is incompatible with your configuration, it is still possible to revert to the previous non-socket-activated behavior by running:
systemctl disable --now ssh.socket
rm -f /etc/systemd/system/ssh.service.d/00-socket.conf
rm -f /etc/systemd/system/ssh.socket.d/addresses.conf
systemctl daemon-reload
systemctl enable --now ssh.service