What is "sshd.pam" on port 2222?

I am working on setting up something to listen on port 2222 on my host, but was surprised to see that there is already something listening on that port.

What is sshd.pam and why is it listening on this port? I have sshd running as a systemd service, and I tried stopping it just to verify, and yes, sshd only listens to port 22 which is released when the sshd service is stopped.

Any help on what this is and where it comes from is much appreciated. I would like to release this port for my other use, but just killing the pid immediately starts up another instance of whatever this is. Naturally I want to clear this away in a proper manner so that I don’t risk conflicts later.

TLDR; What is running on port 2222 in my case, and how do I properly stop it so that I can run something else on that port?

❯ ss -ltnp | rg 2222
LISTEN 0      128*    users:(("sshd.pam",pid=2460687,fd=3))
LISTEN 0      128             [::]:2222          [::]:*    users:(("sshd.pam",pid=2460687,fd=4))


SSH running on 2222 with pam is not the norm, please check your sshd config:




Thanks Tom.

I can’t find any mention of port 2222 in /etc/ssh :confused:


Is this a fresh install your trying to setup this on, I’m guessing not. Please provide more details about your setup?

Thanks Tom.

the output gives you the pid 2460687, so you could try

# lsof -p 2460687
sshd    2460687 root  cwd    DIR              253,0      242      96 /
sshd    2460687 root  rtd    DIR              253,0      242      96 /
sshd    2460687 root  txt    REG              253,0   852888 1015456 /usr/sbin/sshd
long list of files 

With that you should see which binary it is and what files it has open. Maybe that gives you a clue what it is.

1 Like

I found what it was now, I had knockd running in a docker container, and for some reason it was keeping port 2222 open, though nothing was sending the knock sequence. I restarted the container and now port 2222 is released.

Thanks for the help!

1 Like