diff --git a/src/etc/inc/filter.lib.inc b/src/etc/inc/filter.lib.inc
index 0abe81cdd..fdcc3ce5d 100644
--- a/src/etc/inc/filter.lib.inc
+++ b/src/etc/inc/filter.lib.inc
@@ -50,6 +50,17 @@ function filter_core_antilockout_ports()
 {
     global $config;
     $lockout_ports = array();
+    /*
+     * XXX Some issues here:
+     *
+     * 1. Why does the webgui nolockout control the ssh lockout?
+     * 2. Both webgui and openssh are plugins, their code should
+     *    reside in the respective plugins.inc.d file once anti-
+     *    lockout is fully pluggable.
+     * 3. Openssh opens the port when install media is detected
+     *    and no ssh has ever been configured.  This is in line
+     *    with how the plugin behaves, but probably looks odd.
+     */
     if (!isset($config['system']['webgui']['noantilockout'])) {
         if (empty($config['system']['webgui']['port'])) {
             $lockout_ports[] = $config['system']['webgui']['protocol'] == "https" ? "443" : "80";
@@ -59,7 +70,7 @@ function filter_core_antilockout_ports()
         if ($config['system']['webgui']['protocol'] == "https" && !isset($config['system']['webgui']['disablehttpredirect'])) {
             $lockout_ports[] = "80";
         }
-        if (isset($config['system']['ssh']['enabled'])) {
+        if (isset($config['system']['ssh']['enabled']) || (!isset($config['system']['ssh']) && is_install_media())) {
             $lockout_ports[] = empty($config['system']['ssh']['port']) ? "22" : $config['system']['ssh']['port'];
         }
     }
diff --git a/src/etc/inc/plugins.inc.d/openssh.inc b/src/etc/inc/plugins.inc.d/openssh.inc
index d15683fdc..f360c1248 100644
--- a/src/etc/inc/plugins.inc.d/openssh.inc
+++ b/src/etc/inc/plugins.inc.d/openssh.inc
@@ -67,7 +67,7 @@ function openssh_configure_do($verbose = false)
 
     if (isset($config['system']['ssh'])) {
         if (isset($config['system']['ssh']['enabled'])) {
-        $sshcfg = $config['system']['ssh'];
+            $sshcfg = $config['system']['ssh'];
         }
     } elseif (is_install_media()) {
         /* only revert to installer config when ssh is not set at all */
diff --git a/src/www/system_advanced_admin.php b/src/www/system_advanced_admin.php
index d38e2c826..4083867fb 100644
--- a/src/www/system_advanced_admin.php
+++ b/src/www/system_advanced_admin.php
@@ -196,6 +196,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
             unset($config['system']['webgui']['althostnames']);
         }
 
+        /* always store ssh setting to prevent install scenario */
+        config_read_array('system', 'ssh');
+
         if (empty($config['system']['ssh']['enabled']) != empty($pconfig['enablesshd']) ||
             empty($config['system']['ssh']['passwordauth']) != empty($pconfig['passwordauth']) ||
             $config['system']['ssh']['port'] != $pconfig['sshport'] ||