Restricting users using one port

Damien Miller djm at mindrot.org
Sun Oct 9 21:50:05 EST 2011


On Sun, 9 Oct 2011, Alex Bligh wrote:

> I have ssh running on port 22 and (say) port 33333. Port 22 is restricted at
> layer 3 so not much can get to it. Port 33333 is open to the world.
> 
> I only want to allow one user to authenticate using port 33333, but
> all users to authenticate using port 22.
> 
> Is there any way to do this without running 2 sshd processes?

At the moment, no. It might be possible to add more Match options to
select using the local connection address and port. E.g.

Match user djm laddr 172.16.0.1 lport 33333
	PasswordAuthentication yes
	PubkeyAuthentication yes
	ChallengeResponseAuthentication yes
Match laddr 172.16.0.1 lport 33333
	PasswordAuthentication no
	PubkeyAuthentication no
	ChallengeResponseAuthentication no

Darren wrote most of the Match code - what do you think, Darren?

-d
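For a reader coming to this thread today: the `Match` criteria Damien sketches above did later ship in OpenSSH under the names `LocalAddress` and `LocalPort`, and the keyword `ChallengeResponseAuthentication` was later made an alias of `KbdInteractiveAuthentication`. The sshd_config fragment below is an added example written for this page, not code from the thread or from the OpenSSH project. It reuses the user name `djm`, the address `172.16.0.1` and port `33333` from the message; the two `Port` lines are assumed, and tightening the public port to public-key only for that user is an editorial choice that the thread did not make.

```sshd_config
# Added example, not from the original message or the OpenSSH project.
# Listeners assumed: port 22 (filtered at layer 3 elsewhere) and 33333 (public).
Port 22
Port 33333

# sshd evaluates Match blocks in order and keeps the first value it obtains
# for each keyword, so the user-specific block must come before the catch-all.
Match User djm LocalAddress 172.16.0.1 LocalPort 33333
    PubkeyAuthentication yes
    PasswordAuthentication no
    KbdInteractiveAuthentication no

# Any other user arriving on the public port is left with no authentication
# method at all: the TCP connection is accepted, but authentication cannot
# succeed. Connections on port 22 are untouched by either block.
Match LocalAddress 172.16.0.1 LocalPort 33333
    PubkeyAuthentication no
    PasswordAuthentication no
    KbdInteractiveAuthentication no
```

To confirm the blocks resolve as intended before reloading, use sshd's extended test mode with a connection spec that supplies every criterion the Match blocks reference, e.g. `sshd -T -C user=djm,laddr=172.16.0.1,lport=33333 | grep -i authentication`, then repeat with `user=someoneelse` and expect all three methods to read `no`; a `-C` spec that omits a criterion a Match block needs makes `sshd -T` report an error rather than silently skipping the block. On OpenSSH releases older than 8.7 write `ChallengeResponseAuthentication` instead of `KbdInteractiveAuthentication`, and on releases that predate the `LocalAddress`/`LocalPort` criteria altogether the only option was what the original poster wanted to avoid: a second sshd instance started with its own configuration file via `sshd -f`.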


More information about the openssh-unix-dev mailing list