Restricting users using one port

Glenn Maynard glenn at
Mon Oct 17 03:32:04 EST 2011

On Sun, Oct 16, 2011 at 9:20 AM, Darren Tucker <dtucker at> wrote:

> On Mon, Oct 17, 2011 at 12:08:57AM +1100, Darren Tucker wrote:
> [...]
> > I'd suggest calling them LocalAddress and LocalPort (or ServerAddress
> > and ServerPort) though.
> On second thought, I think it should be "Match ListenAddress" to be
> consistent with the existing directive.  I'm not sure if the port should
> be "Match ListenPort" to be consistent with ListenAddress, or "Match
> Port" to be consistent with the existing Port directive (I'm leaning
> toward the former).

"Match ListenAddress" sounds like it's matching against the address the
server is listening on (which may be "all interfaces"), rather than the
address that was actually connected to.

I'd suggest "LocalAddress", with the same syntax as ListenAddress, allowing
an address, port or both to be specified.  This gives a consistent syntax,
and avoids repeating the redundancy between LocalAddress and Port.

Glenn Maynard

More information about the openssh-unix-dev mailing list