openssh-unix-dev October 2011 archive

Re: Restricting users using one port

From: Damien Miller <djm_at_nospam>
Date: Sun Oct 09 2011 - 10:50:05 GMT
To: Alex Bligh <alex@alex.org.uk>

On Sun, 9 Oct 2011, Alex Bligh wrote:

> I have ssh running on port 22 and (say) port 33333. Port 22 is restricted at
> layer 3 so not much can get to it. Port 33333 is open to the world.
>
> I only want to allow one user to authenticate using port 33333, but
> all users to authenticate using port 22.
>
> Is there any way to do this without running 2 sshd processes?

At the moment, no. It might be possible to add more Match options to
select using the local connection address and port. E.g.

Match user djm laddr 172.16.0.1 lport 33333
        PasswordAuthentication yes
        PubkeyAuthentication yes
        ChallengeResponseAuthentication yes
Match laddr 172.16.0.1 lport 33333
        PasswordAuthentication no
        PubkeyAuthentication no
        ChallengeResponseAuthentication no

Darren wrote most of the Match code - what do you think, Darren?

-d
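The ordering in the proposed config matters because sshd applies, for each keyword, only the first Match block that is satisfied. As an added example (not code from the thread or from OpenSSH), a small Python model of that rule evaluated over the config above; the laddr/lport criteria names are the hypothetical ones from the mail (released OpenSSH spells them LocalAddress and LocalPort), and the global defaults at the top are constructed, since the mail shows none.

```python
# Added example, not from the thread or from OpenSSH: models sshd's rule that
# only the first satisfied Match block sets a given keyword. Criteria names
# laddr/lport are the hypothetical ones from the mail; globals are constructed.
CONFIG = """\
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
Match user djm laddr 172.16.0.1 lport 33333
        PasswordAuthentication yes
        PubkeyAuthentication yes
        ChallengeResponseAuthentication yes
Match laddr 172.16.0.1 lport 33333
        PasswordAuthentication no
        PubkeyAuthentication no
        ChallengeResponseAuthentication no
"""


def parse(text):
    """Split sshd_config-style text into global settings and Match blocks."""
    glob, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key.lower() == "match":
            tokens = rest.split()
            criteria = dict(zip(tokens[0::2], tokens[1::2]))  # AND of all pairs
            current = {}
            blocks.append((criteria, current))
        elif current is None:
            glob[key] = rest.strip()
        else:
            current[key] = rest.strip()
    return glob, blocks


def effective(text, conn):
    """Settings that apply to a connection described as {user, laddr, lport}."""
    glob, blocks = parse(text)
    result, seen = dict(glob), set()
    for criteria, settings in blocks:
        # Exact comparison only; real sshd also accepts patterns and lists.
        if all(conn.get(k) == v for k, v in criteria.items()):
            for key, value in settings.items():
                if key not in seen:  # a later block cannot override this keyword
                    result[key] = value
                    seen.add(key)
    return result
```

On a current sshd the same question is answered for the real config with `sshd -T -C user=djm,laddr=172.16.0.1,lport=33333`, which prints the effective settings after Match processing.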
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev