openssh-unix-dev October 2011 archive
openssh-unix-dev: Re: Restricting users using one port

From: Darren Tucker <dtucker_at_nospam>
Date: Sun Oct 16 2011 - 13:08:57 GMT
To: Damien Miller <>

On Sun, Oct 09, 2011 at 09:50:05PM +1100, Damien Miller wrote:
> On Sun, 9 Oct 2011, Alex Bligh wrote:
> > I have ssh running on port 22 and (say) port 33333. Port 22 is restricted at
> > layer 3 so not much can get to it. Port 33333 is open to the world.
> >
> > I only want to allow one user to authenticate using port 33333, but
> > all users to authenticate using port 22.
> At the moment, no. It might be possible to add more Match options to
> select using the local connection address and port. E.g.
> Darren wrote most of the Match code - what do you think, Darren?

(apologies if this is a duplicate, my previous reply seems to have been
eaten somewhere)

It's feasible. The initial Match processing is done just after the
client sends the username so both the local address and port are known
and there should be no additional hooks needed.

I'd suggest calling them LocalAddress and LocalPort (or ServerAddress
and ServerPort) though.

Attached are two patches: openssh-match-struct.patch which moves the
items that are checked to a struct, and
openssh-match-localaddrport.patch which implements the requested
functionality. (You only need the latter to try it, the former is just
for review).

-- 
Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
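
An added configuration example for the scenario in the thread; it is not part of the original message or of the attached patches. It assumes the keyword name LocalPort suggested above, which is the name documented in sshd_config(5) of released OpenSSH, and a hypothetical account name `alice`.

```sshd_config
# Constructed example: one sshd listening on both ports from the thread.
Port 22
Port 33333

# Global section: no AllowUsers here, so any account may authenticate
# on connections that do not hit the Match block below (i.e. port 22,
# which the thread says is already filtered at layer 3).

# Match is evaluated once the client has sent the username; the local
# address and port of the accepted socket are known at that point.
Match LocalPort 33333
    # Only this account may authenticate on the world-reachable port.
    # "alice" is a placeholder account name.
    AllowUsers alice

# A Match block runs to the next Match line or end of file, so keep
# global directives above this point.
#
# To check which settings apply to a given connection without opening
# a session, use sshd's extended test mode with a connection spec
# (addresses below are documentation-range placeholders):
#
#   sshd -T -C user=bob,host=client.example,addr=192.0.2.10,laddr=198.51.100.5,lport=33333
#   sshd -T -C user=bob,host=client.example,addr=192.0.2.10,laddr=198.51.100.5,lport=22
#
# The first dump should list the allowusers restriction; the second
# should not.
```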
