Forced per-user ssh port
Solution 1
You'll have to create a separate sshd_config for each user/port combo containing (along with the usual configuration options) the ListenAddress and AllowUsers keywords.
sshd_config_2201:
ListenAddress 0:2201
AllowUsers user1

sshd_config_2202:
ListenAddress 0:2202
AllowUsers user2

etc.
You'll need to run sshd once for each user with the -f switch to specify the individual configuration files.
Solution 2
There is a solution for this. You can use two Match conditions: one to block user2 on the first port and another one to block user1 on the second port. It should look like this (Match criteria are separated by whitespace, as in sshd_config(5)):
Match User user2 LocalPort 2201
    DenyUsers user2
Match User user1 LocalPort 2202
    DenyUsers user1
I have a similar configuration running and it works quite well (without saying that it is meaningful).
BTW: Combining Match and global Allow/Deny Rules doesn't work - at least it didn't work for me.
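As an added example (not code from either answer), a small Python model of the Match / DenyUsers / AllowUsers evaluation described above, enough to check which user/port pairs a policy admits before it is deployed; SAMPLE_CONFIG is a constructed policy in the standard sshd_config(5) syntax, where Match criteria are separated by whitespace. It models only those keywords; the authoritative check on a real host is `sshd -T -C user=user2,lport=2201`, which prints the effective configuration sshd would apply to that connection.

```python
import fnmatch

# Constructed policy: the Solution 2 layout in standard sshd_config(5)
# syntax (Match criteria separated by whitespace, not commas).
SAMPLE_CONFIG = """Port 2201
Port 2202
Match User user2 LocalPort 2201
    DenyUsers user2
Match User user1 LocalPort 2202
    DenyUsers user1
"""

def parse(text):
    # Returns (global rules, [(match criteria, block rules)]); only Match
    # User/LocalPort, AllowUsers and DenyUsers are modelled, the rest is skipped.
    global_rules, blocks = {}, []
    current = global_rules
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        key = key.lower()
        if key == "match":  # "User u LocalPort p" -> {"user": ["u"], "localport": ["p"]}
            toks = rest.split()
            criteria = {toks[i].lower(): toks[i + 1].split(",")
                        for i in range(0, len(toks) - 1, 2)}
            current = {}
            blocks.append((criteria, current))
        elif key in ("allowusers", "denyusers"):
            current.setdefault(key, []).extend(rest.split())
    return global_rules, blocks

def _hit(user, patterns):
    # AllowUsers/DenyUsers entries are shell-style patterns, as in sshd_config(5).
    return any(fnmatch.fnmatchcase(user, p) for p in patterns)

def allowed(config_text, user, port):
    # True unless a DenyUsers entry in effect hits the user, or an AllowUsers list
    # is in effect and omits them; every criterion of a Match line must hold to apply.
    global_rules, blocks = parse(config_text)
    effective = {k: list(v) for k, v in global_rules.items()}
    for criteria, rules in blocks:
        if (_hit(user, criteria.get("user", ["*"]))
                and str(port) in criteria.get("localport", [str(port)])):
            for k, v in rules.items():
                effective.setdefault(k, []).extend(v)
    if _hit(user, effective.get("denyusers", [])):
        return False
    allow = effective.get("allowusers")
    return allow is None or _hit(user, allow)
```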
Nick
Updated on September 17, 2022

Comments
- Nick (over 1 year): I want to allow access to each user on a server through a different port. For example, user1 can only be accessed by ssh through port 2201, user2 can only be accessed through port 2202. I have already allowed access through ports 2201 and 2202 by editing "/etc/ssh/sshd_config" and adding two lines:
Port 2201
Port 2202
Both users can now access ssh through both ports (and 22).
How would I restrict them to only their own ports?
(Also), the users [except root] don't have any automatically created "~/.ssh/" directory, so I made one and tried adding a config file and an authorized_keys file; these don't seem to make any difference.
OS is Debian Squeeze, and thanks in advance.
- EEAA (about 13 years): Agreed - what's the "why" behind your question? I can't help but assume there's a better way to solve your root problem.
- Alex Holst (about 13 years): Tell us why. It doesn't make any sense from a security or systems management perspective.
- EEAA (about 13 years): Add a .ssh directory to /etc/skel, and then all users will get that folder automatically when their home dir is created.
- Nick (about 13 years): Sorry for not answering in a while, I just got out of school. Why? I want to give each person who I allow to share my server a quota so that I don't go over my traffic limit and acquire surcharges. I want to include sftp/scp/ssh along with other things in this quota (which I am trying to set up with iptables, btw). Obviously I can't just put a quota on port 22, as this would be unfair if someone downloads/uploads a huge amount. Is there a better way to do this? Thanks for all the downvotes though.
- Nick (about 13 years): Sorry about that last comment ^^, your help is really appreciated.
- user1686 (about 13 years): Alternatively, sshd -oPort=2201 -oAllowUsers=user1. (If you use ListenAddress 0:2201, you will be stuck with IPv4, which is ungood.)
- Nick (about 13 years): I guess from the other comments that this probably wasn't the best solution for my problem, but until I learn systems and security management this works for me. So, thanks to both of you!
- Catherine MacInnes (about 8 years): Please note that this is a very old question from 2011. Please try to avoid answering old questions, as the answers are rarely relevant and it ends up cluttering up the home screen.
- Steve (over 7 years): FWIW, I found his answer helpful. Google found this ancient question, but the new answer was the clue I needed to solve my problem.
- Emii Khaos (almost 7 years): @CatherineMacInnes Please note that answering old questions which are still valid, and where there is a better answer now, should get a new answer. It doesn't clutter any home screen as long as the answer is valid. And Google still finds this old question, and I now have a valid answer!