
I want to allow access to each user on a server through a different port. For example: user1 can only be accessed by ssh through port 2201, user2 can only be accessed through port 2202. I have already allowed access through ports 2201 and 2202 by editing "/etc/ssh/sshd_config" and adding two lines:

Port 2201
Port 2202

Both users can now access ssh through both ports (and 22).

  • How would I restrict them to only their own ports?

Also, the users (except root) don't have an automatically created "~/.ssh/" directory, so I made one and tried adding a config file and an authorized_keys file; these don't seem to make any difference.

OS is Debian Squeeze. Thanks in advance.

Nick
  • Why would you? The only solution I can think of is running multiple sshd instances... – Bart De Vos Mar 14 '11 at 18:44
  • Agreed - what's the "why" behind your question? I can't help but assume there's a better way to solve your root problem. – EEAA Mar 14 '11 at 18:58
  • Tell us why. It doesn't make any sense from a security or systems management perspective. – Alex Holst Mar 14 '11 at 21:03
  • Add a `.ssh` directory to /etc/skel, and then all users will get that folder automatically when their home dir is created. – EEAA Mar 15 '11 at 01:17
  • Sorry for not answering in a while, I just got out of school. Why? I want to give each person who I allow to share my server a quota so that I don't go over my traffic limit and acquire surcharges. I want to include sftp/scp/ssh along with other things in this quota (which I am trying to set up w/ iptables, btw). Obviously I can't just put a quota on port 22 as this would be unfair if someone downloads/uploads a huge amount. Is there a better way to do this? Thanks for all the downvotes though. – Nick Mar 15 '11 at 18:08
  • Sorry about that last comment ^^, your help is really appreciated. – Nick Mar 15 '11 at 18:34

2 Answers


There is a solution for this. You can use two Match conditions: one to block user2 on the first port and another one to block user1 on the second port. It should look like this:

Match User user2 LocalPort 2201
   DenyUsers user2

Match User user1 LocalPort 2202
   DenyUsers user1

I have a similar configuration running and it works quite well (without saying that it is meaningful).

BTW: Combining Match and global Allow/Deny Rules doesn't work - at least it didn't work for me.

dustBLN
  • Please note that this is a very old question from 2011. Please try to avoid answering old questions as the answers are rarely relevant and it ends up cluttering up the home screen. – Catherine MacInnes Feb 10 '16 at 21:54
  • FWIW I found his answer helpful. Google found this ancient question but the new answer was the clue I needed to solve my problem. – Steve Jan 06 '17 at 06:30
  • @CatherineMacInnes Please note that old questions which are still valid and for which there is a better answer now should get a new answer. It doesn't clutter any home screen as long as the answer is valid. And Google still finds this old question, and I now have a valid answer! – Emii Khaos Jul 10 '17 at 12:50
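Added example, not part of the answer above: a small Python model of how sshd evaluates these two Match blocks, so you can see which user is refused on which port before reloading the real daemon. It assumes the config shown in the answer (constructed inline, with the default Port 22 added) and models only the User and LocalPort criteria together with AllowUsers/DenyUsers; on the host itself, `sshd -t -f <file>` validates the file and newer versions also print the effective options with `sshd -T -C user=user2,lport=2201`.

```python
from fnmatch import fnmatchcase
# Constructed config mirroring the answer above, plus the default Port 22.
SAMPLE_CONFIG = """\
Port 22
Port 2201
Port 2202
Match User user2 LocalPort 2201
   DenyUsers user2
Match User user1 LocalPort 2202
   DenyUsers user1
"""

def parse(text):
    """Return global (keyword, value) lines and a list of (criteria, lines) Match blocks."""
    global_lines, blocks, cur = [], [], None
    for line in filter(None, (ln.split("#", 1)[0].strip() for ln in text.splitlines())):
        key, rest = (line.split(None, 1) + [""])[:2]
        if key.lower() == "match":
            toks = rest.split()                          # criterion/pattern pairs
            cur = (dict(zip([t.lower() for t in toks[::2]], toks[1::2])), [])
            blocks.append(cur)
        else:
            (global_lines if cur is None else cur[1]).append((key.lower(), rest.strip()))
    return global_lines, blocks

def block_applies(criteria, user, lport):
    """Every criterion on the Match line must match; only User and LocalPort are modelled."""
    for name, pats in criteria.items():
        if name == "user" and not any(fnmatchcase(user, p) for p in pats.split(",")):
            return False
        if name == "localport" and str(lport) not in pats.split(","):
            return False
        if name not in ("user", "localport"):
            raise ValueError(f"Match criterion not modelled here: {name}")
    return True

def login_allowed(text, user, lport):
    """Global lists accumulate, the first applicable Match block that sets a keyword
    replaces it (as sshd does), and DenyUsers is checked before AllowUsers."""
    global_lines, blocks = parse(text)
    eff, first = {}, {}
    for k, v in global_lines:
        eff.setdefault(k, []).extend(v.split())
    for k, v in (kv for c, ls in blocks if block_applies(c, user, lport) for kv in ls):
        first.setdefault(k, v.split())               # first applicable block wins
    eff.update(first)
    if any(fnmatchcase(user, p) for p in eff.get("denyusers", [])):
        return False
    allow = eff.get("allowusers", [])
    return not allow or any(fnmatchcase(user, p) for p in allow)
```

Because a Match block replaces rather than extends a global AllowUsers/DenyUsers list, mixing the two is easy to get wrong; the model reproduces that replacement so the effect of a global list can be checked as well.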

You'll have to create a separate sshd_config for each user/port combo containing (along with the usual configuration options) the ListenAddress and AllowUsers keywords.

sshd_config_2201

ListenAddress 0:2201
AllowUsers user1

sshd_config_2202

ListenAddress 0:2202
AllowUsers user2

etc.

You'll need to run sshd once for each user with the -f switch to specify the individual configuration files.

Cakemox
  • Alternatively, `sshd -oPort=2201 -oAllowUsers=user1`. (If you use `ListenAddress 0:2201`, you will be stuck with IPv4, which is ungood.) – user1686 Mar 15 '11 at 06:06
  • I guess from the other comments that this probably wasn't the best solution for my problem, but until I learn systems and security management this works for me. So - thanks to both of you! – Nick Mar 15 '11 at 19:26