TransWikia.com

SSHD: Different configurations for different ports?

Unix & Linux Asked by goof on December 8, 2021

I have a small SBC running in my apartment that I’m using for backups from my cloud located elsewhere. Each night, my cloud connects to my SBC via SFTP to create a new backup timestamp of my data.

Since this means I need to expose an SSH port to the internet, I want the SSH configuration to be very secure. It will only allow one specific user to log in, only permitting certificate-based login and so on. I will also change the port so that I don’t have to forward port 22 requests from the internet to my home network.

However, when I’m at home, I want to be able to log in to my SBC via SSH using a different account (that is able to sudo) and a password using the regular port 22. I want this to only be allowed from a very specific IP address that is in the private IP address block (192.168.1.10). If I ever need to access my SBC from somewhere else, I can log into my router using a VPN, which will then assign me the correct local IP address inside my home network to connect to my SBC.

Now, I know how to configure these things in sshd_config, but what I don’t know is how to have these different policies applied to specific ports. I know I can use the Host directive, but afaik this only affects hostnames, and not ports.

One Answer

You seem to be looking for the Match directive, which is used to conditionally apply configuration items. For instance, you may add to your sshd_config:

# Applies only to connections arriving on local port 22 from a 192.168.1.* address
Match LocalPort=22 Address="192.168.1.*"
  # Loosen the (restrictive) global defaults for those connections only
  PasswordAuthentication yes
  AllowUsers username

to allow password authentication and allow (only) username to log in if a connection is made to port 22 and comes from a host whose IP matches the 192.168.1.* pattern.

Note that this example assumes your default configuration is more restrictive, i.e. that by default you don't allow username to log in and don't allow password authentication.

Such a conditional block should be added at the bottom of your configuration file because a Match block is only ended by a subsequent Match directive or by the end of the file. Also, ordering matters: the first directive that is found (and matches) for a configuration parameter is the one that is used.

Answered by fra-san on December 8, 2021
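A complete sshd_config for the asker's two-port setup, as an added example that is not part of the answer above. The account names (backup, admin), the internet-facing port (2222) and the admin workstation address (192.168.1.10) are assumptions.

```sshd_config
# Added example; account names, port 2222 and 192.168.1.10 are assumed values.
Port 22
Port 2222

# Restrictive global defaults: keys only, no root, only the backup account.
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers backup

# Port 2222 is the one forwarded from the internet: SFTP only, no tunnels.
Match LocalPort 2222 User backup
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no

# Port 22 is LAN-only; the admin account may use a password, but solely
# from one address. Inside this block AllowUsers replaces the global list,
# so backup cannot log in here. Match blocks stay at the end of the file.
Match LocalPort 22 Address 192.168.1.10
  PasswordAuthentication yes
  AllowUsers admin
```

Check the syntax with `sshd -t -f /path/to/sshd_config`, then confirm the effective policy for a given connection with `sshd -T -C user=admin,addr=192.168.1.10,lport=22 | grep -iE 'passwordauthentication|allowusers'` and compare it against the same query with `lport=2222`.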
