Linux SSH Port Configuration – Forced Per-User SSH Port on Debian

debianlinuxportssh

I want to allow access to each user on a server through a different port. For example; user1 can only be accessed by ssh through port 2201, user 2 can only be accessed through port 2202. I have already allowed access through ports 2201 and 2202 by editing "/etc/ssh/sshd_config" and adding two lines:

Port 2201 Port 2202

Both users can now access ssh through both ports (and 22).

How would I restrict them to only their own ports?

(Also), the users [except root] don't have any automatically created "~/.ssh/" directory so I made one and tried adding a config file and an authorized_keys file – these don't seem to make any difference.

OS is debian squeeze and thanks in advance.

Best Answer

You'll have to create a separate sshd_config for each user/port combo containing (along with the usual configuration options) the ListenAddress and AllowUsers keywords.

sshd_config_2201

ListenAddress 0:2201
AllowUsers user1

sshd_config_2202

ListenAddress 0:2202
AllowUsers user2

etc.

You'll need to run sshd once for each user with the -f switch to specify the individual configuration files.

Related Solutions

Ssh-agent forwarding and sudo to another user

As you mentioned, the environment variables are removed by sudo, for security reasons.

But fortunately sudo is quite configurable: you can tell it precisely which environment variables you want to keep thanks to the env_keep configuration option in /etc/sudoers.

For agent forwarding, you need to keep the SSH_AUTH_SOCK environment variable. To do so, simply edit your /etc/sudoers configuration file (always using visudo) and set the env_keep option to the appropriate users. If you want this option to be set for all users, use the Defaults line like this:

Defaults    env_keep+=SSH_AUTH_SOCK

man sudoers for more details.

You should now be able to do something like this (provided user1's public key is present in ~/.ssh/authorized_keys in user1@serverA and user2@serverB, and serverA's /etc/sudoers file is setup as indicated above):

user1@mymachine> eval `ssh-agent`  # starts ssh-agent
user1@mymachine> ssh-add           # add user1's key to agent (requires pwd)
user1@mymachine> ssh -A serverA    # no pwd required + agent forwarding activated
user1@serverA> sudo su - user2     # sudo keeps agent forwarding active :-)
user2@serverA> ssh serverB         # goto user2@serverB w/o typing pwd again...
user2@serverB>                     # ...because forwarding still works

SSHd restriction per user basis

What I would do is to set /etc/sshd/sshd_config such that:

PermitRootLogin without-password

just for extra security and to avoid having the root password locked (it would only allow root to log in using a key)

I would instead use AllowGroups instead of AllowUser, as for me it would be more convenient to add users to a group rather than to sshd_config but that could depend on your personal preferences.

Best Answer

Related Solutions

Ssh-agent forwarding and sudo to another user

SSHd restriction per user basis

Related Topic