
Is it possible to have 2 ports open on SSH with 2 different authentication schemes? [Resolved]

I'm currently trying to set up an SSH server so that access to it from outside the network is ONLY allowed using an SSH Key and does not allow access to root or by any other username/password combination.

At the same time, internal users inside the network, still need to be able to connect to the same system, but expect to log in in the more traditional sense with a user name and password.

Users both external and internal will be accessing the system from Windows using PuTTY SSH, and the external access will be coming into the system via a port-forwarding firewall that will open the source port to the outside world on some arbitrarily chosen high-numbered port like 55000 (or whatever the admins decide).

The following diagram attempts to show the traffic flows better.

SSH Setup

I know how to set up the actual login to only use keys, and I know how to deny root, what I don't know is how to separate the two login types.

I had considered running two copies of SSHD listening on different ports on the same IP and having two different configurations for each port.

I also considered setting up a "match" rule, but I'm not sure if I can segregate server wide configurations using those options.

Finally, the external person logging in will always be the same user; let's call them "Frank" for the purposes of this question. So "Frank" will only ever be allowed to log in from the external IP, and never actually be sat in front of any system connecting internally, whereas every other user of the system will only ever connect internally, and never connect from an external IP.

Frank's IP that he connects from is a dynamically assigned one, but the public IP he is connecting to is static and will never change; the internal IP of the port forwarder likewise will also never change, and neither will the internal IP address of the SSH server.

Internal clients will always connect from an IP in the private network range that the internal SSH server's IP is part of, which is a 16-bit mask, e.g.:

Is this setup possible, using one config file and one SSH server instance? If so, how do I do it?

Am I much better off using two running servers with different configs?

For ref the SSH server is running on Ubuntu 18.04.

Question Credit: shawty
Asked October 9, 2019
Posted Under: Unix Linux
3 Answers

I think what you should be looking into is splitting out your ssh configs. For example, set up your /etc/ssh/ssh_config to have the global variables you need for all users by default (ssh key auth, port forwarding, etc.).

Then if your user (let's call him Bob) has a local (or NFS-mounted) home directory, put a config just for him in /home/bob/.ssh/. This config will contain your match statement, as well as whether you need him to connect with a password rather than a cert, his own keep-alive values, etc.

I have done this in the past, and presently, to lock down certain local accounts to come in from only one IP address and only allow cert-based authentication, while other user accounts may instead be using PAM authentication and have password-based authentication.

In short, building and maintaining separate user config files based on user need is easier to manage than trying to keep it all under the default config file for ssh.

credit: jmatzke
Answered October 9, 2019
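As an added illustration (not part of the question or the answer above), here is one way to express the split the question describes in a single sshd_config using Match blocks rather than two daemons. Assumed values, none of which come from the page: the internal subnet is 10.0.0.0/16, internal clients reach sshd on port 22, the firewall forwards external port 55000 to sshd's port 2222, and the external user is "frank".

```text
# Added example sshd_config fragment: one sshd instance, two listening ports,
# two authentication policies. Assumed values: internal subnet 10.0.0.0/16,
# internal port 22, forwarder-facing port 2222, external user "frank".

Port 22
Port 2222

# Global defaults are the strict policy: keys only, no root, no passwords.
# Everything that no Match block claims gets this policy.
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes

# Internal users: connections that arrive on port 22 from the private range
# may use a username and password. frank is denied here so that his account
# can never be used from inside the network.
Match LocalPort 22 Address 10.0.0.0/16
    PasswordAuthentication yes
    DenyUsers frank

# External access: the forwarder delivers traffic to port 2222. Only frank
# may log in on that port, and only with a public key.
Match LocalPort 2222
    AllowUsers frank
    PasswordAuthentication no
    AuthenticationMethods publickey
```

Before reloading, `sshd -t` checks the syntax and `sshd -T -C user=frank,addr=203.0.113.5,laddr=10.0.0.10,lport=2222` prints the effective settings for a given user, source address and local port, so both policies can be confirmed without a live login. If the firewall rewrites the source address to its own internal IP, the `Address` condition cannot tell the forwarder apart from other hosts on the subnet, which is why this example keys the external policy on `LocalPort` instead.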