We run a public FTP server, which lives in a DMZ. The entire Internet is allowed to FTP to it. It also runs SSH. The firewall only lets admins connect to the SSH port (port 22).
We've had a request from some partners to switch from FTP to SFTP. Of course in concept that makes sense (encryption and strong authentication). But the problem I see with SFTP through OpenSSH is that it runs over port 22, just as a part of SSH.
So in order to enable SFTP, I have to open port 22 up to the world. I don't like that. I realize there are ways to not allow an FTP user interactive SSH login, but I still don't like it.
Is it possible to run SFTP on another port using a special server process? Or some other way to solve this problem?