Running SSH on two ports?

This relates to this question here:
http://www.experts-exchange.com/Security/Q_21223762.html

I may be pressured to run SFTP (FTP over SSH).

One thing I don't like is that it would require me to open up the SSH port (port 22) to the Internet (all IP because my SFTP users will be dynamic).

Can anyone give me any security guidelines (specifics) on locking down SSH?

Specifically, one option I would like help with is the possibility of running SSH on two ports: one that supports interactive logins, and one that has it disabled (SFTP only). That way I can still limit access to the admin SSH port. Is that possible?

Thx,
Shane
shanepresleyAsked:
chris_calabreseCommented:
Unless you hack the OpenSSH source, there is no way to restrict SSH to only doing SFTP other than on a user-by-user basis.

To set up a user as SFTP-only, set their login shell to /the/path/of/sftp-server (for example, this would be /opt/openssh/libexec/sftp-server in our environment).

You'll also have to add sftp-server to /etc/shells.
shanepresleyAuthor Commented:
Thanks Chris,

What about on the second SSH server, only accepting authorized_keys?

For our internal users we accept passwords. For these FTP jobs we may require public keys. So if we ran this all on a single instance of SSH, then external users would be able to attempt brute force password cracks.

So if we ran our internal SSH on port 22 (accepting passwords) and our external SSH (for sftp) on another port and restricted it to PubkeyAuthentication and authorized_keys?

Would that model work? Allowing our internal users to use passwords, and forcing SFTP users to a pre-authorized key?

Shane
chris_calabreseCommented:
Yeah, that would work (run the second sshd with '-f /path/to/config-file').

But it might not be acceptable to (or too difficult for) the SFTP users.

And you still want to set up the SFTP-only users as above.

Oh, and almost forgot, unlike FTP, you can't restrict SFTP to only the users' home directories, so you want this on a machine that's not doing anything else and that is appropriately locked down.
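The two-instance model Chris confirms above (internal sshd on port 22 with passwords, a second sshd started with `-f` that only accepts public keys and only serves SFTP-only users), written out as an added example; it is not from the original thread. The config path, sftp-server path, port 2222 and the `sftpusers` group are assumptions for illustration.

```shell
#!/bin/sh
# Added example: second sshd instance for external, key-only SFTP users.
# Start it alongside the normal daemon with:  sshd -f "$SFTP_CONFIG"
# All paths/ports below are assumptions; adjust to your build of OpenSSH.
SFTP_CONFIG="${SFTP_CONFIG:-/etc/ssh/sshd_config_sftp}"
SFTP_SERVER="${SFTP_SERVER:-/usr/libexec/openssh/sftp-server}"
SFTP_PORT="${SFTP_PORT:-2222}"
SFTP_GROUP="${SFTP_GROUP:-sftpusers}"

# Emit the sshd_config for the external instance: a separate port and pid
# file so it coexists with the port-22 daemon, password and keyboard-
# interactive auth off so brute forcing is not possible, keys only.
sftp_sshd_config() {
    cat <<EOF
# external SFTP instance: public-key authentication only
Port ${SFTP_PORT}
PidFile /var/run/sshd_sftp.pid
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowGroups ${SFTP_GROUP}
X11Forwarding no
AllowTcpForwarding no
Subsystem sftp ${SFTP_SERVER}
EOF
}

# Make one account SFTP-only exactly as the answer describes: login shell
# set to sftp-server, and sftp-server listed in /etc/shells so the login
# is not rejected. Also puts the user in the group the config allows.
make_sftp_only_user() {
    user="$1"
    grep -qx "${SFTP_SERVER}" /etc/shells || echo "${SFTP_SERVER}" >> /etc/shells
    usermod -s "${SFTP_SERVER}" -a -G "${SFTP_GROUP}" "$user"
}

# Write the config; run as root, then validate with: sshd -t -f "$SFTP_CONFIG"
write_sftp_config() {
    sftp_sshd_config > "${SFTP_CONFIG}"
}
```

Chris's caveat that SFTP users cannot be confined to their home directories predates `ChrootDirectory` and `internal-sftp`, which OpenSSH added in 4.8; on a current server, `ChrootDirectory %h` plus `ForceCommand internal-sftp` in this config confines the key-only users without the sftp-server login-shell trick.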
shanepresleyAuthor Commented:
Thanks again Chris.

One more followup about "unlike FTP, you can't restrict SFTP to only the users' home directories"

Just to make sure I understand that correctly, their directory at login will be the user home directory, but they'll be able to access anything that their user account is allowed to access? So they can cd up a directory, and still get files, assuming Unix permissions allow them to?

chris_calabreseCommented:
Yes.
shanepresleyAuthor Commented:
Thanks!