> Yes and no. The standards wisely do not allow port numbers as a part of the DNS
> identity.
Ok, then one must access the different services by different FQDN.
Apparently. That’s what everybody else has been doing for the last umpteen years. ;-)
> I still think it’s not a very good idea to “securely distinguish several SSH services
> running on a single host”, but it seems entirely doable if you’re bent on it.
I'm curious: What's wrong to have a different SFTP-only service running on a different
port besides the SSH server for admin shell access?
Nothing that I can see off-hand.
On the other hand, what’s your threat model? If it’s on the same host, how can I compromise one key but not the other?
But as I said, while I would separate by virtual hosting and FQDN, you can craft the certs the way you want – except that the DNS name in the SAN cannot have the port.
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
