>> Yes and no. The standards wisely do not allow port numbers as a part of the DNS
>> identity.
>
> Ok, then one must access the different services by different FQDN.

Apparently. That's what everybody else has been doing for the last umpteen years. ;-)

>> I still think it's not a very good idea to "securely distinguish several SSH services
>> running on a single host", but it seems entirely doable if you're bent on it.
>
> I'm curious: What's wrong with having a different SFTP-only service running on a
> different port besides the SSH server for admin shell access?

Nothing that I can see off-hand. On the other hand, what's your threat model? If it's on the same host, how can I compromise one key but not the other?

But as I said, while I would separate by virtual hosting and FQDN, you can craft the certs the way you want – except that the DNS name in the SAN cannot have the port.
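An added illustration, not part of the thread: a small RFC 6125-style SAN dNSName matcher in Python (standard library only) that shows why two services on one host are told apart by distinct SAN names rather than by port. The names sftp.example.org and shell.example.org are constructed for the demo; a "host:port" string is neither a valid SAN entry nor a matchable target, so the client strips the port before matching.

```python
import re

# One DNS label: 1-63 chars of letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_dns_name(name: str) -> bool:
    """Syntactic hostname check. A ':port' suffix fails here: a port is not
    part of a DNS identity, so it cannot appear in a SAN dNSName."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def san_matches(san_dns: str, host: str) -> bool:
    """RFC 6125-style comparison of one SAN dNSName against a target host:
    case-insensitive, trailing dot ignored, and a wildcard only as the whole
    leftmost label (so '*.example.org' covers 'sftp.example.org' but neither
    'example.org' nor 'a.b.example.org')."""
    san_dns = san_dns.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not is_valid_dns_name(host):
        return False
    if "*" not in san_dns:
        return is_valid_dns_name(san_dns) and san_dns == host
    first, _, rest = san_dns.partition(".")
    if first != "*" or not rest or not is_valid_dns_name(rest):
        return False
    host_first, _, host_rest = host.partition(".")
    return bool(host_first) and host_rest == rest


def host_for_matching(target: str) -> str:
    """What a client actually compares: the host part of 'host[:port]'.
    The port selects the service endpoint but never the certificate identity."""
    host, sep, port = target.rpartition(":")
    return host if sep and port.isdigit() else target


def cert_identifies(san_dns_names, target: str) -> bool:
    """True if any SAN dNSName of the presented cert names the target host."""
    host = host_for_matching(target)
    return any(san_matches(san, host) for san in san_dns_names)


if __name__ == "__main__":
    # Constructed SAN list: one cert, two services, two FQDNs on the same box.
    sans = ["sftp.example.org", "shell.example.org"]
    print(cert_identifies(sans, "sftp.example.org:2222"))   # True: port stripped, FQDN matches
    print(cert_identifies(["sftp.example.org:2222"], "sftp.example.org"))  # False: invalid SAN
```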
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev