Niels Kueck wrote:
Is there any possibility to tell the ssh daemon on which port it should reply to the client?
The "ssh" client has an option for using privileged ports on the client side. Enforcing this via iptables/ipchains is possible, but I can see only very little gain in this pattern. Your ssh daemon always talks from its listening port ("Port" in the config) to a dynamic port on the client side.

What are your concerns?

- If it is possible, use tcp-wrappers client IP restrictions in /etc/hosts.allow/.deny.
- Don't permit root logins.
- Don't use password authentication (set up authorized_keys and test before you turn it off).
- Use passphrase-protected private keys (have a look at ssh-agent).
- Set up a restrictive /etc/ssh/ssh_config (disallow port forwarding, X forwarding, agent forwarding; your users should use ~/.ssh/config if they don't like putting parameters on outgoing ssh sessions).

Peter
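An added example, not part of the original message: a small Python check that reads OpenSSH config text and reports where it differs from the settings recommended in the reply above. The mapping of the recommendations to the keywords PermitRootLogin, PasswordAuthentication, ForwardAgent, ForwardX11 and ClearAllForwardings is an assumption made here, and the sample configs are constructed.

```python
import re

# Assumed mapping of the reply's recommendations to OpenSSH keywords.
SSHD_WANTED = {"permitrootlogin": "no", "passwordauthentication": "no"}
SSH_WANTED = {"forwardagent": "no", "forwardx11": "no",
              "clearallforwardings": "yes"}

def parse_global(text):
    """Return {keyword: value} for the global part of an OpenSSH config.

    OpenSSH keeps the first value it obtains for a keyword, so later
    duplicates are ignored. Parsing stops at the first Host/Match block:
    values inside those blocks are conditional and are not evaluated here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Accept both "Keyword value" and "Keyword=value".
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key in ("host", "match"):
            break
        settings.setdefault(key, value)  # first value wins
    return settings

def audit(text, wanted):
    """List every wanted keyword that is unset or has a different value."""
    have = parse_global(text)
    findings = []
    for key, want in wanted.items():
        got = have.get(key)
        if got is None:
            findings.append(f"{key}: not set, relies on the built-in default")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', recommended '{want}'")
    return findings

# Constructed sample files, not taken from a real host.
SAMPLE_SSHD = ("Port 22\nPermitRootLogin no\nPasswordAuthentication yes\n"
               "PermitRootLogin yes\nMatch User backup\n"
               "    PasswordAuthentication no\n")
SAMPLE_SSH = "ForwardX11=no\nForwardAgent yes\nClearAllForwardings yes\n"

if __name__ == "__main__":
    for name, text, wanted in (("sshd_config", SAMPLE_SSHD, SSHD_WANTED),
                               ("ssh_config", SAMPLE_SSH, SSH_WANTED)):
        for finding in audit(text, wanted):
            print(f"{name}: {finding}")
```

Unset keywords are reported because the built-in defaults differ between OpenSSH versions and distributions.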