From: Fritz Wuehler
Subject: Re: Guaranteeing SSH access to specific clients
Date: Fri, 09 Dec 2022 04:13:06 +0100
Newsgroups: comp.os.linux.misc
Organization: dizum.com - The Internet Problem Provider

Harold Johanssen [HJ]:

HJ> Is it possible to guarantee SSH to a specific client, to the
HJ> exclusion of all other clients?

A few ideas that you might want to explore:

Use port knocking

There is even a port knocking server out there that can be configured
to listen on the same port as the SSH server; after the former is done,
it gets out of the way of the latter. The client must knock on the port
(execute an appropriately configured port knocking client) before
connecting.

Use SSH over a VPN

This way the client will always have a fixed IP (i.e. that of their end
of the VPN tunnel) and you can apply firewall rules blocking access to
port 22 from all other IPs.

Use 2FA (e.g. TOTP) + SSH

The client visits a web page and is asked for a six-digit number
(generated by their TOTP authenticator app). The web server captures
their IP address and unblocks access to the SSH server from that
specific IP for the next X minutes/hours.
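
The TOTP gate from the last idea, sketched as an added example (not code from the post or from any particular project): it checks the six-digit code, refuses a code that was already used, and records a time-limited grant for the connecting IP. The class name, the 30-minute grant and the nftables table/set names (inet filter, ssh_ok) are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

STEP = 30             # TOTP time step in seconds (RFC 6238 default)
GRANT_SECONDS = 1800  # the post's "X minutes"; 30 minutes is an assumption


def totp(secret, counter, digits=6):
    """HOTP/TOTP value (RFC 4226/6238, HMAC-SHA1) for one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SshGate:
    """Hypothetical gate: which source IPs may reach sshd, and until when."""
    def __init__(self, secret):
        self.secret = secret
        self.last_counter = -1   # highest time step already redeemed
        self.grants = {}         # normalised ip string -> expiry (unix seconds)

    def redeem(self, peer_ip, code, now):
        """Grant SSH access to peer_ip if code is a fresh, valid TOTP value."""
        ip = str(ipaddress.ip_address(peer_ip))  # raises ValueError on junk
        current = int(now) // STEP
        for counter in (current - 1, current, current + 1):  # tolerate skew
            if counter <= self.last_counter:
                continue  # this step or a later one was already used: replay
            expected = totp(self.secret, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_counter = counter
                self.grants[ip] = now + GRANT_SECONDS
                return True
        return False

    def allowed(self, peer_ip, now):
        """True only while an unexpired grant exists for peer_ip."""
        ip = str(ipaddress.ip_address(peer_ip))
        return now < self.grants.get(ip, 0)

    def nft_args(self, peer_ip):
        """nft call for the grant; names assumed, set needs 'flags timeout'."""
        element = "{ %s timeout %ds }" % (peer_ip, GRANT_SECONDS)
        return ["nft", "add", "element", "inet", "filter", "ssh_ok", element]
```

The web handler should pass the TCP peer address of the request as peer_ip, not a client-supplied header such as X-Forwarded-For, since that address is what the firewall rule will match.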