Popup Popup - 3 months ago 13
Linux Question

Starting different applications from ssh by using different ports?

In a Linux-based system¹, I would like to be able to log on using ssh. I need to launch two (or possibly three) different executables, ideally by connecting to different ports.

Ideally I would like to open a couple of different ports, and have sshd launch different executables² depending on which port. How do I set this up? I have looked through the sshd_config, but without finding anything that looks applicable.

Another alternative that came up was to set up different users, and set up the different applications I want to launch as their respective shells.

(What I do not want to do is to have the remote user specify the executable, as in

ssh user@host executable
.)

Or have I missed any obvious solution?

¹It's a BuildRoot-based embedded system, running on fairly meager resources, but it's a fully-fledged recent Linux kernel and I have a working ssh connection.

²They are interactive CLI-based programs.

Answer

Most Linux systems use the OpenSSH server. It looks like you can get this behavior using the Match directive. Documentation for the SSH server configuration file is here.

First, you have to make sshd listen for connections on the additional ports that you want to use. You can do this through either the Port or ListenAddress directives.

# Listen on the normal port 22
Port 22
# Also listen on port 42
Port 42
# Also listen on address 1.2.3.4, port 62
ListenAddress 1.2.3.4:62

Then, you can use the Match and ForceCommand directives to take special actions for users connecting to a particular port:

Match LocalPort 42
    ForceCommand /usr/local/bin/the-42-app

Match LocalPort 62
    ForceCommand /usr/local/bin/the-62-app

For people who don't want to set the ssh server to listen on multiple ports, there are two other ways to make the server run "canned" apps depending on how the user connects.

Subsystems

A subsystem is a command that's pre-configured into the server. Clients request to run the subsystem by name, and the server runs the command associated with the subsystem. This avoids the client having to know the exact command to run.

You configure subsystems in sshd by adding a line like this to sshd_config:

Subsystem someApp /usr/local/bin/someApp

Then the client calls it like this:

ssh user@host -s someApp         # "-s" means to request a subsystem

Forced Commands on Keys

For key-based authentication, sshd permits you to force a particular command to run when a particular key is used. This is done in the authorized_keys file which is documented here.

Each line of an authorized_keys file normally starts like this:

ssh-rsa AAAAB3N...

You can prepend an options field to the line. One of the options you can specify is a command to run when the key is used to authenticate:

command="/usr/local/bin/someApp" ssh-rsa AAAAB3N...

When that key is used to authenticate, the server will ignore whatever command the client requests to run, and run the specified command instead.
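
For the Match LocalPort / ForceCommand setup in the answer above, this added example (not part of the original answer) checks the effective settings sshd reports for one port: that the forced command is the expected one and that forwarding, which ForceCommand does not switch off, is disabled. The function names and sample values are constructed for illustration; the input format assumed is the lower-case `keyword value` output of `sshd -T`.

```shell
#!/bin/sh
# Added example, not from the original answer. Input is the text printed by
#   sshd -T -C user=USER,host=HOST,addr=ADDR,lport=PORT
# where USER, HOST, ADDR and PORT are placeholders for your own values.

# Print the value of one keyword from `sshd -T` output (keys are lower-case).
cfg_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { sub(/^[^ ]+ /, ""); print; exit }'
}

# audit_port CONFIG_TEXT EXPECTED_COMMAND
# Prints one line per finding; returns 0 if the port is pinned, 1 otherwise.
audit_port() {
    cfg=$1; want=$2; rc=0
    got=$(cfg_value "$cfg" forcecommand)
    if [ "$got" != "$want" ]; then
        echo "forcecommand is '${got:-unset}', expected '$want'"
        rc=1
    fi
    # ForceCommand only replaces the session command. Forwarding is requested
    # on separate channels, so it has to be switched off explicitly.
    for key in allowtcpforwarding allowagentforwarding x11forwarding permittunnel; do
        val=$(cfg_value "$cfg" "$key")
        if [ "$val" != "no" ]; then
            echo "$key is '${val:-unset}', expected 'no'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: command is forced, forwarding left at permissive values.
SAMPLE_LOOSE='forcecommand /usr/local/bin/the-42-app
allowtcpforwarding yes
allowagentforwarding yes
x11forwarding no
permittunnel no'

# Constructed sample: same port with forwarding disabled in the Match block.
SAMPLE_PINNED='forcecommand /usr/local/bin/the-42-app
allowtcpforwarding no
allowagentforwarding no
x11forwarding no
permittunnel no'

audit_port "$SAMPLE_LOOSE" /usr/local/bin/the-42-app || true
audit_port "$SAMPLE_PINNED" /usr/local/bin/the-42-app && echo "port 42: pinned"
```

The corresponding sshd_config keywords are AllowTcpForwarding, AllowAgentForwarding, X11Forwarding and PermitTunnel, all of which can be set inside a Match block next to ForceCommand.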
