How to run SSH server on multiple ports

An SSH server sometimes needs to keep port 22 available while adding another listener for a migration, firewall exception, or management network. Running sshd on multiple ports lets existing clients continue using the old endpoint while new clients test the alternate one.

OpenSSH creates a listener for each active Port directive in the server configuration. The same daemon, host keys, authentication rules, and user accounts answer on every configured port unless separate ListenAddress or Match rules change the scope.

Every new listener must fit the surrounding network policy. Keep a known-good session open, validate the configuration before restarting, open the additional TCP port in the host or upstream firewall when needed, and test a new login on each port before removing any old access path.

Related: How to change the SSH server port
Related: How to connect to an SSH server on a different port
Related: How to configure SSH to listen to a specific IP address

Steps to run SSH server on multiple ports:

  1. Open a terminal on the SSH server with an account that can use sudo.

    Keep a second SSH session, console, or out-of-band path available until both ports accept new logins.

  2. Check that the additional port is not already listening. 
    $ sudo ss --tcp --listening --numeric --processes 'sport = :2222'
State  Recv-Q Send-Q Local Address:Port Peer Address:PortProcess

    Header-only output means no local process is listening on port 2222. Use the checker only to normalize a requested port list; it does not test live listeners.
    Tool: Port List Checker

  3. Open the SSH daemon configuration file or an included drop-in that the host already uses. 
    $ sudoedit /etc/ssh/sshd_config

    On systems that keep local sshd settings under /etc/ssh/sshd_config.d, place the same Port lines in the existing site-local drop-in instead of mixing package defaults and local policy.

  4. Add one Port line for each listener. 
    Port 22
Port 2222

    Keep the known-good port active until the new port has passed a separate login test.

  5. Test the sshd configuration. 
    $ sudo sshd -t

    No output means sshd parsed the active server configuration and host keys successfully.
    Related: How to test SSH server configuration

  6. Restart the SSH service. 
    $ sudo systemctl restart ssh

    Use sudo systemctl restart sshd on systems where the unit is named sshd.
    Related: How to manage the SSH server service with systemctl

  7. Open the additional TCP port in the firewall path when remote clients cross a filtered network.

    Related: Allow a port through the firewall in Linux

  8. Verify that sshd is listening on both ports. 
    $ sudo ss --tcp --listening --numeric --processes '( sport = :22 or sport = :2222 )'
State  Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=15013,fd=8))
LISTEN 0      128          0.0.0.0:2222      0.0.0.0:*    users:(("sshd",pid=15013,fd=6))
LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=15013,fd=9))
LISTEN 0      128             [::]:2222         [::]:*    users:(("sshd",pid=15013,fd=7))
  9. Test a new login through the original port from a separate client session. 
    $ ssh -p 22 user@host.example.net whoami
user
  10. Test a new login through the additional port. 
    $ ssh -p 2222 user@host.example.net whoami
user

    If the local listener appears but this login times out from another host, check the host firewall, cloud security group, NAT rule, or network ACL for port 2222/tcp.