Hi, We'd like sshd to listen on port 22 with PasswordAuthentication = no and port 2222 with PasswordAuthentication = yes. At the moment, it seems the only way to do this is to run two sshds, one per port. Since Match blocks already allow PasswordAuthentication to be set, if the Match keyword itself allowed testing of the server port to which the incoming connection was made then we could do PasswordAuthentication no ... Match ServerPort 2222 PasswordAuthentication yes Does this sound plausible? Would you consider it as an enhancement? Should I open a bug accordingly for the work to be done against? Cheers, Ralph. [I'm not subscribed, so please CC me.]