
I want to separate SCP to be on a different TCP port than the regular port 22.

Using this port, a user should only be able to run SCP commands but not to do a regular SSH login. That user would not have access to regular SSH login on port 22, and vice versa.

Is that possible?

tanius
  • 678
Yair
  • 1

1 Answer


Simply start a second ssh daemon with a separate sshd_config configuration file and you can run two instances of sshd, each configured differently.

Use for example the Port customport and AllowUsers username1 keywords in one sshd_config, and login on your custom port is allowed only for the user username1.

In the other sshd_config use for example the Port 22 and DenyUsers username1 keywords, and login is disallowed on the default sshd port 22 for the user username1.


AFAIK scp is plagued by a long history of security issues, and restricting users to scp-only access always seemed non-trivial and to involve quite some workarounds.

Therefore Red Hat is completely abandoning support for SCP as announced here: https://www.redhat.com/en/blog/openssh-scp-deprecation-rhel-9-what-you-need-know and now provides an scp that under the hood uses the SFTP protocol.

Limiting users to only SFTP is natively supported in OpenSSHd with the keyword:

ForceCommand internal-sftp

so that might be your best bet too.

diya
  • 1,839
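A concrete version of the two-daemon setup and the ForceCommand internal-sftp restriction described in the answer above, added here as an example; it is not code from the original answer or from the OpenSSH project. It writes two sshd_config files (one SFTP-only listener on a custom port, one regular listener on port 22 that refuses the same user), then checks that the pair really enforces the split. The user name username1, the port 2222 and the chroot path /srv/sftp are constructed values for this example.

```shell
#!/bin/sh
# Added example (not from the original answer): generate the two sshd_config
# files for the split described above and check that they enforce it.
# Assumed/constructed values: user "username1", custom port 2222, chroot
# directory /srv/sftp/<user>.

# Write the config for the SFTP-only listener.
# $1 = output path, $2 = port, $3 = user name
write_sftp_only_config() {
  cat > "$1" <<EOF
# sshd_config for the SFTP-only daemon (listens on its own port)
Port $2
AllowUsers $3
PasswordAuthentication no
PubkeyAuthentication yes

# Every session for this user is forced into the in-process SFTP server:
# no shell, no TTY, no port/agent/X11 forwarding, confined to a chroot.
Match User $3
    ForceCommand internal-sftp
    PermitTTY no
    X11Forwarding no
    AllowTcpForwarding no
    AllowAgentForwarding no
    ChrootDirectory /srv/sftp/%u
EOF
}

# Write the config for the regular daemon on port 22 that refuses the user.
# $1 = output path, $2 = user name
write_default_config() {
  cat > "$1" <<EOF
# sshd_config for the regular interactive daemon
Port 22
DenyUsers $2
EOF
}

# Print the value of the first occurrence of a keyword in a config file.
# Keyword matching is case-insensitive, as it is in sshd itself.
# $1 = config path, $2 = keyword
config_value() {
  awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Verify that the file pair enforces the intended split: the user is allowed
# (and forced into internal-sftp) only on the custom port and denied on 22.
# $1 = sftp-only config, $2 = default config, $3 = user, $4 = custom port
# Returns 0 when the split holds, 1 otherwise.
check_split() {
  [ "$(config_value "$1" Port)" = "$4" ] || return 1
  [ "$(config_value "$1" AllowUsers)" = "$3" ] || return 1
  [ "$(config_value "$1" ForceCommand)" = "internal-sftp" ] || return 1
  [ "$(config_value "$2" Port)" = "22" ] || return 1
  [ "$(config_value "$2" DenyUsers)" = "$3" ] || return 1
  return 0
}

# Syntax-check a config with sshd itself when it is installed
# (-t = test mode, -f = config file). Skipped where sshd is absent.
validate_with_sshd() {
  if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$1"
  fi
}

# Build both files in a scratch directory, check them and print the directory.
demo() {
  dir=$(mktemp -d)
  write_sftp_only_config "$dir/sshd_config.sftp" 2222 username1
  write_default_config "$dir/sshd_config.default" username1
  check_split "$dir/sshd_config.sftp" "$dir/sshd_config.default" username1 2222 \
    && echo "split OK: username1 -> SFTP only on 2222, denied on 22"
  validate_with_sshd "$dir/sshd_config.sftp"
  validate_with_sshd "$dir/sshd_config.default"
  echo "$dir"
}

# Run the demo only when invoked as "sh script.sh demo", so the functions can
# also be sourced without side effects.
if [ "${1:-}" = "demo" ]; then
  demo
fi
```

The second daemon is then started against its own file with `sshd -f /path/to/sshd_config.sftp` (on a systemd host, as a second unit with that command line). Two caveats that apply to the generated file: `ChrootDirectory` requires every component of the path to be owned by root and not writable by any other user, or sshd refuses the login; and because the Match block forces `internal-sftp`, the user can still use Red Hat's SFTP-based scp but not the legacy scp protocol, which is exactly the restriction the answer recommends.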