Type: Suggestion
Resolution: Low Engagement
On various systems, it's possible (easy, even) to use access controls to permit non-root processes to bind to low ports; for example, on FreeBSD, one can use the MAC portacl feature to permit specific users to bind low ports.
On the FreeBSD on which Stash is installed, I've added the necessary configuration to allow the Stash user to bind to port 22 directly:
    $ id
    uid=1001(_stash) gid=1001(_stash) groups=1001(_stash)
    $ nc -l 192.168.11.80 22
    [nc was able to open the listen port]
    ^C
Likewise, Solaris 10 allows assigning the net_privaddr privilege to user accounts for the same purpose.
This is considered normal, supported system behavior, and is a standard approach to allowing processes (such as Java) to bind standard ports without requiring root privileges. We use this functionality to allow OpenDJ (also a Java server) to bind to the LDAP and LDAPS ports (389, 636), to allow Tomcat to bind directly to 443/80, and even to allow Stash itself to directly bind port 443 on our Stash installation.
Ideally, we could simply enable this on our servers, and configure Stash to use the standard SSH port.
However, there are two constraints in Stash itself that prevent this:
- Binding to port 22 is unnecessarily prevented by Stash itself (rather than checking for EACCES).
- Stash provides no UI to bind SSH to a specific IP (which will conflict with the host's sshd binding to tcp/22 on a different IP).
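The bind behaviour the two constraints above ask for, as an added illustration that is not Stash code and not the reporter's: attempt the bind on a specific address and port, let the kernel (with mac_portacl or net_privaddr, if configured) decide, and classify the errno instead of refusing ports below 1024 up front. The host, port and rule string in the comments are assumptions for illustration.

```python
import errno
import socket
from typing import Optional, Tuple

def try_bind(host: str, port: int) -> Tuple[str, Optional[socket.socket]]:
    """Bind a TCP listening socket to (host, port) and report what the kernel decided.

    Returns ("bound", sock) on success, ("eacces", None) when the kernel refused the
    privileged port, and ("eaddrinuse", None) when something else already owns it.
    Binding to one address (e.g. 192.168.11.80) rather than INADDR_ANY is what lets
    the host's own sshd keep tcp/22 on its other interface.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        sock.listen(5)
        return "bound", sock
    except PermissionError:
        # EACCES (EPERM on some systems): the process lacks the privilege for this port.
        # On FreeBSD, a rule such as security.mac.portacl.rules=uid:1001:tcp:22
        # (assumed value) would make this same call succeed for uid 1001.
        sock.close()
        return "eacces", None
    except OSError as exc:
        sock.close()
        if exc.errno == errno.EADDRINUSE:
            # Another listener (for example the host sshd on INADDR_ANY) holds the port.
            return "eaddrinuse", None
        raise

if __name__ == "__main__":
    # Assumed address for the example; port 0 asks the kernel for any free port.
    status, listener = try_bind("127.0.0.1", 0)
    print(status, listener.getsockname() if listener else None)
    if listener:
        listener.close()
```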
Relates to: BSERV-3042 Forward usual SSH shell sessions via 7999 port - Closed