Oh actually here's a possible hinky trick I just thought of: Use iptables to inspect the incoming packet for the special username, assuming you can prevent it from being used by a normal user. When you find it, port-forward the packet to an alternate port that hots a different listen/client directive.