patch to add built-in support for port knocking

Darren Tucker dtucker at zip.com.au
Sun Jul 16 16:35:47 EST 2006


On Sat, Jul 15, 2006 at 11:00:02AM -0400, Ryan Findley wrote:
> A friend gave me access to an svn(+ssh) repository the other day, and  
> told me that I needed to do some port knocking to open up ssh. It  
> occurred to me that it would be extremely convenient if I could add a  
> "knock" configuration option for the host to my ~/.ssh/config file  
> and never think about this again (rather than creating a shell script  
> to accomplish this behavior, and remembering to use it for remote  
> access and svn activity).

You can do it from ~/.ssh/config already with a ProxyCommand.  Make
yourself a little shell script that does the portknocking then execs
connect or netcat, like so:

#!/bin/sh
# ssh passes %h (host) as $1 and %p (port) as $2; knock first, then hand
# the connection to netcat only if the knock command succeeded.
your_portknock_command $1 && exec /usr/bin/nc $1 $2

Then, add it to ~/.ssh/config:

Host svnserver.example.com
	ProxyCommand /usr/local/bin/portknock_connect %h %p

> After some pretty small changes to ssh.c and readconf.c, my dream is  
> now a reality.
> Might I be able to convince the good people of OpenSSH to consider  
> adding my changes to CVS?

It's unlikely.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
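As an added example (not part of Darren's message or of OpenSSH), a fuller version of the portknock_connect wrapper described above: the knock ports are passed as extra arguments after %h %p so the sequence lives in ~/.ssh/config, the sequence is validated before any packet is sent, and each knock is a single nc connection attempt. The script name, the argument convention, the KNOCK_* variables and the ports 7000 8000 9000 are assumptions.

```shell
#!/bin/sh
# Hypothetical portknock_connect for use as an OpenSSH ProxyCommand
# (added example, not from the original message). ssh invokes it as:
#   portknock_connect HOST PORT KNOCKPORT...
# i.e.  ProxyCommand /usr/local/bin/portknock_connect %h %p 7000 8000 9000
# The knock ports 7000 8000 9000 are a constructed sample sequence.

KNOCK_DELAY="${KNOCK_DELAY:-1}"   # seconds between knocks (knock daemons time out)
KNOCK_TOOL="${KNOCK_TOOL:-nc}"    # command that sends each knock; overridable for tests

# valid_ports PORT... : return 0 if every argument is a TCP port (1-65535),
# 1 otherwise, so a typo in ~/.ssh/config fails before any packet is sent.
valid_ports() {
    [ $# -ge 1 ] || return 1
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    return 0
}

# do_knocks HOST PORT... : one TCP connection attempt per port, in order.
# Knock ports are normally closed, so a refused connection is expected and
# ignored; only the attempt itself matters to the daemon watching for it.
do_knocks() {
    host=$1; shift
    for p in "$@"; do
        "$KNOCK_TOOL" -z -w 1 "$host" "$p" >/dev/null 2>&1 || true
        sleep "$KNOCK_DELAY"
    done
}

main() {
    [ $# -ge 3 ] || { echo "usage: $0 host port knockport..." >&2; exit 2; }
    host=$1; port=$2; shift 2
    valid_ports "$@" || { echo "invalid knock sequence: $*" >&2; exit 2; }
    do_knocks "$host" "$@"
    # Hand the socket to nc; ssh then talks to the real sshd through it.
    exec nc "$host" "$port"
}

# Run main only when invoked as the installed script, not when sourced.
case "$0" in *portknock_connect) main "$@" ;; esac
```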



More information about the openssh-unix-dev mailing list