Re: sniffing, if I were implementing port knocking I would use the "single packet authorization" variant like in knockknock, which makes sniffing much less useful to an attacker.
I just prepend a secret letter to every possible ssh account on my server ('root' becomes 'jroot') and so that way "ssh root@myserver.com" can never work even if you know my root password. And this way my defense is opaque to attackers passively monitoring my network traffic (the username is encrypted in the ssh protocol).
Oh shit, I just gave away my secret on a public forum...
Ha ha, fooled you! I use a different secret letter in actual practice!
(Or do I?)
p.s. Pretty sure port-knocking offers less protection than this scheme.
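The single packet authorization variant mentioned at the top of the thread, as an added example that is not code from the post or from knockknock itself; the pre-shared secret, the timestamp||nonce||HMAC packet layout and the 30-second validity window are assumptions. It shows why a sniffed knock is of little use: a replayed or stale packet is rejected, and the MAC cannot be forged without the secret.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

SECRET = b"constructed-shared-secret"  # assumption: pre-shared key, constructed for this example
WINDOW = 30  # seconds a knock stays valid (assumed value)


def make_knock(secret: bytes, now: Optional[int] = None, nonce: Optional[bytes] = None) -> bytes:
    """Client side: one UDP payload = timestamp(8) || nonce(8) || HMAC-SHA256(secret, timestamp||nonce)."""
    ts = now if now is not None else int(time.time())
    nonce = nonce if nonce is not None else os.urandom(8)
    body = struct.pack("!Q", ts) + nonce
    return body + hmac.new(secret, body, hashlib.sha256).digest()


class KnockServer:
    """Server side: checks the MAC, enforces the time window and rejects replays of sniffed packets."""

    def __init__(self, secret: bytes, window: int = WINDOW):
        self.secret = secret
        self.window = window
        self.seen = set()  # timestamp||nonce bodies already accepted inside the window

    def verify(self, packet: bytes, now: Optional[int] = None) -> bool:
        if len(packet) != 8 + 8 + 32:
            return False
        body, tag = packet[:16], packet[16:]
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare; forged or tampered packet
            return False
        ts = struct.unpack("!Q", body[:8])[0]
        now = now if now is not None else int(time.time())
        # Drop bookkeeping for knocks that can no longer be replayed, so memory stays bounded.
        self.seen = {k for k in self.seen if abs(now - struct.unpack("!Q", k[:8])[0]) <= self.window}
        if abs(now - ts) > self.window:
            return False  # stale: a capture replayed later than the window
        if body in self.seen:
            return False  # replay of a packet already accepted
        self.seen.add(body)
        return True
```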