by marcosdumay 4640 days ago
The sequence of ports becomes a key. I don't think the principle is violated.

What I think is that you should disable password authentication anyway, and adding port knocking to an ssh server that doesn't accept passwords is equivalent to adding a thin wood plank to a 20" steel door with a state of the art lock.
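Added example (mine, not part of the thread): a small audit of the sshd_config settings the comment above says to turn off. It is worth checking rather than assuming, because sshd keeps the first value it sees for a keyword, so a "PasswordAuthentication no" added below a leftover "yes" does nothing, a Match block can re-enable passwords for some users, and keyboard-interactive (PAM) can still prompt for a password when PasswordAuthentication alone is off. The defaults and the two sample configs are assumptions I constructed for the demonstration, not taken from any real host.

```python
"""Audit an sshd_config for password-based login settings.

Added example, not from the thread. The OpenSSH defaults below are assumed
(they match current documentation but are not taken from this page), and the
sample configs at the bottom are constructed.
"""
import re

# sshd reads directives top-down and the FIRST value for a keyword wins,
# so a later "PasswordAuthentication no" after an earlier "yes" is ignored.
# Directives inside a "Match" block apply only to matching connections, so
# they are tracked separately from the global section.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "challengeresponseauthentication": "yes",  # older name for the same knob
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return (global_directives, match_blocks).

    global_directives: dict keyword -> first value seen (sshd semantics)
    match_blocks: list of (match_criteria, dict keyword -> first value)
    Keywords are case-insensitive; only whole-line comments are handled.
    """
    globals_ = {}
    matches = []
    current = None  # None while still in the global section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            matches.append((value, current))
            continue
        target = globals_ if current is None else current
        target.setdefault(key, value.lower())  # first occurrence wins
    return globals_, matches


def effective(directives, key):
    """Value sshd would use globally: configured value, else the default."""
    return directives.get(key, DEFAULTS.get(key))


def audit_password_auth(text):
    """Return a list of findings; an empty list means password-based logins
    are off globally and no Match block turns them back on."""
    globals_, matches = parse_sshd_config(text)
    findings = []
    if effective(globals_, "passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no' globally")
    # Keyboard-interactive (PAM) can still ask for a password even when
    # PasswordAuthentication is off, so check both spellings of that knob.
    kbd = globals_.get("kbdinteractiveauthentication",
                       globals_.get("challengeresponseauthentication", "yes"))
    if kbd != "no":
        findings.append("KbdInteractive/ChallengeResponseAuthentication is not 'no' globally")
    if effective(globals_, "pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is disabled; nothing is left to log in with")
    for criteria, block in matches:
        for key in ("passwordauthentication", "kbdinteractiveauthentication",
                    "challengeresponseauthentication"):
            if block.get(key) == "yes":
                findings.append(f"Match {criteria}: {key} re-enabled")
    return findings


# Constructed sample: looks hardened at a glance but is not (first value wins).
WEAK = """\
# left over from the distro install
PasswordAuthentication yes
KbdInteractiveAuthentication yes
PubkeyAuthentication yes
# ignored by sshd: the keyword already has a value
PasswordAuthentication no
"""

# Constructed sample: password logins really are off, and the Match block
# does not reopen them.
HARDENED = """\
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_password_auth(cfg) or ["ok"])
```

The check is deliberately pessimistic: anything other than an explicit "no" for the password and keyboard-interactive knobs is reported, since the defaults for both are "yes".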


But the sequence can be found by sniffing the network connection. Unlike the ssh passwords, which aren't ever transmitted in plain text.

> The sequence of ports becomes a key.

Yes, I agree completely. Which is why it buys you nothing compared to simply increasing your password/key lengths with the equivalent number of bits. On the contrary, it introduces confusing complexity for oneself and one’s fellows. Maybe this is what unconscionable people call “Job security”?

> equivalent to adding a thin wood plank

It is less like a thin wooden plank and more like a hedge maze which all legitimate users also must traverse each time. And all the hedges are made of asbestos.

Reason by analogy much? Layered security and out of band. Flaw in ssh? Still have another speed bump in the attack vector.

Not only is port knocking just adding a key that gives you nothing over a longer password or actual ssh key, but it's also a key that you send in plaintext over public networks every time you connect.