On Fri, Feb 06, 2004 at 09:10:53PM -0300, Alejandro G. Belluscio wrote:
> I think I didn't make myself clear (as usual :-). I wasn't thinking
> about hiding the ports. But rather as a way to provide certain identity
> protection without having to rewrite apps. I don't really mind if my
> sshd gets scanned. But what if I translated some S/Key to port sequence?
Maybe I'm paranoid, but I wouldn't enter a password into an ssh client running on a system I don't know for sure I'm the sole root of. Not even a one-time one like S/Key. You mean like some Java SSH client running in IE on an unpatched Win95 in some Internet cafe abroad? I'd rather bring my old $100 laptop and risk having it stolen. Or drive home to log in, if it's urgent.

If you trust the ssh client, and want the ssh authentication to grant access to other ports, you'd just ssh tunnel them (there's a nice option to use pf rdr instead of setting up lots of individual -R/-L ports, or use authpf).

I thought the point of knocking was primarily hiding from scanners. Once you've authenticated to ssh, getting to the other ports is no problem, unless I miss your point again :)

Daniel
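As an added illustration of the authpf approach Daniel mentions (example configuration written for this page, not part of the original thread or of OpenBSD's own files), here is a minimal gateway pf.conf together with the per-user rules that authpf loads for as long as the user's ssh session stays open. Only sshd is reachable from outside; the other services become reachable from the authenticated user's source address after login, and the rules are removed again when the session ends. The interface name, the internal network and the service list are assumptions; the `$user_ip` macro and the `authpf` anchor are what authpf(8) documents (the `anchor "authpf/*"` spelling is the later pf syntax, not the one in use in early 2004).

```conf
# /etc/pf.conf on the gateway (example; interface name and network are assumed)
ext_if = "em0"
int_net = "10.0.0.0/24"

# authpf installs each authenticated user's rules into a sub-anchor here.
anchor "authpf/*"

# Default posture: nothing inbound except ssh, so a scanner only sees sshd.
block in on $ext_if
pass in quick on $ext_if proto tcp from any to $ext_if port ssh keep state

# /etc/authpf/authpf.rules (example; loaded per ssh session, unloaded on logout)
# Macros are not shared with pf.conf, so they are repeated here.
# authpf replaces $user_ip with the address the ssh session came from.
ext_if = "em0"
int_net = "10.0.0.0/24"
pass in quick on $ext_if proto tcp from $user_ip to $int_net port { imap, smtp } keep state
```

To use it, the account's login shell is set to /usr/sbin/authpf and the user simply keeps an `ssh user@gateway` session open; `pfctl -sA` on the gateway lists the per-session sub-anchors while they exist, which also gives you a direct way to audit who currently has the extra ports opened.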
