We have been asked several times to implement Port Knocking: a mechanism for making a running service look like a closed port (one that refuses connections) unless the right sequence of "knocks" (attempted connections to genuinely closed ports) is received shortly before the real connection attempt.
The PuTTY team is collectively unconvinced that this is a good idea. For a start, it's not universally usable, because many firewalls won't let the knocks through. (Obviously the firewall at the server end is precisely what will need to be specifically listening out for the knock, but firewalls at the client end or in between are likely to cause a lot more trouble. And in particular, if you're connecting through an SSH tunnel, you'll have a hard time sending a knock.) Also, since the knock is effectively sent in cleartext, anyone who can watch the wire can record the sequence and replay it, so it doesn't buy you a great deal of security. The only real gain is that your service appears to be a closed port to anyone doing a port scan, and although that might have advantages it might also cause administrators to become more relaxed about the real security of their service. It seems like a lot of effort for very little gain.
Much more importantly, though, we don't like the idea of this mechanism having to be implemented separately in every network client program - particularly given the hints on the port knocking website that more inventive forms of knock may be developed in future, which would of course mean we'd have to keep up with development. To implement and maintain this in PuTTY and all other network utilities would be a huge amount of effort.
If this is to be done at all, it should be done in a largely client-independent manner. For example:

- Write a small wrapper program, in the style of nc(1), which sends the knock and then relays the connection to the real port. Then invoke that using the "Local" proxy setting in PuTTY (works on both Windows and Unix).
- On Unix, write a shared library which wraps the connect(2) system call so that it performs the knock first. Then you can use LD_PRELOAD to apply it to almost any application.
If anyone really wants to see this feature in PuTTY, they should probably look into one of the above options.
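As an added illustration of the first option (this is example code written for this page, not part of PuTTY or of any port-knocking project), here is a knock-then-relay wrapper suitable for PuTTY's "Local" proxy type. PuTTY runs the configured command and talks to the network connection over that command's standard input and output, substituting %host and %port into the command line. The knock ports, the host address and the delays below are hypothetical. The script also reports the failure mode discussed above: a knock that gets no answer at all usually means a firewall on the path has swallowed it.

```python
#!/usr/bin/env python3
"""knockproxy.py: knock, then relay stdin/stdout to the real service.

Example for PuTTY's "Local" proxy (Connection > Proxy, type "Local"):
    python3 knockproxy.py --knock 7000,8000,9000 %host %port
%host and %port are PuTTY's substitutions for the target host and port.
The knock ports and addresses used here are hypothetical.
"""
import argparse
import socket
import sys
import threading
import time


def parse_knock(spec):
    """Turn '7000,8000,9000' into [7000, 8000, 9000], rejecting junk."""
    ports = []
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok.isdigit() or not 1 <= int(tok) <= 65535:
            raise ValueError("bad knock port: %r" % tok)
        ports.append(int(tok))
    return ports


def tcp_probe(host, port, timeout):
    """One knock: a single TCP connection attempt to host:port.

    A genuinely closed port answers with a RST ('refused').  'timeout'
    means nothing came back, typically a firewall on the path dropping the
    SYN, so the server's knock daemon never saw it.  'open' means the port
    is actually listening and therefore cannot be a knock port.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    finally:
        s.close()


def knock(host, ports, delay=0.2, timeout=0.5, probe=tcp_probe):
    """Send the knocks in order with a pause between them.

    Only the SYNs matter to the server; the attempts are expected to fail.
    Returns [(port, outcome), ...].  'probe' is injectable for testing.
    """
    results = []
    for i, port in enumerate(ports):
        if i:
            time.sleep(delay)
        results.append((port, probe(host, port, timeout)))
    return results


def knock_warnings(results):
    """Describe outcomes suggesting the knock sequence did not work."""
    msgs = []
    for port, outcome in results:
        if outcome == "timeout":
            msgs.append("knock to port %d got no answer; a firewall on the "
                        "path may be dropping it" % port)
        elif outcome == "open":
            msgs.append("knock port %d is listening; knock ports should be "
                        "closed" % port)
    return msgs


def relay(sock, inp, out):
    """Copy inp -> sock in a thread and sock -> out here, until the socket closes."""
    def upstream():
        try:
            while True:
                chunk = inp.read1(65536)
                if not chunk:
                    break
                sock.sendall(chunk)
        except OSError:
            pass
        finally:
            try:
                sock.shutdown(socket.SHUT_WR)  # we have nothing more to send
            except OSError:
                pass
    threading.Thread(target=upstream, daemon=True).start()
    while True:
        data = sock.recv(65536)
        if not data:
            break
        out.write(data)
        out.flush()
    return out


def main(argv=None):
    ap = argparse.ArgumentParser(description="knock, then relay stdin/stdout")
    ap.add_argument("--knock", required=True, help="knock ports, in order")
    ap.add_argument("--delay", type=float, default=0.2, help="seconds between knocks")
    ap.add_argument("host")
    ap.add_argument("port", type=int)
    args = ap.parse_args(argv)
    for msg in knock_warnings(knock(args.host, parse_knock(args.knock), args.delay)):
        print("knockproxy: " + msg, file=sys.stderr)
    # The knock is a static cleartext sequence: anyone sniffing the path can replay it.
    conn = socket.create_connection((args.host, args.port), timeout=10)
    conn.settimeout(None)
    relay(conn, sys.stdin.buffer, sys.stdout.buffer)


if __name__ == "__main__":
    main()
```

The relay uses a thread rather than select() on stdin so that the same script works under both the Windows and the Unix builds of PuTTY, as the "Local" proxy type does. Nothing here changes the weakness noted above: the sequence goes out in the clear and a passive observer can repeat it.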