PuTTY wish port-knocking

Home | Licence | FAQ | Docs | Download | Keys | Links
Mirrors | Updates | Feedback | Changes | Wishlist | Team

We have been asked several times to implement Port Knocking: a mechanism for making a running service appear to be a connection-refusing closed port unless the right sequence of "knocks" (attempted connections to genuinely closed ports) is received before the connection attempt.

The PuTTY team is collectively unconvinced that this is a good idea. For a start, it's not universally usable, because many firewalls won't let the knocks through. (Obviously the firewall at the server end is precisely what will need to be specifically listening out for the knock, but firewalls at the client end or in between are likely to cause a lot more trouble. And in particular, if you're connecting through an SSH tunnel, you'll have a hard time sending a knock.) Also, since the knock is effectively sent in cleartext, it doesn't buy you a great deal of security - the only real gain is that your service appears to be a closed port to anyone doing a port scan, and although that might have advantages it might also cause administrators to become more relaxed about the real security of their service. It seems like a lot of effort for very little gain.

Much more importantly, though, we don't like the idea of this mechanism having to be implemented separately in every network client program - particularly given the hints on the port knocking website that more inventive forms of knock may be developed in future, which would of course mean we'd have to keep up with development. To implement and maintain this in PuTTY and all other network utilities would be a huge amount of effort.

If this is to be done at all, it should be done in a largely client-independent manner. For example:

• On Unix, you could construct a dynamic library which replaced the connect(2) system call, and use LD_PRELOAD to apply it to almost any application.
• Also on Unix, you could write a small command-line application which performed the port knock and then made the connection (a port-knocking enabled equivalent of nc(1)), and then invoke that using the "Local" proxy setting in PuTTY. At some point we would like to implement this proxy setting in Windows PuTTY as well (see proxy-command), and at that point this solution will be applicable to Windows as well.
• On either (or both) of Windows or Unix, you could write a SOCKS server which performed appropriate port knocks before proxying any given connection, and point PuTTY at it using the existing SOCKS proxy support.

If anyone really wants to see this feature in PuTTY, they should probably look into one of the above options. The most universally applicable solution without needing to change PuTTY at all would be the SOCKS server approach.

SGT, 2004-08-07: We've been informed of doorman.sourceforge.net, a port-knocking client and server including a pre-compiled client for Windows. I haven't looked at it closely, but it seems that (a) it uses a single UDP packet as the knock rather than a sequence of failed connections to closed TCP ports, and (b) the knock client works by performing the knock and then running another program (such as PuTTY), which is a very simple approach that I failed to think of when I wrote the above list of possibilities.

Audit trail for this wish.