It's a password. Sent in plain text. But because users pretend that it's stealthy they pretend that it's something else.
Yes, you can have your port-knocking be an OTP. But why? Why not just listen on a UDP port that takes this plain text password or OTP like a sane person? Why sniff SYN packets?
What exactly does port knocking add to this, except make it MUCH more probable that your raw-packet-sniffing-oh-so-coolness has a security hole than that your "open UDP socket, read packet, check for equality" has a security hole?
With IPv6, TCPMD5 (or TCP AO) becomes a much more interesting way to solve this.
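A minimal version of the alternative this post argues for, as an added example and not the commenter's own code: a UDP listener that reads one packet and checks it against a time-windowed HMAC token, so the sniffed value is useless after its window and cannot be replayed. The shared secret, the 30-second window, the one-window clock skew and the packet format are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import struct
import time

SECRET = b"example-shared-secret"  # constructed; load from a 0600 file in practice
WINDOW = 30  # seconds per token window (assumed)
SKEW = 1     # accept neighbouring windows to tolerate clock drift (assumed)


def make_token(secret: bytes, now: float) -> bytes:
    """Client side: HMAC-SHA256 over the current window counter (hypothetical format)."""
    counter = int(now // WINDOW)
    return hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()


class KnockValidator:
    """The 'open UDP socket, read packet, check for equality' gate from the post."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used = set()  # window counters already accepted: rejects replays

    def check(self, packet: bytes, now: float) -> bool:
        current = int(now // WINDOW)
        # forget counters that can no longer be presented, so the set stays bounded
        self.used = {c for c in self.used if c >= current - SKEW}
        for delta in range(-SKEW, SKEW + 1):
            counter = current + delta
            expected = hmac.new(self.secret, struct.pack(">Q", counter),
                                hashlib.sha256).digest()
            # constant-time compare; a plain == would leak timing information
            if hmac.compare_digest(packet, expected):
                if counter in self.used:
                    return False  # same token seen before within its window
                self.used.add(counter)
                return True
        return False


def serve(port: int, secret: bytes) -> None:
    """Blocking UDP loop; on a valid token you would whitelist addr in the firewall."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    validator = KnockValidator(secret)
    while True:
        data, addr = sock.recvfrom(64)
        if validator.check(data, time.time()):
            print("valid token from", addr)
```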
* attacker can't do successful bruteforce attempts at the same rate or at all
* attacker can't reliably intercept (MITM) traffic, as he does not know what port is being used
* attacker can't launch sshd DoS attacks, as he does not know where sshd listens (at least he has to try a 65000x bigger space; this precludes a lot of time based attacks)