SSH client: port knocking (execute command before connecting)
How can I have a port knocking sequence (or a command that does the port knocking) executed prior to trying to establish an SSH connection?
Preferably using the pre-installed ssh command, but also willing to switch if there's no "standard alternative".
You can also try to use the option ProxyCommand.
It gives you the ability to control the command used to connect to the server; sounds troublesome, but I haven't found any problem with it yet.
From the ssh_config docs:
ProxyCommand
Specifies the command to use to connect to the server. The command string extends to the end of the line, and is executed using the user's shell ‘exec’ directive to avoid a
lingering shell process.
In the command string, any occurrence of ‘%h’ will be substituted by the host name to connect, ‘%p’ by the port, and ‘%r’ by the remote user name. The command can be basically
anything, and should read from its standard input and write to its standard output. It should eventually connect an sshd(8) server running on some machine, or execute sshd -i
somewhere. Host key management will be done using the HostName of the host being connected (defaulting to the name typed by the user). Setting the command to “none” disables
this option entirely. Note that CheckHostIP is not available for connects with a proxy command.
This directive is useful in conjunction with nc(1) and its proxy support. For example, the following directive would connect via an HTTP proxy at 192.0.2.0:
ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
Example
Lets say you have a command or script that does the knocking IN YOUR PATH: knock.sh <host> <port1 port2 ... portX>
And you want to connect to some host: myhost.net
You can add the following to your ~/.ssh/config
Host thehost
HostName myhost.net
ProxyCommand bash -c 'knock.sh %h <port1 port2 ... portX>; nc %h %p'
- %h => the hostname (myhost.net)
- %p => the port (22)
And you can connect to your host with: ssh user@thehost
You should also be able to use the option directly from the command line with:
ssh -o ProxyCommand="bash -c 'knock.sh %h <port1 port2 ... portX>; nc %h %p'" [email protected]
Notes
If the program writes data to stdout by default it gets hidden, if you need to see it, add -v after ssh.
Also note that ssh has to execute the knocking before performing the connection, so the total time it will take to complete the connection will be greater.
I have a current configuration working with port forwarding enabled and no problem with it yet.
An alternative to feeding all traffic through nc as a ProxyCommand, as in the accepted answer, is to add a Match host/exec line to ~/.ssh/config that effectively only executes your knock command before connecting:
Match host thehost exec "knock -d 500 %h 1234 5678"
Match host thehost.domain.com exec "knock -d 500 %h 1234 5678"
This line doesn't actually do anything else than executing knock, since there's nothing following the directive.
update
To make the knock conditional (and prevent the delay and a ton of redundant firewall rules), probe using netcat before knocking:
Match host thehost exec "nc -zw 3 %h 22 || knock -d 500 %h 1234 5678"
Match host thehost.domain.com exec "nc -zw 3 %h 22 || knock -d 500 %h 1234 5678"
The -w 3 flag is to specify a timeout of 3 seconds for the probe.
updated to take comments of Adrien into account
According to an Ubuntu help page on port knocking, you can do the following:
- Install the
knockprogram by runningsudo apt-get install knockd -
Make a script in
~/binto establish the SSH connection for the particular server:#!/bin/sh knock hostname port1 port2 port3... ssh hostname Make the script executable with
chmod +x ~/bin/whatever- Close the terminal, reopen it, and run
whatever