German mirror provided by / Deutscher Spiegelserver von E-Commerce Onlineshops und Webdesign in Duisburg - obengelb GmbH  &  SEO LEO
 

PuTTY wish port-knocking

This is a mirror. Follow this link to find the primary PuTTY web site.

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Snapshot | Docs | Privacy | Changes | Wishlist

summary: Port knocking
class: wish: This is a request for an enhancement.
difficulty: tricky: Needs many tuits.
priority: never: We don't ever intend to fix this.

We have been asked several times to implement Port Knocking: a mechanism for making a running service appear to be a connection-refusing closed port unless the right sequence of "knocks" (attempted connections to genuinely closed ports) is received before the connection attempt.

The PuTTY team is collectively unconvinced that this is a good idea. For a start, it's not universally usable, because many firewalls won't let the knocks through. (Obviously the firewall at the server end is precisely what will need to be specifically listening out for the knock, but firewalls at the client end or in between are likely to cause a lot more trouble. And in particular, if you're connecting through an SSH tunnel, you'll have a hard time sending a knock.) Also, since the knock is effectively sent in cleartext, it doesn't buy you a great deal of security - the only real gain is that your service appears to be a closed port to anyone doing a port scan, and although that might have advantages it might also cause administrators to become more relaxed about the real security of their service. It seems like a lot of effort for very little gain.

Much more importantly, though, we don't like the idea of this mechanism having to be implemented separately in every network client program - particularly given the hints on the port knocking website that more inventive forms of knock may be developed in future, which would of course mean we'd have to keep up with development. To implement and maintain this in PuTTY and all other network utilities would be a huge amount of effort.

If this is to be done at all, it should be done in a largely client-independent manner. For example:

If anyone really wants to see this feature in PuTTY, they should probably look into one of the above options.


If you want to comment on this web site, see the Feedback page.
Audit trail for this wish.
(last revision of this bug record was at 2008-01-08 16:14:59 +0000)