wok diff openssh/stuff/knock.u @ rev 20636
Add ecryptfs-simple
author | Pascal Bellard <pascal.bellard@slitaz.org> |
date | Wed Jan 09 13:01:27 2019 +0100 (2019-01-09) |
parents | |
children | 809015307697 |
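--- /dev/null
+++ b/openssh/stuff/knock.u
@@ -0,0 +1,504 @@
+From https://gnunet.org/knock :
+https://gnunet.org/sites/default/files/openssh-linux-knock-patch.diff
+--- a/readconf.c
++++ b/readconf.c
+@@ -172,6 +172,9 @@
+ oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
+ oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
+ oPubkeyAcceptedKeyTypes, oProxyJump,
++#ifdef TCP_STEALTH
++ oTCPStealthSecret,
++#endif
+ oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
+ } OpCodes;
+ 
+@@ -305,6 +308,9 @@
+ { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
+ { "ignoreunknown", oIgnoreUnknown },
+ { "proxyjump", oProxyJump },
++#ifdef TCP_STEALTH
++ { "tcpstealthsecret", oTCPStealthSecret },
++#endif
+ 
+ { NULL, oBadOption }
+ };
+@@ -1669,6 +1675,23 @@
+ charptr = &options->identity_agent;
+ goto parse_string;
+ 
++#ifdef TCP_STEALTH
++ case oTCPStealthSecret:
++ charptr = &options->tcp_stealth_secret;
++ 
++ arg = strdelim(&s);
++ if (!arg || *arg == '\0')
++ fatal("%.200s line %d: Missing argument.",
++ filename, linenum);
++ 
++ if (*activep && *charptr == NULL) {
++ *charptr = xmalloc(TCP_STEALTH_SECRET_SIZE + 1);
++ memset(*charptr, 0x00, TCP_STEALTH_SECRET_SIZE + 1);
++ strncpy(*charptr, arg, TCP_STEALTH_SECRET_SIZE);
++ }
++ 
++ break;
++#endif
+ case oDeprecated:
+ debug("%s line %d: Deprecated option \"%s\"",
+ filename, linenum, keyword);
+@@ -1869,6 +1892,9 @@
+ options->update_hostkeys = -1;
+ options->hostbased_key_types = NULL;
+ options->pubkey_key_types = NULL;
++#ifdef TCP_STEALTH
++ options->tcp_stealth_secret = NULL;
++#endif
+ }
+ 
+ /*
+--- a/readconf.h
++++ b/readconf.h
+@@ -164,6 +164,10 @@
+ char *jump_extra;
+ 
+ char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
++ 
++#ifdef TCP_STEALTH
++ char *tcp_stealth_secret;
++#endif
+ } Options;
+ 
+ #define SSH_CANONICALISE_NO 0
+--- a/servconf.c
++++ b/servconf.c
+@@ -165,6 +165,9 @@
+ options->fingerprint_hash = -1;
+ options->disable_forwarding = -1;
+ options->expose_userauth_info = -1;
++#ifdef TCP_STEALTH
++ options->tcp_stealth_secret = NULL;
++#endif
+ }
+ 
+ /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
+@@ -422,6 +425,9 @@
+ sStreamLocalBindMask, sStreamLocalBindUnlink,
+ sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
+ sExposeAuthInfo,
++#ifdef TCP_STEALTH
++ sTCPStealthSecret,
++#endif
+ sDeprecated, sIgnore, sUnsupported
+ } ServerOpCodes;
+ 
+@@ -566,6 +572,9 @@
+ { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
+ { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
+ { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
++#ifdef TCP_STEALTH
++ { "tcpstealthsecret", sTCPStealthSecret },
++#endif
+ { NULL, sBadOption, 0 }
+ };
+ 
+@@ -1883,6 +1892,23 @@
+ intptr = &options->expose_userauth_info;
+ goto parse_flag;
+ 
++#ifdef TCP_STEALTH
++ case sTCPStealthSecret:
++ charptr = &options->tcp_stealth_secret;
++ 
++ arg = strdelim(&cp);
++ if (!arg || *arg == '\0')
++ fatal("%s line %d: Missing argument.",
++ filename, linenum);
++ 
++ if (*activep && *charptr == NULL) {
++ *charptr = xmalloc(TCP_STEALTH_SECRET_SIZE + 1);
++ memset(*charptr, 0x00, TCP_STEALTH_SECRET_SIZE + 1);
++ strncpy(*charptr, arg, TCP_STEALTH_SECRET_SIZE);
++ }
++ 
++ break;
++#endif
+ case sDeprecated:
+ case sIgnore:
+ case sUnsupported:
+--- a/servconf.h
++++ b/servconf.h
+@@ -198,6 +198,10 @@
+ 
+ int fingerprint_hash;
+ int expose_userauth_info;
++ 
++#ifdef TCP_STEALTH
++ char *tcp_stealth_secret;
++#endif
+ } ServerOptions;
+ 
+ /* Information about the incoming connection as used by Match */
+@@ -219,6 +223,11 @@
+ * NB. an option must appear in servconf.c:copy_set_server_options() or
+ * COPY_MATCH_STRING_OPTS here but never both.
+ */
++#ifdef TCP_STEALTH
++#define M_CP_STEALTHSCRT(X) M_CP_STROPT(X);
++#else
++#define M_CP_STEALTHSCRT(X)
++#endif
+ #define COPY_MATCH_STRING_OPTS() do { \
+ M_CP_STROPT(banner); \
+ M_CP_STROPT(trusted_user_ca_keys); \
+@@ -238,6 +247,7 @@
+ M_CP_STRARRAYOPT(accept_env, num_accept_env); \
+ M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \
+ M_CP_STRARRAYOPT_ALLOC(permitted_opens, num_permitted_opens); \
++ M_CP_STEALTHSCRT(tcp_stealth_secret); \
+ } while (0)
+ 
+ struct connection_info *get_connection_info(int, int);
+--- a/ssh.c
++++ b/ssh.c
+@@ -191,6 +191,14 @@
+ extern int muxserver_sock;
+ extern u_int muxclient_command;
+ 
++#ifdef TCP_STEALTH
++#define OPT_STEALTH "[-z tcp_stealth_secret] "
++#define GETOPT_STEALTH "z:"
++#else
++#define OPT_STEALTH ""
++#define GETOPT_STEALTH ""
++#endif
++ 
+ /* Prints a help message to the user. This function never returns. */
+ 
+ static void
+@@ -203,7 +211,7 @@
+ " [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n"
+ " [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]\n"
+ " [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]\n"
+-" [user@]hostname [command]\n"
++" " OPT_STEALTH "[user@]hostname [command]\n"
+ );
+ exit(255);
+ }
+@@ -612,7 +620,7 @@
+ 
+ again:
+ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
+- "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
++ "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy" GETOPT_STEALTH)) != -1) {
+ switch (opt) {
+ case '1':
+ fatal("SSH protocol v.1 is no longer supported");
+@@ -921,6 +929,14 @@
+ case 'F':
+ config = optarg;
+ break;
++#ifdef TCP_STEALTH
++ case 'z':
++ options.tcp_stealth_secret =
++ xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
++ strncpy(options.tcp_stealth_secret, optarg,
++ TCP_STEALTH_SECRET_SIZE);
++ break;
++#endif
+ default:
+ usage();
+ }
+--- a/sshd.c
++++ b/sshd.c
+@@ -896,6 +896,14 @@
+ return (r < p) ? 1 : 0;
+ }
+ 
++#ifdef TCP_STEALTH
++#define OPT_STEALTH " [-z tcp_stealth_secret]"
++#define GETOPT_STEALTH "z:"
++#else
++#define OPT_STEALTH ""
++#define GETOPT_STEALTH ""
++#endif
++ 
+ static void
+ usage(void)
+ {
+@@ -911,6 +919,7 @@
+ "usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n"
+ " [-E log_file] [-f config_file] [-g login_grace_time]\n"
+ " [-h host_key_file] [-o option] [-p port] [-u len]\n"
++" " OPT_STEALTH "\n"
+ );
+ exit(1);
+ }
+@@ -1057,6 +1066,15 @@
+ if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
+ &on, sizeof(on)) == -1)
+ error("setsockopt SO_REUSEADDR: %s", strerror(errno));
++#ifdef TCP_STEALTH
++ if (options.tcp_stealth_secret != NULL) {
++ if (setsockopt(listen_sock, IPPROTO_TCP, TCP_STEALTH,
++ options.tcp_stealth_secret,
++ TCP_STEALTH_SECRET_SIZE) == -1)
++ error("setsockopt TCP_STEALTH: %s",
++ strerror(errno));
++ }
++#endif
+ 
+ /* Only communicate in IPv6 over AF_INET6 sockets. */
+ if (ai->ai_family == AF_INET6)
+@@ -1404,7 +1422,7 @@
+ 
+ /* Parse command-line arguments. */
+ while ((opt = getopt(ac, av,
+- "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
++ GETOPT_STEALTH "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
+ switch (opt) {
+ case '4':
+ options.address_family = AF_INET;
+@@ -1512,6 +1530,14 @@
+ exit(1);
+ free(line);
+ break;
++#ifdef TCP_STEALTH
++ case 'z':
++ options.tcp_stealth_secret =
++ xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
++ strncpy(options.tcp_stealth_secret, optarg,
++ TCP_STEALTH_SECRET_SIZE);
++ break;
++#endif
+ case '?':
+ default:
+ usage();
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -1509,6 +1509,15 @@
+ .Pp
+ To disable TCP keepalive messages, the value should be set to
+ .Cm no .
++.It Cm TCPStealthSecret
++Specifies the shared secret which is needed to connect to a stealth SSH TCP
++Server. Any string specified will be truncated to or padded with zeroes to 64
++bytes. This option needs kernel support and is therefore only available if the
++required
++.Xr setsockopt 2
++call is available.
++.Pp
++See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
+ .It Cm Tunnel
+ Request
+ .Xr tun 4
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -1444,6 +1444,18 @@
+ .Pp
+ To disable TCP keepalive messages, the value should be set to
+ .Cm no .
++.It Cm TCPStealthSecret
++Turns this SSH server into a stealth SSH TCP server. This configuration option
++specifies the shared secret needed by the clients in order to be able to connect
++to the port the SSH server is listening on. This means that port scanners will
++receive a TCP RST and thus will not recognize this TCP port being open. Any
++string specified will be truncated or padded with zeroes to 64 bytes. This
++option needs kernel support and is therefore only available if the required
++.Xr setsockopt 2
++call is available.
++.Pp
++See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
++ 
+ .It Cm TrustedUserCAKeys
+ Specifies a file containing public keys of certificate authorities that are
+ trusted to sign user certificates for authentication, or
+--- a/sshd.0
++++ b/sshd.0
+@@ -7,6 +7,7 @@
+ sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file]
+ [-E log_file] [-f config_file] [-g login_grace_time]
+ [-h host_key_file] [-o option] [-p port] [-u len]
++ [-z tcp_stealth_secret]
+ 
+ DESCRIPTION
+ sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these
+@@ -121,6 +122,20 @@
+ from="pattern-list" option in a key file. Configuration options
+ that require DNS include using a USER@HOST pattern in AllowUsers
+ or DenyUsers.
++ -z tcp_stealth_secret
++ Turns this SSH server into a Stealth SSH TCP Server. This option
++ specifies the shared secret which is needed by the clients in order
++ to be able to connect to the port the SSH server is listening on.
++ Any string specified will be truncated or padded with zeroes to 64
++ bytes. This option needs kernel support and is therefore only
++ available if the required setsockopt() call is available.
++ See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
++ for details.
++ 
++ IMPORTANT: This option should only be used for the purpose of
++ testing as other users could easily read out the secret from the
++ command line arguments. The TCPStealthSecret configuration option
++ is the preferred way of specifying the TCP Stealth secret.
+ 
+ AUTHENTICATION
+ The OpenSSH SSH daemon supports SSH protocol 2 only. Each host has a
+--- openssh-6.7p1/ssh.0 2014-10-05 23:39:37.000000000 -0400
++++ openssh-6.7p1-knock/ssh.0 2014-11-05 20:35:44.216514377 -0500
+@@ -425,6 +425,20 @@ DESCRIPTION
+ -y Send log information using the syslog(3) system module. By
+ default this information is sent to stderr.
+ 
++ -z tcp_stealth_secret
++ Specifies the shared secret which is needed to connect to a stealth
++ SSH TCP server. Any string specified will be truncated to or padded
++ with zeroes to 64 bytes. This option needs kernel support and is
++ therefore only available if the required setsockopt() call is
++ available.
++ See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
++ for details.
++ 
++ IMPORTANT: This option should only be used for the purpose of
++ testing as other users could easily read out the secret from the
++ command line arguments. The TCPStealthSecret configuration option
++ is the preferred way of specifying the TCP Stealth secret.
++ 
+ ssh may additionally obtain configuration data from a per-user
+ configuration file and a system-wide configuration file. The file format
+ and configuration options are described in ssh_config(5).
+--- openssh-6.7p1/ssh.1 2014-07-29 22:32:28.000000000 -0400
++++ openssh-6.7p1-knock/ssh.1 2014-11-07 13:56:02.022226289 -0500
+@@ -64,6 +64,7 @@
+ .Op Fl S Ar ctl_path
+ .Op Fl W Ar host : Ns Ar port
+ .Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun
++.Op Fl z Ar tcp_stealth_secret
+ .Oo Ar user Ns @ Oc Ns Ar hostname
+ .Op Ar command
+ .Ek
+@@ -528,6 +529,7 @@ For full details of the options listed b
+ .It StreamLocalBindUnlink
+ .It StrictHostKeyChecking
+ .It TCPKeepAlive
++.It TCPStealthSecret
+ .It Tunnel
+ .It TunnelDevice
+ .It UpdateHostKeys
+@@ -777,6 +779,21 @@ Send log information using the
+ .Xr syslog 3
+ system module.
+ By default this information is sent to stderr.
++.It Fl z Ar tcp_stealth_secret
++Specifies the shared secret which is needed to connect to a stealth SSH TCP
++server. Any string specified will be truncated to or padded with zeroes to 64
++bytes. This option needs kernel support and is therefore only available if the
++required
++.Xr setsockopt 2
++call is available.
++.Pp
++See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
++.Pp
++.Cm IMPORTANT:
++This option should only be used for the purpose of testing as other users could
++easily read out the secret from the command line arguments. The
++.Cm TCPStealthSecret
++configuration option is the preferred way of specifying the TCP Stealth secret.
+ .El
+ .Pp
+ .Nm
+--- openssh-6.7p1/ssh_config.0 2014-10-05 23:39:38.000000000 -0400
++++ openssh-6.7p1-knock/ssh_config.0 2014-11-05 20:48:17.064514377 -0500
+@@ -919,6 +919,15 @@ DESCRIPTION
+ 
+ To disable TCP keepalive messages, the value should be set to no.
+ 
++ TCPStealthSecret
++ Specifies the shared secret which is needed to connect to a stealth
++ SSH TCP Server. Any string specified will be truncated to or padded
++ with zeroes to 64 bytes. This option needs kernel support and is
++ therefore only available if the required setsockopt() call is
++ available.
++ See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
++ for details.
++ 
+ Tunnel Request tun(4) device forwarding between the client and the
+ server. The argument must be yes, point-to-point (layer 3),
+ ethernet (layer 2), or no (the default). Specifying yes requests
+--- openssh-6.7p1/sshconnect.c 2014-07-18 00:11:26.000000000 -0400
++++ openssh-6.7p1-knock/sshconnect.c 2014-11-07 14:07:11.342196835 -0500
+@@ -286,6 +286,18 @@ ssh_create_socket(int privileged, struct
+ }
+ fcntl(sock, F_SETFD, FD_CLOEXEC);
+ 
++#ifdef TCP_STEALTH
++ if (options.tcp_stealth_secret) {
++ if (setsockopt(sock, IPPROTO_TCP, TCP_STEALTH,
++ options.tcp_stealth_secret,
++ TCP_STEALTH_SECRET_SIZE) == -1) {
++ error("setsockopt TCP_STEALTH: %s", strerror(errno));
++ close(sock);
++ return -1;
++ }
++ }
++#endif
++ 
+ /* Bind the socket to an alternative local IP address */
+ if (options.bind_address == NULL && !privileged)
+ return sock;
+--- openssh-6.7p1/sshd.8 2014-07-03 19:00:04.000000000 -0400
++++ openssh-6.7p1-knock/sshd.8 2014-11-07 14:00:14.506215178 -0500
+@@ -53,6 +53,7 @@
+ .Op Fl o Ar option
+ .Op Fl p Ar port
+ .Op Fl u Ar len
++.Op Fl z Ar tcp_stealth_secret
+ .Ek
+ .Sh DESCRIPTION
+ .Nm
+@@ -243,6 +244,24 @@ USER@HOST pattern in
+ .Cm AllowUsers
+ or
+ .Cm DenyUsers .
++.It Fl z Ar tcp_stealth_secret
++Turns this SSH server into a stealth SSH TCP server. This option specifies the
++shared secret which is needed by the clients in order to be able to connect to
++the port the SSH server is listening on. Any string specified will be truncated
++or padded with zeroes to 64 bytes. This option needs kernel support and is
++therefore only available if the required
++.Xr setsockopt 2
++call is available.
++.Pp
++See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
++ 
++.Cm IMPORTANT:
++This option should only be used for the purpose of
++testing as other users could easily read out the secret from the
++command line arguments. The
++.Cm TCPStealthSecret
++configuration option
++is the preferred way of specifying the TCP Stealth secret.
+ .El
+ .Sh AUTHENTICATION
+ The OpenSSH SSH daemon supports SSH protocol 2 only.
+--- openssh-6.7p1/sshd_config.0 2014-10-05 23:39:38.000000000 -0400
++++ openssh-6.7p1-knock/sshd_config.0 2014-11-07 14:01:07.530212845 -0500
+@@ -872,6 +872,19 @@ DESCRIPTION
+ 
+ To disable TCP keepalive messages, the value should be set to no.
+ 
++ TCPStealthSecret
++ Turns this SSH server into a stealth SSH TCP server. This
++ configuration option specifies the shared secret needed by the
++ clients in order to be able to connect to the port the SSH server
++ is listening on. This means that port scanners will receive a
++ TCP RST and thus will not recognize this TCP port being open.
++ 
++ Any string specified will be truncated or padded with zeroes to 64
++ bytes. This option needs kernel support and is therefore only
++ available if the required setsockopt() call is available.
++ See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
++ for details.
++ 
+ TrustedUserCAKeys
+ Specifies a file containing public keys of certificate
+ authorities that are trusted to sign user certificates for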
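Review bot: In the sshd.c hunk at `@@ -1057,6 +1066,15 @@`, a failed `setsockopt(listen_sock, IPPROTO_TCP, TCP_STEALTH, ...)` only calls `error()` and the socket is still bound and listened on, so a kernel that rejects the option leaves the port reachable with nothing but a log line to show that the configured secret was silently ignored; the client-side sshconnect.c hunk closes the socket and returns -1 in the same situation. Failing closed here, `fatal("setsockopt TCP_STEALTH: %s", strerror(errno));`, matches both the option's stated purpose and the client's handling. Separately, the servconf.c keyword entry `{ "tcpstealthsecret", sTCPStealthSecret },` omits the flags field its neighbours carry (`SSHCFG_GLOBAL`/`SSHCFG_ALL`) while servconf.h adds `M_CP_STEALTHSCRT(tcp_stealth_secret)` to `COPY_MATCH_STRING_OPTS`; since the secret is applied to the listening socket before any connection exists, a per-Match value can never take effect, so `SSHCFG_GLOBAL` with the COPY_MATCH line dropped looks like the consistent choice. The sshconnect.c, ssh.1, sshd.8 and *.0 hunks carry openssh-6.7p1 headers while the readconf.c/servconf.c/ssh.c hunks reference ProxyJump and ExposeAuthInfo, so this file appears to be stitched from two upstream versions and the 6.7p1 hunks may need their offsets checked against the packaged tarball.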