For security-conscious engineers, port knocking remains a low-cost, effective method to obscure SSH ports from random scans. By requiring a specific sequence of connection attempts to closed ports before the true SSH port unlocks, it adds a stealthy layer of protection. Yet, as one developer recently highlighted, integrating this technique transparently into daily workflows reveals a stubborn limitation in the OpenSSH client:

"My use case is simply that I do port knocking to expose my ssh port, and want this working automatically at the SSH config level so that I can use it transparently from other utilities (e.g. Ansible inventory, Emacs over TRAMP)."

This isn't just about convenience—it's about automation integrity. Tools like Ansible rely on SSH for orchestration, while Emacs TRAMP enables remote file editing. Without native pre-connection hooks in SSH, engineers face three untenable choices:

  1. Manual Knocking: Defeats automation and breaks scripts.
  2. Wrapper Scripts: Replacing ssh with a custom bash/Python script that knocks first. This complicates PATH management and tool integration.
  3. Network-Level Hacks: Using firewall rules or VPNs to avoid knocking altogether, weakening security posture.

Why SSH Resists This Pattern

OpenSSH's architecture prioritizes cryptographic handshakes and protocol integrity over pre-connection flexibility. The ProxyCommand directive can route a session through a jump host or helper program, but it offers no dedicated pre-session trigger. As one Hacker News commenter noted: "It’s shocking this isn’t solvable via ~/.ssh/config after decades."

Workarounds and Their Costs

A common approach uses a bash wrapper:

#!/bin/bash
# Knock the target's sequence first, then hand off to the real client.
knock -v host 7000 8000 9000  # Sequence to 'knock' (host and ports are placeholders)
exec /usr/bin/ssh "$@"        # Then execute real SSH with the original arguments

But this fractures toolchain compatibility. Ansible inventories demand SSH binary paths, and TRAMP’s ssh: method won’t invoke custom scripts. Alternatives like netcat-based proxies or systemd socket activation introduce new dependencies and failure points.
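As an added example (not code from the original post or from any project it names), here is a Python stand-in for the netcat-based proxy workaround mentioned above: a ProxyCommand helper that sends a TCP knock sequence and then relays the session to the real port, so that plain ssh, Ansible and TRAMP all pick it up through ~/.ssh/config. The host name, script name and port numbers are hypothetical, and it assumes the knock daemon watches for TCP connection attempts.

```python
# Knock a TCP port sequence, then relay stdin/stdout to host:port so OpenSSH
# can run this script as a ProxyCommand (hypothetical host name and ports):
#     Host bastion
#         ProxyCommand python3 knock_proxy.py %h %p 7000 8000 9000
import selectors
import socket
import sys
import time

def parse_ports(args):
    """Validate the knock sequence given on the command line."""
    ports = [int(a) for a in args]
    if not ports or any(not 1 <= p <= 65535 for p in ports):
        raise ValueError("knock sequence must be one or more ports in 1-65535")
    return ports

def knock(host, ports, timeout=0.3, delay=0.1):
    """One connection attempt (a TCP SYN) per port, in order; returns the ports tried."""
    attempted = []
    for port in ports:
        try:
            socket.create_connection((host, port), timeout=timeout).close()
        except OSError:
            pass  # closed or filtered is the normal answer from a knock port
        attempted.append(port)
        time.sleep(delay)  # knock daemons expect the hits in order, slightly spaced
    return attempted

def relay(host, port):
    """Pump bytes between our stdin/stdout and host:port, like 'nc %h %p'."""
    with socket.create_connection((host, port)) as sock:
        sel = selectors.DefaultSelector()
        sel.register(sys.stdin.buffer, selectors.EVENT_READ, "stdin")
        sel.register(sock, selectors.EVENT_READ, "sock")
        while True:
            for key, _ in sel.select():
                from_ssh = key.data == "stdin"
                data = sys.stdin.buffer.read1(65536) if from_ssh else sock.recv(65536)
                if not data:
                    return  # one side hung up: end the session
                if from_ssh:
                    sock.sendall(data)
                else:
                    sys.stdout.buffer.write(data)
                    sys.stdout.buffer.flush()

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    knock(host, parse_ports(sys.argv[3:]))
    relay(host, port)
```

The dependency cost described above still applies: every client needs python3, and a sequence delivered out of order or too quickly will leave the real port closed and the connection failing with no SSH-level error to explain why.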

The Bigger Picture: Security vs. Usability

This gap underscores a tension in infrastructure tooling. As zero-trust and ephemeral access gain traction, the lack of extensibility in foundational tools like SSH forces engineers into brittle solutions. Until OpenSSH adds formal pre-connection hooks—or a KnockCommand directive—security through obscurity will remain frustratingly manual for automated workflows. The community’s persistence in seeking elegance speaks volumes: true security shouldn’t compromise usability.