.knockcf(5) Doorman & Knocker .knockcf(5)
NAME
.knockcf - The knock configuration file
DESCRIPTION
The port-knocker client knock requires a configuration file named
".knockcf" to be in the user's home directory. Any value in the file
may be overridden by command-line parameters to knock.
The file consists of simple keyword-value pairs, one pair per line.
The keyword and value must be separated by one or more space or tab
characters. Keywords are not case-sensitive, though most values are.
Any part of a line following a '#' character is ignored, and may be
used as a comment. Blank lines are ignored.
The file MUST be readable and writeable ONLY by the owner (mode 0600),
since it normally holds the secret in plaintext.
RECORDS
group <name>
This specifies the group name (guest name) used to identify
yourself. Group names may be up to 32 characters in length.
Both group names and secrets may contain any alphanumeric
character, as well as the characters:
!@#$%^&*()_-+=|{};:'"<>,?/
Note that whitespace and the "." character (period, or decimal
point) are not permitted.
secret <password>
This is the password used to authenticate you to the doorman.
Secrets may be up to 64 characters in length, and use the same
character set as group names. The secret is concatenated with the
IP address of the client machine and the seconds-of-epoch, and the
result is put through an MD5 hash before being sent to the doorman;
the secret itself is never sent.
This record may be omitted from .knockcf; if it is missing, and
the secret is not included as an option on the command line
(generally not a bright idea, since command-line arguments are
visible to other users in the process list), 'knock' will prompt
you for one.
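The following is an added illustration of the hash described above; it is not the knock or doormand source code and does not reproduce their wire format. The concatenation order (secret, then dotted-quad IP, then decimal seconds-of-epoch, no separator), the hex encoding, and the verifier's +/- 5 second window are assumptions of this example. What it shows is the property the page states: only a digest bound to the client address and the send time leaves the client, and only a party holding the same secret can reproduce it.

```python
"""Added example: an MD5 knock token bound to source address and time.
Not the doorman wire format; the layout below is an assumption."""
import hashlib
import hmac
import ipaddress
import time


def knock_token(secret: str, client_ip: str, epoch: int) -> str:
    """MD5(secret || ip || seconds) as hex.  Layout is assumed, not the
    project's own; ipaddress rejects junk before anything is hashed."""
    ip = str(ipaddress.IPv4Address(client_ip))
    return hashlib.md5(f"{secret}{ip}{epoch}".encode("ascii")).hexdigest()


def make_knock(secret: str, client_ip: str, now=None) -> dict:
    """Client side: what would travel to the doorman is (ip, epoch, token).
    The secret stays on the client."""
    epoch = int(time.time()) if now is None else int(now)
    return {"ip": client_ip, "epoch": epoch,
            "token": knock_token(secret, client_ip, epoch)}


def verify_knock(secret: str, src_ip: str, token: str, now: int, window: int = 5):
    """Verifier side (doormand-like, illustrative): recompute over the
    address the packet actually arrived from, for every second within
    +/- window of the verifier's own clock.  A token captured from another
    host, or replayed after the window, does not match.
    Returns the matching second, or None."""
    for delta in range(-window, window + 1):
        candidate = knock_token(secret, src_ip, now + delta)
        if hmac.compare_digest(candidate, token):   # constant-time compare
            return now + delta
    return None


if __name__ == "__main__":
    # Constructed values for a stand-alone run (not from the page).
    k = make_knock("b1g%Hairy", "192.0.2.10", now=1_123_000_000)
    print("token on the wire:", k["token"])
    print("accepted at +3s:", verify_knock("b1g%Hairy", "192.0.2.10",
                                            k["token"], now=1_123_000_003))
    print("from another address:", verify_knock("b1g%Hairy", "192.0.2.11",
                                                 k["token"], now=1_123_000_003))
```

Because the verifier recomputes over the source address it observed rather than one the client claims, a token lifted off the network is only useful to someone who can already source packets from that address, and only inside the acceptance window; outside it, or with any other secret, the recomputation fails.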
port <integer, 1-65534>
Knock on the specified UDP port. The default is port 1001.
run "program arg1 arg2 ... "
Run this program after sending the knock packet, and after a
1/10th second pause. Note that the entire command must be
enclosed in either single or double quotes. Two special
strings may be included to substitute for command-line parameters:
%H% substitutes for the hostname or IP address, and %P%
substitutes for the requested port number or service name.
AN EXAMPLE
#
# If any of these records is missing, its value may be
# specified with a command-line option.
# (You may omit the secret from both, and wait to be prompted;
# this is perhaps the safest [or most paranoid] way on a unix host)
#
group marketeers # "Who you are" to the doorman
secret b1g%Hairy_[seCret}! # <- This is why no one else should
# be able to read this file...
# A PLAINTEXT PASSWORD!
#
port 1001 # The UDP port the doorman is watching
#
run "ssh -lmyname %H%" # Run 'ssh' after knocking.
# The hostname used in the knock command
# will be substituted in place of '%H%'.
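The following is an added reader for the .knockcf format, written for this page; it is not the knock(1) client's own parser. The rules it enforces are the ones stated above: keyword and value split on blanks, case-insensitive keywords, '#' to end of line as a comment, the group/secret character set and lengths, the port range, the quoted run record with %H%/%P% substitution, and owner-only (0600) permissions. The sample file, secret and host names are constructed for the example. One consequence of the comment rule worth knowing: since '#' starts a comment anywhere on a line, a secret that contains '#' cannot be written in the file even though the character set permits it; such a secret has to be given at the prompt.

```python
"""Added example: a .knockcf reader following the rules in this man page.
Not the project's own parser; the sample file below is constructed."""
import os
import shlex
import stat
import tempfile

ALLOWED_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "!@#$%^&*()_-+=|{};:'\"<>,?/"
)
MAX_LEN = {"group": 32, "secret": 64}
DEFAULT_PORT = 1001

SAMPLE = """\
# constructed sample .knockcf for this example (not the page's file)
Group   marketeers          # keyword case does not matter
secret  b1g%Hairy_{seCret}! # plaintext, hence mode 0600
port    1001
run     "ssh -lmyname -p %P% %H%"
"""


class KnockcfError(ValueError):
    """A .knockcf that violates a rule stated in the man page."""


def check_token(kind: str, value: str) -> str:
    """group/secret: 1..N characters from the permitted set (no blanks, no '.')."""
    if not 1 <= len(value) <= MAX_LEN[kind]:
        raise KnockcfError(f"{kind}: length must be 1..{MAX_LEN[kind]}")
    bad = sorted(set(value) - ALLOWED_CHARS)
    if bad:
        raise KnockcfError(f"{kind}: characters not permitted: {''.join(bad)!r}")
    return value


def parse_knockcf(text: str) -> dict:
    """Return the records as a dict; port defaults to 1001, the rest is
    absent when not given (the page allows supplying them on the command line)."""
    cfg = {"port": DEFAULT_PORT}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # '#' to end of line is a comment
        if not line:
            continue                             # blank or comment-only line
        parts = line.split(None, 1)              # keyword, one or more blanks, value
        if len(parts) != 2:
            raise KnockcfError(f"line {lineno}: expected 'keyword value'")
        key, value = parts[0].lower(), parts[1].strip()
        if key in ("group", "secret"):
            cfg[key] = check_token(key, value)
        elif key == "port":
            if not (value.isdigit() and 1 <= int(value) <= 65534):
                raise KnockcfError(f"line {lineno}: port must be 1-65534")
            cfg["port"] = int(value)
        elif key == "run":
            if len(value) < 2 or value[0] not in "'\"" or value[-1] != value[0]:
                raise KnockcfError(f"line {lineno}: run command must be quoted")
            cfg["run"] = value[1:-1]
        else:
            raise KnockcfError(f"line {lineno}: unknown keyword {key!r}")
    return cfg


def check_permissions(path: str) -> bool:
    """Readable and writeable ONLY by the owner: a regular file, owned by the
    caller, with no group/other permission bits set."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise KnockcfError(f"{path}: not a regular file")
    if st.st_uid != os.getuid():
        raise KnockcfError(f"{path}: not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise KnockcfError(f"{path}: mode {stat.S_IMODE(st.st_mode):04o}, must be 0600")
    return True


def load_knockcf(path: str) -> dict:
    check_permissions(path)
    with open(path, encoding="ascii") as fh:
        return parse_knockcf(fh.read())


def run_argv(cfg: dict, host: str, port) -> list:
    """Expand %H% and %P% in the run record.  Substitution happens per
    argument after shell-style splitting, so a host name containing blanks
    or quotes cannot add or reshape arguments."""
    subst = {"%H%": host, "%P%": str(port)}
    argv = []
    for arg in shlex.split(cfg["run"]):
        for marker, value in subst.items():
            arg = arg.replace(marker, value)
        argv.append(arg)
    return argv


def write_sample(mode: int) -> str:
    """Write SAMPLE into a fresh temporary directory with the given mode and
    return its path (used to exercise the permission check)."""
    path = os.path.join(tempfile.mkdtemp(), ".knockcf")
    with open(path, "w", encoding="ascii") as fh:
        fh.write(SAMPLE)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    cfg = load_knockcf(write_sample(0o600))
    print(cfg)
    print(run_argv(cfg, "door.example.org", 22))   # constructed host
```

Validating the character set on read catches a typo before the secret is hashed and sent, and rejecting a file that is group- or world-readable before parsing it mirrors the MUST in the DESCRIPTION section rather than leaving it to the reader's discipline.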
SEE ALSO
knock(1), doormand(8), doormand.cf(5), guestlist(5)
ACKNOWLEDGEMENT
doormand and knock are an implementation of an original idea by Martin
Krzywinski. See his site at http://www.portknocking.org
COPYRIGHT
Copyright (c) 2003-2005, J.B.Ward
<bward2@users.sourceforge.net>
Port-knocker, V0.81 Aug 14 2005 .knockcf(5)