FreeBSD Manual Pages

.knockcf(5)		       Doorman & Knocker		   .knockcf(5)

NAME
       .knockcf - The knock configuration file

DESCRIPTION
       The port-knocker client knock requires a configuration file named
       ".knockcf" in the user's home directory.  Any value in the file may
       be overridden by a command-line parameter to knock.

       The  file  consists  of	simple keyword-value pairs, one	pair per line.
       The keyword and value must be separated by one or  more	space  or  tab
       characters.    Keywords are not case-sensitive, though most values are.
       Any part	of a line following a '#' character is	ignored,  and  may  be
       used as a comment.  Blank lines are ignored.

       The file MUST be readable and writeable ONLY by the owner (mode 0600):
       it holds the secret in plaintext.

	group  <name>
	      This  specifies  the  group  name	 (guest	name) used to identify
	      yourself.	 Group names may be up to  32  characters  in  length.
	      Both  group  names  and  secrets	may  contain  any alphanumeric
	      character,      as      well	as	 the	   characters:

	      Note  that  whitespace and the "." character (period, or decimal
	      point) are not permitted.

	secret	<password>
	      This is the password used to authenticate you to the doorman.
	      Secrets may be up to 64 characters in length, and use the same
	      character set as group names.  The secret is concatenated with
	      the IP address of the client machine and the seconds-of-epoch,
	      and put through an MD5 hash before being sent to the doorman.

	      This record may be omitted from .knockcf;	if it is missing,  and
	      the  secret  is  not  included  as an option on the command line
	      (generally not a bright idea, anyway), 'knock' will  prompt  you
	      for one.

	port  <integer,	1-65534>
	      Knock on the specified UDP port.	The default is port 1001.

	run  "program  arg1 arg2 ... "
	      Run this program after sending the knock packet, and after a
	      1/10th second pause.  Note that the entire command must be
	      enclosed in either single or double quotes.  Two special strings
	      may be included to substitute for command-line parameters.  %H%
	      substitutes for the hostname or IP address, and %P% substitutes
	      for the requested port number or service name.
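       As an added example (not part of the Doorman distribution or of this
       manual page), the following Python reads a .knockcf in the format
       described above, enforces the limits stated for each record, checks
       that the file mode is owner-only, expands %H% and %P% in the run
       command, and builds the MD5 knock value from secret, client IP and
       seconds-of-epoch as the secret record describes.  The list of
       permitted punctuation did not survive in this copy of the page, so the
       name check only rejects whitespace and '.'; the byte layout of the
       hashed fields is not given here either, so plain string concatenation
       is an assumption.  The sample configuration is constructed from the
       example below.

```python
import hashlib
import re
import stat

# Limits stated in .knockcf(5).
MAX_GROUP = 32
MAX_SECRET = 64
DEFAULT_PORT = 1001

# Group names and secrets may not contain whitespace or '.'.  The page's
# list of permitted punctuation is missing from this copy, so this pattern
# enforces only the two stated exclusions (assumption).
NAME_RE = re.compile(r"^[^\s.]+$")

# Constructed sample, modelled on the EXAMPLE section of .knockcf(5).
SAMPLE_KNOCKCF = """\
# If any record is missing, knock(1) takes it from the command line.
group      marketeers              # "Who you are" to the doorman
secret     b1g%Hairy_[seCret}!     # plaintext: hence the 0600 requirement
port       1001                    # the UDP port the doorman is watching
run        "ssh -lmyname %H%"      # run after knocking; %H% -> host
"""


def check_mode(st_mode):
    """True if no group/other permission bits are set (owner-only, e.g. 0600)."""
    return (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def parse_knockcf(text):
    """Parse .knockcf text: one 'keyword value' per line, '#' starts a comment,
    keywords are case-insensitive, values are not.  Raises ValueError on a
    record that violates the limits in .knockcf(5)."""
    cfg = {"port": DEFAULT_PORT}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop the comment and blanks
        if not line:
            continue                          # blank or comment-only line
        parts = line.split(None, 1)           # keyword, then the rest
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'keyword value'")
        key, value = parts[0].lower(), parts[1].strip()
        if key in ("group", "secret"):
            limit = MAX_GROUP if key == "group" else MAX_SECRET
            if len(value) > limit or not NAME_RE.match(value):
                raise ValueError(f"line {lineno}: invalid {key}")
            cfg[key] = value
        elif key == "port":
            try:
                port = int(value)
            except ValueError:
                raise ValueError(f"line {lineno}: port is not an integer") from None
            if not 1 <= port <= 65534:
                raise ValueError(f"line {lineno}: port outside 1-65534")
            cfg["port"] = port
        elif key == "run":
            # The whole command must sit inside matching single or double quotes.
            if len(value) < 2 or value[0] not in "\"'" or value[-1] != value[0]:
                raise ValueError(f"line {lineno}: run command must be quoted")
            cfg["run"] = value[1:-1]
        else:
            raise ValueError(f"line {lineno}: unknown keyword {key!r}")
    return cfg


def is_valid_knockcf(text):
    """True if parse_knockcf accepts the text, False if it raises ValueError."""
    try:
        parse_knockcf(text)
    except ValueError:
        return False
    return True


def expand_run(cmd, host, port):
    """Substitute %H% (host or IP) and %P% (port or service name) in a run command."""
    return cmd.replace("%H%", host).replace("%P%", str(port))


def knock_digest(secret, client_ip, epoch_seconds):
    """MD5 over secret, client IP and seconds-of-epoch, as the secret record
    describes.  Separators and encoding are not given on the page; plain
    concatenation of the three strings is an assumption."""
    data = f"{secret}{client_ip}{epoch_seconds}".encode("utf-8")
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    import time
    cfg = parse_knockcf(SAMPLE_KNOCKCF)
    now = int(time.time())
    print("parsed    :", cfg)
    # The value depends on the client address and on the current second,
    # so the client's clock and the doorman's clock have to agree.
    print("knock now :", knock_digest(cfg["secret"], "192.0.2.10", now))
    print("knock next:", knock_digest(cfg["secret"], "192.0.2.10", now + 1))
    print("run       :", expand_run(cfg["run"], "gw.example.net", cfg["port"]))
```

       Pair check_mode with os.stat(path).st_mode before reading the real file;
       a 0644 .knockcf exposes the plaintext secret to every local user, which
       is exactly what the owner-only requirement above is guarding against.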

EXAMPLE
       #  If any of these records is missing, its value	may be
       #  specified with a command-line	option.
       #  (You may omit	the secret from	both, and wait to be prompted;
       #   this	is perhaps the safest [or most paranoid] way on	a unix host)
       group	   marketeers		# "Who you are"	to the doorman
       secret	   b1g%Hairy_[seCret}!	# <- This is why no one	else should
       #				     be	able to	read this file...
       #				     A PLAINTEXT PASSWORD!
       port	   1001			# The UDP port the doorman is watching
       run	   "ssh	-lmyname %H%"	# Run 'ssh' after knocking.
       #				  The hostname used in the knock command
       #				  will be substituted in place of '%H%'.

SEE ALSO
       knock(1), doormand(8), guestlist(5)

AUTHORS
       doormand and knock are an implementation of an original idea by Martin
       Krzywinski.  See his site at

       Copyright (c) 2003-2005, J.B.Ward

Port-knocker, V0.81		  Aug 14 2005			   .knockcf(5)

