ssh/VPN access from dynamic IPs / while travelling. knockd or dynDNS-based authentication?
What are the advantages and disadvantages of using knockd vs. using dynamic DNS-based authentication for ssh or VPN logins from a dynamic IP address or while travelling (i.e. some random hotel IP)? Ideally, any device with ssh/VPN client capability should be able to use whatever additional client software is necessary.
(The alternative, keeping the ssh / VPN ports open for everyone, isn't very attractive.)
I tend to favor knockd (or other port knocking daemons) because it does not rely on a 3rd party keeping its stuff uncompromised ...
Are you really afraid of keeping your SSH port open? What's going to happen?
You've denied root access, you've installed something like BFD or denyhosts, you only use public key authentication... do you really think that this is not secure?
The addition of something like knockd is, IMHO, likely to introduce a false sense of security.
Well, unless you use DNSSEC, DNS-based authentication is a rather bad idea. DNS is not secure, and hotel providers very often munge DNS.
Myself, I use ssh on a non-standard port, accepting only user logins with key files.
When I ran ssh on port 22, there were a lot of dictionary attacks, but they all used the 'root' user (who was not allowed to log in over ssh anyway).
Even if you keep the SSH port closed, you could leave only openvpn's port open (and let openssh listen only on a VPN interface).
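A small audit script for the sshd_config settings the last two answers describe (non-default port, key-file logins only, no root login, sshd bound only to the VPN interface), added here as an example and not code from the thread; the VPN address 10.8.0.1 and the sample configs are constructed assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the hardening
# the answers above describe. The VPN address 10.8.0.1 is an assumption.

# First non-comment occurrence of a keyword wins, matching sshd's own rule.
cfg_get() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Print each weakness found and return the number of findings (0 = clean).
# Absent keywords are treated as sshd defaults (Port 22, passwords allowed).
audit_sshd() {
    f=$1; n=0
    port=$(cfg_get "$f" Port); port=${port:-22}
    root=$(cfg_get "$f" PermitRootLogin)
    pw=$(cfg_get "$f" PasswordAuthentication); pw=${pw:-yes}
    pk=$(cfg_get "$f" PubkeyAuthentication); pk=${pk:-yes}
    la=$(cfg_get "$f" ListenAddress)
    [ "$port" = 22 ] && { echo "Port 22: dictionary attacks target the default port"; n=$((n+1)); }
    [ "$root" = no ] || { echo "PermitRootLogin ${root:-unset}: root should not log in over ssh"; n=$((n+1)); }
    [ "$pw" = no ] || { echo "PasswordAuthentication $pw: allow key files only"; n=$((n+1)); }
    [ "$pk" = no ] && { echo "PubkeyAuthentication no: key logins are disabled"; n=$((n+1)); }
    [ -n "$la" ] || { echo "No ListenAddress: sshd listens on every interface, not just the VPN"; n=$((n+1)); }
    return "$n"
}

# Constructed sample configs: a stock-looking one and the one the answers suggest.
weak_config() {
    printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'PasswordAuthentication yes'
}
hardened_config() {
    printf '%s\n' 'Port 2222' 'ListenAddress 10.8.0.1' 'PermitRootLogin no' \
        'PubkeyAuthentication yes' 'PasswordAuthentication no'
}

# Stand-alone demo: audit both samples.
for gen in weak_config hardened_config; do
    tmp=$(mktemp); "$gen" > "$tmp"
    echo "== $gen =="
    audit_sshd "$tmp" && echo "clean" || echo "$? finding(s)"
    rm -f "$tmp"
done
```

Run it against the real file with `audit_sshd /etc/ssh/sshd_config` once the functions are sourced; `sshd -T` shows the effective values if Match blocks complicate the picture.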