By robust and low-hassle I mean NOT involving complex iptables setups, NOT involving apache, NOT requiring an additional client program, NOT requiring fragile shell scripts running from cron, etc.
Does anybody have sshd & ssh (client) patches to enable some form of port-knocking built-in to the sshd service & client itself?
For instance, rejecting connections on port 22 until a properly encrypted and verified UDP packet is received would be nice.
I'm disappointed that all port-knocking solutions out there are shameless hacks, rather than a nicely integrated and tested patch to the programs in question.
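One shape the "properly verified UDP packet" check could take, as an added illustration that is not code from the question, from knockd or from OpenSSH: an HMAC-authenticated (rather than encrypted) knock carrying a timestamp and a nonce, with the server rejecting tampered, stale and replayed packets. The key, function names and packet layout are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Set

# Constructed demo key; a real deployment would load it from a protected file.
KNOCK_KEY = b"constructed-demo-key-not-for-real-use"
VERSION = 1
WINDOW_SECONDS = 30      # clock skew / delivery delay tolerated
TAG_LEN = 32             # HMAC-SHA256 output length
BODY_LEN = 1 + 8 + 16    # version || unix timestamp || nonce


def build_knock(key: bytes, now: Optional[float] = None,
                nonce: Optional[bytes] = None) -> bytes:
    """Client side: version || timestamp || nonce || HMAC-SHA256 tag."""
    ts = int(now if now is not None else time.time())
    nonce = nonce if nonce is not None else os.urandom(16)
    body = struct.pack("!BQ16s", VERSION, ts, nonce)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_knock(key: bytes, packet: bytes, seen: Set[bytes],
                 now: Optional[float] = None) -> bool:
    """Server side: accept a knock once, within the window, only with a valid tag.

    `seen` holds nonces already accepted; prune entries older than the window
    in a real service so it does not grow without bound.
    """
    if len(packet) != BODY_LEN + TAG_LEN:
        return False
    body, tag = packet[:BODY_LEN], packet[BODY_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return False
    version, ts, nonce = struct.unpack("!BQ16s", body)
    if version != VERSION:
        return False
    current = int(now if now is not None else time.time())
    if abs(current - ts) > WINDOW_SECONDS:       # stale or future-dated knock
        return False
    if nonce in seen:                            # replayed knock
        return False
    seen.add(nonce)
    return True
```

A knock that passes `verify_knock` would be the trigger for whatever opens port 22 for the sender; the verification itself is the part that a raw port sequence cannot provide.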
knockd seems to be one of the more established implementations, although it doesn't fit your criteria of being a patch to sshd itself. Personally I'd favour an external program for reasons including: