It protects you from every zero-day except the very limited set of preauth zero-days.

Look: it is legit to be paranoid about ssh zero-days (I am not, partly because that vulnerability is so valuable that I am very far down on the food chain for it). But if you're paranoid about those, be serious about them. Put an encrypted tunnel in front of sshd, not some goofy authentication scheme.

Remember: if there's a preauth sshd zero day, the SSH connections themselves are attack vectors. TCP is easily hijackable.

> Put an encrypted tunnel in front of sshd

Sure... but now you have to worry about vulnerabilities in whatever software you are using for that. Other than maybe something like a locked-down spiped, I wouldn't trust anything more than ssh in the first place.

From my perspective, the nice thing about something like the 'simple non-cryptographic knockd' was that, other than decoding IP packet headers, it did not read any data from the network.

> if there's a preauth sshd zero day, the SSH connections themselves are attack vectors. TCP is easily hijackable.

Hah, I am not that paranoid :-)

My main concern was always this sort of scenario:

I am on vacation with no internet access, an ssh (or openssl or openvpn) 0day is released, and patches are not available. Do I come back from vacation to a compromised host? If I had not been using port knocking when the Debian ssh key issue happened, I would have had multiple hosts compromised. So, you can call it goofy, but it made a very real difference in my experience.
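The header-only knock daemon described in this comment, as an added example that is not part of the thread and is not knockd's own code: a port-knock state machine that decides from IPv4/TCP header fields alone (source address, destination port), never touching the TCP payload, and opens the protected port only for a source that hits the knock ports in order within a timeout. The knock sequence (7000, 8000, 9000), the 10 s timeout, the addresses and the traffic trace are all constructed for the example.

```python
"""Header-only port-knock state machine (example code, not knockd).

Models the property the commenter values: the daemon reads only IPv4/TCP
header fields and never parses payload, so a hostile payload reaches no
parsing code. Sequence, ports, addresses and traffic are assumptions.
"""
import struct
from typing import Dict, List, Optional, Set, Tuple

KNOCK_SEQUENCE: Tuple[int, ...] = (7000, 8000, 9000)  # assumed knock sequence
PROTECTED_PORT = 22                                    # sshd, hidden until knocked
KNOCK_TIMEOUT = 10.0                                   # assumed max seconds between knocks


def parse_ipv4_tcp_header(pkt: bytes) -> Optional[Tuple[str, int]]:
    """Return (src_ip, dst_port) from a raw IPv4+TCP frame, or None if it is not one.

    Only the fixed IPv4 header and the TCP port fields are read; whatever
    follows the TCP header is never inspected.
    """
    if len(pkt) < 20:
        return None
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl + 4:
        return None
    if pkt[9] != 6:                                   # IP protocol 6 = TCP
        return None
    src_ip = ".".join(str(b) for b in pkt[12:16])
    (dst_port,) = struct.unpack("!H", pkt[ihl + 2:ihl + 4])
    return src_ip, dst_port


class KnockDaemon:
    """Per-source tracker: a source that knocks the ports in order, fast enough,
    gets PROTECTED_PORT opened for it."""

    def __init__(self, sequence=KNOCK_SEQUENCE, protected_port=PROTECTED_PORT,
                 timeout=KNOCK_TIMEOUT):
        self.sequence = sequence
        self.protected_port = protected_port
        self.timeout = timeout
        self.progress: Dict[str, Tuple[int, float]] = {}  # src -> (next index, last knock time)
        self.opened: Set[str] = set()                      # sources granted access

    def observe(self, pkt: bytes, now: float) -> bool:
        """Feed one captured frame; return True if it completed a knock sequence."""
        parsed = parse_ipv4_tcp_header(pkt)
        if parsed is None:
            return False
        src_ip, dst_port = parsed
        if dst_port not in self.sequence:    # traffic to non-knock ports is ignored
            return False
        idx, last = self.progress.get(src_ip, (0, now))
        if now - last > self.timeout:        # too slow between knocks: start over
            idx = 0
        if dst_port == self.sequence[idx]:
            idx += 1
        elif dst_port == self.sequence[0]:   # wrong port, but it is the first knock: restart
            idx = 1
        else:                                # out of order: discard all progress
            idx = 0
        if idx == len(self.sequence):
            # A real daemon would insert a firewall rule here (e.g. an iptables/nft
            # ACCEPT for src_ip to protected_port); we only record the decision.
            self.opened.add(src_ip)
            self.progress.pop(src_ip, None)
            return True
        if idx == 0:
            self.progress.pop(src_ip, None)
        else:
            self.progress[src_ip] = (idx, now)
        return False

    def allows(self, src_ip: str, dst_port: int) -> bool:
        """Firewall decision for a new connection attempt from src_ip to dst_port."""
        return dst_port != self.protected_port or src_ip in self.opened


def build_ipv4_tcp(src_ip: str, dst_port: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4+TCP SYN frame as a test fixture (checksums left zero)."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes([10, 0, 0, 1])                        # assumed address of the knock host
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000,
                         64, 6, 0, src, dst)
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x02,
                          65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def demo() -> Dict[str, bool]:
    """Run a constructed traffic trace through the daemon; return firewall decisions."""
    d = KnockDaemon()
    junk = b"\xff" * 1400                             # payload the daemon never looks at
    trace: List[Tuple[str, int, float, bytes]] = [
        ("203.0.113.5", 22, 0.0, b""),                # scanner probes sshd directly
        ("192.0.2.10", 7000, 1.0, junk),              # correct knock, hostile-looking payload
        ("192.0.2.10", 8000, 2.0, junk),
        ("192.0.2.10", 9000, 3.0, junk),
        ("198.51.100.7", 7000, 5.0, b""),             # right ports, wrong order
        ("198.51.100.7", 9000, 6.0, b""),
        ("198.51.100.7", 8000, 7.0, b""),
        ("198.51.100.8", 7000, 10.0, b""),            # right order, too slow on the last knock
        ("198.51.100.8", 8000, 11.0, b""),
        ("198.51.100.8", 9000, 30.0, b""),
    ]
    for src, port, t, payload in trace:
        d.observe(build_ipv4_tcp(src, port, payload), t)
    return {
        "scanner_reaches_sshd": d.allows("203.0.113.5", 22),
        "knocker_reaches_sshd": d.allows("192.0.2.10", 22),
        "wrong_order_reaches_sshd": d.allows("198.51.100.7", 22),
        "too_slow_reaches_sshd": d.allows("198.51.100.8", 22),
        "anyone_reaches_http": d.allows("203.0.113.5", 80),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'drop'}")
```

The attack surface is exactly what the comment describes: a few fixed-offset header reads and a dictionary lookup, with no payload parser for a worm to target. The trade-off is the "non-cryptographic" part: the sequence is static, so anyone who can observe the knocks on the wire can replay them to open the port for their own address, which is why the scheme buys time against scanners rather than defending against a targeted attacker.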


You have to worry about that anyway! ZERO is the number of attackers with a reliable pre-auth sshd zero-day who can't hijack a TCP connection.

The threat model here simply does not make sense.


Honestly, I don't worry about that at all.

I had a machine compromised in 2001 by script kiddies and worms scanning the internet on port 22 and compromising any host they could find with CVE-2001-0144. Not by attackers hijacking TCP connections.

In 2016 I am worried about a 0day being released and script kiddies or a worm compromising every host they can find running sshd. This effectively happened to Debian systems in 2008. I don't know how you can say that it doesn't make sense when it happened.


I just don't understand the threat model that gives attackers the most valuable RCE vulnerability in a decade, but denies them an ability attackers have had since 1996.
