ghost16825
Use security metrics
Premium
join:2003-08-26

reply to Daniel

Re: Is Portknocking "Real" Security?

said by Daniel:

Ghost,

You mention turning SSH on and off, but the daemon stays running all the time. The only thing that's changing is the firewall configuration between the portknocking client and SSH server.

The key issue here is very simple, and you alluded to it earlier; risk drops dramatically when you remove your daemon's presence from the Internet. It's just that simple, and that's what portknocking does...it effectively closes all Internet access to your daemon.

The concept of SPA is identical to me; only the implementation is different. I think it is a great layer as well. Again, because of the fact that it isolates you from zero-day exploits VERY effectively.
Sorry, I stand corrected on this. I was thinking more along the lines of a port being accessible by everyone whenever a single user entered the correct port sequence for access. Obviously I forgot that iptables can allow access to ports on a per-IP-address basis after a port knocking sequence. Hence, my previous questions do not apply. So it's possible to have thousands of users access a service remotely, but no indication to others that a remote service is listening on a certain port.


Daniel
Premium,MVM
join:2000-06-26
San Francisco, CA

said by ghost16825:

So it's possible to have thousands of users access a service remotely, but no indication to others that a remote service is listening on a certain port.
Exactly, yes.
--
dmiessler.com -- grep understanding knowledge
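
The per-IP behaviour discussed in this thread, modelled as an added example (not code from either poster or from any port knocking tool): knock progress is tracked separately for each source address, so the protected port opens only for the address that completed the sequence and stays closed to everyone else. The knock ports, timeouts and addresses are constructed assumptions.

```python
import ipaddress

# Constructed values for illustration; not taken from the thread.
KNOCK_SEQUENCE = (7000, 8000, 9000)
PROTECTED_PORT = 22      # SSH keeps running; only the filter decision changes
STEP_TIMEOUT = 10.0      # max seconds between consecutive knocks
OPEN_WINDOW = 30.0       # seconds the port stays open for the knocking source


class KnockGate:
    """Models a firewall that tracks knock progress separately per source IP."""

    def __init__(self):
        self._progress = {}  # source IP -> (next expected knock index, last knock time)
        self._allowed = {}   # source IP -> time at which its access expires

    def packet(self, src, dport, now):
        """Return True if a new connection from src to dport is accepted."""
        src = str(ipaddress.ip_address(src))  # raises ValueError if malformed
        if dport == PROTECTED_PORT:
            return self._allowed.get(src, 0.0) > now
        step, last = self._progress.get(src, (0, now))
        if now - last > STEP_TIMEOUT:
            step = 0  # too slow, start over
        if dport == KNOCK_SEQUENCE[step]:
            step += 1
        else:
            # A wrong port discards progress, so a sequential scan never completes.
            step = 1 if dport == KNOCK_SEQUENCE[0] else 0
        if step == len(KNOCK_SEQUENCE):
            self._allowed[src] = now + OPEN_WINDOW
            step = 0
        if step:
            self._progress[src] = (step, now)
        else:
            self._progress.pop(src, None)  # keep no state for idle sources
        return False  # knock ports themselves always look closed


def demo():
    gate = KnockGate()
    user, other = "198.51.100.7", "203.0.113.9"  # documentation-range addresses
    before = gate.packet(user, PROTECTED_PORT, 0.0)
    for i, port in enumerate(KNOCK_SEQUENCE):
        gate.packet(user, port, 1.0 + i)
    return {"user_before": before,
            "user_after": gate.packet(user, PROTECTED_PORT, 5.0),
            "other_after": gate.packet(other, PROTECTED_PORT, 5.0),
            "user_expired": gate.packet(user, PROTECTED_PORT, 40.0)}
```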

over 12.5 years online © 1999-2012 dslreports.com.