NOW, at last, I can once again access my network from the outside; and this is how I discovered that port-knocking had in effect completely closed all access to gitolite… except if you danced the right port-knocking dance, of course ;-)

To solve this situation, I opened a new port on the server, 2222, and I made OpenSSH listen on this new port in addition to the regular port 22. The lines added to sshd_config are these:

Port 2222

Match LocalPort 2222
AllowUsers gitolite

The last two lines are necessary, or port-knocking on port 22 becomes useless: if anyone can freely use port 2222, why bother with port-knocking on port 22, right? So OpenSSH will accept connections on both ports, but only gitolite can actually use the unprotected port.
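To check a configuration like the one above, here is an added example (not code from the original post or from OpenSSH) that reports listening ports which are neither behind port-knocking nor limited by AllowUsers. It is a simplified model that only understands Port, AllowUsers and Match LocalPort; the names parse and open_ports and the sample configs are assumptions made for illustration.

```python
# Added example: simplified model of sshd_config, not OpenSSH's own parser.
# Only "Port", "AllowUsers" and "Match LocalPort <ports>" are understood.

def parse(config):
    """Return (listening ports, global AllowUsers, {port: AllowUsers in Match})."""
    ports, global_allow, per_port = [], [], {}
    scope = None  # None = global section, else ports of the current Match block
    for raw in config.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        key, args = words[0].lower(), words[1:]  # keywords are case-insensitive
        if key == "match":
            # A Match block runs until the next Match line or end of file.
            if len(args) == 2 and args[0].lower() == "localport":
                scope = [int(p) for p in args[1].split(",")]
            else:
                scope = []  # other criteria are outside this model: ignored
        elif key == "port" and scope is None:
            ports.append(int(args[0]))
        elif key == "allowusers":
            if scope is None:
                global_allow += args
            else:
                for p in scope:
                    per_port.setdefault(p, []).extend(args)
    return ports or [22], global_allow, per_port  # no Port line means 22


def open_ports(config, knock_protected=(22,)):
    """Listening ports that are neither knock-protected nor user-restricted."""
    ports, global_allow, per_port = parse(config)
    return [p for p in ports
            if p not in knock_protected and not (per_port.get(p) or global_allow)]


# Constructed sample inputs. "Port 22" is spelled out because once any Port
# line is present, sshd no longer falls back to its default of 22.
GOOD = """Port 22
Port 2222

Match LocalPort 2222
    AllowUsers gitolite
"""
BAD = "Port 22\nPort 2222\n"  # same setup without the Match block

if __name__ == "__main__":
    print("unrestricted ports (good):", open_ports(GOOD))
    print("unrestricted ports (bad): ", open_ports(BAD))
```

On a live server, the effective settings for a given connection can also be inspected with sshd's extended test mode (`sshd -T` with a `-C` connection specification).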

I sincerely apologize to all the people who tried to access Git on my server and could not because of this. The article on Paperweb has been updated accordingly.