(A version of this page was published as an article in the Linux Gazette.)
Many other people have wanted to do this sort of thing, and have come up with other ways to accomplish the same ends. Some may be more suited to particular applications than Ostiary, so it might be worth it to check them out.
A daemon monitors firewall logs, looking for particular sequences of connection attempts to particular (closed) ports. When it sees a sequence it recognizes, it runs the associated command. This isn't terribly bandwidth-efficient, but it has the nice properties that:
Note further that, depending on where you're at (e.g. an Internet cafe or behind a business firewall), you might not be allowed to connect out to arbitrary ports. One advantage of Ostiary is that you can run it on a standard port like 80. It might confuse a lot of worms and spiders, but it'd be available for you to use.
(Linksys routers have had a simple version of this for a while, that they call port triggering.)
A daemon listens for a particular type of packet (e.g. a DNS request) and examines it for particular data (e.g. a specific address). If found, it can enable ssh temporarily. As written, it's vulnerable to replay attacks, etc., but clever encoding of the packet could extend this.
An interesting alternative is the Extended Ring Daemon, or "Xringd". It uses a modem to monitor rings on a phone line. It counts the number of rings, and the time between them. If a 'sequence' matches one of the ones that it has been set up to detect, Xringd will run an associated command. In many ways it's similar to Ostiary.
On the up side, since it has no network connection, it's even less likely to suffer a buffer overflow than Ostiary, it can be used even when a network connection is unavailable, and the only 'client' you need is a phone. On the down side, you need a modem and a phone line to the server, and things like answering machines or voicemail (or even other people answering the phone) can interrupt it.
Most of the mail-filtering programs have a way to invoke scripts when mail matching a pattern is received. There's nothing that Ostiary does that couldn't be done by sending a special email to the server, assuming the server is running an SMTP daemon. But if the box you want to talk to doesn't accept email, this obviously won't work.
A program to do this with added security is ClairVoyanT SysAdmin, or CVTSA. I haven't fully analyzed this yet but it appears that in some configurations it may be vulnerable to 'replay' attacks.
Some people depend on things like IPSec or CIPE to first encrypt their connection, and then use ssh on top of that. This has the advantage that there must be a hole in both the VPN software and ssh at the same time for someone to break in.
Unfortunately, this actually happened in 2003, with exploitable holes in both CIPE and ssh coming within a day of each other. I'm not paid to work on my home boxes, and I can't afford the time to rocket the latest patch onto it on a moment's notice, though for a professional admin the story may well be different.
VPN-style packages like CIPE and FreeS/WAN are complex beasts and bugs do happen from time to time. Further, they tend to be resource-intensive; I'd never try to run one on my poor little 68030.
This program only has a Windows client, and uses password/PAM security, but is able to run commands with arguments, and may be more useful for LAN (i.e. local) operations, where you can (hopefully) trust the underlying network more than the Internet.
I personally believe Ostiary has a niche (or I wouldn't have written it). It's extremely simple (almost all of the other options above have to deal with variable data, with the attendant potential for bugs) and requires very few resources (I wouldn't run most of these on my 68030 box). But my needs may be rather specialized...