Ajout : iodined tunnel IP sur DNS.
authorJulien Moutinho <julm+heureux-cyclage@autogeree.net>
Tue, 23 Apr 2013 19:37:04 +0000 (21:37 +0200)
committerJulien Moutinho <julm+heureux-cyclage@autogeree.net>
Wed, 24 Apr 2013 22:01:04 +0000 (00:01 +0200)
30 files changed:
etc/local.sh
etc/nsd3/zone.d/wiklou.org.zone.m4
etc/openssh/known_hosts [deleted file]
etc/remote.sh
etc/shorewall/initdone [new file with mode: 0644]
etc/shorewall/interfaces
etc/shorewall/macro.d/macro.Iodine [new file with mode: 0644]
etc/shorewall/policy
etc/shorewall/rules
etc/shorewall/zones
etc/ssh/known_hosts [new file with mode: 0644]
etc/ssh/remote.conf [new file with mode: 0644]
etc/ssh/sshd_config.m4
etc/sv/iodined/local.sh [new file with mode: 0644]
etc/sv/iodined/log/run [new file with mode: 0644]
etc/sv/iodined/run [new file with mode: 0644]
etc/sv/sshd/local.sh
etc/tsocks/ateliers.heureux-cyclage.org.conf [new file with mode: 0644]
etc/tsocks/i.wiklou.org.conf [new file with mode: 0644]
local/initramfs-configure
remote/duplicity-key-send
remote/iodine [new file with mode: 0755]
remote/iodine-mosh [new file with mode: 0755]
remote/iodine-ssh [new file with mode: 0755]
remote/iodine-tsocks [new file with mode: 0755]
remote/iodined-key-send [new file with mode: 0755]
remote/ssh
remote/ssh-update-known-hosts
remote/tsocks [new file with mode: 0755]
var/.gitignore

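--- a/etc/local.sh
+++ b/etc/local.sh
@@ -87,3 +87,6 @@ readonly local_mac="00:16:3E:E5:98:42" # NOTE: addresse MAC assignée par Grési
  # dans l'idée de ne pas s'embêter avec
  # une migration squeeze -> wheezy dans deux mois ;
  # et parce qu'on juge wheezy « suffisamment stable ».
+
+readonly local_iodine_ns="i.wiklou.org"
+readonly local_iodine_gateway="10.0.42.1"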
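--- a/etc/nsd3/zone.d/wiklou.org.zone.m4
+++ b/etc/nsd3/zone.d/wiklou.org.zone.m4
@@ -43,3 +43,4 @@ www A IP4(LAUTRENET)
 ; ENREGISTREMENTS « NS » (Name Server)
 @ NS ns
 @ NS ns6.gandi.net.
+i NS ns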
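Review bot: `i NS ns` delegates i.wiklou.org to this host's own nsd, which is not the process that will answer for it — matching queries are diverted to iodined on port 5353 by the string-match DNAT in etc/shorewall/initdone before nsd ever sees them, and without that rule nsd would hand resolvers a referral back to itself. That dependency is invisible from the zone file; a comment beside the record, `; NOTE: i.wiklou.org is answered by iodined (see etc/shorewall/initdone), not by nsd`, records it. Whether the glue A record for `ns` covers this delegation is outside the hunk.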
diff --git a/etc/openssh/known_hosts b/etc/openssh/known_hosts
deleted file mode 100644 (file)
index 197fe6c..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-rouf.grenode.net,91.216.110.98 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWolyL7ErNN/uHTAoQFIylOOC9sixbd4i0CNxAcGN0Ht7Z7HpquzwAmRj4JHNgRRTkUFnW0GBOB/E3Py5ckU1CZ8SBZyqt3zrBwO0xybZ6ZWNlzebdgiMU3Ke2p9WfZsAd0HKG9oJjeNJFDVATI/ez0IT8pKFR0AT5wO1u5HHDX3szPl19F5Blk8S3XYc//ZypVTokpH7EDgq+tj8FPERAuwIYl3qAJesR0omwn5Gro87pUhTgqK+9mkXcWacUYsLA6m0uR+1DhdTIHwcsHFoVI+DjwOGmfeI5ZallbgRdmoeTUi1lf1RVu5myoBl6eRob9dLWCtp+7zjp0fmPEDaJ root@rouf
-init.ateliers.heureux-cyclage.org ssh-rsa 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 root@ateliers
-ateliers.heureux-cyclage.org ssh-rsa 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
-91.216.110.42 ssh-rsa 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
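--- a/etc/remote.sh
+++ b/etc/remote.sh
@@ -1 +1,4 @@
 . "$tool"/etc/local.sh
+
+readonly remote_tsocks_port=2242
+readonly remote_iodine_tsocks_port=5342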
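Review bot: `remote_tsocks_port` and `remote_iodine_tsocks_port` are declared but nothing in this commit reads them: the same ports are written as literals in etc/ssh/remote.conf (`DynamicForward 127.0.0.1:2242` / `:5342`) and in the two etc/tsocks/*.conf files, so these variables cannot keep those files in sync and a later edit here would silently diverge from them. Either generate those files from the variables (the repository already uses m4 for other etc files) or add a comment naming the three places that must change together, e.g. `# NOTE: keep in sync with etc/ssh/remote.conf and etc/tsocks/*.conf`.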
diff --git a/etc/shorewall/initdone b/etc/shorewall/initdone
new file mode 100644 (file)
index 0000000..40d389f
--- /dev/null
@@ -0,0 +1,11 @@
+use Shorewall::Chains;
+
+insert_rule $nat_table->{PREROUTING}, 1, "-p udp --dport 53 -m string --algo kmp --from 40 --hex-string |01|i|06|wiklou|03|org|00| -j DNAT --to-destination :5353";
+ # NOTE: redirige les requêtes DNS concernant i.wiklou.org et ses sous-domaines vers iodined.
+ # NOTE: --from 40 == 20(IP) + 8(UDP) + 12(entête DNS jusqu'aux requêtes).
+ # XXX: --algo bm effectue une recherche de la fin vers le début du paquet IP
+ # XXX: et par conséquent, bien que plus performant, manque des occurences
+ # XXX: dès qu'il y a de la fragmentation au niveau IP ; --algo kmp n'a pas ce souci.
+ # XXX: VOIR: http://autogeree.net/~julm/txt/iptables-xt_string-bm-fails-on-fragmented-ip.sh
+
+1;
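Review bot: The xt_string match in the `insert_rule` line is case-sensitive, but DNS names compare case-insensitively and some resolvers randomise query-name case, so a query for `I.wiklou.ORG` would slip past the DNAT and reach nsd instead of iodined; xt_string's `--icase` closes that gap, i.e. `-m string --icase --algo kmp ...`. The rule is also inserted at position 1 of nat PREROUTING with no `-d` or `-i` qualifier, so it applies to every UDP/53 packet the host sees rather than only those addressed to 91.216.110.42; adding `-d 91.216.110.42` keeps the special case scoped. The `--from 40` NOTE assumes an option-less IP header; because `--to` is left unbounded the match still succeeds when IP options are present, which is worth stating so nobody "fixes" the offset.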
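--- a/etc/shorewall/interfaces
+++ b/etc/shorewall/interfaces
@@ -3,4 +3,5 @@
 FORMAT 2
 ###############################################################################
 #ZONE   INTERFACE          OPTIONS
+dns     dns0               arp_filter,logmartians,nosmurfs,routefilter,sourceroute=0,tcpflags
 net     eth0               arp_filter,logmartians,nosmurfs,routefilter,sourceroute=0,tcpflags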
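Review bot: The new `dns dns0` line binds the zone to a device name that etc/sv/iodined/run never sets explicitly (no `-d dns0`), so the zone membership rests on iodined's default naming; if the default ever yields a different `dnsN` (for instance when a stale `dns0` survives a crash), the tunnel interface would belong to no zone and fall under the final `all all REJECT` policy. Passing `-d dns0` in etc/sv/iodined/run, or at least a comment here such as `#NOTE: dns0 is the device iodined creates (etc/sv/iodined/run); keep both in sync`, makes the coupling explicit.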
diff --git a/etc/shorewall/macro.d/macro.Iodine b/etc/shorewall/macro.d/macro.Iodine
new file mode 100644 (file)
index 0000000..145b8fa
--- /dev/null
@@ -0,0 +1,3 @@
+#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
+#                               PORT(S) PORT(S) LIMIT   GROUP
+PARAM   -       -       udp     5353
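Review bot: The macro's `5353` must agree with `-p 5353` in etc/sv/iodined/run and with `--to-destination :5353` in etc/shorewall/initdone, and nothing ties the three together. A header comment, `# NOTE: iodined listen port (etc/sv/iodined/run) and DNAT target of etc/shorewall/initdone`, would make the coupling visible to whoever changes one of them.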
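--- a/etc/shorewall/policy
+++ b/etc/shorewall/policy
@@ -1,7 +1,8 @@
 # DOC: shorewall-policy(5)
 ###############################################################################
 #SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
-$FW             net             DROP
+dns             all             DROP
+$FW             all             DROP
 net             all             DROP            info
 # XXX: the following policy must be last
 all             all             REJECT          info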
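Review bot: `dns all DROP` carries no log level while the parallel `net all DROP info` does, so packets from tunnel clients that fall through to the default policy are discarded silently — exactly the traffic a DNS-tunnel endpoint should have visibility on; `dns all DROP info` keeps the two zones consistent. `$FW all DROP` now also covers fw→dns, so anything the host initiates toward tunnel clients beyond the `Ping(ACCEPT) $FW dns` rule is dropped, which deserves a comment so the next reader does not go looking for a missing route.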
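--- a/etc/shorewall/rules
+++ b/etc/shorewall/rules
@@ -7,10 +7,27 @@
 #SECTION RELATED
 SECTION NEW
 
+Ping(ACCEPT)                  dns    $FW
+Mosh(ACCEPT)                  dns    $FW
+SSH(ACCEPT)                   dns    $FW
+
+Ping(ACCEPT)                  $FW    dns
+
+ACCEPT                        $FW    net         icmp
+DNS(ACCEPT)                   $FW    net
+Git(ACCEPT)                   $FW    net
+HTTP(ACCEPT)                  $FW    net
+HTTPS(ACCEPT)                 $FW    net
+NTP(ACCEPT)                   $FW    net
+SMTP(ACCEPT)                  $FW    net
+SMTPS(ACCEPT)                 $FW    net
+SSH(ACCEPT)                   $FW    net
+
 DNS(ACCEPT)                   net    $FW
 Git(ACCEPT)                   net    $FW
 HTTP(ACCEPT)                  net    $FW
 HTTPS(ACCEPT)                 net    $FW
+Iodine(ACCEPT)                net    $FW
 Limit(IMAPS,5,60):info        net    $FW         tcp   imaps
 IMAPS(ACCEPT)                 net    $FW
 Fanout(ACCEPT)                net    $FW
@@ -23,13 +40,3 @@ SSH(ACCEPT)                   net    $FW
 Limit(SSH,10,60):info         net    $FW         tcp   ssh
 Submission(ACCEPT)            net    $FW
 Limit(Submission,10,60):info  net    $FW         tcp   submission
-
-ACCEPT                        $FW    net         icmp
-DNS(ACCEPT)                   $FW    net
-Git(ACCEPT)                   $FW    net
-HTTP(ACCEPT)                  $FW    net
-HTTPS(ACCEPT)                 $FW    net
-NTP(ACCEPT)                   $FW    net
-SMTP(ACCEPT)                  $FW    net
-SMTPS(ACCEPT)                 $FW    net
-SSH(ACCEPT)                   $FW    net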
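Review bot: In the first hunk, `SSH(ACCEPT) dns $FW` and `Mosh(ACCEPT) dns $FW` admit the tunnel zone without the `Limit(SSH,10,60):info` rate-limit that the file already applies to SSH from net, and the new `Iodine(ACCEPT) net $FW` opens UDP 5353 to the whole net zone with no limit either; `Limit(SSH,10,60):info dns $FW tcp ssh` placed before the dns SSH rule mirrors the existing pattern. The `$FW net` block is only moved (the second hunk deletes the old copy), so nothing to raise there. Because etc/shorewall/initdone DNATs matching port-53 queries to 5353 before filtering, the Iodine macro is also what admits tunnel traffic that arrived on port 53; a one-line comment next to `Iodine(ACCEPT)` saying so would save the next reader a search.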
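--- a/etc/shorewall/zones
+++ b/etc/shorewall/zones
@@ -2,5 +2,6 @@
 ###############################################################################
 #ZONE   TYPE    OPTIONS                 IN                      OUT
 #                                       OPTIONS                 OPTIONS
+dns     ipv4
 fw      firewall
 net     ipv4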
diff --git a/etc/ssh/known_hosts b/etc/ssh/known_hosts
new file mode 100644 (file)
index 0000000..ff3a9a5
--- /dev/null
@@ -0,0 +1,5 @@
+rouf.grenode.net,91.216.110.98 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWolyL7ErNN/uHTAoQFIylOOC9sixbd4i0CNxAcGN0Ht7Z7HpquzwAmRj4JHNgRRTkUFnW0GBOB/E3Py5ckU1CZ8SBZyqt3zrBwO0xybZ6ZWNlzebdgiMU3Ke2p9WfZsAd0HKG9oJjeNJFDVATI/ez0IT8pKFR0AT5wO1u5HHDX3szPl19F5Blk8S3XYc//ZypVTokpH7EDgq+tj8FPERAuwIYl3qAJesR0omwn5Gro87pUhTgqK+9mkXcWacUYsLA6m0uR+1DhdTIHwcsHFoVI+DjwOGmfeI5ZallbgRdmoeTUi1lf1RVu5myoBl6eRob9dLWCtp+7zjp0fmPEDaJ root@rouf
+init.ateliers.heureux-cyclage.org ssh-rsa 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 root@ateliers
+ateliers.heureux-cyclage.org ssh-rsa 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
+91.216.110.42 ssh-rsa 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
+10.0.42.1 ssh-rsa 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
diff --git a/etc/ssh/remote.conf b/etc/ssh/remote.conf
new file mode 100644 (file)
index 0000000..86708e1
--- /dev/null
@@ -0,0 +1,4 @@
+Host 91.216.110.42
+       DynamicForward 127.0.0.1:2242
+Host 10.0.42.1
+       DynamicForward 127.0.0.1:5342
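Review bot: The `Host` stanzas match the name typed on the ssh command line, and remote/ssh accepts any target while etc/ssh/known_hosts also lists `ateliers.heureux-cyclage.org`, so `remote/ssh ateliers.heureux-cyclage.org` would get no SOCKS forward at all; `Host 91.216.110.42 ateliers.heureux-cyclage.org` (a `Host` line takes several patterns) covers both spellings. Both forwards bind to 127.0.0.1 explicitly, which is the right choice for a local proxy. Since remote/ssh multiplexes with ControlMaster=autoask, a second session reusing a live master will fail to bind the same port and only print a warning; if that is acceptable, a comment saying so prevents it being reported as a bug.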
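--- a/etc/ssh/sshd_config.m4
+++ b/etc/ssh/sshd_config.m4
@@ -11,9 +11,10 @@ IgnoreRhosts yes
 IgnoreUserKnownHosts no
 KerberosAuthentication no
 KeyRegenerationInterval 3600
-Port 22
-ListenAddress 127.0.0.1
-ListenAddress LOCAL_IPV4
+#ListenAddress 127.0.0.1:22
+#ListenAddress 10.0.42.1:22
+#ListenAddress LOCAL_IPV4:22
+ListenAddress 0.0.0.0:22
 LogLevel INFO
 LoginGraceTime 120
 MaxAuthTries 3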
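Review bot: `ListenAddress 0.0.0.0:22` replaces the loopback and LOCAL_IPV4 binds with a wildcard so that sshd answers on the tunnel address 10.0.42.1, and the commented `#ListenAddress 10.0.42.1:22` suggests a direct bind was tried and failed (presumably because dns0 does not exist when sshd starts); the reason should be recorded, e.g. `# NOTE: wildcard because dns0 (iodined) is not up yet when sshd starts`. With the wildcard, whether port 22 is reachable on any future interface now depends entirely on the shorewall policy and rules, which is worth stating next to the line. Dropping `Port 22` is harmless while every ListenAddress carries `:22`, but a bare `ListenAddress` added later would silently fall back to the default port.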
diff --git a/etc/sv/iodined/local.sh b/etc/sv/iodined/local.sh
new file mode 100644 (file)
index 0000000..3fd7715
--- /dev/null
@@ -0,0 +1,2 @@
+"$tool"/local/apt-get-install iodine
+"$tool"/local/insserv-remove  iodined
diff --git a/etc/sv/iodined/log/run b/etc/sv/iodined/log/run
new file mode 100644 (file)
index 0000000..369030c
--- /dev/null
@@ -0,0 +1,6 @@
+#!/bin/sh -eux
+sv=${PWD%/log}
+sv=${sv#/etc/sv/}
+
+exec chpst -u root:adm \
+       logger -p auth.1 -t "$sv"
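Review bot: `logger -p auth.1` sends everything iodined prints — stdout and stderr, since run does `exec 2>&1` — to syslog at numeric level 1, i.e. `alert`, the severity normally reserved for immediate-action conditions; unless that is deliberate, `auth.info` (or `daemon.info`, iodined being a network daemon rather than an authentication service) would stop routine tunnel chatter from being treated as alerts by whatever consumes the auth facility. If the level is intentional, a comment such as `# NOTE: auth.1 == auth.alert, so iodined output is never filtered out` protects it from a later "fix".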
diff --git a/etc/sv/iodined/run b/etc/sv/iodined/run
new file mode 100644 (file)
index 0000000..d3e15c7
--- /dev/null
@@ -0,0 +1,17 @@
+#!/bin/sh -eux
+exec 2>&1
+sv=${PWD#/etc/sv/}
+
+install -d -m 750 -o iodine -g nogroup \
+ /run/iodine
+
+exec /usr/sbin/iodined \
+ </root/.iodined_pass \
+ -c \
+ -f \
+ -l 91.216.110.42 \
+ -p 5353 \
+ -t /run/iodine \
+ -u iodine \
+ 10.0.42.1/27 \
+ i.wiklou.org
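Review bot: `install -d -m 750 -o iodine -g nogroup /run/iodine` creates the chroot directory passed to `-t` owned and writable by the very user iodined drops to with `-u iodine`, whereas a chroot jail should be an empty directory owned by root and not writable by the confined user; `install -d -m 755 -o root -g root /run/iodine` is enough, since iodined only needs to enter it. remote/iodine does the same for `/var/run/iodine` on the client side. `-c` disables iodined's per-request check of the client's source address/port (the man page's escape hatch for clients whose queries arrive via a rotating resolver pool), which loosens session binding and deserves a why-comment such as `# NOTE: -c because clustered resolvers change source address between requests`. `sv=${PWD#/etc/sv/}` is assigned but never used in this file.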
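--- a/etc/sv/sshd/local.sh
+++ b/etc/sv/sshd/local.sh
@@ -1,6 +1,6 @@
 "$tool"/local/apt-get-install openssh-server
 "$tool"/local/insserv-remove      ssh
-ssh-keygen -F "$local_fqdn" -f "$tool"/etc/openssh/known_hosts |
+ssh-keygen -F "$local_fqdn" -f "$tool"/etc/ssh/known_hosts |
 ( while IFS= read -r line
  do case $line in (*" RSA") return 0; break;; esac
  done; return 1 ) ||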
diff --git a/etc/tsocks/ateliers.heureux-cyclage.org.conf b/etc/tsocks/ateliers.heureux-cyclage.org.conf
new file mode 100644 (file)
index 0000000..a7369e4
--- /dev/null
@@ -0,0 +1,4 @@
+local = 91.216.110.42/255.255.255.255
+server = 127.0.0.1
+server_port = 2242
+server_type = 5
diff --git a/etc/tsocks/i.wiklou.org.conf b/etc/tsocks/i.wiklou.org.conf
new file mode 100644 (file)
index 0000000..03f6adc
--- /dev/null
@@ -0,0 +1,4 @@
+local = 10.0.42.0/255.255.255.224
+server = 127.0.0.1
+server_port = 5342
+server_type = 5
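--- a/local/initramfs-configure
+++ b/local/initramfs-configure
@@ -31,7 +31,7 @@ sudo install -m 644 -o root -g root /dev/stdin \
 sudo sed -e '/^configure_networking /s/ &$//' \
  -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
  # NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré..
-ssh-keygen -F "init.$local_fqdn" -f "$tool"/etc/openssh/known_hosts |
+ssh-keygen -F "init.$local_fqdn" -f "$tool"/etc/ssh/known_hosts |
 ( while IFS= read -r line
  do case $line in (*" RSA") return 0; break;; esac
  done; return 1 ) ||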
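--- a/remote/duplicity-key-send
+++ b/remote/duplicity-key-send
@@ -7,7 +7,7 @@ PATH=/usr/lib/gnupg2:"$PATH"
 IFS= read -r pass <<-EOF
        $(gpg --decrypt "$tool"/var/sec/openpgp/backup+"$local_hostname"@"$local_domainname".pass.gpg)
        EOF
-for fpr in $(remote/gpg --list-secret-keys --with-colons --with-fingerprint --with-fingerprint \
+for fpr in $("$tool"/remote/gpg --list-secret-keys --with-colons --with-fingerprint --with-fingerprint \
  -- "backup+$local_hostname@$local_domainname" | grep '^fpr:' | cut -d : -f 10)
  do gpg-preset-passphrase --preset -v $fpr <<-EOF
        $pass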
diff --git a/remote/iodine b/remote/iodine
new file mode 100755 (executable)
index 0000000..2c124c1
--- /dev/null
@@ -0,0 +1,9 @@
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+sudo install -d -m 750 -o iodine -g nogroup \
+ /var/run/iodine
+
+gpg --decrypt "$tool"/var/sec/iodine/"$local_iodine_ns".pass.gpg |
+sudo iodine -f -t /var/run/iodine/ -u iodine "$@" "$local_iodine_ns"
diff --git a/remote/iodine-mosh b/remote/iodine-mosh
new file mode 100755 (executable)
index 0000000..416ac01
--- /dev/null
@@ -0,0 +1,5 @@
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+mosh --ssh="$tool/remote/iodine-ssh ${ssh_options-}" -- $local_iodine_gateway "$@"
diff --git a/remote/iodine-ssh b/remote/iodine-ssh
new file mode 100755 (executable)
index 0000000..028d988
--- /dev/null
@@ -0,0 +1,5 @@
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+"$tool"/remote/ssh -v "$@" "$local_iodine_gateway"
diff --git a/remote/iodine-tsocks b/remote/iodine-tsocks
new file mode 100755 (executable)
index 0000000..a289645
--- /dev/null
@@ -0,0 +1,6 @@
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+TSOCKS_CONF_FILE="$tool"/etc/tsocks/"$local_iodine_ns".conf \
+exec tsocks "$@"
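Review bot: tsocks intercepts connect() only; name resolution still goes through the client's normal resolver, so a hostname handed to the wrapped program is looked up outside the SOCKS forward and only the resulting TCP connection is proxied, while a program given a literal IP is unaffected. A comment above the `exec`, e.g. `# NOTE: tsocks does not proxy DNS lookups; prefer literal addresses or resolve on the server side`, documents the limitation; remote/tsocks has the same property.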
diff --git a/remote/iodined-key-send b/remote/iodined-key-send
new file mode 100755 (executable)
index 0000000..b1a2a77
--- /dev/null
@@ -0,0 +1,20 @@
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+install -d -m 700 \
+ "$tool"/var/sec \
+ "$tool"/var/sec/iodine
+if test ! -e "$tool"/var/sec/iodine/"$local_iodine_ns".pass.gpg
+ then gpg --encrypt $gpg_options -o "$tool"/var/sec/iodine/"$local_iodine_ns".pass.gpg <<-EOF
+               $(stdbuf --output 0 tr -d -c '[:alnum:][:punct:]' <"${random:-/dev/urandom}" | head -c 32)
+               EOF
+ fi
+
+gpg --decrypt ${gpg_options-} "$tool"/var/sec/iodine/"$local_iodine_ns".pass.gpg |
+"$tool"/remote/ssh root@"$local_fqdn" '
+       set -eux
+       test ! -e /root/.iodined_pass
+       install -m 400 -o root -g root /dev/stdin \
+        /root/.iodined_pass
+ '
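Review bot: The line `gpg --encrypt $gpg_options -o ...` expands `$gpg_options` unguarded under `#!/bin/sh -eu`, while the decrypt line a few lines down uses `${gpg_options-}`; if remote/lib.sh leaves `gpg_options` unset, the script aborts with an unbound-variable error before the password file exists, and if it is set but names no recipient, `--encrypt` has no `-r` and may stop to ask for one. Use `${gpg_options-}` on both lines, or better make the recipient explicit on the encrypt line. The remote side's `test ! -e /root/.iodined_pass` under `set -eux` correctly refuses to overwrite an existing secret, and `install -m 400 -o root -g root` is the right mode for a file iodined reads as root before dropping privileges; the secret only leaves the workstation after decryption, over remote/ssh with StrictHostKeyChecking=yes, so the chain holds.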
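--- a/remote/ssh
+++ b/remote/ssh
@@ -2,8 +2,15 @@
 tool=$(readlink -e "${0%/*}/..")
 . "$tool"/remote/lib.sh
 
+install -d -m 750 \
+ "$tool"/var/run \
+ "$tool"/var/run/ssh
 ssh \
- -o StrictHostKeyChecking=yes \
- -o UserKnownHostsFile="$tool"/etc/openssh/known_hosts \
+ -F "$tool"/etc/ssh/remote.conf \
+ -o ControlMaster=autoask \
+ -o ControlPath="$tool"/var/run/ssh/"%h-%p-%r" \
+ -o ControlPersist=no \
  -o HashKnownHosts=no \
- "$@"
+ -o StrictHostKeyChecking=yes \
+ -o UserKnownHostsFile="$tool"/etc/ssh/known_hosts \
+ "${@:-$local_ipv4}"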
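Review bot: `ControlPath="$tool"/var/run/ssh/"%h-%p-%r"` builds the socket path from the absolute checkout path, and Unix socket paths are limited to roughly 108 bytes on Linux, so a deep `$tool` plus a long `%h` such as ateliers.heureux-cyclage.org can produce `ControlPath too long` and make every remote/ssh call fail; a short fixed directory is safer. `install -d -m 750` without `-o`/`-g` leaves the directory owned by the invoking user, which is what a ControlPath directory needs (not writable by others); saying so in a comment prevents a later chmod. `ControlMaster=autoask` with `ControlPersist=no` means reuse of a live master needs interactive confirmation through ssh-askpass and the master dies with its first session — the conservative choice, and worth a why-comment since the three Control* lines carry none. With `-F remote.conf` the user's `~/.ssh/config` is ignored entirely, so the committed file is the only host configuration in effect; that is also worth a line.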
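--- a/remote/ssh-update-known-hosts
+++ b/remote/ssh-update-known-hosts
@@ -1,9 +1,12 @@
-#!/bin/sh -eux
+#!/bin/sh -eu
 tool=$(readlink -e "${0%/*}/..")
 . "$tool"/remote/lib.sh
 
-"$tool"/remote/ssh \
+ssh \
  -o CheckHostIP=no \
- -o HashKnownHosts=no \
+ -o ControlMaster=no \
  -o StrictHostKeyChecking=no \
+ -o UserKnownHostsFile="$tool"/etc/ssh/known_hosts \
+ -o HashKnownHosts=no \
+ "$@" \
+ true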
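Review bot: `StrictHostKeyChecking=no` makes ssh append an unknown host key to `$tool/etc/ssh/known_hosts` on first contact, but it does not replace a key that has changed: a mismatching entry still raises the host-key warning and the new key is not recorded, so this script only covers the trust-on-first-use case and `ssh-keygen -R <host> -f "$tool"/etc/ssh/known_hosts` is still required before re-learning a rekeyed host. Because the learnt key is then pinned for every remote/ssh call via StrictHostKeyChecking=yes, this first contact is where an out-of-band fingerprint comparison belongs; a comment above `ssh \` stating that would make the intent of the relaxed option explicit. `ControlMaster=no` rightly bypasses any existing master so a real key exchange happens, and calling plain `ssh` instead of remote/ssh also drops `-F remote.conf`, so the user's ~/.ssh/config applies here — consistent with the goal, but worth noting.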
diff --git a/remote/tsocks b/remote/tsocks
new file mode 100755 (executable)
index 0000000..43cb5fa
--- /dev/null
@@ -0,0 +1,6 @@
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+TSOCKS_CONF_FILE="$tool"/etc/tsocks/"$local_fqdn".conf \
+exec tsocks "$@"
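--- a/var/.gitignore
+++ b/var/.gitignore
@@ -1,2 +1,3 @@
 backup
+run
 sec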