From 6647e7fb851e2dbe5a5c7ec60358f7371bf17183 Mon Sep 17 00:00:00 2001
From: Julien Moutinho
Date: Tue, 23 Apr 2013 21:37:04 +0200
Subject: [PATCH] Ajout : iodined tunnel IP sur DNS.
---
 etc/local.sh | 3 +++
 etc/nsd3/zone.d/wiklou.org.zone.m4 | 1 +
 etc/remote.sh | 3 +++
 etc/shorewall/initdone | 11 ++++++++
 etc/shorewall/interfaces | 1 +
 etc/shorewall/macro.d/macro.Iodine | 3 +++
 etc/shorewall/policy | 3 ++-
 etc/shorewall/rules | 27 ++++++++++++--------
 etc/shorewall/zones | 1 +
 etc/{openssh => ssh}/known_hosts | 1 +
 etc/ssh/remote.conf | 4 +++
 etc/ssh/sshd_config.m4 | 7 ++---
 etc/sv/iodined/local.sh | 2 ++
 etc/sv/iodined/log/run | 6 +++++
 etc/sv/iodined/run | 17 ++++++++++++
 etc/sv/sshd/local.sh | 2 +-
 etc/tsocks/ateliers.heureux-cyclage.org.conf | 4 +++
 etc/tsocks/i.wiklou.org.conf | 4 +++
 local/initramfs-configure | 2 +-
 remote/duplicity-key-send | 2 +-
 remote/iodine | 9 +++++++
 remote/iodine-mosh | 5 ++++
 remote/iodine-ssh | 5 ++++
 remote/iodine-tsocks | 6 +++++
 remote/iodined-key-send | 20 +++++++++++++++
 remote/ssh | 13 +++++++---
 remote/ssh-update-known-hosts | 11 +++++---
 remote/tsocks | 6 +++++
 var/.gitignore | 1 +
 29 files changed, 156 insertions(+), 24 deletions(-)
 create mode 100644 etc/shorewall/initdone
 create mode 100644 etc/shorewall/macro.d/macro.Iodine
 rename etc/{openssh => ssh}/known_hosts (78%)
 create mode 100644 etc/ssh/remote.conf
 create mode 100644 etc/sv/iodined/local.sh
 create mode 100644 etc/sv/iodined/log/run
 create mode 100644 etc/sv/iodined/run
 create mode 100644 etc/tsocks/ateliers.heureux-cyclage.org.conf
 create mode 100644 etc/tsocks/i.wiklou.org.conf
 create mode 100755 remote/iodine
 create mode 100755 remote/iodine-mosh
 create mode 100755 remote/iodine-ssh
 create mode 100755 remote/iodine-tsocks
 create mode 100755 remote/iodined-key-send
 create mode 100755 remote/tsocks
diff --git a/etc/local.sh b/etc/local.sh
index 991a27f..41a767a 100644
--- a/etc/local.sh
+++ b/etc/local.sh
@@ -87,3 +87,6 @@ readonly local_mac="00:16:3E:E5:98:42" # NOTE: addresse MAC assignée par Grési
 # dans l'idée de ne pas s'embêter avec
 # une migration squeeze -> wheezy dans deux mois ;
 # et parce qu'on juge wheezy « suffisamment stable ».
+
+readonly local_iodine_ns="i.wiklou.org"
+readonly local_iodine_gateway="10.0.42.1"
diff --git a/etc/nsd3/zone.d/wiklou.org.zone.m4 b/etc/nsd3/zone.d/wiklou.org.zone.m4
index d70fffa..f466ff6 100644
--- a/etc/nsd3/zone.d/wiklou.org.zone.m4
+++ b/etc/nsd3/zone.d/wiklou.org.zone.m4
@@ -43,3 +43,4 @@ www A IP4(LAUTRENET)
 ; ENREGISTREMENTS « NS » (Name Server)
 @ NS ns
 @ NS ns6.gandi.net.
+i NS ns
diff --git a/etc/remote.sh b/etc/remote.sh
index c4d10f9..2dc554e 100644
--- a/etc/remote.sh
+++ b/etc/remote.sh
@@ -1 +1,4 @@
 . "$tool"/etc/local.sh
+
+readonly remote_tsocks_port=2242
+readonly remote_iodine_tsocks_port=5342
diff --git a/etc/shorewall/initdone b/etc/shorewall/initdone
new file mode 100644
index 0000000..40d389f
--- /dev/null
+++ b/etc/shorewall/initdone
@@ -0,0 +1,11 @@
+use Shorewall::Chains;
+
+insert_rule $nat_table->{PREROUTING}, 1, "-p udp --dport 53 -m string --algo kmp --from 40 --hex-string |01|i|06|wiklou|03|org|00| -j DNAT --to-destination :5353";
+ # NOTE: redirige les requêtes DNS concernant i.wiklou.org et ses sous-domaines vers iodined.
+ # NOTE: --from 40 == 20(IP) + 8(UDP) + 12(entête DNS jusqu'aux requêtes).
+ # XXX: --algo bm effectue une recherche de la fin vers le début du paquet IP
+ # XXX: et par conséquent, bien que plus performant, manque des occurences
+ # XXX: dès qu'il y a de la fragmentation au niveau IP ; --algo kmp n'a pas ce souci.
+ # XXX: VOIR: http://autogeree.net/~julm/txt/iptables-xt_string-bm-fails-on-fragmented-ip.sh
+
+1;
diff --git a/etc/shorewall/interfaces b/etc/shorewall/interfaces
index 293bc27..5a61815 100644
--- a/etc/shorewall/interfaces
+++ b/etc/shorewall/interfaces
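Review bot: The rule inserted into nat PREROUTING is not scoped to an interface, so the string-match DNAT to :5353 is applied to UDP/53 packets entering on every interface, including the dns0 tunnel itself and any interface added later, not only the public side where the `i NS ns` delegation makes such queries arrive. An interface match such as `-i eth0` (the net interface in etc/shorewall/interfaces) or `! -i dns0` keeps the redirect on the path it is meant for. Because the rule is placed at position 1 it is presumably evaluated before anything Shorewall generates in that chain, so nothing in the zone/policy files can narrow it afterwards; a comment stating that intent would help, e.g. `# NOTE: inserted first so it precedes Shorewall's own nat PREROUTING rules; narrow it with -i if more interfaces appear.` The `--from 40` comment is accurate as a starting offset only — the search runs on to the end of the packet — so the match still works when the IP header carries options, which is worth one more sentence in that comment.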
@@ -3,4 +3,5 @@ FORMAT 2
 ###############################################################################
 #ZONE INTERFACE OPTIONS
+dns dns0 arp_filter,logmartians,nosmurfs,routefilter,sourceroute=0,tcpflags
 net eth0 arp_filter,logmartians,nosmurfs,routefilter,sourceroute=0,tcpflags
diff --git a/etc/shorewall/macro.d/macro.Iodine b/etc/shorewall/macro.d/macro.Iodine
new file mode 100644
index 0000000..145b8fa
--- /dev/null
+++ b/etc/shorewall/macro.d/macro.Iodine
@@ -0,0 +1,3 @@
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - udp 5353
diff --git a/etc/shorewall/policy b/etc/shorewall/policy
index 4c9f3d8..5b450eb 100644
--- a/etc/shorewall/policy
+++ b/etc/shorewall/policy
@@ -1,7 +1,8 @@
 # DOC: shorewall-policy(5)
 ###############################################################################
 #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
-$FW net DROP
+dns all DROP
+$FW all DROP
 net all DROP info
 # XXX: the following policy must be last
 all all REJECT info
diff --git a/etc/shorewall/rules b/etc/shorewall/rules
index f3e0c33..1798ad1 100644
--- a/etc/shorewall/rules
+++ b/etc/shorewall/rules
@@ -7,10 +7,27 @@
 #SECTION RELATED
 SECTION NEW
+Ping(ACCEPT) dns $FW
+Mosh(ACCEPT) dns $FW
+SSH(ACCEPT) dns $FW
+
+Ping(ACCEPT) $FW dns
+
+ACCEPT $FW net icmp
+DNS(ACCEPT) $FW net
+Git(ACCEPT) $FW net
+HTTP(ACCEPT) $FW net
+HTTPS(ACCEPT) $FW net
+NTP(ACCEPT) $FW net
+SMTP(ACCEPT) $FW net
+SMTPS(ACCEPT) $FW net
+SSH(ACCEPT) $FW net
+
 DNS(ACCEPT) net $FW
 Git(ACCEPT) net $FW
 HTTP(ACCEPT) net $FW
 HTTPS(ACCEPT) net $FW
+Iodine(ACCEPT) net $FW
 Limit(IMAPS,5,60):info net $FW tcp imaps
 IMAPS(ACCEPT) net $FW
 Fanout(ACCEPT) net $FW
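Review bot: `dns all DROP` in etc/shorewall/policy drops traffic from the new tunnel zone without a log level, whereas the existing `net all DROP info` records the same decision for the public side. Hosts in the dns zone are on the far end of the iodine tunnel, so a scan or a misbehaving client there is exactly what you would want to see in the logs; `dns all DROP info` gives both zones the same visibility. If the silence is deliberate (for instance to keep chatty tunnel clients out of auth logs), a short comment on that line saying so would stop the next reader from "fixing" it.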
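Review bot: `SSH(ACCEPT) dns $FW` (and `Mosh(ACCEPT) dns $FW`) in etc/shorewall/rules admit logins from the tunnel zone without the per-source rate limit the net zone gets from `Limit(SSH,10,60):info net $FW tcp ssh` (visible in the next hunk). Presumably any client that completes the iodine handshake lands in that zone, so the same brute-force throttling applies; add `Limit(SSH,10,60):info dns $FW tcp ssh` before `SSH(ACCEPT) dns $FW`, the way `Limit(IMAPS,5,60):info` precedes `IMAPS(ACCEPT)` in this hunk. A one-line comment above the new block, e.g. `# dns: clients reached through the iodined tunnel (dns0)`, would also tell a reader of this file alone what the zone is.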
@@ -23,13 +40,3 @@ SSH(ACCEPT) net $FW
 Limit(SSH,10,60):info net $FW tcp ssh
 Submission(ACCEPT) net $FW
 Limit(Submission,10,60):info net $FW tcp submission
-
-ACCEPT $FW net icmp
-DNS(ACCEPT) $FW net
-Git(ACCEPT) $FW net
-HTTP(ACCEPT) $FW net
-HTTPS(ACCEPT) $FW net
-NTP(ACCEPT) $FW net
-SMTP(ACCEPT) $FW net
-SMTPS(ACCEPT) $FW net
-SSH(ACCEPT) $FW net
diff --git a/etc/shorewall/zones b/etc/shorewall/zones
index 1c410f0..2bba467 100644
--- a/etc/shorewall/zones
+++ b/etc/shorewall/zones
@@ -2,5 +2,6 @@
 ###############################################################################
 #ZONE TYPE OPTIONS IN OUT
 # OPTIONS OPTIONS
+dns ipv4
 fw firewall
 net ipv4
diff --git a/etc/openssh/known_hosts b/etc/ssh/known_hosts
similarity index 78%
rename from etc/openssh/known_hosts
rename to etc/ssh/known_hosts
index 197fe6c..ff3a9a5 100644
--- a/etc/openssh/known_hosts
+++ b/etc/ssh/known_hosts
@@ -2,3 +2,4 @@ rouf.grenode.net,91.216.110.98 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWolyL7ErNN
 init.ateliers.heureux-cyclage.org ssh-rsa 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 root@ateliers
 ateliers.heureux-cyclage.org ssh-rsa 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
 91.216.110.42 ssh-rsa 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
+10.0.42.1 ssh-rsa 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
diff --git a/etc/ssh/remote.conf b/etc/ssh/remote.conf
new file mode 100644
index 0000000..86708e1
--- /dev/null
+++ b/etc/ssh/remote.conf
@@ -0,0 +1,4 @@
+Host 91.216.110.42
+ DynamicForward 127.0.0.1:2242
+Host 10.0.42.1
+ DynamicForward 127.0.0.1:5342
diff --git a/etc/ssh/sshd_config.m4 b/etc/ssh/sshd_config.m4
index 219b335..6c7298e 100644
--- a/etc/ssh/sshd_config.m4
+++ b/etc/ssh/sshd_config.m4
@@ -11,9 +11,10 @@ IgnoreRhosts yes
 IgnoreUserKnownHosts no
 KerberosAuthentication no
 KeyRegenerationInterval 3600
-Port 22
-ListenAddress 127.0.0.1
-ListenAddress LOCAL_IPV4
+#ListenAddress 127.0.0.1:22
+#ListenAddress 10.0.42.1:22
+#ListenAddress LOCAL_IPV4:22
+ListenAddress 0.0.0.0:22
 LogLevel INFO
 LoginGraceTime 120
 MaxAuthTries 3
diff --git a/etc/sv/iodined/local.sh b/etc/sv/iodined/local.sh
new file mode 100644
index 0000000..3fd7715
--- /dev/null
+++ b/etc/sv/iodined/local.sh
@@ -0,0 +1,2 @@
+"$tool"/local/apt-get-install iodine
+"$tool"/local/insserv-remove iodined
diff --git a/etc/sv/iodined/log/run b/etc/sv/iodined/log/run
new file mode 100644
index 0000000..369030c
--- /dev/null
+++ b/etc/sv/iodined/log/run
@@ -0,0 +1,6 @@
+#!/bin/sh -eux
+sv=${PWD%/log}
+sv=${sv#/etc/sv/}
+
+exec chpst -u root:adm \
+ logger -p auth.1 -t "$sv"
diff --git a/etc/sv/iodined/run b/etc/sv/iodined/run
new file mode 100644
index 0000000..d3e15c7
--- /dev/null
+++ b/etc/sv/iodined/run
@@ -0,0 +1,17 @@
+#!/bin/sh -eux
+exec 2>&1
+sv=${PWD#/etc/sv/}
+
+install -d -m 750 -o iodine -g nogroup \
+ /run/iodine
+
+exec /usr/sbin/iodined \
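Review bot: `ListenAddress 0.0.0.0:22` in etc/ssh/sshd_config.m4 replaces three explicit bindings with a wildcard, and the hunk leaves no trace of why the per-address form could not be kept — the intended addresses are still listed, only commented out. Presumably `10.0.42.1` lives on dns0, which is not up when sshd starts, and sshd refuses to start when a ListenAddress cannot be bound; if so, a comment is worth more than the dead lines, e.g. `# NOTE: wildcard because 10.0.42.1 (dns0/iodined) is not up when sshd starts; reachability is limited by shorewall, not here.` With the wildcard, any address the host acquires later is served too, so the restriction now rests entirely on the shorewall policy. Separately, `10.0.42.1` is hard-coded here while the neighbouring line uses the `LOCAL_IPV4` m4 macro and etc/local.sh now defines `local_iodine_gateway` for the same value; a single source for that address avoids drift if the tunnel subnet changes.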