author | root <root@samizdat> | 2021-09-28 23:31:38 -0400 |
---|---|---|
committer | root <root@samizdat> | 2021-09-28 23:31:38 -0400 |
commit | a1880f4ff17c1224f4f56bb78d5b161483de61e7 (patch) | |
tree | c993f4d2f8351f8205982a5e6c1862cac9d69faa | |
parent | 7189cefd81bbdb1d0caf0dad887c7cc0d8181089 (diff) |
-rw-r--r-- | andy.conf | 579 | ||||
-rw-r--r-- | gai.conf | 65 | ||||
-rw-r--r-- | keycopy.sh | 15 |
3 files changed, 659 insertions, 0 deletions
diff --git a/andy.conf b/andy.conf new file mode 100644 index 0000000..39f2337 --- /dev/null +++ b/andy.conf | |||
@@ -0,0 +1,579 @@ | |||
1 | # conn andy | ||
2 | # type=tunnel | ||
3 | # auto=add | ||
4 | # | ||
5 | # left=%any | ||
6 | # leftsourceip=%config | ||
7 | # leftsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQC8b9n1/1p5HposHmP1xbrKCOP+3PSnaycQvIbcB3ugYBFgTfUoVZ0c6pUzpw8uR93iQ/mSyeEvjaUDctBASg67jxyeSU78p9qJ/y/Eg2uBiMNx1fUljVryqXCbQRebjtVWNjIhr99qowzYrV+ztTNpQ2oI/VhQ9C+cbDLKySoR5L8wrkSPqvYH4oZJtyKQmv7lN3/MKFONZlTo1RMw2+4214uaQJF1dcwW3erHh15SpqoQ7LidqNH2Q6SInzVdJbZtQSWjFM29m4nQMv55g6VlUK8NfcGJuIKghO0urZvYQpdeBe05Lr/y/n3wqJb97Eh5hzQc9Jx5kKQZeueHWEkz" | ||
8 | # leftid=dd6c:fbfd:eeb8:4709 | ||
9 | # right=%any | ||
10 | # right=68.48.18.140 | ||
11 | # #rightsubnet=2601:401:8200:2d4c::1/64 | ||
12 | # rightsubnet=0::0/0 | ||
13 | # rightsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQD0v/20UNR7vpib9amq1xMrJSiyIWXjpiHq1O2BIrzZ2nuilSxn1dYVhelUTR2siDKAxoo3sX0GDWayMekHtzPr1DBXQ/eu9PNhp9Q0QvkgRSay9HggelpGukxP8N72kbthggmCkWufaM/OoDOVHBYngJFbrwOwhDKJyL+q8f3u1LFOErRxVJ7f7/C1o+NLkWXayfwOK8kk4Hc9tcy1MXk5jLx927evsyOYXV2Lbzf9qwXSV6MjUlFDhqhW/v2IOBCxXG7GhpoHTmpdtv0JxDLnc5zYBxgleiS74DmC5GKU5EgU63e7FNnPSvVnYO+S3mO+Y4PwNv4BYnKSpSGe/0tt" | ||
14 | |||
15 | # Section defining IKE connection configurations. | ||
16 | connections { | ||
17 | |||
18 | # Section for an IKE connection named andy. | ||
19 | andy { | ||
20 | |||
21 | # IKE major version to use for connection. | ||
22 | # version = 0 | ||
23 | |||
24 | # Local address(es) to use for IKE communication, comma separated. | ||
25 | local_addrs = %any | ||
26 | |||
27 | # Remote address(es) to use for IKE communication, comma separated. | ||
28 | remote_addrs = 68.48.18.140 | ||
29 | |||
30 | # Local UDP port for IKE communication. | ||
31 | # local_port = 500 | ||
32 | |||
33 | # Remote UDP port for IKE communication. | ||
34 | # remote_port = 500 | ||
35 | |||
36 | # Comma separated proposals to accept for IKE. | ||
37 | # proposals = default | ||
38 | |||
39 | # Virtual IPs to request in configuration payload / Mode Config. | ||
40 | vips = :: | ||
41 | |||
42 | # Use Aggressive Mode in IKEv1. | ||
43 | # aggressive = no | ||
44 | |||
45 | # Set the Mode Config mode to use. | ||
46 | # pull = yes | ||
47 | |||
48 | # Differentiated Services Field Codepoint to set on outgoing IKE packets | ||
49 | # (six binary digits). | ||
50 | # dscp = 000000 | ||
51 | |||
52 | # Enforce UDP encapsulation by faking NAT-D payloads. | ||
53 | # encap = no | ||
54 | |||
55 | # Enables MOBIKE on IKEv2 connections. | ||
56 | # mobike = yes | ||
57 | |||
58 | # Interval of liveness checks (DPD). | ||
59 | # dpd_delay = 0s | ||
60 | |||
61 | # Timeout for DPD checks (IKEV1 only). | ||
62 | # dpd_timeout = 0s | ||
63 | |||
64 | # Use IKE UDP datagram fragmentation (yes, accept, no or force). | ||
65 | # fragmentation = yes | ||
66 | |||
67 | # Use childless IKE_SA initiation (allow, force or never). | ||
68 | # childless = allow | ||
69 | |||
70 | # Send certificate requests payloads (yes or no). | ||
71 | # send_certreq = yes | ||
72 | |||
73 | # Send certificate payloads (always, never or ifasked). | ||
74 | # send_cert = ifasked | ||
75 | |||
76 | # String identifying the Postquantum Preshared Key (PPK) to be used. | ||
77 | # ppk_id = | ||
78 | |||
79 | # Whether a Postquantum Preshared Key (PPK) is required for this | ||
80 | # connection. | ||
81 | # ppk_required = no | ||
82 | |||
83 | # Number of retransmission sequences to perform during initial connect. | ||
84 | # keyingtries = 1 | ||
85 | |||
86 | # Connection uniqueness policy (never, no, keep or replace). | ||
87 | # unique = no | ||
88 | |||
89 | # Time to schedule IKE reauthentication. | ||
90 | # reauth_time = 0s | ||
91 | |||
92 | # Time to schedule IKE rekeying. | ||
93 | # rekey_time = 4h | ||
94 | |||
95 | # Hard IKE_SA lifetime if rekey/reauth does not complete, as time. | ||
96 | # over_time = 10% of rekey_time/reauth_time | ||
97 | |||
98 | # Range of random time to subtract from rekey/reauth times. | ||
99 | # rand_time = over_time | ||
100 | |||
101 | # Comma separated list of named IP pools. | ||
102 | # pools = | ||
103 | |||
104 | # Default inbound XFRM interface ID for children. | ||
105 | # if_id_in = 0 | ||
106 | |||
107 | # Default outbound XFRM interface ID for children. | ||
108 | # if_id_out = 0 | ||
109 | |||
110 | # Whether this connection is a mediation connection. | ||
111 | # mediation = no | ||
112 | |||
113 | # The name of the connection to mediate this connection through. | ||
114 | # mediated_by = | ||
115 | |||
116 | # Identity under which the peer is registered at the mediation server. | ||
117 | # mediation_peer = | ||
118 | |||
119 | # Section for a local authentication round. | ||
120 | local1 { | ||
121 | |||
122 | # Optional numeric identifier by which authentication rounds are | ||
123 | # sorted. If not specified rounds are ordered by their position in | ||
124 | # the config file/VICI message. | ||
125 | # round = 0 | ||
126 | |||
127 | # Comma separated list of certificate candidates to use for | ||
128 | # authentication. | ||
129 | # certs = | ||
130 | |||
131 | # Section for a certificate candidate to use for authentication. | ||
132 | # cert<suffix> = | ||
133 | |||
134 | # Comma separated list of raw public key candidates to use for | ||
135 | # authentication. | ||
136 | pubkeys = ssh_host_rsa_key.pub | ||
137 | |||
138 | # Authentication to perform locally (pubkey, psk, xauth[-backend] or | ||
139 | # eap[-method]). | ||
140 | auth = pubkey | ||
141 | |||
142 | # IKE identity to use for authentication round. | ||
143 | id = dd6c:fbfd:eeb8:4709 | ||
144 | |||
145 | # Client EAP-Identity to use in EAP-Identity exchange and the EAP | ||
146 | # method. | ||
147 | # eap_id = id | ||
148 | |||
149 | # Server side EAP-Identity to expect in the EAP method. | ||
150 | # aaa_id = remote-id | ||
151 | |||
152 | # Client XAuth username used in the XAuth exchange. | ||
153 | # xauth_id = id | ||
154 | |||
155 | # cert<suffix> { | ||
156 | |||
157 | # Absolute path to the certificate to load. | ||
158 | # file = | ||
159 | |||
160 | # Hex-encoded CKA_ID of the certificate on a token. | ||
161 | # handle = | ||
162 | |||
163 | # Optional slot number of the token that stores the certificate. | ||
164 | # slot = | ||
165 | |||
166 | # Optional PKCS#11 module name. | ||
167 | # module = | ||
168 | |||
169 | # } | ||
170 | |||
171 | } | ||
172 | |||
173 | # Section for a remote authentication round. | ||
174 | remote1 { | ||
175 | |||
176 | # Optional numeric identifier by which authentication rounds are | ||
177 | # sorted. If not specified rounds are ordered by their position in | ||
178 | # the config file/VICI message. | ||
179 | # round = 0 | ||
180 | |||
181 | # IKE identity to expect for authentication round. | ||
182 | #id = %any | ||
183 | |||
184 | # Identity to use as peer identity during EAP authentication. | ||
185 | # eap_id = id | ||
186 | |||
187 | # Authorization group memberships to require. | ||
188 | # groups = | ||
189 | |||
190 | # Certificate policy OIDs the peer's certificate must have. | ||
191 | # cert_policy = | ||
192 | |||
193 | # Comma separated list of certificate to accept for authentication. | ||
194 | # certs = | ||
195 | |||
196 | # Section for a certificate to accept for authentication. | ||
197 | # cert<suffix> = | ||
198 | |||
199 | # Comma separated list of CA certificates to accept for | ||
200 | # authentication. | ||
201 | # cacerts = | ||
202 | |||
203 | # Section for a CA certificate to accept for authentication. | ||
204 | # cacert<suffix> = | ||
205 | |||
206 | # Identity in CA certificate to accept for authentication. | ||
207 | # ca_id = | ||
208 | |||
209 | # Comma separated list of raw public keys to accept for | ||
210 | # authentication. | ||
211 | pubkeys = andy.pub | ||
212 | |||
213 | # Certificate revocation policy, (strict, ifuri or relaxed). | ||
214 | # revocation = relaxed | ||
215 | |||
216 | # Authentication to expect from remote (pubkey, psk, xauth[-backend] | ||
217 | # or eap[-method]). | ||
218 | auth = pubkey | ||
219 | |||
220 | # cert<suffix> { | ||
221 | |||
222 | # Absolute path to the certificate to load. | ||
223 | # file = | ||
224 | |||
225 | # Hex-encoded CKA_ID of the certificate on a token. | ||
226 | # handle = | ||
227 | |||
228 | # Optional slot number of the token that stores the certificate. | ||
229 | # slot = | ||
230 | |||
231 | # Optional PKCS#11 module name. | ||
232 | # module = | ||
233 | |||
234 | # } | ||
235 | |||
236 | # cacert<suffix> { | ||
237 | |||
238 | # Absolute path to the certificate to load. | ||
239 | # file = | ||
240 | |||
241 | # Hex-encoded CKA_ID of the CA certificate on a token. | ||
242 | # handle = | ||
243 | |||
244 | # Optional slot number of the token that stores the CA | ||
245 | # certificate. | ||
246 | # slot = | ||
247 | |||
248 | # Optional PKCS#11 module name. | ||
249 | # module = | ||
250 | |||
251 | # } | ||
252 | |||
253 | } | ||
254 | |||
255 | children { | ||
256 | |||
257 | # CHILD_SA configuration sub-section. | ||
258 | child1 { | ||
259 | |||
260 | # AH proposals to offer for the CHILD_SA. | ||
261 | # ah_proposals = | ||
262 | |||
263 | # ESP proposals to offer for the CHILD_SA. | ||
264 | # esp_proposals = default | ||
265 | |||
266 | # Use incorrect 96-bit truncation for HMAC-SHA-256. | ||
267 | # sha256_96 = no | ||
268 | |||
269 | # Local traffic selectors to include in CHILD_SA. | ||
270 | local_ts = dynamic | ||
271 | |||
272 | # Remote selectors to include in CHILD_SA. | ||
273 | remote_ts = 0::0/0 | ||
274 | |||
275 | # Time to schedule CHILD_SA rekeying. | ||
276 | # rekey_time = 1h | ||
277 | |||
278 | # Maximum lifetime before CHILD_SA gets closed, as time. | ||
279 | # life_time = rekey_time + 10% | ||
280 | |||
281 | # Range of random time to subtract from rekey_time. | ||
282 | # rand_time = life_time - rekey_time | ||
283 | |||
284 | # Number of bytes processed before initiating CHILD_SA rekeying. | ||
285 | # rekey_bytes = 0 | ||
286 | |||
287 | # Maximum bytes processed before CHILD_SA gets closed. | ||
288 | # life_bytes = rekey_bytes + 10% | ||
289 | |||
290 | # Range of random bytes to subtract from rekey_bytes. | ||
291 | # rand_bytes = life_bytes - rekey_bytes | ||
292 | |||
293 | # Number of packets processed before initiating CHILD_SA | ||
294 | # rekeying. | ||
295 | # rekey_packets = 0 | ||
296 | |||
297 | # Maximum number of packets processed before CHILD_SA gets | ||
298 | # closed. | ||
299 | # life_packets = rekey_packets + 10% | ||
300 | |||
301 | # Range of random packets to subtract from packets_bytes. | ||
302 | # rand_packets = life_packets - rekey_packets | ||
303 | |||
304 | # Updown script to invoke on CHILD_SA up and down events. | ||
305 | # updown = | ||
306 | |||
307 | # Hostaccess variable to pass to updown script. | ||
308 | # hostaccess = no | ||
309 | |||
310 | # IPsec Mode to establish (tunnel, transport, transport_proxy, | ||
311 | # beet, pass or drop). | ||
312 | mode = tunnel | ||
313 | |||
314 | # Whether to install IPsec policies or not. | ||
315 | # policies = yes | ||
316 | |||
317 | # Whether to install outbound FWD IPsec policies or not. | ||
318 | # policies_fwd_out = no | ||
319 | |||
320 | # Action to perform on DPD timeout (clear, trap or restart). | ||
321 | dpd_action = restart | ||
322 | |||
323 | # Enable IPComp compression before encryption. | ||
324 | # ipcomp = no | ||
325 | |||
326 | # Timeout before closing CHILD_SA after inactivity. | ||
327 | # inactivity = 0s | ||
328 | |||
329 | # Fixed reqid to use for this CHILD_SA. | ||
330 | # reqid = 0 | ||
331 | |||
332 | # Optional fixed priority for IPsec policies. | ||
333 | # priority = 0 | ||
334 | |||
335 | # Optional interface name to restrict IPsec policies. | ||
336 | # interface = | ||
337 | |||
338 | # Netfilter mark and mask for input traffic. | ||
339 | # mark_in = 0/0x00000000 | ||
340 | |||
341 | # Whether to set *mark_in* on the inbound SA. | ||
342 | # mark_in_sa = no | ||
343 | |||
344 | # Netfilter mark and mask for output traffic. | ||
345 | # mark_out = 0/0x00000000 | ||
346 | |||
347 | # Netfilter mark applied to packets after the inbound IPsec SA | ||
348 | # processed them. | ||
349 | # set_mark_in = 0/0x00000000 | ||
350 | |||
351 | # Netfilter mark applied to packets after the outbound IPsec SA | ||
352 | # processed them. | ||
353 | # set_mark_out = 0/0x00000000 | ||
354 | |||
355 | # Inbound XFRM interface ID. | ||
356 | # if_id_in = 0 | ||
357 | |||
358 | # Outbound XFRM interface ID. | ||
359 | # if_id_out = 0 | ||
360 | |||
361 | # Traffic Flow Confidentiality padding. | ||
362 | # tfc_padding = 0 | ||
363 | |||
364 | # IPsec replay window to configure for this CHILD_SA. | ||
365 | # replay_window = 32 | ||
366 | |||
367 | # Enable hardware offload for this CHILD_SA, if supported by the | ||
368 | # IPsec implementation. | ||
369 | # hw_offload = no | ||
370 | |||
371 | # Whether to copy the DF bit to the outer IPv4 header in tunnel | ||
372 | # mode. | ||
373 | # copy_df = yes | ||
374 | |||
375 | # Whether to copy the ECN header field to/from the outer IP | ||
376 | # header in tunnel mode. | ||
377 | # copy_ecn = yes | ||
378 | |||
379 | # Whether to copy the DSCP header field to/from the outer IP | ||
380 | # header in tunnel mode. | ||
381 | # copy_dscp = out | ||
382 | |||
383 | # Action to perform after loading the configuration (none, trap, | ||
384 | # start). | ||
385 | # start_action = none | ||
386 | |||
387 | # Action to perform after a CHILD_SA gets closed (none, trap, | ||
388 | # start). | ||
389 | # close_action = none | ||
390 | |||
391 | } | ||
392 | |||
393 | } | ||
394 | |||
395 | } | ||
396 | |||
397 | } | ||
398 | |||
399 | # Section defining secrets for IKE/EAP/XAuth authentication and private key | ||
400 | # decryption. | ||
401 | secrets { | ||
402 | |||
403 | # EAP secret section for a specific secret. | ||
404 | # eap<suffix> { | ||
405 | |||
406 | # Value of the EAP/XAuth secret. | ||
407 | # secret = | ||
408 | |||
409 | # Identity the EAP/XAuth secret belongs to. | ||
410 | # id<suffix> = | ||
411 | |||
412 | # } | ||
413 | |||
414 | # XAuth secret section for a specific secret. | ||
415 | # xauth<suffix> { | ||
416 | |||
417 | # } | ||
418 | |||
419 | # NTLM secret section for a specific secret. | ||
420 | # ntlm<suffix> { | ||
421 | |||
422 | # Value of the NTLM secret. | ||
423 | # secret = | ||
424 | |||
425 | # Identity the NTLM secret belongs to. | ||
426 | # id<suffix> = | ||
427 | |||
428 | # } | ||
429 | |||
430 | # IKE preshared secret section for a specific secret. | ||
431 | # ike<suffix> { | ||
432 | |||
433 | # Value of the IKE preshared secret. | ||
434 | # secret = | ||
435 | |||
436 | # IKE identity the IKE preshared secret belongs to. | ||
437 | # id<suffix> = | ||
438 | |||
439 | # } | ||
440 | |||
441 | # Postquantum Preshared Key (PPK) section for a specific secret. | ||
442 | # ppk<suffix> { | ||
443 | |||
444 | # Value of the PPK. | ||
445 | # secret = | ||
446 | |||
447 | # PPK identity the PPK belongs to. | ||
448 | # id<suffix> = | ||
449 | |||
450 | # } | ||
451 | |||
452 | # Private key decryption passphrase for a key in the private folder. | ||
453 | private1 { | ||
454 | |||
455 | # File name in the private folder for which this passphrase should be | ||
456 | # used. | ||
457 | file = ssh_host_rsa_key | ||
458 | |||
459 | # Value of decryption passphrase for private key. | ||
460 | # secret = | ||
461 | |||
462 | } | ||
463 | |||
464 | # Private key decryption passphrase for a key in the rsa folder. | ||
465 | # rsa<suffix> { | ||
466 | |||
467 | # File name in the rsa folder for which this passphrase should be used. | ||
468 | # file = | ||
469 | |||
470 | # Value of decryption passphrase for RSA key. | ||
471 | # secret = | ||
472 | |||
473 | # } | ||
474 | |||
475 | # Private key decryption passphrase for a key in the ecdsa folder. | ||
476 | # ecdsa<suffix> { | ||
477 | |||
478 | # File name in the ecdsa folder for which this passphrase should be | ||
479 | # used. | ||
480 | # file = | ||
481 | |||
482 | # Value of decryption passphrase for ECDSA key. | ||
483 | # secret = | ||
484 | |||
485 | # } | ||
486 | |||
487 | # Private key decryption passphrase for a key in the pkcs8 folder. | ||
488 | # pkcs8<suffix> { | ||
489 | |||
490 | # File name in the pkcs8 folder for which this passphrase should be | ||
491 | # used. | ||
492 | # file = | ||
493 | |||
494 | # Value of decryption passphrase for PKCS#8 key. | ||
495 | # secret = | ||
496 | |||
497 | # } | ||
498 | |||
499 | # PKCS#12 decryption passphrase for a container in the pkcs12 folder. | ||
500 | # pkcs12<suffix> { | ||
501 | |||
502 | # File name in the pkcs12 folder for which this passphrase should be | ||
503 | # used. | ||
504 | # file = | ||
505 | |||
506 | # Value of decryption passphrase for PKCS#12 container. | ||
507 | # secret = | ||
508 | |||
509 | # } | ||
510 | |||
511 | # Definition for a private key that's stored on a token/smartcard. | ||
512 | # token<suffix> { | ||
513 | |||
514 | # Hex-encoded CKA_ID of the private key on the token. | ||
515 | # handle = | ||
516 | |||
517 | # Optional slot number to access the token. | ||
518 | # slot = | ||
519 | |||
520 | # Optional PKCS#11 module name to access the token. | ||
521 | # module = | ||
522 | |||
523 | # Optional PIN required to access the key on the token. If none is | ||
524 | # provided the user is prompted during an interactive --load-creds call. | ||
525 | # pin = | ||
526 | |||
527 | # } | ||
528 | |||
529 | } | ||
530 | |||
531 | # Section defining named pools. | ||
532 | # pools { | ||
533 | |||
534 | # Section defining a single pool with a unique name. | ||
535 | # <name> { | ||
536 | |||
537 | # Addresses allocated in pool. | ||
538 | # addrs = | ||
539 | |||
540 | # Comma separated list of additional attributes from type <attr>. | ||
541 | # <attr> = | ||
542 | |||
543 | # } | ||
544 | |||
545 | # } | ||
546 | |||
547 | # Section defining attributes of certification authorities. | ||
548 | # authorities { | ||
549 | |||
550 | # Section defining a certification authority with a unique name. | ||
551 | # <name> { | ||
552 | |||
553 | # CA certificate belonging to the certification authority. | ||
554 | # cacert = | ||
555 | |||
556 | # Absolute path to the certificate to load. | ||
557 | # file = | ||
558 | |||
559 | # Hex-encoded CKA_ID of the CA certificate on a token. | ||
560 | # handle = | ||
561 | |||
562 | # Optional slot number of the token that stores the CA certificate. | ||
563 | # slot = | ||
564 | |||
565 | # Optional PKCS#11 module name. | ||
566 | # module = | ||
567 | |||
568 | # Comma-separated list of CRL distribution points. | ||
569 | # crl_uris = | ||
570 | |||
571 | # Comma-separated list of OCSP URIs. | ||
572 | # ocsp_uris = | ||
573 | |||
574 | # Defines the base URI for the Hash and URL feature supported by IKEv2. | ||
575 | # cert_uri_base = | ||
576 | |||
577 | # } | ||
578 | |||
579 | # } | ||
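diff --git a/gai.conf b/gai.conf
new file mode 100644
index 0000000..1a1770b
--- /dev/null
+++ b/gai.conf
@@ -0,0 +1,65 @@
+# Configuration for getaddrinfo(3).
+#
+# So far only configuration for the destination address sorting is needed.
+# RFC 3484 governs the sorting. But the RFC also says that system
+# administrators should be able to overwrite the defaults. This can be
+# achieved here.
+#
+# All lines have an initial identifier specifying the option followed by
+# up to two values. Information specified in this file replaces the
+# default information. Complete absence of data of one kind causes the
+# appropriate default information to be used. The supported commands include:
+#
+# reload <yes|no>
+# If set to yes, each getaddrinfo(3) call will check whether this file
+# changed and if necessary reload. This option should not really be
+# used. There are possible runtime problems. The default is no.
+#
+# label <mask> <value>
+# Add another rule to the RFC 3484 label table. See section 2.1 in
+# RFC 3484. The default is:
+#
+#label ::1/128 0
+#label ::/0 1
+#label 2002::/16 2
+#label ::/96 3
+#label ::ffff:0:0/96 4
+#label fec0::/10 5
+#label fc00::/7 6
+#label 2001:0::/32 7
+#
+# This default differs from the tables given in RFC 3484 by handling
+# (now obsolete) site-local IPv6 addresses and Unique Local Addresses.
+# The reason for this difference is that these addresses are never
+# NATed while IPv4 site-local addresses most probably are. Given
+# the precedence of IPv6 over IPv4 (see below) on machines having only
+# site-local IPv4 and IPv6 addresses a lookup for a global address would
+# see the IPv6 be preferred. The result is a long delay because the
+# site-local IPv6 addresses cannot be used while the IPv4 address is
+# (at least for the foreseeable future) NATed. We also treat Teredo
+# tunnels special.
+#
+# precedence <mask> <value>
+# Add another rule to the RFC 3484 precedence table. See section 2.1
+# and 10.3 in RFC 3484. The default is:
+#
+precedence ::1/128 50
+precedence ::/0 40
+precedence 2002::/16 30
+precedence ::/96 20
+#precedence ::ffff:0:0/96 10
+#
+# For sites which prefer IPv4 connections change the last line to
+#
+precedence ::ffff:0:0/96 100
+
+#
+# scopev4 <mask> <value>
+# Add another rule to the RFC 6724 scope table for IPv4 addresses.
+# By default the scope IDs described in section 3.2 in RFC 6724 are
+# used. Changing these defaults should hardly ever be necessary.
+# The defaults are equivalent to:
+#
+#scopev4 ::ffff:169.254.0.0/112 2
+#scopev4 ::ffff:127.0.0.0/104 2
+#scopev4 ::ffff:0.0.0.0/96 14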
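Review bot: Raising the IPv4-mapped precedence to 100 (`precedence ::ffff:0:0/96 100`) makes getaddrinfo prefer A records over AAAA for every dual-stack destination, and since andy.conf in the same commit tunnels all IPv6 (`remote_ts = 0::0/0`), traffic to dual-stack hosts will presumably leave over plain IPv4 rather than through the IPsec tunnel; whether that is the intent is not stated anywhere. If only IPv6 is meant to use the tunnel, a comment above the line such as `# Prefer IPv4: only IPv6 is routed through the andy IPsec tunnel, everything dual-stack goes direct` would save the next reader the cross-file inference; if the tunnel is meant to carry general traffic, this line undoes it for most destinations. Re-activating the four default precedence entries above it is correct and necessary, because the file's own header says that any precedence data given here replaces the whole default table.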
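diff --git a/keycopy.sh b/keycopy.sh
new file mode 100644
index 0000000..29f8423
--- /dev/null
+++ b/keycopy.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+h=marble.tj5tzswz7isfavggdjsiwxdjswrg6tadlzuf3j3q.ed25519.cryptonomic.net
+n=andy
+
+key_basename=ssh_host_rsa_key
+input_key=/etc/ssh/$key_basename
+openssl rsa -in "$input_key" -outform DER > /etc/swanctl/private/"$key_basename"
+openssl rsa -in "$input_key" -pubout -outform DER > /etc/swanctl/pubkey/"$key_basename".pub
+
+t=$(mktemp)
+ssh-keyscan -trsa "$h" | while read hh rest; do [ "$h" = "$hh" ] && printf '%s\n' "$rest"; done
+
+ssh-keygen -e -f rsa.scan.edit -m PEM | openssl rsa -RSAPublicKey_in -outform DER > /etc/swanctl/pubkey/"$n".pub
+
+ls -l /etc/swanctl/private/"$key_basename" /etc/swanctl/pubkey/"$key_basename".pub /etc/swanctl/pubkey/"$n".pub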
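Review bot: The ssh-keyscan pipeline on line 11 prints the peer's key to stdout and discards it, while line 13 converts `rsa.scan.edit`, a file nothing in this script creates, and `t=$(mktemp)` is allocated but never used or removed, so the peer-key step only works if that file was prepared by hand beforehand. The scanned key is also taken straight from the network, which is trust-on-first-use: whoever answers the scan gets their key installed as `andy.pub` and thereby becomes the sole trust anchor for the IPsec peer, so the scanned key should be compared against a fingerprint obtained out of band before it is written. The private key is written with a plain redirect (`> /etc/swanctl/private/...`), so its mode depends on the caller's umask; set `umask 077` (or write via `install -m 600`) before the openssl calls, and add `set -eu` so a failed conversion cannot leave a truncated key in place. The shape I would use is below, with the expected fingerprint left as a placeholder to be filled in from the peer.

```shell
#!/bin/sh
set -eu
umask 077
# … unchanged: h, n, key_basename, input_key and the two openssl conversions …

t=$(mktemp)
trap 'rm -f "$t"' EXIT
# keep only the entry for the host we asked about, in "keytype base64" form
ssh-keyscan -t rsa "$h" | awk -v h="$h" '$1 == h { print $2, $3 }' > "$t"

# ssh-keyscan alone is trust-on-first-use; pin to a fingerprint obtained out of band
expected_fpr='SHA256:...'   # from the peer's own `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub`
scanned_fpr=$(ssh-keygen -lf "$t" | awk '{ print $2 }')
[ "$scanned_fpr" = "$expected_fpr" ] || { echo "host key for $h does not match expected fingerprint" >&2; exit 1; }

ssh-keygen -e -f "$t" -m PEM | openssl rsa -RSAPublicKey_in -outform DER > /etc/swanctl/pubkey/"$n".pub
# … unchanged: final ls -l …
```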