--- /dev/null
+- /aquota.user
+- /aquota.group
+
+- /*/.cache/
+- /*/.ccache/
+- /*/.local/share/Trash/
+- /*/.thumbnails/
+- /*/tmp/
--- /dev/null
+- squid/
+- squid3/
+- lpd/
--- /dev/null
+#! /usr/bin/python
+###
+### Efficiently construct canonical digests of filesystems
+###
+### (c) 2012 Mark Wooding
+###
+
+###----- Licensing notice ---------------------------------------------------
+###
+### This file is part of the `rsync-backup' program.
+###
+### rsync-backup is free software; you can redistribute it and/or modify
+### it under the terms of the GNU General Public License as published by
+### the Free Software Foundation; either version 2 of the License, or
+### (at your option) any later version.
+###
+### rsync-backup is distributed in the hope that it will be useful,
+### but WITHOUT ANY WARRANTY; without even the implied warranty of
+### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+### GNU General Public License for more details.
+###
+### You should have received a copy of the GNU General Public License
+### along with rsync-backup; if not, write to the Free Software Foundation,
+### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+from sys import argv, exit, stdin, stdout, stderr
+import os as OS
+import re as RX
+import time as T
+import stat as ST
+import optparse as OP
+import hashlib as H
+import sqlite3 as DB
+import zlib as Z
+
+PACKAGE = 'rsync-backup'
+VERSION = '0.99.1-8-ga844'
+
+###--------------------------------------------------------------------------
+### Utilities.
+
+QUIS = OS.path.basename(argv[0])
+
+def moan(msg):
+ stderr.write('%s: %s\n' % (QUIS, msg))
+
+def die(msg, rc = 1):
+ moan(msg)
+ exit(rc)
+
+SYSERR = 0
+def syserr(msg):
+ global SYSERR
+ moan(msg)
+ SYSERR += 1
+
+###--------------------------------------------------------------------------
+### File system enumeration.
+
+class FileInfo (object):
+ def __init__(me, file, st = None):
+ me.name = file
+ if st:
+ me.st = st
+ me.err = None
+ else:
+ try:
+ me.st = OS.lstat(file)
+ me.err = None
+ except OSError, err:
+ me.st = None
+ me.err = err
+
+def enum_walk(file, func):
+
+ def dirents(name):
+ try:
+ return OS.listdir(name)
+ except OSError, err:
+ syserr("failed to read directory `%s': %s" % (name, err.strerror))
+ return []
+
+ def dir(ee, dev):
+ ff = []
+ dd = []
+ for e in ee:
+ fi = FileInfo(e)
+ if fi.st and fi.st.st_dev != dev: pass
+ if fi.st and ST.S_ISDIR(fi.st.st_mode): dd.append(fi)
+ else: ff.append(fi)
+ ff.sort(key = lambda fi: fi.name)
+ dd.sort(key = lambda fi: fi.name + '/')
+ for f in ff:
+ func(f)
+ for d in dd:
+ if d.st.st_dev == dev:
+ func(d)
+ dir([OS.path.join(d.name, e) for e in dirents(d.name)], dev)
+
+ if file.endswith('/'):
+ cwd = OS.open('.', OS.O_RDONLY)
+ try:
+ OS.chdir(file)
+ fi = FileInfo('.')
+ func(fi)
+ dir(dirents('.'), fi.st.st_dev)
+ finally:
+ OS.fchdir(cwd)
+ OS.close(cwd)
+ else:
+ fi = FileInfo(file)
+ func(fi)
+ if fi.st and ST.S_ISDIR(fi.st.st_mode):
+ dir([OS.path.join(fi.name, e) for e in dirents(fi.name)],
+ fi.st.st_dev)
+
+def enum_find0(f, func):
+ tail = ""
+ while True:
+ buf = f.read(8192)
+ last = len(buf) == 0
+ names = (tail + buf).split('\0')
+ tail = names.pop()
+ for n in names:
+ func(FileInfo(n))
+ if last:
+ break
+ if len(tail):
+ moan("ignored trailing junk after last filename")
+
+RX_RSYNCESC = RX.compile(r'\\ \# ([0-7]{3})', RX.VERBOSE)
+def enum_rsync(f, func):
+
+ ## The format is a little fiddly. Each line consists of PERMS SIZE DATE
+ ## TIME NAME, separated by runs of whitespace, but the NAME starts exactly
+ ## one space character after the TIME and may begin with a space.
+ ## Sequences of the form `\#OOO' where OOO are three octal digits, stand
+ ## for a byte with that value. Newlines and backslashes which would be
+ ## ambiguous are converted into this form; all other characters are
+ ## literal.
+ ##
+ ## We ignore the stat information and retrieve it ourselves, because it's
+ ## incomplete. Hopefully the dcache is still warm.
+
+ for line in f:
+ if line.endswith('\n'): line = line[:-1]
+
+ ## Extract the escaped name.
+ ff = line.split(None, 3)
+ if len(ff) != 4:
+ syserr("ignoring invalid line from rsync: `%s'" % line)
+ continue
+ tail = ff[3]
+ try:
+ spc = tail.index(' ')
+ except ValueError:
+ syserr("ignoring invalid line from rsync: `%s'" % line)
+ continue
+ name = tail[spc + 1:]
+
+ ## Now translate escape sequences.
+ name = RX_RSYNCESC.sub(lambda m: chr(int(m.group(1), 8)), name)
+
+ ## Call the client.
+ try:
+ fi = FileInfo(name)
+ except OSError, err:
+ syserr("failed to stat `%s': %s" % (name, err.strerror))
+ continue
+ func(fi)
+
+###--------------------------------------------------------------------------
+### The hash cache.
+
+class HashCache (object):
+
+ VERSION = 0
+ BUFSZ = 128*1024
+
+ INIT = [
+ """CREATE TABLE meta (
+ version INTEGER NOT NULL,
+ hash TEXT NOT NULL
+ );""",
+ """CREATE TABLE hash (
+ ino INTEGER PRIMARY KEY,
+ mtime INTEGER NOT NULL,
+ ctime INTEGER NOT NULL,
+ size INTEGER NOT NULL,
+ hash TEXT NOT NULL,
+ seen BOOLEAN NOT NULL DEFAULT TRUE
+ );""",
+ """PRAGMA journal_mode = WAL;"""
+ ]
+
+ def __init__(me, file, hash = None):
+
+ if file is None:
+
+ ## We're going this alone, with no cache.
+ db = None
+ if hash is None:
+ die("no hash specified and no database cache to read from")
+ else:
+
+ ## Connect to the database.
+ db = DB.connect(file)
+ db.text_factory = str
+
+ ## See whether we can understand the cache database.
+ c = db.cursor()
+ v = h = None
+ try:
+ c.execute('SELECT version, hash FROM meta')
+ v, h = c.fetchone()
+ if c.fetchone() is not None:
+ die("cache database corrupt: meta table has mutliple rows")
+ except (DB.Error, TypeError):
+ pass
+
+ ## If that didn't work, we'd better clear the thing and start again.
+ ## But only if we know how to initialize it.
+ if v != me.VERSION:
+
+ ## Explain the situation.
+ moan("cache version %s not understood" % v)
+ if hash is None:
+ if h is None:
+ die("can't initialize cache: no hash function set")
+ else:
+ hash = h
+ try:
+ H.new(hash)
+ except Exception:
+ die("unknown hash function `%s'" % hash)
+
+ ## Drop old things.
+ c.execute('SELECT type, name FROM sqlite_master')
+ for type, name in c.fetchall():
+ c.execute('DROP %s IF EXISTS %s' % (type, name))
+
+ ## Now we're ready to go.
+ for stmt in me.INIT:
+ c.execute(stmt)
+ c.execute('INSERT INTO meta VALUES (?, ?)', [me.VERSION, hash])
+ db.commit()
+
+ ## Check the hash function if necessary.
+ if hash is None:
+ hash = h
+ elif h is not None and h != hash:
+ die("hash mismatch: cache uses %s but %s requested" % (h, hash))
+
+ ## All done.
+ me.hash = hash
+ me._db = db
+ me._pend = 0
+
+ def hashfile(me, fi):
+
+ ## If this isn't a proper file then don't try to hash it.
+ if fi.err or not ST.S_ISREG(fi.st.st_mode):
+ return None
+
+ ## See whether there's a valid entry in the cache.
+ if me._db:
+ c = me._db.cursor()
+ c.execute(
+ 'SELECT mtime, size, hash, seen FROM hash WHERE ino = ?;',
+ [fi.st.st_ino])
+ r = c.fetchone()
+ if r is not None:
+ mt, sz, h, s = r
+ if mt == fi.st.st_mtime and \
+ sz == fi.st.st_size:
+ if not s:
+ c.execute('UPDATE hash SET seen = 1 WHERE ino = ?',
+ [fi.st.st_ino])
+ me._update()
+ return h
+
+ ## Hash the file. Beware raciness: update the file information from the
+ ## open descriptor, but set the size from what we actually read.
+ h = H.new(me.hash)
+ try:
+ with open(fi.name, 'rb') as f:
+ sz = 0
+ while True:
+ buf = f.read(me.BUFSZ)
+ if len(buf) == 0:
+ break
+ sz += len(buf)
+ h.update(buf)
+ fi.st = OS.fstat(f.fileno())
+ ##fi.st.st_size = sz
+ hash = h.digest()
+ except (OSError, IOError), err:
+ fi.st = None
+ fi.err = err
+ return None
+ hash = hash.encode('hex')
+
+ ## Insert a record into the database.
+ if me._db:
+ c.execute("""
+ INSERT OR REPLACE INTO hash
+ (ino, mtime, ctime, size, hash, seen)
+ VALUES
+ (?, ?, ?, ?, ?, 1);
+ """, [fi.st.st_ino,
+ fi.st.st_mtime,
+ fi.st.st_ctime,
+ fi.st.st_size,
+ hash])
+ me._update()
+
+ ## Done.
+ return hash
+
+ def _update(me):
+ me._pend += 1
+ if me._pend >= 1024:
+ me.flush()
+
+ def flush(me):
+ if me._db:
+ me._db.commit()
+ me._pend = 0
+
+ def need_db(me):
+ if not me._db:
+ die("no cache database")
+
+ def reset(me):
+ me.need_db()
+ c = me._db.cursor()
+ c.execute('UPDATE hash SET seen = 0 WHERE seen')
+ me.flush()
+
+ def prune(me):
+ me.need_db()
+ c = me._db.cursor()
+ c.execute('DELETE FROM hash WHERE NOT seen')
+ me.flush()
+
+###--------------------------------------------------------------------------
+### Printing output.
+
+class GenericFormatter (object):
+ def __init__(me, fi):
+ me.fi = fi
+ def _fmt_time(me, t):
+ tm = T.gmtime(t)
+ return T.strftime('%Y-%m-%dT%H:%M:%SZ', tm)
+ def _enc_name(me, n):
+ return ' \\-> '.join(n.encode('string_escape').split(' -> '))
+ def name(me):
+ return me._enc_name(me.fi.name)
+ def info(me):
+ return me.TYPE
+ def mode(me):
+ return '%06o' % me.fi.st.st_mode
+ def size(me):
+ return me.fi.st.st_size
+ def mtime(me):
+ return me._fmt_time(me.fi.st.st_mtime)
+ def owner(me):
+ return '%5d:%d' % (me.fi.st.st_uid, me.fi.st.st_gid)
+
+class ErrorFormatter (GenericFormatter):
+ def info(me):
+ return 'E%d %s' % (me.fi.err.errno, me.fi.err.strerror)
+ def error(me): return 'error'
+ mode = size = mtime = owner = error
+
+class SocketFormatter (GenericFormatter):
+ TYPE = 'socket'
+class PipeFormatter (GenericFormatter):
+ TYPE = 'fifo'
+
+class LinkFormatter (GenericFormatter):
+ TYPE = 'symbolic-link'
+ def name(me):
+ n = GenericFormatter.name(me)
+ try:
+ d = OS.readlink(me.fi.name)
+ return '%s -> %s' % (n, me._enc_name(d))
+ except OSError, err:
+ return '%s -> <E%d %s>' % (n, err.errno, err.strerror)
+
+class DirectoryFormatter (GenericFormatter):
+ TYPE = 'directory'
+ def name(me): return GenericFormatter.name(me) + '/'
+ def size(me): return 'dir'
+
+class DeviceFormatter (GenericFormatter):
+ def info(me):
+ return '%s %d:%d' % (me.TYPE,
+ OS.major(me.fi.st.st_rdev),
+ OS.minor(me.fi.st.st_rdev))
+class BlockDeviceFormatter (DeviceFormatter):
+ TYPE = 'block-device'
+class CharDeviceFormatter (DeviceFormatter):
+ TYPE = 'character-device'
+
+class FileFormatter (GenericFormatter):
+ TYPE = 'regular-file'
+
+class Reporter (object):
+
+ TYMAP = {
+ ST.S_IFSOCK: SocketFormatter,
+ ST.S_IFDIR: DirectoryFormatter,
+ ST.S_IFLNK: LinkFormatter,
+ ST.S_IFREG: FileFormatter,
+ ST.S_IFBLK: BlockDeviceFormatter,
+ ST.S_IFCHR: CharDeviceFormatter,
+ ST.S_IFIFO: PipeFormatter,
+ }
+
+ def __init__(me, db):
+ me._inomap = {}
+ me._vinomap = {}
+ me._db = db
+ me._hsz = int(H.new(db.hash).digest_size)
+
+ def file(me, fi):
+ h = me._db.hashfile(fi)
+ if fi.err:
+ fmt = ErrorFormatter(fi)
+ vino = 'error'
+ else:
+ fmt = me.TYMAP[ST.S_IFMT(fi.st.st_mode)](fi)
+ inoidx = fi.st.st_dev, fi.st.st_ino
+ try:
+ vino = me._inomap[inoidx]
+ except KeyError:
+ suffix = ''
+ seq = 0
+ while True:
+ vino = '%08x' % (Z.crc32(fi.name + suffix) & 0xffffffff)
+ if vino not in me._vinomap: break
+ suffix = '\0%d' % seq
+ seq += 1
+ me._inomap[inoidx] = vino
+ if h: info = h
+ else: info = '[%-*s]' % (2*me._hsz - 2, fmt.info())
+ print '%s %8s %6s %-12s %-20s %20s %s' % (
+ info, vino, fmt.mode(), fmt.owner(),
+ fmt.mtime(), fmt.size(), fmt.name())
+
+###--------------------------------------------------------------------------
+### Main program.
+
+FMTMAP = {
+ 'rsync': lambda f: enum_rsync(stdin, f),
+ 'find0': lambda f: enum_find0(stdin, f)
+}
+op = OP.OptionParser(
+ usage = '%prog [-a] [-c CACHE] [-f FORMAT] [-H HASH] [FILE ...]',
+ version = '%%prog, version %s' % VERSION,
+ description = '''\
+Print a digest of a filesystem (or a collection of specified files) to
+standard output. The idea is that the digest should be mostly /complete/
+(i.e., any `interesting\' change to the filesystem results in a different
+digest) and /canonical/ (i.e., identical filesystem contents result in
+identical output).
+''')
+
+for short, long, props in [
+ ('-a', '--all', { 'action': 'store_true', 'dest': 'all',
+ 'help': 'clear cache of all files not seen' }),
+ ('-c', '--cache', { 'dest': 'cache', 'metavar': 'FILE',
+ 'help': 'use FILE as a cache for file hashes' }),
+ ('-f', '--files', { 'dest': 'files', 'metavar': 'FORMAT',
+ 'type': 'choice', 'choices': FMTMAP.keys(),
+ 'help': 'read files to report in the given FORMAT' }),
+ ('-H', '--hash', { 'dest': 'hash', 'metavar': 'HASH',
+ ##'type': 'choice', 'choices': H.algorithms,
+ 'help': 'use HASH as the hash function' })]:
+ op.add_option(short, long, **props)
+opts, args = op.parse_args(argv)
+
+if not opts.files and len(args) <= 1:
+ die("no filename sources: nothing to do")
+db = HashCache(opts.cache, opts.hash)
+if opts.all:
+ db.reset()
+rep = Reporter(db)
+if opts.files:
+ FMTMAP[opts.files](rep.file)
+for dir in args[1:]:
+ enum_walk(dir, rep.file)
+if opts.all:
+ db.prune()
+db.flush()
+
+###----- That's all, folks --------------------------------------------------
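Review bot: The cache-hit test in `HashCache.hashfile` returns the stored hash when only `mtime` and `size` match the inode's row, so a file whose contents were replaced and whose mtime was then set back is reported with its old digest. `ctime` is written to the table on every insert but never read back, although an ordinary user cannot reset it the way they can reset mtime. I would select it too and require it to match: `'SELECT mtime, ctime, size, hash, seen FROM hash WHERE ino = ?;'`, `mt, ct, sz, h, s = r`, and `ct == fi.st.st_ctime` added to the comparison. The table is also keyed on `ino` alone, so names supplied through `-f` or through several FILE arguments that sit on different filesystems could apparently hit another device's row. Adding the device to the key would change the schema and so needs a `VERSION` bump.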
--- /dev/null
+## -*-conf-*-
+### Statically defined hosts.
+###
+### This file is maintained on ibanez: edit it there and run `update-slaves'.
+
+###--------------------------------------------------------------------------
+### Standard infrastructural names.
+
+## IPv4 names.
+127.0.0.1 localhost
+224.0.0.1 all-hosts.mcast.net all-hosts
+224.0.0.2 all-routers.mcast.net all-routers
+
+## IPv6 names.
+::1 ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+
+###--------------------------------------------------------------------------
+### Hosts on the local network.
+
+## Globally routable addresses.
+62.49.204.145 guvnor.dmz.distorted.org.uk guvnor.dmz
+2001:470:1f09:1b98::1 guvnor.dmz.distorted.org.uk guvnor.dmz
+62.49.204.146 radius.dmz.distorted.org.uk radius.dmz rd
+2001:470:1f09:1b98::2 radius.dmz.distorted.org.uk radius.dmz rd
+62.49.204.147 roadstar.dmz.distorted.org.uk roadstar.dmz rgd
+2001:470:1f09:1b98::3 roadstar.dmz.distorted.org.uk roadstar.dmz rgd
+62.49.204.148 jem.dmz.distorted.org.uk jem.dmz jd
+2001:470:1f09:1b98::4 jem.dmz.distorted.org.uk jem.dmz jd
+62.49.204.149 artist.dmz.distorted.org.uk artist.dmz ad
+2001:470:1f09:1b98::5 artist.dmz.distorted.org.uk artist.dmz ad
+62.49.204.150 vampire.dmz.distorted.org.uk vampire.dmz vd
+2001:470:1f09:1b98::6 vampire.dmz.distorted.org.uk vampire.dmz vd
+62.49.204.153 ibanez.dmz.distorted.org.uk ibanez.dmz id
+2001:470:1f09:1b98::9 ibanez.dmz.distorted.org.uk ibanez.dmz id
+62.49.204.156 anon.dmz.distorted.org.uk anon.dmz
+2001:470:1f09:1b98::c anon.dmz.distorted.org.uk anon.dmz
+62.49.204.158 nat.distorted.org.uk nat.dmz nat
+
+## Unsafe but trusted network.
+172.29.199.1 radius.distorted.org.uk radius.unsafe radius r ru
+2001:470:9740:1::1 radius.distorted.org.uk radius.unsafe radius r ru
+172.29.199.2 roadstar.distorted.org.uk roadstar.unsafe roadstar rg rgu
+2001:470:9740:1::2 roadstar.distorted.org.uk roadstar.unsafe roadstar rg rgu
+172.29.199.3 jem.distorted.org.uk jem.unsafe jem j ju
+2001:470:9740:1::3 jem.distorted.org.uk jem.unsafe jem j ju
+172.29.199.4 artist.distorted.org.uk artist.unsafe artist a au
+2001:470:9740:1::4 artist.distorted.org.uk artist.unsafe artist a au
+172.29.199.5 vampire.distorted.org.uk vampire.unsafe vampire v vu
+2001:470:9740:1::5 vampire.distorted.org.uk vampire.unsafe vampire v vu
+172.29.199.14 ibanez.distorted.org.uk ibanez.unsafe ibanez i iu
+2001:470:9740:1::e ibanez.distorted.org.uk ibanez.unsafe ibanez i iu
+172.29.199.17 groove.distorted.org.uk groove.vpn groove gr
+2001:470:9740:1::11 groove.distorted.org.uk groove.vpn groove gr
+
+## Safe, trusted network.
+172.29.199.193 radius.safe.distorted.org.uk radius.safe rs
+2001:470:9740:4001::1 radius.safe.distorted.org.uk radius.safe rs
+172.29.199.194 vampire.safe.distorted.org.uk vampire.safe vs
+2001:470:9740:4001::2 vampire.safe.distorted.org.uk vampire.safe vs
+172.29.199.195 evolution.distorted.org.uk evolution.safe evolution evo
+2001:470:9740:4001::3 evolution.distorted.org.uk evolution.safe evolution evo
+172.29.199.196 grigsby.distorted.org.uk grigsby tp0.distorted.org.uk tp0
+2001:470:9740:4001::4 grigsby.distorted.org.uk grigsby tp0.distorted.org.uk tp0
+172.29.199.197 carling.distorted.org.uk carling tp1.distorted.org.uk tp1
+2001:470:9740:4001::5 carling.distorted.org.uk carling tp1.distorted.org.uk tp1
+172.29.199.198 tritan.distorted.org.uk tritan tp2.distorted.org.uk tp2
+2001:470:9740:4001::6 tritan.distorted.org.uk tritan tp2.distorted.org.uk tp2
+
+## Untrusted network.
+172.29.198.1 radius.untrusted.distorted.org.uk radius.untrusted rx
+2001:470:9740:8001::1 radius.untrusted.distorted.org.uk radius.untrusted rx
+172.29.198.2 artist.untrusted.distorted.org.uk artist.untrusted ax
+2001:470:9740:8001::2 artist.untrusted.distorted.org.uk artist.untrusted ax
+172.29.198.3 vampire.untrusted.distorted.org.uk vampire.untrusted vx
+2001:470:9740:8001::3 vampire.untrusted.distorted.org.uk vampire.untrusted vx
+
+## Colocated border network.
+212.13.198.69 fender.jump.distorted.org.uk fender.jump fj
+2001:ba8:0:1d9::5 fender.jump.distorted.org.uk fender.jump fj
+212.13.198.70 precision.jump.distorted.org.uk precision.jump pj
+2001:ba8:0:1d9::6 precision.jump.distorted.org.uk precision.jump pj
+212.13.198.71 telecaster.jump.distorted.org.uk telecaster.jump tele.jump tj
+2001:ba8:0:1d9::7 telecaster.jump.distorted.org.uk telecaster.jump tele.jump tj
+212.13.198.72 stratocaster.jump.distorted.org.uk stratocaster.jump strat.jump sj
+2001:ba8:0:1d9::8 stratocaster.jump.distorted.org.uk stratocaster.jump strat.jump sj
+212.13.198.73 jazz.jump.distorted.org.uk jazz.jump zj
+2001:ba8:0:1d9::9 jazz.jump.distorted.org.uk jazz.jump zj
+212.13.198.75 jaguar.distorted.org.uk jaguar.jump.distorted.org.uk jaguar jaguar.jump jag
+2001:ba8:0:1d9::2:1 jaguar.distorted.org.uk jaguar.jump.distorted.org.uk jaguar jaguar.jump jag
+
+## Colocated internal network.
+172.29.199.177 fender.distorted.org.uk fender.colo fender f fc
+2001:ba8:1d9:2::1 fender.distorted.org.uk fender.colo fender f fc
+172.29.199.178 precision.distorted.org.uk precision.colo precision p pc
+2001:ba8:1d9:2::2 precision.distorted.org.uk precision.colo precision p pc
+172.29.199.179 telecaster.distorted.org.uk telecaster.colo telecaster tele t tc
+2001:ba8:1d9:2::3 telecaster.distorted.org.uk telecaster.colo telecaster tele t tc
+172.29.199.180 stratocaster.distorted.org.uk stratocaster.colo stratocaster strat s sc
+2001:ba8:1d9:2::4 stratocaster.distorted.org.uk stratocaster.colo stratocaster strat s sc
+172.29.199.181 jazz.distorted.org.uk jazz.colo jazz jz z zc anon anon.colo
+2001:ba8:1d9:2::5 jazz.distorted.org.uk jazz.colo jazz jz z zc anon anon.colo
+
+## Virtual private network.
+172.29.199.129 crybaby.distorted.org.uk crybaby.vpn crybaby cb
+2001:ba8:1d9:6000::1:1 crybaby.distorted.org.uk crybaby.vpn crybaby cb
+172.29.199.130 terror.distorted.org.uk terror.vpn terror
+172.29.199.131 orange.distorted.org.uk orange.vpn orange o
+2001:ba8:1d9:6000::3:1 orange.distorted.org.uk orange.vpn orange o
+172.29.199.132 haze.distorted.org.uk haze.vpn haze h
+2001:ba8:1d9:6000::4:1 haze.distorted.org.uk haze.vpn haze h
+172.29.199.133 radius.vpn.distorted.org.uk radius.vpn rv
+2001:ba8:1d9:6000::5:1 radius.vpn.distorted.org.uk radius.vpn rv
+172.29.199.134 precision.vpn.distorted.org.uk precision.vpn pv
+2001:ba8:1d9:6000::6:1 precision.vpn.distorted.org.uk precision.vpn pv
+172.29.199.135 jazz.vpn.distorted.org.uk jazz.vpn zv
+2001:ba8:1d9:6000::7:1 jazz.vpn.distorted.org.uk jazz.vpn zv
+172.29.199.136 vampire.vpn.distorted.org.uk vampire.vpn vv
+2001:ba8:1d9:6000::8:1 vampire.vpn.distorted.org.uk vampire.vpn vv
+
+###--------------------------------------------------------------------------
+### Satellite networks.
+
+## binswood.org.uk
+10.165.27.1 binswrt.binswood.org.uk binswrt.binswood binswrt bw
+10.165.27.3 mango.binswood.org.uk mango.binswood mango
+
+###----- That's all, folks --------------------------------------------------
--- /dev/null
+default 0.0.0.0
+loopback 127.0.0.0
+link-local 169.254.0.0
+
--- /dev/null
+# Network services, Internet style
+#
+# Note that it is presently the policy of IANA to assign a single well-known
+# port number for both TCP and UDP; hence, officially ports have two entries
+# even if the protocol doesn't support UDP operations.
+#
+# Updated from http://www.iana.org/assignments/port-numbers and other
+# sources like http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/services .
+# New ports will be added on request if they have been officially assigned
+# by IANA and used in the real-world or are needed by a debian package.
+# If you need a huge list of used numbers please install the nmap package.
+
+### This file is maintained on ibanez: edit it there and run `update-slaves'.
+
+tcpmux 1/tcp # TCP port service multiplexer
+echo 7/tcp
+echo 7/udp
+discard 9/tcp sink null
+discard 9/udp sink null
+systat 11/tcp users
+daytime 13/tcp
+daytime 13/udp
+netstat 15/tcp
+qotd 17/tcp quote
+msp 18/tcp # message send protocol
+msp 18/udp
+chargen 19/tcp ttytst source
+chargen 19/udp ttytst source
+ftp-data 20/tcp
+ftp 21/tcp
+fsp 21/udp fspd
+ssh 22/tcp # SSH Remote Login Protocol
+ssh 22/udp
+telnet 23/tcp
+smtp 25/tcp mail
+time 37/tcp timserver
+time 37/udp timserver
+rlp 39/udp resource # resource location
+nameserver 42/tcp name # IEN 116
+whois 43/tcp nicname
+tacacs 49/tcp # Login Host Protocol (TACACS)
+tacacs 49/udp
+re-mail-ck 50/tcp # Remote Mail Checking Protocol
+re-mail-ck 50/udp
+domain 53/tcp # name-domain server
+domain 53/udp
+mtp 57/tcp # deprecated
+tacacs-ds 65/tcp # TACACS-Database Service
+tacacs-ds 65/udp
+bootps 67/tcp # BOOTP server
+bootps 67/udp
+bootpc 68/tcp # BOOTP client
+bootpc 68/udp
+tftp 69/udp
+gopher 70/tcp # Internet Gopher
+gopher 70/udp
+rje 77/tcp netrjs
+finger 79/tcp
+www 80/tcp http # WorldWideWeb HTTP
+www 80/udp # HyperText Transfer Protocol
+link 87/tcp ttylink
+kerberos 88/tcp kerberos5 krb5 kerberos-sec kdc # Kerberos v5
+kerberos 88/udp kerberos5 krb5 kerberos-sec kdc # Kerberos v5
+supdup 95/tcp
+hostnames 101/tcp hostname # usually from sri-nic
+iso-tsap 102/tcp tsap # part of ISODE
+acr-nema 104/tcp dicom # Digital Imag. & Comm. 300
+acr-nema 104/udp dicom # Digital Imag. & Comm. 300
+csnet-ns 105/tcp cso-ns # also used by CSO name server
+csnet-ns 105/udp cso-ns
+rtelnet 107/tcp # Remote Telnet
+rtelnet 107/udp
+pop2 109/tcp postoffice pop-2 # POP version 2
+pop2 109/udp pop-2
+pop3 110/tcp pop-3 # POP version 3
+pop3 110/udp pop-3
+sunrpc 111/tcp portmapper # RPC 4.0 portmapper
+sunrpc 111/udp portmapper
+auth 113/tcp authentication tap ident
+sftp 115/tcp
+uucp-path 117/tcp
+nntp 119/tcp readnews untp # USENET News Transfer Protocol
+ntp 123/tcp
+ntp 123/udp # Network Time Protocol
+pwdgen 129/tcp # PWDGEN service
+pwdgen 129/udp # PWDGEN service
+loc-srv 135/tcp epmap # Location Service
+loc-srv 135/udp epmap
+netbios-ns 137/tcp # NETBIOS Name Service
+netbios-ns 137/udp
+netbios-dgm 138/tcp # NETBIOS Datagram Service
+netbios-dgm 138/udp
+netbios-ssn 139/tcp # NETBIOS session service
+netbios-ssn 139/udp
+imap2 143/tcp imap # Interim Mail Access P 2 and 4
+imap2 143/udp imap
+snmp 161/tcp # Simple Net Mgmt Protocol
+snmp 161/udp # Simple Net Mgmt Protocol
+snmp-trap 162/tcp snmptrap # Traps for SNMP
+snmp-trap 162/udp snmptrap # Traps for SNMP
+cmip-man 163/tcp # ISO mgmt over IP (CMOT)
+cmip-man 163/udp
+cmip-agent 164/tcp
+cmip-agent 164/udp
+mailq 174/tcp # Mailer transport queue for Zmailer
+mailq 174/udp # Mailer transport queue for Zmailer
+xdmcp 177/tcp # X Display Mgr. Control Proto
+xdmcp 177/udp
+nextstep 178/tcp NeXTStep NextStep # NeXTStep window
+nextstep 178/udp NeXTStep NextStep # server
+bgp 179/tcp # Border Gateway Protocol
+bgp 179/udp
+prospero 191/tcp # Cliff Neuman's Prospero
+prospero 191/udp
+irc 194/tcp # Internet Relay Chat
+irc 194/udp
+smux 199/tcp # SNMP Unix Multiplexer
+smux 199/udp
+at-rtmp 201/tcp # AppleTalk routing
+at-rtmp 201/udp
+at-nbp 202/tcp # AppleTalk name binding
+at-nbp 202/udp
+at-echo 204/tcp # AppleTalk echo
+at-echo 204/udp
+at-zis 206/tcp # AppleTalk zone information
+at-zis 206/udp
+qmtp 209/tcp # Quick Mail Transfer Protocol
+qmtp 209/udp # Quick Mail Transfer Protocol
+z3950 210/tcp wais # NISO Z39.50 database
+z3950 210/udp wais
+ipx 213/tcp # IPX
+ipx 213/udp
+imap3 220/tcp # Interactive Mail Access
+imap3 220/udp # Protocol v3
+pawserv 345/tcp # Perf Analysis Workbench
+pawserv 345/udp
+zserv 346/tcp # Zebra server
+zserv 346/udp
+fatserv 347/tcp # Fatmen Server
+fatserv 347/udp
+rpc2portmap 369/tcp
+rpc2portmap 369/udp # Coda portmapper
+codaauth2 370/tcp
+codaauth2 370/udp # Coda authentication server
+clearcase 371/tcp Clearcase
+clearcase 371/udp Clearcase
+ulistserv 372/tcp # UNIX Listserv
+ulistserv 372/udp
+ldap 389/tcp # Lightweight Directory Access Protocol
+ldap 389/udp
+imsp 406/tcp # Interactive Mail Support Protocol
+imsp 406/udp
+svrloc 427/tcp # Server Location
+svrloc 427/udp # Server Location
+https 443/tcp # http protocol over TLS/SSL
+https 443/udp
+snpp 444/tcp # Simple Network Paging Protocol
+snpp 444/udp
+microsoft-ds 445/tcp # Microsoft Naked CIFS
+microsoft-ds 445/udp
+kpasswd 464/tcp
+kpasswd 464/udp
+saft 487/tcp # Simple Asynchronous File Transfer
+saft 487/udp
+isakmp 500/tcp # IPsec - Internet Security Association
+isakmp 500/udp # and Key Management Protocol
+rtsp 554/tcp # Real Time Stream Control Protocol
+rtsp 554/udp # Real Time Stream Control Protocol
+nqs 607/tcp # Network Queuing system
+nqs 607/udp
+npmp-local 610/tcp dqs313_qmaster # npmp-local / DQS
+npmp-local 610/udp dqs313_qmaster
+npmp-gui 611/tcp dqs313_execd # npmp-gui / DQS
+npmp-gui 611/udp dqs313_execd
+hmmp-ind 612/tcp dqs313_intercell # HMMP Indication / DQS
+hmmp-ind 612/udp dqs313_intercell
+qmqp 628/tcp
+qmqp 628/udp
+ipp 631/tcp # Internet Printing Protocol
+ipp 631/udp
+#
+# UNIX specific services
+#
+exec 512/tcp
+biff 512/udp comsat
+login 513/tcp
+who 513/udp whod
+shell 514/tcp cmd # no passwords used
+syslog 514/udp
+printer 515/tcp spooler # line printer spooler
+talk 517/udp
+ntalk 518/udp
+route 520/udp router routed # RIP
+timed 525/udp timeserver
+tempo 526/tcp newdate
+courier 530/tcp rpc
+conference 531/tcp chat
+netnews 532/tcp readnews
+netwall 533/udp # for emergency broadcasts
+gdomap 538/tcp # GNUstep distributed objects
+gdomap 538/udp
+uucp 540/tcp uucpd # uucp daemon
+klogin 543/tcp # Kerberized `rlogin' (v5)
+kshell 544/tcp krcmd # Kerberized `rsh' (v5)
+dhcpv6-client 546/tcp
+dhcpv6-client 546/udp
+dhcpv6-server 547/tcp
+dhcpv6-server 547/udp
+afpovertcp 548/tcp # AFP over TCP
+afpovertcp 548/udp
+idfp 549/tcp
+idfp 549/udp
+remotefs 556/tcp rfs_server rfs # Brunhoff remote filesystem
+nntps 563/tcp snntp # NNTP over SSL
+nntps 563/udp snntp
+submission 587/tcp # Submission [RFC4409]
+submission 587/udp
+ldaps 636/tcp # LDAP over SSL
+ldaps 636/udp
+tinc 655/tcp # tinc control port
+tinc 655/udp
+silc 706/tcp
+silc 706/udp
+kerberos-adm 749/tcp # Kerberos `kadmin' (v5)
+#
+webster 765/tcp # Network dictionary
+webster 765/udp
+rsync 873/tcp
+rsync 873/udp
+ftps-data 989/tcp # FTP over SSL (data)
+ftps 990/tcp
+telnets 992/tcp # Telnet over SSL
+telnets 992/udp
+imaps 993/tcp # IMAP over SSL
+imaps 993/udp
+ircs 994/tcp # IRC over SSL
+ircs 994/udp
+pop3s 995/tcp # POP-3 over SSL
+pop3s 995/udp
+#
+# From ``Assigned Numbers'':
+#
+#> The Registered Ports are not controlled by the IANA and on most systems
+#> can be used by ordinary user processes or programs executed by ordinary
+#> users.
+#
+#> Ports are used in the TCP [45,106] to name the ends of logical
+#> connections which carry long term conversations. For the purpose of
+#> providing services to unknown callers, a service contact port is
+#> defined. This list specifies the port used by the server process as its
+#> contact port. While the IANA can not control uses of these ports it
+#> does register or list uses of these ports as a convienence to the
+#> community.
+#
+socks 1080/tcp # socks proxy server
+socks 1080/udp
+proofd 1093/tcp
+proofd 1093/udp
+rootd 1094/tcp
+rootd 1094/udp
+openvpn 1194/tcp
+openvpn 1194/udp
+rmiregistry 1099/tcp # Java RMI Registry
+rmiregistry 1099/udp
+kazaa 1214/tcp
+kazaa 1214/udp
+nessus 1241/tcp # Nessus vulnerability
+nessus 1241/udp # assessment scanner
+lotusnote 1352/tcp lotusnotes # Lotus Note
+lotusnote 1352/udp lotusnotes
+ms-sql-s 1433/tcp # Microsoft SQL Server
+ms-sql-s 1433/udp
+ms-sql-m 1434/tcp # Microsoft SQL Monitor
+ms-sql-m 1434/udp
+ingreslock 1524/tcp
+ingreslock 1524/udp
+prospero-np 1525/tcp # Prospero non-privileged
+prospero-np 1525/udp
+datametrics 1645/tcp old-radius
+datametrics 1645/udp old-radius
+sa-msg-port 1646/tcp old-radacct
+sa-msg-port 1646/udp old-radacct
+kermit 1649/tcp
+kermit 1649/udp
+l2f 1701/tcp l2tp
+l2f 1701/udp l2tp
+radius 1812/tcp
+radius 1812/udp
+radius-acct 1813/tcp radacct # Radius Accounting
+radius-acct 1813/udp radacct
+msnp 1863/tcp # MSN Messenger
+msnp 1863/udp
+unix-status 1957/tcp # remstats unix-status server
+log-server 1958/tcp # remstats log server
+remoteping 1959/tcp # remstats remoteping server
+cisco-sccp 2000/tcp # Cisco SCCP
+cisco-sccp 2000/udp
+search 2010/tcp ndtp
+pipe_server 2010/tcp
+nfs 2049/tcp # Network File System
+nfs 2049/udp # Network File System
+gnunet 2086/tcp
+gnunet 2086/udp
+rtcm-sc104 2101/tcp # RTCM SC-104 IANA 1/29/99
+rtcm-sc104 2101/udp
+gsigatekeeper 2119/tcp
+gsigatekeeper 2119/udp
+gris 2135/tcp # Grid Resource Information Server
+gris 2135/udp # Grid Resource Information Server
+cvspserver 2401/tcp # CVS client/server operations
+cvspserver 2401/udp
+venus 2430/tcp # codacon port
+venus 2430/udp # Venus callback/wbc interface
+venus-se 2431/tcp # tcp side effects
+venus-se 2431/udp # udp sftp side effect
+codasrv 2432/tcp # not used
+codasrv 2432/udp # server port
+codasrv-se 2433/tcp # tcp side effects
+codasrv-se 2433/udp # udp sftp side effect
+mon 2583/tcp # MON traps
+mon 2583/udp
+dict 2628/tcp # Dictionary server
+dict 2628/udp
+gsiftp 2811/tcp
+gsiftp 2811/udp
+gpsd 2947/tcp
+gpsd 2947/udp
+gds_db 3050/tcp # InterBase server
+gds_db 3050/udp
+icpv2 3130/tcp icp # Internet Cache Protocol
+icpv2 3130/udp icp
+mysql 3306/tcp
+mysql 3306/udp
+nut 3493/tcp # Network UPS Tools
+nut 3493/udp
+distcc 3632/tcp # distributed compiler
+distcc 3632/udp
+daap 3689/tcp # Digital Audio Access Protocol
+daap 3689/udp
+svn 3690/tcp subversion # Subversion protocol
+svn 3690/udp subversion
+suucp 4031/tcp # UUCP over SSL
+suucp 4031/udp # UUCP over SSL
+sysrqd 4094/tcp # sysrq daemon
+sysrqd 4094/udp # sysrq daemon
+sieve 4190/tcp # ManageSieve Protocol
+epmd 4369/tcp # Erlang Port Mapper Daemon
+epmd 4369/udp # Erlang Port Mapper Daemon
+remctl 4373/tcp # Remote Authenticated Command Service
+remctl 4373/udp # Remote Authenticated Command Service
+iax 4569/tcp # Inter-Asterisk eXchange
+iax 4569/udp
+mtn 4691/tcp # monotone Netsync Protocol
+mtn 4691/udp # monotone Netsync Protocol
+radmin-port 4899/tcp # RAdmin Port
+radmin-port 4899/udp
+rfe 5002/udp # Radio Free Ethernet
+rfe 5002/tcp
+mmcc 5050/tcp # multimedia conference control tool (Yahoo IM)
+mmcc 5050/udp
+sip 5060/tcp # Session Initiation Protocol
+sip 5060/udp
+sip-tls 5061/tcp
+sip-tls 5061/udp
+aol 5190/tcp # AIM
+aol 5190/udp
+xmpp-client 5222/tcp jabber-client # Jabber Client Connection
+xmpp-client 5222/udp jabber-client
+xmpp-server 5269/tcp jabber-server # Jabber Server Connection
+xmpp-server 5269/udp jabber-server
+cfengine 5308/tcp
+cfengine 5308/udp
+mdns 5353/tcp # Multicast DNS
+mdns 5353/udp # Multicast DNS
+postgresql 5432/tcp postgres # PostgreSQL Database
+postgresql 5432/udp postgres
+freeciv 5556/tcp rptp # Freeciv gameplay
+freeciv 5556/udp
+amqp 5672/tcp
+amqp 5672/udp
+amqp 5672/sctp
+ggz 5688/tcp # GGZ Gaming Zone
+ggz 5688/udp # GGZ Gaming Zone
+x11 6000/tcp x11-0 # X Window System
+x11 6000/udp x11-0
+x11-1 6001/tcp
+x11-1 6001/udp
+x11-2 6002/tcp
+x11-2 6002/udp
+x11-3 6003/tcp
+x11-3 6003/udp
+x11-4 6004/tcp
+x11-4 6004/udp
+x11-5 6005/tcp
+x11-5 6005/udp
+x11-6 6006/tcp
+x11-6 6006/udp
+x11-7 6007/tcp
+x11-7 6007/udp
+gnutella-svc 6346/tcp # gnutella
+gnutella-svc 6346/udp
+gnutella-rtr 6347/tcp # gnutella
+gnutella-rtr 6347/udp
+sge_qmaster 6444/tcp # Grid Engine Qmaster Service
+sge_qmaster 6444/udp # Grid Engine Qmaster Service
+sge_execd 6445/tcp # Grid Engine Execution Service
+sge_execd 6445/udp # Grid Engine Execution Service
+mysql-proxy 6446/tcp # MySQL Proxy
+mysql-proxy 6446/udp # MySQL Proxy
+afs3-fileserver 7000/tcp bbs # file server itself
+afs3-fileserver 7000/udp bbs
+afs3-callback 7001/tcp # callbacks to cache managers
+afs3-callback 7001/udp
+afs3-prserver 7002/tcp # users & groups database
+afs3-prserver 7002/udp
+afs3-vlserver 7003/tcp # volume location database
+afs3-vlserver 7003/udp
+afs3-kaserver 7004/tcp # AFS/Kerberos authentication
+afs3-kaserver 7004/udp
+afs3-volser 7005/tcp # volume managment server
+afs3-volser 7005/udp
+afs3-errors 7006/tcp # error interpretation service
+afs3-errors 7006/udp
+afs3-bos 7007/tcp # basic overseer process
+afs3-bos 7007/udp
+afs3-update 7008/tcp # server-to-server updater
+afs3-update 7008/udp
+afs3-rmtsys 7009/tcp # remote cache manager service
+afs3-rmtsys 7009/udp
+font-service 7100/tcp xfs # X Font Service
+font-service 7100/udp xfs
+http-alt 8080/tcp webcache # WWW caching service
+http-alt 8080/udp # WWW caching service
+bacula-dir 9101/tcp # Bacula Director
+bacula-dir 9101/udp
+bacula-fd 9102/tcp # Bacula File Daemon
+bacula-fd 9102/udp
+bacula-sd 9103/tcp # Bacula Storage Daemon
+bacula-sd 9103/udp
+xmms2 9667/tcp # Cross-platform Music Multiplexing System
+xmms2 9667/udp # Cross-platform Music Multiplexing System
+nbd 10809/tcp # Linux Network Block Device
+zabbix-agent 10050/tcp # Zabbix Agent
+zabbix-agent 10050/udp # Zabbix Agent
+zabbix-trapper 10051/tcp # Zabbix Trapper
+zabbix-trapper 10051/udp # Zabbix Trapper
+amanda 10080/tcp # amanda backup services
+amanda 10080/udp
+hkp 11371/tcp # OpenPGP HTTP Keyserver
+hkp 11371/udp # OpenPGP HTTP Keyserver
+bprd 13720/tcp # VERITAS NetBackup
+bprd 13720/udp
+bpdbm 13721/tcp # VERITAS NetBackup
+bpdbm 13721/udp
+bpjava-msvc 13722/tcp # BP Java MSVC Protocol
+bpjava-msvc 13722/udp
+vnetd 13724/tcp # Veritas Network Utility
+vnetd 13724/udp
+bpcd 13782/tcp # VERITAS NetBackup
+bpcd 13782/udp
+vopied 13783/tcp # VERITAS NetBackup
+vopied 13783/udp
+dcap 22125/tcp # dCache Access Protocol
+gsidcap 22128/tcp # GSI dCache Access Protocol
+wnn6 22273/tcp # wnn6
+wnn6 22273/udp
+
+#
+# Datagram Delivery Protocol services
+#
+rtmp 1/ddp # Routing Table Maintenance Protocol
+nbp 2/ddp # Name Binding Protocol
+echo 4/ddp # AppleTalk Echo Protocol
+zip 6/ddp # Zone Information Protocol
+
+#=========================================================================
+# The remaining port numbers are not as allocated by IANA.
+#=========================================================================
+
+# Kerberos (Project Athena/MIT) services
+# Note that these are for Kerberos v4, and are unofficial. Sites running
+# v4 should uncomment these and comment out the v5 entries above.
+#
+kerberos4 750/udp kerberos-iv kdc # Kerberos (server)
+kerberos4 750/tcp kerberos-iv kdc
+kerberos_master 751/udp # Kerberos authentication
+kerberos_master 751/tcp
+passwd_server 752/udp # Kerberos passwd server
+krb_prop 754/tcp krb5_prop hprop # Kerberos slave propagation
+krbupdate 760/tcp kreg # Kerberos registration
+swat 901/tcp # swat
+kpop 1109/tcp # Pop with Kerberos
+knetd 2053/tcp # Kerberos de-multiplexor
+zephyr-srv 2102/udp # Zephyr server
+zephyr-clt 2103/udp # Zephyr serv-hm connection
+zephyr-hm 2104/udp # Zephyr hostmanager
+eklogin 2105/tcp # Kerberos encrypted rlogin
+# Hmmm. Are we using Kv4 or Kv5 now? Worrying.
+# The following is probably Kerberos v5 --- ajt@debian.org (11/02/2000)
+kx 2111/tcp # X over Kerberos
+iprop 2121/tcp # incremental propagation
+#
+# Unofficial but necessary (for NetBSD) services
+#
+supfilesrv 871/tcp # SUP server
+supfiledbg 1127/tcp # SUP debugging
+
+#
+# Services added for the Debian GNU/Linux distribution
+#
+linuxconf 98/tcp # LinuxConf
+poppassd 106/tcp # Eudora
+poppassd 106/udp
+ssmtp 465/tcp smtps # SMTP over SSL
+moira_db 775/tcp # Moira database
+moira_update 777/tcp # Moira update protocol
+moira_ureg 779/udp # Moira user registration
+spamd 783/tcp # spamassassin daemon
+omirr 808/tcp omirrd # online mirror
+omirr 808/udp omirrd
+customs 1001/tcp # pmake customs server
+customs 1001/udp
+skkserv 1178/tcp # skk jisho server port
+predict 1210/udp # predict -- satellite tracking
+rmtcfg 1236/tcp # Gracilis Packeten remote config server
+wipld 1300/tcp # Wipl network monitor
+xtel 1313/tcp # french minitel
+xtelw 1314/tcp # french minitel
+support 1529/tcp # GNATS
+cfinger 2003/tcp # GNU Finger
+frox 2121/tcp # frox: caching ftp proxy
+ninstall 2150/tcp # ninstall service
+ninstall 2150/udp
+zebrasrv 2600/tcp # zebra service
+zebra 2601/tcp # zebra vty
+ripd 2602/tcp # ripd vty (zebra)
+ripngd 2603/tcp # ripngd vty (zebra)
+ospfd 2604/tcp # ospfd vty (zebra)
+bgpd 2605/tcp # bgpd vty (zebra)
+ospf6d 2606/tcp # ospf6d vty (zebra)
+ospfapi 2607/tcp # OSPF-API
+isisd 2608/tcp # ISISd vty (zebra)
+afbackup 2988/tcp # Afbackup system
+afbackup 2988/udp
+afmbackup 2989/tcp # Afmbackup system
+afmbackup 2989/udp
+xtell 4224/tcp # xtell server
+fax 4557/tcp # FAX transmission service (old)
+hylafax 4559/tcp # HylaFAX client-server protocol (new)
+distmp3 4600/tcp # distmp3host daemon
+munin 4949/tcp lrrd # Munin
+enbd-cstatd 5051/tcp # ENBD client statd
+enbd-sstatd 5052/tcp # ENBD server statd
+pcrd 5151/tcp # PCR-1000 Daemon
+noclog 5354/tcp # noclogd with TCP (nocol)
+noclog 5354/udp # noclogd with UDP (nocol)
+hostmon 5355/tcp # hostmon uses TCP (nocol)
+hostmon 5355/udp # hostmon uses UDP (nocol)
+rplay 5555/udp # RPlay audio service
+nrpe 5666/tcp # Nagios Remote Plugin Executor
+nsca 5667/tcp # Nagios Agent - NSCA
+mrtd 5674/tcp # MRT Routing Daemon
+bgpsim 5675/tcp # MRT Routing Simulator
+canna 5680/tcp # cannaserver
+sane-port 6566/tcp sane saned # SANE network scanner daemon
+ircd 6667/tcp # Internet Relay Chat
+zope-ftp 8021/tcp # zope management by ftp
+tproxy 8081/tcp # Transparent Proxy
+omniorb 8088/tcp # OmniORB
+omniorb 8088/udp
+clc-build-daemon 8990/tcp # Common lisp build daemon
+xinetd 9098/tcp
+mandelspawn 9359/udp mandelbrot # network mandelbrot
+git 9418/tcp # Git Version Control System
+zope 9673/tcp # zope server
+webmin 10000/tcp
+kamanda 10081/tcp # amanda backup services (Kerberos)
+kamanda 10081/udp
+amandaidx 10082/tcp # amanda backup services
+amidxtape 10083/tcp # amanda backup services
+smsqp 11201/tcp # Alamin SMS gateway
+smsqp 11201/udp
+xpilot 15345/tcp # XPilot Contact Port
+xpilot 15345/udp
+sgi-cmsd 17001/udp # Cluster membership services daemon
+sgi-crsd 17002/udp
+sgi-gcd 17003/udp # SGI Group membership daemon
+sgi-cad 17004/tcp # Cluster Admin daemon
+isdnlog 20011/tcp # isdn logging system
+isdnlog 20011/udp
+vboxd 20012/tcp # voice box system
+vboxd 20012/udp
+binkp 24554/tcp # binkp fidonet protocol
+asp 27374/tcp # Address Search Protocol
+asp 27374/udp
+csync2 30865/tcp # cluster synchronization tool
+dircproxy 57000/tcp # Detachable IRC Proxy
+tfido 60177/tcp # fidonet EMSI over telnet
+fido 60179/tcp # fidonet EMSI over TCP
+
+###--------------------------------------------------------------------------
+### Local services.
+
+## VPN. This one is allocated by IANA.
+tripe 4090/udp # Trivial IP Encryption (VPN)
+
+## Kerberos.
+kerberos-adm 749/tcp # Kerberos 5 admin/changepw
+kerberos-adm 749/udp # Kerberos 5 admin/changepw
+
+## Web proxy.
+wwwcache 3128/tcp # Squid proxy port
+
+## Remote management.
+ipmi 623/udp # IPMI network protocol
+
+## NFS-related services, as recommended in http://wiki.debian.org/SecuringNFS
+rpc.statd-bc 32765/tcp # RPC statd broadcast
+rpc.statd-bc 32765/udp # RPC statd broadcast
+rpc.statd 32766/tcp # RPC statd listen
+rpc.statd 32766/udp # RPC statd listen
+rpc.mountd 32767/tcp # RPC mountd
+rpc.mountd 32767/udp # RPC mountd
+rcp.lockd 32768/tcp # RPC lockd/nlockmgr
+rcp.lockd 32768/udp # RPC lockd/nlockmgr
+rpc.quotad 32769/tcp # RPC quotad
+rpc.quotad 32769/udp # RPC quotad
--- /dev/null
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 16570956933538312940 (0xe5f7dd88cbd8f2ec)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=GB, ST=Cambridgeshire, L=Cambridge, O=distorted.org.uk, CN=distorted.org.uk Certificate Authority/emailAddress=ca@distorted.org.uk
+ Validity
+ Not Before: Dec 1 14:27:13 2012 GMT
+ Not After : Nov 29 14:27:13 2022 GMT
+ Subject: C=GB, ST=Cambridgeshire, L=Cambridge, O=distorted.org.uk, CN=distorted.org.uk Certificate Authority/emailAddress=ca@distorted.org.uk
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (3072 bit)
+ Modulus:
+ 00:ba:88:24:78:37:a2:42:8b:1a:03:88:28:46:d8:
+ dc:ad:3a:20:ba:2e:d0:fd:3b:b1:09:64:4a:63:35:
+ cb:ff:ab:c4:b3:31:19:80:00:ca:67:b8:90:86:3d:
+ fd:2c:72:c4:31:40:99:00:e8:cf:4e:72:54:9a:6e:
+ b1:11:ed:0b:c5:de:9d:88:f2:03:93:f1:ee:3a:d9:
+ 56:4e:cb:c7:5c:2e:c3:41:e4:d8:d3:a9:cd:54:b1:
+ 43:e4:4f:24:f4:1c:d6:3d:11:f1:12:b4:a5:89:4a:
+ d5:8e:99:6c:ef:85:ca:64:23:07:3b:f6:91:fa:86:
+ e9:db:55:5f:8d:2c:5f:8b:dd:0e:02:49:59:4a:31:
+ b9:57:6a:97:f9:50:e4:5a:f6:df:20:53:4f:53:bb:
+ 01:08:f6:2c:59:08:db:6b:ee:b9:e2:ef:db:f6:35:
+ 24:12:29:e7:10:49:52:80:8e:9f:d3:16:96:94:ae:
+ 68:bc:40:c9:a7:9a:08:9c:7e:4f:d0:c1:ae:45:b0:
+ 8a:da:a6:60:5d:29:06:8f:a3:af:ed:72:1a:ef:c6:
+ cf:bf:2b:3f:c0:2f:26:30:85:63:04:4b:61:8c:20:
+ da:0a:f9:c1:4a:10:66:bf:ab:fe:ef:41:55:d3:c9:
+ ab:29:a9:03:94:f0:13:08:a2:14:f3:e8:50:c4:01:
+ 31:41:61:06:e9:14:13:3b:52:bb:01:ef:09:40:4f:
+ 27:78:7b:6e:13:61:6c:24:ce:bf:60:c0:06:eb:87:
+ 31:ac:00:b0:f1:0a:5c:3b:72:92:3a:3c:ee:8a:69:
+ 22:25:af:87:21:5e:47:98:62:86:0e:2b:72:87:ad:
+ 7d:a9:79:5f:80:3b:52:1c:f8:9b:09:72:ce:9a:e9:
+ d2:07:3e:1e:58:d9:1c:5b:3f:e3:cc:4e:ef:9d:54:
+ 45:91:83:6a:99:92:9a:42:b1:54:ff:67:9d:fc:49:
+ 02:9f:b0:cd:7d:3a:d1:8f:5b:d3:69:dd:ba:eb:08:
+ c6:7e:4a:80:58:d6:0f:10:c5:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Key Usage: critical
+ Certificate Sign
+ X509v3 Subject Key Identifier:
+ 73:9C:A1:60:E2:B2:1B:D0:F2:10:33:C1:11:97:73:9A:6E:5B:AB:CA
+ X509v3 Subject Alternative Name:
+ email:ca@distorted.org.uk
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://www.distorted.org.uk/ca/crl
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 6b:1f:b0:49:bc:07:25:8a:75:47:03:b4:85:47:c8:b6:9b:93:
+ 6b:7c:aa:c9:15:74:eb:d2:81:57:10:e2:6c:b6:42:4a:4b:18:
+ 11:80:04:1b:1e:67:63:41:70:a1:b3:2a:6c:e6:82:77:9d:a4:
+ 83:9e:f0:e4:c7:0e:56:0f:f1:1e:61:ff:a3:27:f1:4b:aa:9a:
+ fd:27:a7:ba:13:f9:9a:b6:b8:e6:6d:78:fc:2b:21:5f:62:b7:
+ 73:3a:38:94:30:4e:80:b7:1f:84:dc:1a:68:da:fa:99:19:08:
+ c3:e0:7f:d2:08:8b:25:c1:69:e5:d5:24:5e:33:4c:5c:cc:d2:
+ a7:27:2b:01:da:3c:50:c3:58:64:73:f7:7f:88:12:b5:6e:41:
+ eb:07:8e:c5:79:e7:3d:e1:da:e6:9b:3c:c8:c4:b9:92:71:a1:
+ 5d:01:95:4e:92:9e:e5:7f:ed:71:e4:27:3e:97:10:de:5d:1a:
+ a1:37:a3:1f:f0:fe:09:fe:ce:72:e7:f5:a0:5c:54:19:6f:f7:
+ 62:a8:c8:66:09:77:6c:d8:73:d9:1d:c0:cd:65:c9:bd:27:9a:
+ 8a:10:dc:0b:1e:08:ec:39:99:50:89:2f:bc:ca:a2:13:55:c6:
+ 7f:2c:96:f1:2b:46:cf:9c:70:31:9d:7f:11:72:18:67:5d:a7:
+ c9:03:a7:1f:6b:cc:ac:a3:ae:e2:2e:01:bd:7f:a3:8d:ca:aa:
+ 20:72:9c:81:84:5b:34:c5:93:1a:bd:e7:52:4f:00:9a:dd:c3:
+ af:0a:a1:e4:64:aa:d9:62:80:ce:b9:c8:57:38:03:54:d0:e1:
+ ae:0c:a9:09:da:44:88:32:58:0d:58:1f:6d:f5:c8:9b:65:fe:
+ 02:57:44:ea:e1:ae:42:5f:63:24:b6:f2:99:d8:e0:3d:35:6c:
+ 64:da:f7:7f:1c:f7:31:96:a4:38:93:ca:10:bc:e6:bf:d8:92:
+ ae:bc:e2:c1:df:57:45:6b:71:7b:d0:ea:43:8e:c7:87:61:77:
+ 16:17:10:01:ef:6b
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
--- /dev/null
+### key add -adh-param -Asha256-mgf -n128 -LS -b2053 -B224 tls-param
+keyid: 1d275741
+tag: <none>
+type: tls-param
+expiry: 2014-02-09 12:54:55 GMT
+delete: 2014-02-09 12:54:55 GMT
+comment: <none>
+attributes:
+ genseed = wi+aoJDdKOFT6dWEU4kI2Q==
+ seedalg = sha256-mgf
+ factors = 25628173794965459148662154755507710741791028195724330392802159422363,
+ 23811438124381247217321230401533611940976915392825052997536081610507,
+ 26275640499985683069419899154277340447423514251466047604672441535359,
+ 15744921865728376733504714056932687844736336554772813867027917373369,
+ 14571722492400529289497370737312585068735319010775321956515864166347,
+ 21818144882486013845852086942457160224413719464451247588201008896789,
+ 17162867383501409601861420964333397219709230017882544459910683886593,
+ 24864351326571479769690396762702924550061869223096319281017678709539,
+ 332484314929097640929322655956464533664591816173441051661092105906161372022243
+key: {
+ p = 22776865583712030790367384668088221584543419673920166884379692662984252870029859921034405747249167040667056325234151341282361256792042947039044164901553881759256888545670437638183519848216861454689725824445732202608093522096528797209029707704715051673914754751199015894007649263132043295955899305099369111705233363264874492115584860564160940283158668074340077531066436014005054259363495043312216798971787474791288757088129447384713646105528914634725020007328931507087348770461048545136523608574722819552686860923334787408823896388056590057944405567188617916405496780795175946735233906210408927704061739282164790656387
+ g = 6535512044329258663746685839550485727558099773690539635801549184488020961476332224800626537814730025495792072150140201611996005821244919688021282275232298087775965396463825259078046405157417614973898692445438447309185015577240016525153526431414428085869925456074716544216492418857668693561751830412213845544012946512175262020475004426125263500284425565949677587260328578319141926318492592560209940965848698920497777749069204212173216554124353412328082212662992818436664252025501254804880731042804592969527846247819850879366739906103217554952601493934303970385819986220354980965783318612371961374595592603464626324070
+ q = 25628173794965459148662154755507710741791028195724330392802159422363
+}
+ PKCS#3 DH Parameters: (2048 bit)
+ prime:
+ 00:b4:6d:72:9e:c8:db:21:69:96:34:f0:53:c8:5a:
+ e6:d0:0b:99:81:1d:ba:43:e1:7a:c8:48:96:00:6b:
+ cc:e8:f6:dc:be:a2:a4:ae:55:04:74:6f:91:b9:b2:
+ d4:48:9f:d6:77:d7:74:0b:b4:30:7b:c1:1a:45:6c:
+ 97:9d:0d:aa:5f:94:a8:ec:4a:f6:31:92:19:ef:13:
+ 65:6d:d9:fa:16:da:91:d9:80:5c:56:3b:58:77:47:
+ b3:58:ce:3a:3e:72:9b:c5:5d:17:ad:d1:ca:0a:57:
+ c4:ec:d7:ee:35:50:5d:24:b7:b8:bf:54:98:db:97:
+ 97:ee:c1:94:cf:e0:69:c8:04:bd:80:ff:3c:23:4e:
+ aa:e1:3f:b8:55:ae:df:f3:0a:d6:0c:8c:12:59:71:
+ 0e:1a:e2:52:f0:ac:7f:18:7a:fc:36:61:ab:77:9e:
+ 3c:33:84:cd:61:e6:2d:34:3e:9f:7d:17:0c:88:66:
+ c9:9e:90:db:f0:66:24:79:a3:c9:9d:96:5d:ee:d9:
+ aa:dc:74:43:b5:23:66:72:37:e3:04:74:a9:97:a3:
+ d4:41:94:9f:87:3a:3e:e7:b0:81:00:63:29:91:48:
+ d0:6a:dc:e2:5f:43:64:0a:eb:8f:1e:81:91:03:1a:
+ a1:d5:e9:32:d7:b0:1b:d8:fe:99:21:b2:51:9e:f4:
+ fd:83
+ generator: 2 (0x2)
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAtG1ynsjbIWmWNPBTyFrm0AuZgR26Q+F6yEiWAGvM6PbcvqKkrlUE
+dG+RubLUSJ/Wd9d0C7Qwe8EaRWyXnQ2qX5So7Er2MZIZ7xNlbdn6FtqR2YBcVjtY
+d0ezWM46PnKbxV0XrdHKClfE7NfuNVBdJLe4v1SY25eX7sGUz+BpyAS9gP88I06q
+4T+4Va7f8wrWDIwSWXEOGuJS8Kx/GHr8NmGrd548M4TNYeYtND6ffRcMiGbJnpDb
+8GYkeaPJnZZd7tmq3HRDtSNmcjfjBHSpl6PUQZSfhzo+57CBAGMpkUjQatziX0Nk
+CuuPHoGRAxqh1eky17Ab2P6ZIbJRnvT9gwIBAg==
+-----END DH PARAMETERS-----
--- /dev/null
+### key add -adh-param -Asha256-mgf -n128 -LS -b3076 -B256 tls-param
+keyid: 0241383a
+tag: <none>
+type: tls-param
+expiry: 2013-12-22 10:06:11 GMT
+delete: 2013-12-22 10:06:11 GMT
+comment: <none>
+attributes:
+ genseed = pmweI8TM8z97V5cMz4SxDw==
+ seedalg = sha256-mgf
+ factors = 76299672778585109227586065196249212078992548341882943096782659243409653858497,
+ 106903045773099875882710785046140136819321506108162412296688492762767548829253,
+ 103310011398334117850930711721790004717141991550731127510694599169210821154023,
+ 99804578699726663269664694004275215226052726441353242410431647509530422034749,
+ 109484260470875557519197828122260999595187616678246431195204478993922816483233,
+ 81910940141774088385926192272675341931808229422367067813481469672581662142449,
+ 78606395202673908605947290407730593907739810566754966671697770613580491969649,
+ 80233163018087394422493792459040510162632368175639082356993879272039858219171,
+ 60159484928028940229225637221687274639298282972458447117280310277994132829599,
+ 75333669283284144307719796310662061239471651079367770009826444327394649758349,
+ 61251876138930860888115739163978926628102666477542263877214306662534076129263,
+ 1703179010696044263906647663968752539806092657149536496044465707327663091986047
+key: {
+ p = 4497942938077873944425784618179827542237908003253752562448339127374337963339173762617167196593229056860981254852713354733150705016182121938157177099047797445952986544291728480506397810603716727582305708672246127016820686421039708003869632545374570778838193193653681987900197918264100644961404725742553728356758333762011972683455259277701265102348157894161679372345534271640171051704947847398664849540519114215430391883201139553487057243412219058944800228773431290081683289297551838860242423437300134326373978229574732053865317058316111231485398464882049385817132653104586614851574232122654802645405582810439488131396226472241200725681050288328548572718882115709228124057076604983380586967622808776365872349087844872079863912081981895749467076688435792247130013663105446904895498189663326586916135669162483431024008793117922671682696173929229421254914410849008384382400893167293948750619359569709195938261074036355642151422623
+ g = 4457305826154257890994837352846221000668547232771645349088105755729753535847065063871700989400379053703020868777776266229974100915565927638724808182369055966244413764305911426991692015981299184658681032074105368610736959558172581784430387524865954707013807524263592377900502489192272536286759497194012518932125689991702802383827937037704335949874249310793725165094655979093528678359319121511302499570771186712089259419662727297634887534518177922943995902656134867348829436485687386774595480597822952662719420611236295245974521549563124261912998312537637725225206343040203842528687055109100017875863997044182932356190341834865952893475699357135542012580224524776421622407614156924688023051208862785836798330892014189779227965088771245786143709214913494585661278201101968140934348912691533063187928261912391218363446650076697251000946020982809324463125191097399228754391008655057230057511830170366722450504534570604356113235339
+ q = 76299672778585109227586065196249212078992548341882943096782659243409653858497
+}
+
+ PKCS#3 DH Parameters: (3072 bit)
+ prime:
+ 00:c6:33:9e:2f:17:90:97:ef:6f:2d:6c:3b:a1:89:
+ 3b:2f:d6:d1:1e:51:1e:35:07:1e:0f:44:86:32:6f:
+ 4a:c8:bd:a6:76:99:a6:48:be:fa:10:fd:2b:64:73:
+ cd:bb:18:e4:26:28:84:ee:6f:bc:51:23:65:b1:18:
+ 46:40:67:bc:f3:6d:29:ef:12:6f:4b:5f:9d:45:72:
+ a4:04:e4:8d:de:ba:fc:de:4d:94:7d:90:91:5f:41:
+ 2d:6d:fd:dc:30:be:51:8e:a7:b5:98:ed:51:5e:50:
+ 2a:98:47:3c:03:56:c9:5b:73:d8:ec:4e:c9:98:e3:
+ 56:ef:18:57:d8:01:8d:ab:69:9f:fc:c6:62:ef:8f:
+ f0:8a:7d:53:44:92:6c:07:5e:81:d8:b5:46:b4:37:
+ 85:f9:ea:29:e0:f8:e6:50:90:6e:59:df:c6:ec:b4:
+ 48:16:f3:6c:2a:32:49:59:8c:a4:c1:7b:7d:83:55:
+ c6:f7:d2:e5:cb:eb:29:ca:0e:82:8c:28:ad:24:57:
+ 6f:de:e4:62:b9:f3:4c:ae:a8:2b:55:3c:73:c5:7a:
+ 40:d2:79:eb:bf:cb:68:f9:cb:df:03:51:98:97:23:
+ 05:09:69:80:44:3e:6b:d9:e2:5c:5c:21:72:02:52:
+ fc:97:d1:b5:1f:5c:36:4c:36:19:ec:29:ce:8b:b3:
+ b4:3b:ca:c5:5b:d0:e7:c3:c1:8b:5a:b6:2e:f3:51:
+ c4:a1:d9:83:2e:d1:8e:3c:e7:e7:09:03:a1:94:6d:
+ 70:6b:e4:3a:ce:8e:e7:e7:1f:b2:77:9e:86:ac:60:
+ 33:37:0c:8f:c8:55:a4:42:8f:57:46:f9:86:b3:67:
+ 55:b8:a7:f9:78:01:0b:c6:76:1d:48:20:59:ce:e5:
+ b4:3f:51:e1:a4:02:4f:f0:16:ea:dd:2c:d5:c4:60:
+ 27:3f:ed:37:22:3b:5a:b7:80:b4:76:e4:d4:99:65:
+ 80:b7:b8:9c:48:20:9c:9c:5a:ac:38:4c:49:c3:da:
+ 95:85:b7:de:a2:ef:ce:0c:4a:9f
+ generator: 5 (0x5)
+-----BEGIN DH PARAMETERS-----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+-----END DH PARAMETERS-----
--- /dev/null
+### -*-conf-*-
+###
+### OpenSSL configuration for distorted.org.uk CA.
+
+###--------------------------------------------------------------------------
+### Defaults.
+
+RANDFILE = /dev/random
+db_suffix =
+
+###--------------------------------------------------------------------------
+### Certificate request configuration.
+
+[req]
+default_bits = 3072
+encrypt_key = no
+default_md = sha256
+utf8 = yes
+x509_extensions = ca-extensions
+distinguished_name = req-dn
+prompt = yes
+
+[req-dn]
+
+countryName = "Country name"
+countryName_default = "GB"
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = "State, province, or county"
+stateOrProvinceName_default = "Cambridgeshire"
+stateOrProvinceName_max = 64
+
+localityName = "Locality (e.g., city)"
+localityName_default = "Cambridge"
+localityName_max = 64
+
+organizationName = "Organization"
+organizationName_default = "distorted.org.uk"
+organizationName_max = 64
+organizationalUnitName = "Organizational unit"
+organizationalUnitName_max = 64
+
+commonName = "Common name"
+commonName_max = 64
+
+emailAddress = "Email address"
+emailAddress_max = 64
+
+###--------------------------------------------------------------------------
+### CA configuration.
+
+[ca]
+default_ca = distorted-ca
+preserve = yes
+
+[distorted-ca]
+default_days = 1825
+default_md = sha256
+unique_subject = no
+email_in_dn = no
+private_key = private/ca.key
+certificate = ca.cert
+database = state/db$ENV::db_suffix
+serial = state/serial
+crlnumber = state/crlnumber
+default_crl_hours = 28
+x509_extensions = tls-server-extensions
+crl_extensions = crl-extensions
+policy = distorted-policy
+name_opt = sep_multiline, esc_ctrl, utf8, dump_nostr, dump_unknown, space_eq, lname, align
+cert_opt = no_header, ext_parse, no_pubkey
+copy_extensions = copy
+
+[distorted-policy]
+countryName = supplied
+stateOrProvinceName = optional
+localityName = optional
+organizationName = supplied
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[crl-extensions]
+issuerAltName = email:ca@distorted.org.uk
+crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
+
+[ca-extensions]
+basicConstraints = critical, CA:TRUE
+keyUsage = critical, keyCertSign
+subjectKeyIdentifier = hash
+subjectAltName = email:ca@distorted.org.uk
+crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
+
+[tls-server-extensions]
+basicConstraints = critical, CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+issuerAltName = issuer:copy
+crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
+
+[tls-client-extensions]
+basicConstraints = critical, CA:FALSE
+keyUsage = critical, digitalSignature
+extendedKeyUsage = clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+issuerAltName = issuer:copy
+subjectAltName = email:copy
+crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
+
+###----- That's all, folks --------------------------------------------------
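Review bot: `copy_extensions = copy` in `[distorted-ca]` carries no comment saying that any extension present in a request, and not set by the extension section in use, is copied into the issued certificate. The sections below pin `basicConstraints`, `keyUsage` and `extendedKeyUsage`, so those cannot be replaced by a request, but `[tls-server-extensions]` sets no `subjectAltName`, so the names a server certificate is valid for come from the request. I would add above that line `### Extensions not set in the sections below are copied from the request; check the SANs before signing.` so it is clear that the review at signing time is the only control. `encrypt_key = no` in `[req]` likewise deserves a one-line comment that generated keys are protected by file permissions alone.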
--- /dev/null
+[user]
+ name = root
+ email = root@distorted.org.uk
--- /dev/null
+#! /bin/sh
+###
+### Fetch an archive, and unpack it into a directory in a safe manner.
+
+set -e
+
+## Parse the command line.
+case $# in
+ 3) ;;
+ *) echo >&2 "usage: $0 DIR LABEL URL"; exit 1 ;;
+esac
+dir=$1 label=$2 url=$3
+cd "$dir"
+
+## Fetch the archive.
+rm -rf tmp; mkdir tmp
+curl -s -o tmp/"$label.tar.gz" "$url"
+
+## Check the archive for unpleasantness. The GNU and FreeBSD versions of
+## tar(1) do something vaguely sensible with `..' components in the pathnames
+## of archive members. (Specifically, FreeBSD simply ignores the affected
+## members; GNU strips leading components in a bizarre way.) But OpenBSD
+## gets a special security award for cheerily following the `..' components.
+## So we have to do this complicated laundering thing.
+##
+## The archive ought to unpack everything into a single directory and not
+## contain anythig weird. So check. Actually, this won't catch newlines in
+## member names, so we'll have to be careful about those. The regular
+## expression insists that everything be in a single directory identified by
+## the LABEL, and that the rest of the name contains no two adjacent dots.
+## We use the LABEL as part of an ERE, so it ought not contain bad things.
+if
+ tar tzf tmp/"$label.tar.gz" |
+ grep -Ev "^$label/([^.]+|\.[^.])*$" >&2
+then
+ echo >&2 "$0: archive has bad member pathnames"
+ exit 1
+fi
+
+## Unpack the archive now that we know it's safe.
+(cd tmp; tar xzf "$label.tar.gz")
+
+## Replace any existing tree with the new one.
+rm -rf "$label"
+mv tmp/"$label" .
+rm -rf tmp
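Review bot: The pathname filter sees only the member names printed by `tar tzf`, so symbolic-link and hard-link members are accepted whatever they refer to, and the comment `now that we know it's safe` promises more than the check establishes. Listing with `tar tvzf` and refusing any entry that is not a regular file or directory would close that gap; at the least the comment block should state the limitation alongside the one it already gives for newlines. Separately, `curl -s` without `-f` saves an HTTP error body as the archive, and nothing checks a digest or signature of what was fetched; `curl -sf -o tmp/"$label.tar.gz" "$url"` covers the first part. LABEL is also used unvalidated in the ERE and in `rm -rf "$label"`, which the comment acknowledges but the script does not enforce.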
--- /dev/null
+#! /bin/sh -e
+
+unset email unit key ext extra
+config=/etc/ca/openssl.conf
+good=t
+while getopts e:u:k:x: opt; do
+ case $opt in
+ e) email=$OPTARG ;;
+ u) unit=$OPTARG ;;
+ k) key=$OPTARG ;;
+ x) ext=$OPTARG ;;
+ *) good=nil ;;
+ esac
+done
+shift $(( $OPTIND - 1 ))
+
+case $#,$good in
+ 2,t) ;;
+ *) echo >&2 "usage: $0 [-e EMAIL] [-k KEY] [-u UNIT] [-x EXT] LABEL CN"; exit 1 ;;
+esac
+label=$1 cn=$2
+
+if [ ! -d private ]; then
+ mkdir -m700 private
+fi
+
+case ${ext+t} in
+ t)
+ { cat "$config"
+ echo
+ echo "[genx509-custom]"
+ cat "$ext"; } >"tmp.$label.conf"
+ config=tmp.$label.conf
+ extra="$extra -reqexts genx509-custom"
+ ;;
+esac
+
+name="/C=GB/ST=Cambridgeshire/L=Cambridge/O=distorted.org.uk"
+name="$name/${unit+OU=$unit/}CN=$cn${email+/emailAddress=$email}"
+case ${key+t} in
+ t)
+ openssl req -batch -config "$config" \
+ -new -subj "$name" -text -out "$label.req.new" \
+ -key "$key" $extra
+ ;;
+ *)
+ openssl req -batch -config "$config" \
+ -new -subj "$name" -text -out "$label.req.new" \
+ -nodes -keyout "private/$label.key.new" $extra
+ chmod 600 "private/$label.key.new"
+ mv "private/$label.key.new" "private/$label.key"
+ ;;
+esac
+rm -f "tmp.$label.conf"
+mv "$label.req.new" "$label.req"
+sha256sum "$label.req"
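Review bot: In the branch that generates a key, `private/$label.key.new` is created by `openssl req` under the caller's umask and only tightened by the `chmod 600` on the next line, and `private` gets `-m700` only when it does not already exist. Adding `umask 077` near the top, before anything is written, removes the interval in which the unencrypted (`-nodes`) key may be readable by other users, and also covers `tmp.$label.conf`. The `-u`, `-e` and CN values are pasted into `-subj` unescaped, so a `/` in any of them starts a new RDN; a comment stating that these are trusted operator input would document that assumption.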
--- /dev/null
+### -*-conf-*-
+### sudoers file for distorted.org.uk
+###
+### This file is maintained on ibanez: edit it there and run `update-slaves'.
+
+###--------------------------------------------------------------------------
+### Thoughts.
+###
+### I'm not using `sudo' to give people limited access to privileged
+### commands. That's a mug's game, and anyway `userv' does it better.
+### So I'm not going to try to restrict what administrators can do.
+
+###--------------------------------------------------------------------------
+### Defaults.
+
+## The `authentication' -- making people type in their passwords -- will
+## only thwart an unimaginitive attacker. We have to face up to the fact
+## that `sudo' basically deals in `at-least-as-powerful-as' relationships:
+## if Alice can `sudo' to Bob, then Alice is at least as powerful as Bob,
+## and all of the molly guards and password typing won't help that.
+Defaults !authenticate
+
+## Again, with the idea that we're trusting the calling users, we don't
+## to scrub the environment.
+Defaults !always_set_home, !env_reset, !secure_path
+
+## Allow any editor with `visudo'. The idea that allowing a user to edit
+## the `sudoers' file is OK but letting him choose which editor he uses
+## isn't is obviously crazy. After all, he can change the editor list
+## if he likes.
+Defaults env_editor
+
+## Don't spam me with reports of people being turned away. I have logs for
+## that.
+Defaults !mailto
+
+## I'm going to assume that administrators already know how to behave
+## responsibly.
+Defaults lecture = never
+
+## Passing file descriptors into a program seems OK to me, given that
+## I'm assuming that the target user trusts the caller anyway.
+Defaults !closefrom_override
+
+###--------------------------------------------------------------------------
+### Administration.
+###
+### Summary:
+### FROM HOSTS = (TO-USERS [: TO-GROUPS]) [TAGS] COMMAND
+###
+### LIST ::= [!] ITEM, ...
+### USER ::= NAME | #UID | %GROUP
+### HOST ::= HOSTNAME | ADDR | NET/MASK
+### COMMAND ::= CMD | DIR/ | sudoedit
+### TAG ::= NOPASSWD: | PASSWD: | NOEXEC: | EXEC: | SETENV: | NOSETENV: |
+### LOG_INPUT: | NOLOG_INPUT: | LOG_OUTPUT: | NOLOG_OUTPUT:
+
+## Allow `root' and members of the `sudo' and `root' groups to do their
+## things.
+root, %sudo, %root, %wheel ALL = (ALL : ALL) ALL
+
+###----- That's all, folks --------------------------------------------------
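Review bot: The comment above the single rule says it covers `root` and members of the `sudo` and `root` groups, but the rule also names `%wheel`. With `!authenticate`, `!env_reset` and `!secure_path` in force, membership of these groups is the whole access control, so the comment should list every principal, for example `## Allow root and members of the sudo, root and wheel groups to run anything as anyone.` Since the header says the file is pushed to other hosts, it would also help to note which of them are expected to have a `wheel` group and who is in it.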
### PKI machinery.
- name: install PKI maintenance scripts
- tags: [pki]
+ tags: [pki, pki-scripts]
copy: src=pki/{{ item }} dest=/etc/cron.daily
with_items:
- update-ca-certs
- check-x509-certs
+- name: install common PKI files
+ tags: [pki, pki-keys]
+ copy: src=pki/{{ item }} dest=/etc/ca
+ with_items:
+ - ca.cert
+ - dh-param.pem
+ - dh-param-2048.pem
+ - openssl.conf
+
+- name: install /etc/pki/CA link
+ tags: [pki, pki-link]
+ file: path=/etc/pki/CA/cacert.pem state=link src=../../ca/ca.cert
+
###--------------------------------------------------------------------------
### NTP configuration.
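Review bot: The `install common PKI files` task writes to `dest=/etc/ca` without a trailing slash, and nothing visible in this hunk creates that directory. If it does not already exist on a host, the copy module treats `dest` as a file name for a single-file `src`, so the first item would probably land as a file called `/etc/ca`; this should be confirmed against the Ansible version in use. Writing `dest=/etc/ca/`, or adding a `file: path=/etc/ca state=directory` task before it, makes the intent explicit, and the same applies to the parent of `/etc/pki/CA/cacert.pem` in the link task.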
when: server is not defined or 'ntp' not in server
notify: restart ntpd
+###--------------------------------------------------------------------------
+### Network databases.
+
+- name: install netdb files
+ tags: netdb
+ copy: src=netdb/{{ item }} dest=/etc
+ with_items:
+ - hosts
+ - networks
+ - services
+
###--------------------------------------------------------------------------
### SSH configuration.
- config.m4
- known_hosts.extra
+###--------------------------------------------------------------------------
+### Backup machinery.
+
+- name: install backup filters
+ tags: [backup, backup-filters]
+ copy: src=backup/filter.{{ item.label }} dest={{ item.dest }}/.rsync-backup
+ with_items:
+ - { label: 'home', dest: '/home' }
+ - { label: 'var-spool', dest: '/var/spool' }
+
+- name: install required backup scripts on non-Debian hosts
+ tags: [backup, backup-scripts]
+ copy: src=backup/fshash dest=/usr/local/bin
+ when: os != 'debian'
+
+###--------------------------------------------------------------------------
+### Other miscellaneous files.
+
+- name: install sudo configuration
+ tags: [sudo]
+ copy: src=sudo/sudoers dest=/etc
+
+- name: install common scripts
+ tags: [scripts]
+ copy: src=scripts/{{ item }} dest=/usr/local/bin
+ with_items:
+ - fetch-unpack-archive
+ - genx509
+
+- name: install root Git configuration
+ tags: [root-files]
+ copy: src=root/gitconfig dest=/root/.gitconfig
+
###----- That's all, folks --------------------------------------------------
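Review bot: The `install sudo configuration` task copies `sudoers` into `/etc` with no syntax check and no explicit owner or mode, so a typo in the source file reaches every host and can leave `sudo` unusable there. The copy module's `validate` option runs a command on the temporary file before it is moved into place: `copy: src=sudo/sudoers dest=/etc owner=root mode=0440 validate='visudo -cf %s'`. The `fshash`, `fetch-unpack-archive` and `genx509` copies into `/usr/local/bin` also set no `mode`, so whether they end up executable depends on defaults; `mode=0755` would make that explicit.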