Merge branch 'master' into patch-1

This commit is contained in:
Jack Ivanov 2024-01-04 12:39:36 -05:00 committed by GitHub
commit 03f8e51f93
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
18 changed files with 54 additions and 22 deletions

View file

@ -17,10 +17,10 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Log in to the Container registry
uses: docker/login-action@v2
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
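Review bot: all four actions in this workflow (actions/checkout@v4, docker/login-action@v3, docker/metadata-action@v5 and docker/build-push-action@v5) are still referenced by a mutable major-version tag, so this bump replaces one floating ref with another. Because the job logs in to the registry and pushes images, pin each `uses:` to a full-length commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<sha> # v4`, and let Dependabot or Renovate move the SHA forward; the same applies to the two hunks below.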
@ -28,7 +28,7 @@ jobs:
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v4
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
@ -36,7 +36,7 @@ jobs:
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'master') }}
- name: Build and push Docker image
uses: docker/build-push-action@v4
uses: docker/build-push-action@v5
with:
context: .
push: true

View file

@ -6,10 +6,10 @@ jobs:
lint:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: actions/setup-python@v2.3.2
with:
python-version: '3.9'
python-version: '3.11'
cache: 'pip'
- name: Install dependencies
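Review bot: actions/setup-python is left at v2.3.2 while checkout moves to v4; the v2 line of setup-python still declares the Node 12 runtime that GitHub has deprecated, and it is several major versions behind the one checkout@v4 is meant to sit alongside. Bump it here and in the two identical steps in the jobs below, and pin it to a commit SHA as for the Docker workflow. The runner also stays on ubuntu-20.04 while the interpreter moves to 3.11; that works because setup-python downloads the requested version, but a short comment would save the next reader the question.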
@ -34,10 +34,10 @@ jobs:
matrix:
UBUNTU_VERSION: ["22.04"]
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: actions/setup-python@v2.3.2
with:
python-version: '3.9'
python-version: '3.11'
cache: 'pip'
- name: Install dependencies
@ -98,10 +98,10 @@ jobs:
matrix:
UBUNTU_VERSION: ["22.04"]
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: actions/setup-python@v2.3.2
with:
python-version: '3.9'
python-version: '3.11'
cache: 'pip'
- name: Install dependencies

View file

@ -1,4 +1,4 @@
FROM python:3-alpine
FROM python:3.11-alpine
ARG VERSION="git"
ARG PACKAGES="bash libffi openssh-client openssl rsync tini gcc libffi-dev linux-headers make musl-dev openssl-dev rust cargo"
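Review bot: `python:3.11-alpine` is still a floating tag that moves with every 3.11.x patch release and Alpine rebuild; for a reproducible, auditable image pin the digest as well, `FROM python:3.11-alpine@sha256:...`, and bump it deliberately. Separately, PACKAGES mixes runtime dependencies (bash, openssh-client, openssl, rsync, tini) with build-only toolchain (gcc, make, musl-dev, rust, cargo, the *-dev headers); unless a later layer removes them or the build is multi-stage, they ship in the final image and enlarge its attack surface.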

View file

@ -40,7 +40,7 @@ The easiest way to get an Algo server running is to run it on your local system
git clone https://github.com/trailofbits/algo.git
```
3. **Install Algo's core dependencies.** Algo requires that **Python 3.8 or later** and at least one supporting package are installed on your system.
3. **Install Algo's core dependencies.** Algo requires that **Python 3.10 or later** and at least one supporting package are installed on your system.
- **macOS:** Catalina (10.15) and higher includes Python 3 as part of the optional Command Line Developer Tools package. From Terminal run:
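Review bot: the requirement moves to "Python 3.10 or later", but the workflow changes in this same commit test only 3.11; add 3.10 to the CI matrix (or state 3.11 here) so the documented floor is actually exercised.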
@ -52,7 +52,7 @@ The easiest way to get an Algo server running is to run it on your local system
For macOS versions prior to Catalina, see [Deploy from macOS](docs/deploy-from-macos.md) for information on installing Python 3 .
- **Linux:** Recent releases of Ubuntu, Debian, and Fedora come with Python 3 already installed. Make sure your system is up-to-date and install the supporting package(s):
- **Linux:** Recent releases of Ubuntu, Debian, and Fedora come with Python 3 already installed. If your Python version is not 3.10, then you will need to use pyenv to install Python 3.10. Make sure your system is up-to-date and install the supporting package(s):
* Ubuntu and Debian:
```bash
sudo apt install -y --no-install-recommends python3-virtualenv file lookup
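Review bot: "If your Python version is not 3.10" contradicts the "3.10 or later" requirement stated just above; a system with 3.11 or 3.12 needs no pyenv at all. Reword to "older than 3.10" and tell the reader to install "3.10 or later" with pyenv, which also matches the 3.11 the repository's own Dockerfile now uses.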

SECURITY.md (new file, 9 additions)
View file

@ -0,0 +1,9 @@
# Reporting Security Issues
The Algo team and community take security bugs in Algo seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
To report a security issue, please use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/trailofbits/algo/security/) tab.
The Algo team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
Report security bugs in third-party modules to the person or team maintaining the module.
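Review bot: the "Report a Vulnerability" link points at the repository's security overview tab rather than the private-report form itself, which GitHub serves at `/security/advisories/new`, and that form only exists if private vulnerability reporting is enabled in the repository settings; link the form directly and confirm the setting is on before merging. Reporters also want an expected acknowledgement window and a fallback contact (an email address or PGP key) in case the GitHub form is unavailable to them.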

View file

@ -176,6 +176,8 @@ cloud_providers:
sku: minimal-22_04-daily-lts
version: latest
digitalocean:
# See docs for extended droplet options, pricing, and availability.
# Possible values: 's-1vcpu-512mb-10gb', 's-1vcpu-1gb', ...
size: s-1vcpu-1gb
image: "ubuntu-22-04-x64"
ec2:

View file

@ -1,4 +1,4 @@
# Using Router wıth OpenWRT as a Client with WireGuard
# Using Router with OpenWRT as a Client with WireGuard
This scenario is useful in case you want to use vpn with devices which has no vpn capability like smart tv, or make vpn connection available via router for multiple devices.
This is a tested, working scenario with following environment:
@ -16,12 +16,12 @@ Make sure that you have
- router and device in front of router does not have same ip . By default openwrt have 192.168.1.1 if so change it to something like 192.168.2.1
### Install required packages(WebUI)
- Open router web UI (mostly http://192.168.1.1 )
- Login. (by default username: root, password:<empt
- Login. (by default username: root, password:<empty>
- System -> Software, click "Update lists"
- Install following packages wireguard-tools, kmod-wireguard, luci-app-wireguard, wireguard, kmod-crypto-sha256, kmod-crypto-sha1, kmod-crypto-md5
- restart router
### Aluternative Install required packages(ssh)
### Alternative Install required packages(ssh)
- Open router web UI (mostly http://192.168.1.1 )
- ssh root@192.168.1.1
- opkg update
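Review bot: the procedure logs in to the router as root with an empty password over plain http://192.168.1.1 (context line above), and nothing on this page tells the reader to set one; add a step before installing packages to set a root password (System -> Administration in LuCI, or `passwd` over ssh) so the WireGuard keys about to be generated on the router are not protected only by an empty login. In the ssh section, the "Open router web UI" line under the "### Alternative Install required packages(ssh)" heading is a leftover from the WebUI section and should be dropped.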

View file

@ -12,7 +12,7 @@ The cheapest EC2 plan you can choose is the "Free Plan" a.k.a. the "AWS Free Tie
As of the time of this writing (July 2018), the Free Tier limits include "750 hours of Amazon EC2 Linux t2.micro instance usage" per month, 15 GB of bandwidth (outbound) per month, and 30 GB of cloud storage. Algo will not even use 1% of the storage limit, but you may have to monitor your bandwidth usage or keep an eye out for the email from Amazon when you are about to exceed the Free Tier limits.
Addtional configurations are documented in the [EC2 section of the deploy from ansible guide](https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md#amazon-ec2)
Additional configurations are documented in the [EC2 section of the deploy from ansible guide](https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md#amazon-ec2)
### Create an AWS permissions policy
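Review bot: the Free Tier figures in the context line above are dated "July 2018"; since this hunk touches the same paragraph anyway, refresh the numbers or mark them explicitly as historical so readers do not size their bandwidth expectations on six-year-old limits.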

View file

@ -1,6 +1,6 @@
### Configuration file
Algo scripts will ask you for the API detail. You need to fetch the API credentials and the endpoint from the provider cocntrol panel.
Algo scripts will ask you for the API detail. You need to fetch the API credentials and the endpoint from the provider control panel.
Example for Exoscale (European cloud provider exposing CloudStack API), visit https://portal.exoscale.com/u/<your@account>/account/profile/api to gather the required information: CloudStack api key and secret.

View file

@ -18,6 +18,18 @@ You will be returned to the **Tokens/Keys** tab, and your new key will be shown
Copy or note down the hash that shows below the name you entered, as this will be necessary for the steps below. This value will disappear if you leave this page, and you'll need to regenerate it if you forget it.
## Select a Droplet (optional)
The default option is the `s-1vcpu-1gb` because it is available in all regions. However, you may want to switch to a cheaper droplet such as `s-1vcpu-512mb-10gb` even though it is not available in all regions. This can be edited in the [Configuration File](config.cfg) under `cloud_providers > digitalocean > size`. See this brief comparison between the two droplets below:
| Droplet Type | Monthly Cost | Bandwidth | Availability |
|:--|:-:|:-:|:--|
| `s-1vcpu-512mb-10gb` | $4/month | 0.5 TB | Limited |
| `s-1vcpu-1gb` | $6/month | 1.0 TB | All regions |
| ... | ... | ... | ... |
*Note: Exceeding bandwidth limits costs $0.01/GiB at time of writing ([docs](https://docs.digitalocean.com/products/billing/bandwidth/#droplets)). See the live list of droplets [here](https://slugs.do-api.dev/).*
## Using DigitalOcean with Algo (interactive)
These steps are for those who run Algo using Docker or using the `./algo` command.
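Review bot: `[Configuration File](config.cfg)` is a relative link; if this guide lives in docs/ like the other guides in this commit (which link to deploy-from-ansible.md relatively), it resolves to docs/config.cfg, which does not exist, and should be `../config.cfg`. The `| ... | ... | ... | ... |` filler row adds nothing; drop it, or replace it with a pointer to the slug list already linked in the note. The slug in the table matches the new comment in config.cfg, so keep the two in sync when either changes.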

View file

@ -38,4 +38,4 @@ gcloud services enable compute.googleapis.com
**Attention:** take care of the `configs/gce.json` file, which contains the credentials to manage your Google Cloud account, including create and delete servers on this project.
There are more advanced arguments available for deploynment [using ansible](deploy-from-ansible.md).
There are more advanced arguments available for deployment [using ansible](deploy-from-ansible.md).

View file

@ -115,7 +115,7 @@ Additional variables:
- [image](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-images.html) - AMI `describe-images` search parameters to find the OS for the hosted image. Each OS and architecture has a unique AMI-ID. The OS owner, for example [Ubuntu](https://cloud-images.ubuntu.com/locator/ec2/), updates these images often. If parameters below result in multiple results, the most recent AMI-ID is chosen
```
# Example of equivalent cli comand
# Example of equivalent cli command
aws ec2 describe-images --owners "099720109477" --filters "Name=architecture,Values=arm64" "Name=name,Values=ubuntu/images/hvm-ssd/ubuntu-jammy-22.04*"
```

View file

@ -23,6 +23,7 @@ First of all, check [this](https://github.com/trailofbits/algo#features) and ens
* [Wireguard: Unable to find 'configs/...' in expected paths](#wireguard-unable-to-find-configs-in-expected-paths)
* [Ubuntu Error: "unable to write 'random state'" when generating CA password](#ubuntu-error-unable-to-write-random-state-when-generating-ca-password)
* [Timeout when waiting for search string OpenSSH in xxx.xxx.xxx.xxx:4160](#old-networking-firewall-in-place)
* [Linode Error: "Unable to query the Linode API. Saw: 400: The requested distribution is not supported by this stackscript.; "](#linode-error-uable-to-query-the-linode-api-saw-400-the-requested-distribution-is-not-supported-by-this-stackscript)
* [Connection Problems](#connection-problems)
* [I'm blocked or get CAPTCHAs when I access certain websites](#im-blocked-or-get-captchas-when-i-access-certain-websites)
* [I want to change the list of trusted Wifi networks on my Apple device](#i-want-to-change-the-list-of-trusted-wifi-networks-on-my-apple-device)
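Review bot: the new table-of-contents entry links to `#linode-error-uable-to-query...` while the heading added further down reads "Unable", so the generated anchor is `#linode-error-unable-to-query-the-linode-api-saw-400-the-requested-distribution-is-not-supported-by-this-stackscript` and the link is dead; fix the "uable" typo in the fragment.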
@ -384,6 +385,11 @@ ok: [localhost] => {
If you see this error then one possible explanation is that you have a previous firewall configured in your cloud hosting provider which needs to be either updated or ideally removed. Removing this can often fix this issue.
### Linode Error: "Unable to query the Linode API. Saw: 400: The requested distribution is not supported by this stackscript.; "
StackScript is a custom deployment script that defines a set of configurations for a Linode instance (e.g. which distribution, specs, etc.). if you used algo with default values in the past deployments, a stackscript that would've been created is 're-used' in the deployment process (in fact, go see 'create Linodes' and under 'StackScripts' tab). Thus, there's a little chance that your deployment process will generate this 'unsupported stackscript' error due to a pre-existing StackScript that doesn't support a particular configuration setting or value due to an 'old' stackscript. The quickest solution is just to change the name of your deployment from the default value of 'algo' (or any other name that you've used before, again see the dashboard) and re-run the deployment.
## Connection Problems
Look here if you deployed an Algo server but now have a problem connecting to it with a client.

View file

@ -32,7 +32,7 @@
- name: Generate the SSH private key
openssl_privatekey:
path: "{{ SSH_keys.private }}"
size: 2048
size: 4096
mode: "0600"
type: RSA
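Review bot: moving to 4096-bit RSA is a modest gain; since this key only has to be accepted by the OpenSSH server Algo itself provisions, `type: Ed25519` (supported by the openssl_privatekey module) gives a stronger, smaller and faster key. Either way, check how the module treats an existing 2048-bit key at `SSH_keys.private`: with the module's default regenerate behaviour (full_idempotence in community.crypto) a key that no longer matches the requested size is regenerated on the next run, which would replace the key used to reach servers deployed before this change; set `regenerate: never` or document the migration if that is not intended.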

View file

@ -1,3 +1,3 @@
ansible==6.1.0
ansible==9.1.0
jinja2~=3.0.3
netaddr
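Review bot: ansible 9.1.0 pulls in ansible-core 2.16, which requires Python 3.10 or newer on the control node; that is what the README and CI changes in this commit are reacting to, and a one-line comment here would stop the next bump from silently raising the floor again. `netaddr` is still unpinned, so the install is not reproducible; pin it, and consider hash pinning (`pip install --require-hashes`) for a tool that generates VPN keys.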

View file

@ -98,6 +98,7 @@
- cgroup-tools
- openssl
- gnupg2
- cron
sysctl:
- item: net.ipv4.ip_forward
value: 1
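Review bot: `cron` is added to the server package list with nothing in this commit showing which job it will run; a cron daemon is another always-on root process on a host that is meant to be minimal, so either reference the task that installs the job in a comment here or, if the job is periodic maintenance, prefer a systemd timer, since systemd is already present on the Ubuntu 22.04 images the CI matrix targets.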

View file

@ -2,6 +2,7 @@ Host algo
DynamicForward 127.0.0.1:1080
LogLevel quiet
Compression yes
IdentitiesOnly yes
IdentityFile {{ item }}.ssh.pem
User {{ item }}
Hostname {{ IP_subject_alt_name }}
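Review bot: `IdentitiesOnly yes` is the right addition next to an explicit IdentityFile: without it ssh first offers every key loaded in the agent, which both leaks the user's other public keys to the server and can trip the server's MaxAuthTries. One caveat on the context lines: `LogLevel quiet` also silences host-key warnings on this SOCKS-forwarding host, so a changed server key fails without explanation; `LogLevel error` keeps the connection quiet while still surfacing the mismatch.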

View file

@ -32,6 +32,7 @@
HostName {{ IP_subject_alt_name }}
User {{ ansible_ssh_user }}
Port {{ ansible_ssh_port }}
IdentitiesOnly yes
IdentityFile {{ SSH_keys.private | realpath }}
KeepAlive yes
ServerAliveInterval 30
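Review bot: `KeepAlive yes` (context line) is the obsolete spelling of `TCPKeepAlive`; OpenSSH still accepts it as an alias, but the TCP-level keepalive it controls is spoofable and is redundant with the `ServerAliveInterval 30` on the next line, which is the authenticated keepalive. Replace it with `TCPKeepAlive yes` or drop it; `IdentitiesOnly yes` itself is correct here for the same reasons as in the other template.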