SSH tunneling role #77

2025-06-06 23:24:01 +02:00 · 2016-08-23 16:51:06 +03:00 · 2016-08-23 16:51:06 +03:00 · 1dcfe18055
commit 1dcfe18055
parent 19797bc020
10 changed files with 106 additions and 90 deletions
--- a/digitalocean.yml
+++ b/digitalocean.yml
@ -64,6 +64,11 @@
    default: "Y"
    private: no
    
+  - name: "ssh_tunneling_enabled"
+    prompt: "Do you want to use SSH tunneling ? (Y or N):\n"
+    default: "Y"
+    private: no    
+    
  - name: "easyrsa_p12_export_password"
    prompt: "Enter the password for p12 certificates:\n"
    default: "vpn"
@ -129,6 +134,7 @@
    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" } 
    - { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "Y" }
    - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
+    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" } 

  handlers:
    - name: reload eth0
--- a/ec2.yml
+++ b/ec2.yml
@ -71,7 +71,12 @@
      prompt: "Do you want to use auditd ? (Y or N):\n"
      default: "Y"
      private: no
-      
+    
+    - name: "ssh_tunneling_enabled"
+      prompt: "Do you want to use SSH tunneling ? (Y or N):\n"
+      default: "Y"
+      private: no
+         
    - name: "easyrsa_p12_export_password"
      prompt: "Enter the password for p12 certificates:\n"
      default: "vpn"
@ -100,3 +105,4 @@
    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" }
    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" }
    - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
+    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" }     
--- a/gce.yml
+++ b/gce.yml
@ -68,6 +68,11 @@
    default: "Y"
    private: no
    
+  - name: "ssh_tunneling_enabled"
+    prompt: "Do you want to use SSH tunneling ? (Y or N):\n"
+    default: "Y"
+    private: no
+    
  - name: "easyrsa_p12_export_password"
    prompt: "Enter the password for p12 certificates:\n"
    default: "vpn"
@ -96,3 +101,4 @@
    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" }
    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" }
    - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
+    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" }     
--- a/non-cloud.yml
+++ b/non-cloud.yml
@ -29,6 +29,11 @@
      default: "Y"
      private: no
      
+    - name: "ssh_tunneling_enabled"
+      prompt: "Do you want to use SSH tunneling ? (Y or N):\n"
+      default: "Y"
+      private: no
+      
    - name: "easyrsa_p12_export_password"
      prompt: "Enter the password for p12 certificates:\n"
      default: "vpn"
@ -47,6 +52,7 @@
        ansible_python_interpreter: "/usr/bin/python2.7"
        dns_enabled: "{{ dns_enabled }}"
        proxy_enabled: "{{ proxy_enabled }}"
+        ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
        auditd_enabled: " {{ auditd_enabled }}"
        easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
        IP_subject: "{{ IP_subject }}"
@ -73,3 +79,4 @@
    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" }
    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" }
    - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
+    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" }     
--- a/roles/cloud-digitalocean/tasks/main.yml
+++ b/roles/cloud-digitalocean/tasks/main.yml
@ -33,6 +33,7 @@
    do_droplet_id: "{{ do.droplet.id }}"
    dns_enabled: "{{ dns_enabled }}"
    proxy_enabled: "{{ proxy_enabled }}"
+    ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
    auditd_enabled: " {{ auditd_enabled }}"
    easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
    cloud_provider: digitalocean
--- a/roles/cloud-ec2/tasks/main.yml
+++ b/roles/cloud-ec2/tasks/main.yml
@ -71,6 +71,7 @@
    ansible_python_interpreter: "/usr/bin/python2.7"
    dns_enabled: "{{ dns_enabled }}"
    proxy_enabled: "{{ proxy_enabled }}"
+    ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
    auditd_enabled: " {{ auditd_enabled }}"
    easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
    cloud_provider: ec2
--- a/roles/cloud-gce/tasks/main.yml
+++ b/roles/cloud-gce/tasks/main.yml
@ -22,6 +22,7 @@
    ansible_python_interpreter: "/usr/bin/python2.7"
    dns_enabled: "{{ dns_enabled }}"
    proxy_enabled: "{{ proxy_enabled }}"
+    ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
    auditd_enabled: " {{ auditd_enabled }}"
    easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
    cloud_provider: gce
--- a/roles/common/templates/sshd_config.j2
+++ b/roles/common/templates/sshd_config.j2
@ -1,106 +1,71 @@
-# Package generated configuration file
-# See the sshd_config(5) manpage for details
-
-# What ports, IPs and protocols we listen for
 Port 22
-
-# Use these options to restrict which interfaces/protocols sshd will bind to
-#ListenAddress ::
-#ListenAddress 0.0.0.0
+# ListenAddress ::
+# ListenAddress 0.0.0.0
 Protocol 2

-# HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
+# LogLevel VERBOSE logs user's key fingerprint on login.
+# Needed to have a clear audit log of which keys were used to log in.
+SyslogFacility AUTH
+LogLevel VERBOSE

-# Use kernel sandbox mechanisms where possible in unprivilegied processes
+# Use kernel sandbox mechanisms where possible
 # Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
 UsePrivilegeSeparation sandbox

-# Lifetime and size of ephemeral version 1 server key
-KeyRegenerationInterval 3600
-ServerKeyBits 1024
+# Handy for keeping network connections alive
+TCPKeepAlive yes
+ClientAliveInterval 120

-# Logging
-SyslogFacility AUTH
-LogLevel INFO
-
-# Authentication:
-LoginGraceTime 120
+# Authentication
+UsePAM yes
 PermitRootLogin without-password
 StrictModes yes
-
-RSAAuthentication no
 PubkeyAuthentication yes
-#AuthorizedKeysFile	%h/.ssh/authorized_keys
-
-# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
-
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication no
-
-# similar for protocol version 2
-HostbasedAuthentication no
-
-# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-#IgnoreUserKnownHosts yes
-
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Change to no to disable tunnelled clear text passwords
-PasswordAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosGetAFSToken no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-X11Forwarding no
-X11DisplayOffset 10
-PrintMotd no
-PrintLastLog yes
-TCPKeepAlive yes
-#UseLogin no
-
-#MaxStartups 10:30:60
-#Banner /etc/issue.net
-
-# Allow client to pass locale environment variables
 AcceptEnv LANG LC_*

-# Subsystem sftp /usr/lib/openssh/sftp-server
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin yes
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-# Added by DigitalOcean build process
-ClientAliveInterval 120
-ClientAliveCountMax 2
+# Turn off a lot of features
+AllowAgentForwarding no
+IgnoreRhosts yes
+RhostsRSAAuthentication no
+RSAAuthentication no
+HostbasedAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+PasswordAuthentication no
 UseDNS no
+X11Forwarding no
+
+# Do not enable sftp
+# If you DO enable it, use this line to log which files sftp users read/write
+# Subsystem sftp  /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
+
+# This makes ansible faster
+PrintMotd no
+PrintLastLog yes
+
+# Use only modern host keys
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Use only modern ciphers
+KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
-KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256

-# Password based logins are disabled - only public key based logins are allowed.
-AuthenticationMethods publickey
+###
+
+# TODO: I haven't seen anyone review these yet
+# HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
+
+# TODO: I haven't seen anyone review these yet
+# PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
+
+# TODO: I think we want to enable tunnels but disable stream local fowarding?
+# PermitTunnel yes
+# AllowStreamLocalForwarding no
+
+{% if ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" %}
+Match Group algo
+    AllowTcpForwarding remote
+    AllowStreamLocalForwarding no
+{% endif %}    
--- a/roles/ssh_tunneling/handlers/main.yml
+++ b/roles/ssh_tunneling/handlers/main.yml
@ -0,0 +1,2 @@
+- name: restart ssh
+  service: name=ssh state=restarted
--- a/roles/ssh_tunneling/tasks/main.yml
+++ b/roles/ssh_tunneling/tasks/main.yml
@ -0,0 +1,21 @@
+---
+
+- name: Ensure that the algo group exist
+  group: name=algo state=present
+  
+- name: Ensure that the jail directory exist
+  file: path=/var/jail/ state=directory mode=0755  owner=root group=root  
+  
+- name: Ensure that the SSH users exist
+  user: 
+    name: "{{ item }}"
+    group: algo
+    home: '/var/jail/{{ item }}'
+    createhome: yes
+    generate_ssh_key: yes
+    shell: /bin/false
+    ssh_key_type: ecdsa
+    ssh_key_bits: 521
+    ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}'
+    state: present    
+  with_items: "{{ users }}"