From 1dcfe180551cb49b9a8037e6f60c2e9d592bd015 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Tue, 23 Aug 2016 16:51:06 +0300 Subject: [PATCH] SSH tunneling role #77 --- digitalocean.yml | 6 + ec2.yml | 8 +- gce.yml | 6 + non-cloud.yml | 7 ++ roles/cloud-digitalocean/tasks/main.yml | 1 + roles/cloud-ec2/tasks/main.yml | 1 + roles/cloud-gce/tasks/main.yml | 1 + roles/common/templates/sshd_config.j2 | 143 +++++++++--------------- roles/ssh_tunneling/handlers/main.yml | 2 + roles/ssh_tunneling/tasks/main.yml | 21 ++++ 10 files changed, 106 insertions(+), 90 deletions(-) create mode 100644 roles/ssh_tunneling/handlers/main.yml create mode 100644 roles/ssh_tunneling/tasks/main.yml diff --git a/digitalocean.yml b/digitalocean.yml index 4dbc3c9..7a7e40a 100644 --- a/digitalocean.yml +++ b/digitalocean.yml @@ -64,6 +64,11 @@ default: "Y" private: no + - name: "ssh_tunneling_enabled" + prompt: "Do you want to use SSH tunneling ? (Y or N):\n" + default: "Y" + private: no + - name: "easyrsa_p12_export_password" prompt: "Enter the password for p12 certificates:\n" default: "vpn" @@ -129,6 +134,7 @@ - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" } - { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "Y" } - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } + - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" } handlers: - name: reload eth0 diff --git a/ec2.yml b/ec2.yml index d88296e..c906031 100644 --- a/ec2.yml +++ b/ec2.yml @@ -71,7 +71,12 @@ prompt: "Do you want to use auditd ? (Y or N):\n" default: "Y" private: no - + + - name: "ssh_tunneling_enabled" + prompt: "Do you want to use SSH tunneling ? (Y or N):\n" + default: "Y" + private: no + - name: "easyrsa_p12_export_password" prompt: "Enter the password for p12 certificates:\n" default: "vpn" 
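Review bot: The role guard `when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y"` is a case-sensitive match, so a user who answers `y` to the `(Y or N)` prompt silently gets no tunneling role while the play otherwise proceeds; `ssh_tunneling_enabled | upper == "Y"` would accept both. The same exact-match pattern is used by the existing proxy/dns/logging guards, so this is consistent rather than new, but it is worth fixing together. Since the prompt defaults to `"Y"`, every deployment creates a Unix account with SSH access per VPN user unless the operator opts out, which the prompt text does not say; consider `prompt: "Do you want to use SSH tunneling? This creates a Unix account with SSH access for every VPN user (Y or N):\n"` so the attack-surface trade-off is visible at prompt time. The same prompt and guard are repeated in ec2.yml, gce.yml and non-cloud.yml below and would need the same change.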
@@ -100,3 +105,4 @@ - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" } - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" } - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } + - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" } diff --git a/gce.yml b/gce.yml index 6f1b452..ff1c5e9 100644 --- a/gce.yml +++ b/gce.yml @@ -68,6 +68,11 @@ default: "Y" private: no + - name: "ssh_tunneling_enabled" + prompt: "Do you want to use SSH tunneling ? (Y or N):\n" + default: "Y" + private: no + - name: "easyrsa_p12_export_password" prompt: "Enter the password for p12 certificates:\n" default: "vpn" @@ -96,3 +101,4 @@ - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" } - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" } - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } + - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" } diff --git a/non-cloud.yml b/non-cloud.yml index 0aca4fc..4ed42df 100644 --- a/non-cloud.yml +++ b/non-cloud.yml @@ -29,6 +29,11 @@ default: "Y" private: no + - name: "ssh_tunneling_enabled" + prompt: "Do you want to use SSH tunneling ? (Y or N):\n" + default: "Y" + private: no + - name: "easyrsa_p12_export_password" prompt: "Enter the password for p12 certificates:\n" default: "vpn" @@ -47,6 +52,7 @@ ansible_python_interpreter: "/usr/bin/python2.7" dns_enabled: "{{ dns_enabled }}" proxy_enabled: "{{ proxy_enabled }}" + ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}" auditd_enabled: " {{ auditd_enabled }}" easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" IP_subject: "{{ IP_subject }}" 
@@ -73,3 +79,4 @@ - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" } - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" } - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } + - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" } diff --git a/roles/cloud-digitalocean/tasks/main.yml b/roles/cloud-digitalocean/tasks/main.yml index a7d5273..73e5c34 100644 --- a/roles/cloud-digitalocean/tasks/main.yml +++ b/roles/cloud-digitalocean/tasks/main.yml @@ -33,6 +33,7 @@ do_droplet_id: "{{ do.droplet.id }}" dns_enabled: "{{ dns_enabled }}" proxy_enabled: "{{ proxy_enabled }}" + ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}" auditd_enabled: " {{ auditd_enabled }}" easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" cloud_provider: digitalocean diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml index 13b897e..cb21189 100644 --- a/roles/cloud-ec2/tasks/main.yml +++ b/roles/cloud-ec2/tasks/main.yml @@ -71,6 +71,7 @@ ansible_python_interpreter: "/usr/bin/python2.7" dns_enabled: "{{ dns_enabled }}" proxy_enabled: "{{ proxy_enabled }}" + ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}" auditd_enabled: " {{ auditd_enabled }}" easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" cloud_provider: ec2 diff --git a/roles/cloud-gce/tasks/main.yml b/roles/cloud-gce/tasks/main.yml index 4bddb27..661d9cb 100644 --- a/roles/cloud-gce/tasks/main.yml +++ b/roles/cloud-gce/tasks/main.yml @@ -22,6 +22,7 @@ ansible_python_interpreter: "/usr/bin/python2.7" dns_enabled: "{{ dns_enabled }}" proxy_enabled: "{{ proxy_enabled }}" + ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}" auditd_enabled: " {{ auditd_enabled }}" easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" cloud_provider: gce 
diff --git a/roles/common/templates/sshd_config.j2 b/roles/common/templates/sshd_config.j2 index d17d9f6..af66436 100644 --- a/roles/common/templates/sshd_config.j2 +++ b/roles/common/templates/sshd_config.j2 
@@ -1,106 +1,71 @@ -# Package generated configuration file -# See the sshd_config(5) manpage for details - -# What ports, IPs and protocols we listen for Port 22 - -# Use these options to restrict which interfaces/protocols sshd will bind to -#ListenAddress :: -#ListenAddress 0.0.0.0 +# ListenAddress :: +# ListenAddress 0.0.0.0 Protocol 2 -# HostKeys for protocol version 2 -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key -HostKey /etc/ssh/ssh_host_ecdsa_key -HostKey /etc/ssh/ssh_host_ed25519_key +# LogLevel VERBOSE logs user's key fingerprint on login. +# Needed to have a clear audit log of which keys were used to log in. +SyslogFacility AUTH +LogLevel VERBOSE -# Use kernel sandbox mechanisms where possible in unprivilegied processes +# Use kernel sandbox mechanisms where possible # Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere. UsePrivilegeSeparation sandbox -# Lifetime and size of ephemeral version 1 server key -KeyRegenerationInterval 3600 -ServerKeyBits 1024 +# Handy for keeping network connections alive +TCPKeepAlive yes +ClientAliveInterval 120 -# Logging -SyslogFacility AUTH -LogLevel INFO - -# Authentication: -LoginGraceTime 120 +# Authentication +UsePAM yes PermitRootLogin without-password StrictModes yes - -RSAAuthentication no PubkeyAuthentication yes -#AuthorizedKeysFile %h/.ssh/authorized_keys - -# Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts yes - -# For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication no - -# similar for protocol version 2 -HostbasedAuthentication no - -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes - -# To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords no - -# Change to yes to enable challenge-response passwords (beware issues with -# some PAM modules and threads) -ChallengeResponseAuthentication no - -# Change to no to 
disable tunnelled clear text passwords -PasswordAuthentication no - -# Kerberos options -#KerberosAuthentication no -#KerberosGetAFSToken no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - -X11Forwarding no -X11DisplayOffset 10 -PrintMotd no -PrintLastLog yes -TCPKeepAlive yes -#UseLogin no - -#MaxStartups 10:30:60 -#Banner /etc/issue.net - -# Allow client to pass locale environment variables AcceptEnv LANG LC_* -# Subsystem sftp /usr/lib/openssh/sftp-server - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin yes -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. 
-UsePAM yes - -# Added by DigitalOcean build process -ClientAliveInterval 120 -ClientAliveCountMax 2 +# Turn off a lot of features +AllowAgentForwarding no +IgnoreRhosts yes +RhostsRSAAuthentication no +RSAAuthentication no +HostbasedAuthentication no +PermitEmptyPasswords no +ChallengeResponseAuthentication no +PasswordAuthentication no UseDNS no +X11Forwarding no + +# Do not enable sftp +# If you DO enable it, use this line to log which files sftp users read/write +# Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO + +# This makes ansible faster +PrintMotd no +PrintLastLog yes + +# Use only modern host keys +HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_ed25519_key + +# Use only modern ciphers +KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com -KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256 -# Password based logins are disabled - only public key based logins are allowed. -AuthenticationMethods publickey +### + +# TODO: I haven't seen anyone review these yet +# HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519 + +# TODO: I haven't seen anyone review these yet +# PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519 + +# TODO: I think we want to enable tunnels but disable stream local fowarding? 
+# PermitTunnel yes +# AllowStreamLocalForwarding no + +{% if ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" %} +Match Group algo + AllowTcpForwarding remote + AllowStreamLocalForwarding no +{% endif %} diff --git a/roles/ssh_tunneling/handlers/main.yml b/roles/ssh_tunneling/handlers/main.yml new file mode 100644 index 0000000..276ebfe --- /dev/null +++ b/roles/ssh_tunneling/handlers/main.yml @@ -0,0 +1,2 @@ +- name: restart ssh + service: name=ssh state=restarted diff --git a/roles/ssh_tunneling/tasks/main.yml b/roles/ssh_tunneling/tasks/main.yml new file mode 100644 index 0000000..7d87c7e --- /dev/null +++ b/roles/ssh_tunneling/tasks/main.yml @@ -0,0 +1,21 @@ +--- + +- name: Ensure that the algo group exist + group: name=algo state=present + +- name: Ensure that the jail directory exist + file: path=/var/jail/ state=directory mode=0755 owner=root group=root + +- name: Ensure that the SSH users exist + user: + name: "{{ item }}" + group: algo + home: '/var/jail/{{ item }}' + createhome: yes + generate_ssh_key: yes + shell: /bin/false + ssh_key_type: ecdsa + ssh_key_bits: 521 + ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}' + state: present + with_items: "{{ users }}"
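Review bot: `AllowTcpForwarding remote` in the new `Match Group algo` stanza permits only remote (`ssh -R`) forwarding, which lets each tunnel user bind listening ports on the server, and denies the local/dynamic (`ssh -L`/`ssh -D`) forwarding a client needs to push its own traffic through the server; the intended value looks like `AllowTcpForwarding local`. Once local forwarding is on, nothing limits the destinations, so a tunnel user can also reach whatever is bound to the server's loopback; a `PermitOpen` list in the same Match block would scope that. The stanza inherits the global `AllowAgentForwarding no` and `X11Forwarding no`, but the `PermitTunnel` question left open in the TODO just above is not answered for these users — `PermitTunnel no` inside the Match block makes it explicit. The hunk also silently drops `AuthenticationMethods publickey` and `ClientAliveCountMax 2`; password login stays off via `PasswordAuthentication no` and `ChallengeResponseAuthentication no`, but the removal deserves a line in the commit message.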
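Review bot: The new `restart ssh` handler is never notified — the role's task file below only creates a group, a directory and users — so nothing in this role triggers an sshd restart, and the `Match Group algo` stanza it depends on is rendered by the `common` role's `sshd_config.j2` in this same patch. Either drop the handler or attach it to whichever task should own the reload; as written it is dead configuration. Stylistically, prefer block YAML over the `key=value` string form here: `service:` / `  name: ssh` / `  state: restarted`.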
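Review bot: The accounts are created under `/var/jail/{{ item }}` but nothing chroots them: the sshd_config hunk above sets no `ChrootDirectory`, so the "jail" is an ordinary home directory and `shell: /bin/false` is the only restriction on these accounts. If a real chroot is intended, note that `ChrootDirectory` requires every path component to be root-owned and not group/world-writable, which the user-owned home created by this task would not satisfy; otherwise rename the path so the name does not overstate the isolation. `generate_ssh_key: yes` writes a private key into that home on the server, but no task in this hunk installs the public key into `authorized_keys` or fetches the key for the client, so presumably a later change completes this — on its own the role creates accounts that cannot be logged into. Style: the `group:` and `file:` tasks use `key=value` strings while `user:` uses block YAML; prefer block form throughout and `true` over `yes` for `createhome` and `generate_ssh_key`.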