SSH tunneling role #77

digitalocean.yml

@@ -64,6 +64,11 @@
     default: "Y"
     private: no
     
+  - name: "ssh_tunneling_enabled"
+    prompt: "Do you want to use SSH tunneling ? (Y or N):\n"
+    default: "Y"
+    private: no    
+    
   - name: "easyrsa_p12_export_password"
     prompt: "Enter the password for p12 certificates:\n"
     default: "vpn"
@@ -129,6 +134,7 @@
     - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" } 
     - { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "Y" }
     - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
+    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" } 
 
   handlers:
     - name: reload eth0

ec2.yml

@@ -72,6 +72,11 @@
       default: "Y"
       private: no
     
+    - name: "ssh_tunneling_enabled"
+      prompt: "Do you want to use SSH tunneling ? (Y or N):\n"
+      default: "Y"
+      private: no
+         
     - name: "easyrsa_p12_export_password"
       prompt: "Enter the password for p12 certificates:\n"
       default: "vpn"
@@ -100,3 +105,4 @@
     - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" }
     - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" }
     - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
+    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" }     

gce.yml

@@ -68,6 +68,11 @@
     default: "Y"
     private: no
     
+  - name: "ssh_tunneling_enabled"
+    prompt: "Do you want to use SSH tunneling ? (Y or N):\n"
+    default: "Y"
+    private: no
+    
   - name: "easyrsa_p12_export_password"
     prompt: "Enter the password for p12 certificates:\n"
     default: "vpn"
@@ -96,3 +101,4 @@
     - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" }
     - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" }
     - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
+    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" }     

non-cloud.yml

@@ -29,6 +29,11 @@
       default: "Y"
       private: no
       
+    - name: "ssh_tunneling_enabled"
+      prompt: "Do you want to use SSH tunneling ? (Y or N):\n"
+      default: "Y"
+      private: no
+      
     - name: "easyrsa_p12_export_password"
       prompt: "Enter the password for p12 certificates:\n"
       default: "vpn"
@@ -47,6 +52,7 @@
         ansible_python_interpreter: "/usr/bin/python2.7"
         dns_enabled: "{{ dns_enabled }}"
         proxy_enabled: "{{ proxy_enabled }}"
+        ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
         auditd_enabled: " {{ auditd_enabled }}"
         easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
         IP_subject: "{{ IP_subject }}"
@@ -73,3 +79,4 @@
     - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" }
     - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" }
     - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
+    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" }     

roles/cloud-digitalocean/tasks/main.yml

@@ -33,6 +33,7 @@
     do_droplet_id: "{{ do.droplet.id }}"
     dns_enabled: "{{ dns_enabled }}"
     proxy_enabled: "{{ proxy_enabled }}"
+    ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
     auditd_enabled: " {{ auditd_enabled }}"
     easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
     cloud_provider: digitalocean

roles/cloud-ec2/tasks/main.yml

@@ -71,6 +71,7 @@
     ansible_python_interpreter: "/usr/bin/python2.7"
     dns_enabled: "{{ dns_enabled }}"
     proxy_enabled: "{{ proxy_enabled }}"
+    ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
     auditd_enabled: " {{ auditd_enabled }}"
     easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
     cloud_provider: ec2

roles/cloud-gce/tasks/main.yml

@@ -22,6 +22,7 @@
     ansible_python_interpreter: "/usr/bin/python2.7"
     dns_enabled: "{{ dns_enabled }}"
     proxy_enabled: "{{ proxy_enabled }}"
+    ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
     auditd_enabled: " {{ auditd_enabled }}"
     easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
     cloud_provider: gce

roles/common/templates/sshd_config.j2

@@ -1,106 +1,71 @@
-# Package generated configuration file
-# See the sshd_config(5) manpage for details
-
-# What ports, IPs and protocols we listen for
 Port 22
-
-# Use these options to restrict which interfaces/protocols sshd will bind to
 # ListenAddress ::
 # ListenAddress 0.0.0.0
 Protocol 2
 
-# HostKeys for protocol version 2
+# LogLevel VERBOSE logs user's key fingerprint on login.
-#HostKey /etc/ssh/ssh_host_rsa_key
+# Needed to have a clear audit log of which keys were used to log in.
-#HostKey /etc/ssh/ssh_host_dsa_key
+SyslogFacility AUTH
-HostKey /etc/ssh/ssh_host_ecdsa_key
+LogLevel VERBOSE
-HostKey /etc/ssh/ssh_host_ed25519_key
 
-# Use kernel sandbox mechanisms where possible in unprivilegied processes
+# Use kernel sandbox mechanisms where possible
 # Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
 UsePrivilegeSeparation sandbox
 
-# Lifetime and size of ephemeral version 1 server key
+# Handy for keeping network connections alive
-KeyRegenerationInterval 3600
+TCPKeepAlive yes
-ServerKeyBits 1024
+ClientAliveInterval 120
 
-# Logging
+# Authentication
-SyslogFacility AUTH
+UsePAM yes
-LogLevel INFO
-
-# Authentication:
-LoginGraceTime 120
 PermitRootLogin without-password
 StrictModes yes
-
-RSAAuthentication no
 PubkeyAuthentication yes
-#AuthorizedKeysFile	%h/.ssh/authorized_keys
-
-# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
-
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication no
-
-# similar for protocol version 2
-HostbasedAuthentication no
-
-# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-#IgnoreUserKnownHosts yes
-
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Change to no to disable tunnelled clear text passwords
-PasswordAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosGetAFSToken no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-X11Forwarding no
-X11DisplayOffset 10
-PrintMotd no
-PrintLastLog yes
-TCPKeepAlive yes
-#UseLogin no
-
-#MaxStartups 10:30:60
-#Banner /etc/issue.net
-
-# Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
 
-# Subsystem sftp /usr/lib/openssh/sftp-server
+# Turn off a lot of features
-
+AllowAgentForwarding no
-# Set this to 'yes' to enable PAM authentication, account processing,
+IgnoreRhosts yes
-# and session processing. If this is enabled, PAM authentication will
+RhostsRSAAuthentication no
-# be allowed through the ChallengeResponseAuthentication and
+RSAAuthentication no
-# PasswordAuthentication.  Depending on your PAM configuration,
+HostbasedAuthentication no
-# PAM authentication via ChallengeResponseAuthentication may bypass
+PermitEmptyPasswords no
-# the setting of "PermitRootLogin yes
+ChallengeResponseAuthentication no
-# If you just want the PAM account and session checks to run without
+PasswordAuthentication no
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-# Added by DigitalOcean build process
-ClientAliveInterval 120
-ClientAliveCountMax 2
 UseDNS no
+X11Forwarding no
+
+# Do not enable sftp
+# If you DO enable it, use this line to log which files sftp users read/write
+# Subsystem sftp  /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
+
+# This makes ansible faster
+PrintMotd no
+PrintLastLog yes
+
+# Use only modern host keys
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Use only modern ciphers
+KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
-KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
 
-# Password based logins are disabled - only public key based logins are allowed.
+###
-AuthenticationMethods publickey
+
+# TODO: I haven't seen anyone review these yet
+# HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
+
+# TODO: I haven't seen anyone review these yet
+# PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
+
+# TODO: I think we want to enable tunnels but disable stream local fowarding?
+# PermitTunnel yes
+# AllowStreamLocalForwarding no
+
+{% if ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" %}
+Match Group algo
+    AllowTcpForwarding remote
+    AllowStreamLocalForwarding no
+{% endif %}    

roles/ssh_tunneling/handlers/main.yml

@@ -0,0 +1,2 @@
+- name: restart ssh
+  service: name=ssh state=restarted

roles/ssh_tunneling/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+
+- name: Ensure that the algo group exist
+  group: name=algo state=present
+  
+- name: Ensure that the jail directory exist
+  file: path=/var/jail/ state=directory mode=0755  owner=root group=root  
+  
+- name: Ensure that the SSH users exist
+  user: 
+    name: "{{ item }}"
+    group: algo
+    home: '/var/jail/{{ item }}'
+    createhome: yes
+    generate_ssh_key: yes
+    shell: /bin/false
+    ssh_key_type: ecdsa
+    ssh_key_bits: 521
+    ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}'
+    state: present    
+  with_items: "{{ users }}"