fixes

.gitignore

@@ -1,6 +1,3 @@
 *.retry
-configs/*.mobileconfig
-configs/*.p12
-configs/*.crt
-configs/*.tmp
+configs/*
 inventory_users

digitalocean.yml

@@ -1,3 +1,4 @@
+# vim:ft=ansible:
 - name: Configure the server and install required software
   hosts: localhost
 
@@ -50,23 +51,28 @@
     private: no
 
   - name: "dns_enabled"
-    prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n"
-    default: "Y"
+    prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
+    default: "y"
     private: no
 
   - name: "proxy_enabled"
-    prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n"
-    default: "Y"
+    prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
+    default: "y"
     private: no
 
   - name: "auditd_enabled"
-    prompt: "Do you want to use auditd ? (Y or N):\n"
-    default: "Y"
+    prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
+    default: "y"
+    private: no
+
+  - name: "ssh_tunneling_enabled"
+    prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
+    default: "y"
     private: no
 
   - name: "easyrsa_p12_export_password"
-    prompt: "Enter the password for p12 certificates:\n"
-    default: "vpn"
+    prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
+    default: "vpnpw"
     private: yes
 
   roles:
@@ -125,10 +131,11 @@
   roles:
     - common
     - security
+    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
+    - { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "y" }
+    - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
+    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
     - vpn    
-    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" } 
-    - { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "Y" }
-    - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
 
   handlers:
     - name: reload eth0

ec2.yml

@@ -21,7 +21,6 @@
       "11": "sa-east-1"
 
   vars_prompt:
-
   - name: "aws_access_key"
     prompt: "Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n"
     private: yes
@@ -58,23 +57,28 @@
     private: no
 
   - name: "dns_enabled"
-      prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n"
-      default: "Y"
+    prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
+    default: "y"
     private: no
 
   - name: "proxy_enabled"
-      prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n"
-      default: "Y"
+    prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
+    default: "y"
     private: no
 
   - name: "auditd_enabled"
-      prompt: "Do you want to use auditd ? (Y or N):\n"
-      default: "Y"
+    prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
+    default: "y"
+    private: no
+
+  - name: "ssh_tunneling_enabled"
+    prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
+    default: "y"
     private: no
 
   - name: "easyrsa_p12_export_password"
-      prompt: "Enter the password for p12 certificates:\n"
-      default: "vpn"
+    prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
+    default: "vpnpw"
     private: yes
 
   roles:
@@ -96,7 +100,8 @@
   roles:
     - common
     - security
+    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
+    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
+    - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
+    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
     - vpn    
-    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" }
-    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" }
-    - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }

gce.yml

@@ -1,3 +1,4 @@
+# vim:ft=ansible:
 - name: Configure the server and install required software
   hosts: localhost
   gather_facts: false
@@ -54,23 +55,28 @@
     private: no
 
   - name: "dns_enabled"
-    prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n"
-    default: "Y"
+    prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
+    default: "y"
     private: no
 
   - name: "proxy_enabled"
-    prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n"
-    default: "Y"
+    prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
+    default: "y"
     private: no
 
   - name: "auditd_enabled"
-    prompt: "Do you want to use auditd ? (Y or N):\n"
-    default: "Y"
+    prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
+    default: "y"
+    private: no
+
+  - name: "ssh_tunneling_enabled"
+    prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
+    default: "y"
     private: no
 
   - name: "easyrsa_p12_export_password"
-    prompt: "Enter the password for p12 certificates:\n"
-    default: "vpn"
+    prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
+    default: "vpnpw"
     private: yes
 
   roles:
@@ -92,7 +98,8 @@
   roles:
     - common
     - security
+    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
+    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
+    - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
+    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
     - vpn    
-    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" }
-    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" }
-    - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }

non-cloud.yml

@@ -1,9 +1,10 @@
+# vim:ft=ansible:
 - hosts: localhost
   gather_facts: False
   vars_files:
     - config.cfg
-  vars_prompt:
 
+  vars_prompt:
   - name: "server_ip"
     prompt: "Enter IP address of your server: (use localhost for local installation)\n"
     default: localhost
@@ -15,27 +16,32 @@
     private: no
 
   - name: "dns_enabled"
-      prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n"
-      default: "Y"
+    prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
+    default: "y"
     private: no
 
   - name: "proxy_enabled"
-      prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n"
-      default: "Y"
+    prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
+    default: "y"
     private: no
 
   - name: "auditd_enabled"
-      prompt: "Do you want to use auditd ? (Y or N):\n"
-      default: "Y"
+    prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
+    default: "y"
+    private: no
+
+  - name: "ssh_tunneling_enabled"
+    prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
+    default: "y"
     private: no
 
   - name: "easyrsa_p12_export_password"
-      prompt: "Enter the password for p12 certificates:\n"
-      default: "vpn"
+    prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
+    default: "vpnpw"
     private: yes
       
   - name: "IP_subject"
-      prompt: "Enter public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n"
+    prompt: "Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n"
     private: no
 
   tasks:
@@ -47,6 +53,7 @@
         ansible_python_interpreter: "/usr/bin/python2.7"
         dns_enabled: "{{ dns_enabled }}"
         proxy_enabled: "{{ proxy_enabled }}"
+        ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
         auditd_enabled: " {{ auditd_enabled }}"
         easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
         IP_subject: "{{ IP_subject }}"
@@ -69,7 +76,8 @@
   roles:
     - common
     - security
+    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
+    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
+    - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
+    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
     - vpn    
-    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" }
-    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" }
-    - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }

roles/cloud-digitalocean/tasks/main.yml

@@ -33,6 +33,7 @@
     do_droplet_id: "{{ do.droplet.id }}"
     dns_enabled: "{{ dns_enabled }}"
     proxy_enabled: "{{ proxy_enabled }}"
+    ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
     auditd_enabled: " {{ auditd_enabled }}"
     easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
     cloud_provider: digitalocean

roles/cloud-ec2/tasks/main.yml

@@ -71,6 +71,7 @@
     ansible_python_interpreter: "/usr/bin/python2.7"
     dns_enabled: "{{ dns_enabled }}"
     proxy_enabled: "{{ proxy_enabled }}"
+    ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
     auditd_enabled: " {{ auditd_enabled }}"
     easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
     cloud_provider: ec2

roles/cloud-gce/tasks/main.yml

@@ -22,6 +22,7 @@
     ansible_python_interpreter: "/usr/bin/python2.7"
     dns_enabled: "{{ dns_enabled }}"
     proxy_enabled: "{{ proxy_enabled }}"
+    ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
     auditd_enabled: " {{ auditd_enabled }}"
     easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
     cloud_provider: gce

roles/common/templates/sshd_config.j2

@@ -1,106 +1,64 @@
-# Package generated configuration file
-# See the sshd_config(5) manpage for details
-
-# What ports, IPs and protocols we listen for
 Port 22
-
-# Use these options to restrict which interfaces/protocols sshd will bind to
 # ListenAddress ::
 # ListenAddress 0.0.0.0
 Protocol 2
 
-# HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
+# LogLevel VERBOSE logs user's key fingerprint on login.
+# Needed to have a clear audit log of which keys were used to log in.
+SyslogFacility AUTH
+LogLevel VERBOSE
 
-# Use kernel sandbox mechanisms where possible in unprivilegied processes
+# Use kernel sandbox mechanisms where possible
 # Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
 UsePrivilegeSeparation sandbox
 
-# Lifetime and size of ephemeral version 1 server key
-KeyRegenerationInterval 3600
-ServerKeyBits 1024
+# Handy for keeping network connections alive
+TCPKeepAlive yes
+ClientAliveInterval 120
 
-# Logging
-SyslogFacility AUTH
-LogLevel INFO
-
-# Authentication:
-LoginGraceTime 120
+# Authentication
+UsePAM yes
 PermitRootLogin without-password
 StrictModes yes
-
-RSAAuthentication no
 PubkeyAuthentication yes
-#AuthorizedKeysFile	%h/.ssh/authorized_keys
-
-# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
-
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication no
-
-# similar for protocol version 2
-HostbasedAuthentication no
-
-# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-#IgnoreUserKnownHosts yes
-
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Change to no to disable tunnelled clear text passwords
-PasswordAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosGetAFSToken no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-X11Forwarding no
-X11DisplayOffset 10
-PrintMotd no
-PrintLastLog yes
-TCPKeepAlive yes
-#UseLogin no
-
-#MaxStartups 10:30:60
-#Banner /etc/issue.net
-
-# Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
 
-# Subsystem sftp /usr/lib/openssh/sftp-server
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin yes
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-# Added by DigitalOcean build process
-ClientAliveInterval 120
-ClientAliveCountMax 2
+# Turn off a lot of features
+IgnoreRhosts yes
+RhostsRSAAuthentication no
+RSAAuthentication no
+HostbasedAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+PasswordAuthentication no
 UseDNS no
+
+# Do not enable sftp
+# If you DO enable it, use this line to log which files sftp users read/write
+# Subsystem sftp  /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
+
+# This makes ansible faster
+PrintMotd no
+PrintLastLog yes
+
+# Use only modern host keys
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Use only modern ciphers
+KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
-KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
+# TODO: I haven't seen anyone review these yet
+# HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
+# TODO: I haven't seen anyone review these yet
+# PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
 
-# Password based logins are disabled - only public key based logins are allowed.
-AuthenticationMethods publickey
+{% if ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" %}
+Match Group algo
+    AllowTcpForwarding remote
+    AllowAgentForwarding no
+    AllowStreamLocalForwarding no
+    PermitTunnel no
+    X11Forwarding no
+{% endif %}    

roles/dns_adblocking/tasks/main.yml

@@ -10,7 +10,7 @@
     - restart dnsmasq
 
 - name: The dnsmasq directory created
-  file: dest=/var/lib/dnsmasq state=directory mode=755 owner=dnsmasq group=nogroup
+  file: dest=/var/lib/dnsmasq state=directory mode=0755 owner=dnsmasq group=nogroup
 
 - name: Enforce the dnsmasq AppArmor policy
   shell: aa-enforce usr.sbin.dnsmasq

roles/ssh_tunneling/handlers/main.yml

@@ -0,0 +1,2 @@
+- name: restart ssh
+  service: name=ssh state=restarted

roles/ssh_tunneling/tasks/main.yml

@@ -0,0 +1,49 @@
+---
+
+- name: Ensure that the algo group exist
+  group: name=algo state=present
+
+- name: Ensure that the jail directory exist
+  file: path=/var/jail/ state=directory mode=0755  owner=root group=root
+
+- name: Ensure that the SSH users exist
+  user:
+    name: "{{ item }}"
+    groups: algo
+    home: '/var/jail/{{ item }}'
+    createhome: yes
+    generate_ssh_key: yes
+    shell: /bin/false
+    ssh_key_type: rsa
+    ssh_key_bits: 2048
+    ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}'
+    ssh_key_passphrase: "{{ easyrsa_p12_export_password }}"
+    state: present
+    append: yes
+  with_items: "{{ users }}"
+  
+- name: The authorized keys file created
+  file: 
+    src: '/var/jail/{{ item }}/.ssh/id_rsa.pub'
+    dest: '/var/jail/{{ item }}/.ssh/authorized_keys'
+    owner: "{{ item }}"
+    group: "{{ item }}"
+    state: link
+  with_items: "{{ users }}"
+  
+- name: Generate SSH fingerprints
+  shell: >
+    ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null
+  register: ssh_fingerprints
+  
+- name: The known_hosts file created
+  template: src=known_hosts.j2 dest=/root/.ssh/{{ IP_subject_alt_name }}_known_hosts
+
+- name: Fetch users SSH private keys
+  fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes
+  with_items: "{{ users }}"
+  
+- name: Fetch the known_hosts file
+  fetch: src='/root/.ssh/{{ IP_subject_alt_name }}_known_hosts' dest=configs/{{ IP_subject_alt_name }}_known_hosts flat=yes
+  
+  

roles/ssh_tunneling/templates/known_hosts.j2

@@ -0,0 +1,3 @@
+{% for item in ssh_fingerprints.stdout_lines %}
+{{ item }}
+{% endfor %}

users.yml

@@ -16,9 +16,14 @@
       default: "root"
       private: no      
       
+    - name: "ssh_tunneling_enabled"
+      prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
+      default: "y"
+      private: no      
+      
     - name: "easyrsa_p12_export_password"
-      prompt: "Enter the password for p12 certificates:\n"
-      default: "vpn"
+      prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
+      default: "vpnpw"
       private: yes   
 
     - name: "IP_subject"
@@ -33,6 +38,7 @@
         ansible_ssh_user: "{{ server_user }}"
         ansible_python_interpreter: "/usr/bin/python2.7"
         easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
+        ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
         IP_subject: "{{ IP_subject }}"
 
     - name: Wait for SSH to become available
@@ -114,3 +120,51 @@
     
   - name: Fetch server CA certificate
     fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes
+    
+  # SSH
+  
+  - name: SSH | Ensure that the system users exist
+    user:
+      name: "{{ item }}"
+      groups: algo
+      home: '/var/jail/{{ item }}'
+      createhome: yes
+      generate_ssh_key: yes
+      shell: /bin/false
+      ssh_key_type: rsa
+      ssh_key_bits: 2048
+      ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}'
+      ssh_key_passphrase: "{{ easyrsa_p12_export_password }}"
+      state: present
+      append: yes
+    with_items: "{{ users }}"
+    when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" 
+    
+  - name: SSH | The authorized keys file created
+    file: 
+      src: '/var/jail/{{ item }}/.ssh/id_rsa.pub'
+      dest: '/var/jail/{{ item }}/.ssh/authorized_keys'
+      owner: "{{ item }}"
+      group: "{{ item }}"
+      state: link
+    with_items: "{{ users }}"
+    when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
+
+  - name: SSH | Get active system users
+    shell: >
+      getent group algo | cut -f4 -d: | sed "s/,/\n/g"
+    register: valid_users
+    when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
+
+  - name: SSH | Delete non-existing users
+    user:
+      name: "{{ item }}"
+      state: absent
+      remove: yes      
+      force: yes
+    when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
+    with_items: "{{ valid_users.stdout_lines }}"
+    
+  - name: SSH | Fetch users SSH private keys
+    fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes
+    with_items: "{{ users }}"