ssh tunneling fixes (#1127)

Jack Ivanov 2018-10-08 03:33:55 +03:00 committed by Dan Guido
parent cd3fbe5e47
commit bcba905547
7 changed files with 50 additions and 41 deletions


@ -31,25 +31,20 @@
groups: algo groups: algo
home: '/var/jail/{{ item }}' home: '/var/jail/{{ item }}'
createhome: yes createhome: yes
generate_ssh_key: yes generate_ssh_key: false
shell: /bin/false shell: /bin/false
ssh_key_type: ecdsa
ssh_key_bits: 256
ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}'
ssh_key_passphrase: "{{ p12_export_password }}"
update_password: on_create
state: present state: present
append: yes append: yes
with_items: "{{ users }}" with_items: "{{ users }}"
tags: update-users tags: update-users
- name: The authorized keys file created - name: The authorized keys file created
file: authorized_key:
src: '/var/jail/{{ item }}/.ssh/id_ecdsa.pub' user: "{{ item }}"
dest: '/var/jail/{{ item }}/.ssh/authorized_keys' key: "{{ lookup('file', 'configs/' + IP_subject_alt_name + '/pki/public/' + item + '.pub') }}"
owner: "{{ item }}" state: present
group: "{{ item }}" manage_dir: true
state: link exclusive: true
with_items: "{{ users }}" with_items: "{{ users }}"
tags: update-users tags: update-users
@ -57,15 +52,6 @@
shell: ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null shell: ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null
register: ssh_fingerprints register: ssh_fingerprints
- name: Fetch users SSH private keys
fetch:
src: '/var/jail/{{ item }}/.ssh/id_ecdsa'
dest: configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem
flat: yes
mode: "0600"
with_items: "{{ users }}"
tags: update-users
- name: Fetch the known_hosts file - name: Fetch the known_hosts file
local_action: local_action:
module: template module: template
@ -83,20 +69,21 @@
tags: update-users tags: update-users
with_items: "{{ users }}" with_items: "{{ users }}"
- name: SSH | Get active system users - name: Get active users
shell: > getent:
getent group algo | cut -f4 -d: | sed "s/,/\n/g" database: group
register: valid_users key: algo
split: ':'
tags: update-users tags: update-users
- name: SSH | Delete non-existing users - name: Delete non-existing users
user: user:
name: "{{ item }}" name: "{{ item }}"
state: absent state: absent
remove: yes remove: yes
force: yes force: yes
when: item not in users when: item not in users
with_items: "{{ valid_users.stdout_lines | default('null') }}" with_items: "{{ getent_group['algo'][2].split(',') }}"
tags: update-users tags: update-users
rescue: rescue:
- debug: var=fail_hint - debug: var=fail_hint
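Review bot: `with_items: "{{ getent_group['algo'][2].split(',') }}"` evaluates to `['']` when the `algo` group has no members (the getent fact's member field is presumably an empty string in that case — confirm against the module), and since `''` is not in `users` the deletion task then tries to remove a user with an empty name instead of skipping. Filtering the empties avoids that, e.g. `with_items: "{{ getent_group['algo'][2].split(',') | select | list }}"`. The old `| default('null')` guard is also gone, so the `getent` task now fails hard if the `algo` group does not exist yet; that is acceptable only if the group is guaranteed to be created earlier, which is outside this section.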


@ -34,6 +34,7 @@ ipv6_support: false
dns_encryption: true dns_encryption: true
domain: false domain: false
subjectAltName_IP: "IP:{{ IP_subject_alt_name }}" subjectAltName_IP: "IP:{{ IP_subject_alt_name }}"
subjectAltName_USER: "{% if '@' in item %}email:{{ item }}{% else %}DNS:{{ item }}{% endif %}"
openssl_bin: openssl openssl_bin: openssl
strongswan_enabled_plugins: strongswan_enabled_plugins:
- aes - aes
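Review bot: `subjectAltName_USER` splices the raw user name into the `printf "[basic_exts]\nsubjectAltName=…"` argument of the pki role's shell tasks, so a name containing `"`, `$`, a backtick or `%` alters the shell command or the printf format rather than the SAN. The `users` list is operator-supplied, so this is a footgun rather than an attack surface, but an `assert` that every entry matches `^[A-Za-z0-9._@-]+$` before the pki role runs would give a clear error instead of a malformed CSR. A one-line comment above this variable, e.g. `# SAN type follows the user name: email: for addresses, DNS: otherwise`, would also document why the `@` test exists.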


@ -1,10 +1,10 @@
--- ---
- block: - block:
- name: Ensure that the strongswan group exist - name: Include WireGuard role
group: name=strongswan state=present include_role:
name: wireguard
- name: Ensure that the strongswan user exist tags: wireguard
user: name=strongswan group=strongswan state=present when: wireguard_enabled and ansible_distribution == 'Ubuntu'
- include_tasks: ubuntu.yml - include_tasks: ubuntu.yml
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
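Review bot: The tasks that created the `strongswan` user and group are removed, but the strongswan.conf template in this commit still sets `user = strongswan`, so charon cannot drop privileges unless `ubuntu.yml` (outside this hunk) or the distro package creates that account — worth confirming, and a comment here stating where the user now comes from. Separately, `include_role: name: wireguard` runs in addition to the play-level `- role: wireguard` that this commit keeps, so on Ubuntu with `wireguard_enabled` the role appears to execute twice; if the include exists only for ordering, consider dropping one of the two or guarding the include with a fact the first run registers.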


@ -16,12 +16,14 @@
dest: "configs/{{ IP_subject_alt_name }}/pki/{{ item }}" dest: "configs/{{ IP_subject_alt_name }}/pki/{{ item }}"
state: directory state: directory
recurse: yes recurse: yes
mode: '0700'
with_items: with_items:
- ecparams - ecparams
- certs - certs
- crl - crl
- newcerts - newcerts
- private - private
- public
- reqs - reqs
- name: Ensure the files exist - name: Ensure the files exist
@ -42,6 +44,7 @@
- name: Build the CA pair - name: Build the CA pair
shell: > shell: >
umask 077;
{{ openssl_bin }} ecparam -name secp384r1 -out ecparams/secp384r1.pem && {{ openssl_bin }} ecparam -name secp384r1 -out ecparams/secp384r1.pem &&
{{ openssl_bin }} req -utf8 -new {{ openssl_bin }} req -utf8 -new
-newkey ec:ecparams/secp384r1.pem -newkey ec:ecparams/secp384r1.pem
@ -70,6 +73,7 @@
- name: Build the server pair - name: Build the server pair
shell: > shell: >
umask 077;
{{ openssl_bin }} req -utf8 -new {{ openssl_bin }} req -utf8 -new
-newkey ec:ecparams/secp384r1.pem -newkey ec:ecparams/secp384r1.pem
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}")) -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}"))
@ -92,9 +96,10 @@
- name: Build the client's pair - name: Build the client's pair
shell: > shell: >
umask 077;
{{ openssl_bin }} req -utf8 -new {{ openssl_bin }} req -utf8 -new
-newkey ec:ecparams/secp384r1.pem -newkey ec:ecparams/secp384r1.pem
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}")) -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName_USER }}"))
-keyout private/{{ item }}.key -keyout private/{{ item }}.key
-out reqs/{{ item }}.req -nodes -out reqs/{{ item }}.req -nodes
-passin pass:"{{ CA_password }}" -passin pass:"{{ CA_password }}"
@ -102,7 +107,7 @@
{{ openssl_bin }} ca -utf8 {{ openssl_bin }} ca -utf8
-in reqs/{{ item }}.req -in reqs/{{ item }}.req
-out certs/{{ item }}.crt -out certs/{{ item }}.crt
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}")) -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName_USER }}"))
-days 3650 -batch -days 3650 -batch
-passin pass:"{{ CA_password }}" -passin pass:"{{ CA_password }}"
-subj "/CN={{ item }}" && -subj "/CN={{ item }}" &&
@ -113,8 +118,24 @@
executable: bash executable: bash
with_items: "{{ users }}" with_items: "{{ users }}"
- name: Create links for the private keys
file:
src: "pki/private/{{ item }}.key"
dest: "configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem"
state: link
force: true
with_items: "{{ users }}"
- name: Build openssh public keys
openssl_publickey:
path: "configs/{{ IP_subject_alt_name }}/pki/public/{{ item }}.pub"
privatekey_path: "configs/{{ IP_subject_alt_name }}/pki/private/{{ item }}.key"
format: OpenSSH
with_items: "{{ users }}"
- name: Build the client's p12 - name: Build the client's p12
shell: > shell: >
umask 077;
{{ openssl_bin }} pkcs12 {{ openssl_bin }} pkcs12
-in certs/{{ item }}.crt -in certs/{{ item }}.crt
-inkey private/{{ item }}.key -inkey private/{{ item }}.key
@ -149,7 +170,7 @@
- name: Revoke non-existing users - name: Revoke non-existing users
shell: > shell: >
{{ openssl_bin }} ca -gencrl {{ openssl_bin }} ca -gencrl
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}")) -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName_USER }}"))
-passin pass:"{{ CA_password }}" -passin pass:"{{ CA_password }}"
-revoke certs/{{ item }}.crt -revoke certs/{{ item }}.crt
-out crl/{{ item }}.crt -out crl/{{ item }}.crt
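Review bot: `Create links for the private keys` points `{{ item }}.ssh.pem` at `pki/private/{{ item }}.key`, which is generated with `-nodes`, so the SSH private key handed to each user is now stored unencrypted; before this commit the jail user's key was generated with `ssh_key_passphrase: "{{ p12_export_password }}"`. If the passphrase is still wanted, write an encrypted copy instead of a symlink, e.g. `openssl ec -in private/{{ item }}.key -aes256 -passout pass:"{{ p12_export_password }}" -out {{ item }}.ssh.pem` under the same `umask 077` (OpenSSH reads PEM-encrypted EC keys). Reusing the IPsec client-certificate key as the SSH identity also means one leaked key unlocks both services and the certificate has to be revoked whenever the SSH key is rotated; a comment on the link task such as `# The SSH identity is the client certificate key: revoke the cert when rotating it` would record that this sharing is intentional. `openssl_publickey` with `format: OpenSSH` presumably needs the cryptography backend on the controller, which may warrant a requirement outside this hunk.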


@ -10,7 +10,7 @@ charon {
include strongswan.d/charon/*.conf include strongswan.d/charon/*.conf
} }
user = strongswan user = strongswan
group = strongswan group = nogroup
{% if ansible_distribution == 'FreeBSD' %} {% if ansible_distribution == 'FreeBSD' %}
filelog { filelog {
/var/log/charon.log { /var/log/charon.log {
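Review bot: `group = nogroup` places charon in the group shared by `nobody` and other unprivileged daemons, so anything charon creates group-readable (its piddir sockets, for instance) becomes reachable by those processes, whereas the dedicated `strongswan` group this commit stops creating kept that separation. If the goal is merely to stop managing the group, a `# nogroup: the role no longer creates a dedicated strongswan group` comment would at least record the trade-off. `user = strongswan` on the line above is unchanged and still requires that account to exist on the host.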


@ -16,14 +16,14 @@
- role: dns_adblocking - role: dns_adblocking
when: algo_local_dns when: algo_local_dns
tags: dns_adblocking tags: dns_adblocking
- role: ssh_tunneling
when: algo_ssh_tunneling
tags: ssh_tunneling
- role: wireguard - role: wireguard
when: wireguard_enabled when: wireguard_enabled
tags: wireguard tags: wireguard
- role: vpn - role: vpn
tags: vpn tags: vpn
- role: ssh_tunneling
when: algo_ssh_tunneling
tags: ssh_tunneling
post_tasks: post_tasks:
- block: - block:
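Review bot: Moving `ssh_tunneling` after `vpn` is what makes `configs/…/pki/public/<user>.pub` exist before the authorized_key lookup, but that dependency is expressed only by ordering; a run limited to `--tags ssh_tunneling`, or one with the vpn role skipped, fails on the file lookup rather than explaining what is missing. Declaring `vpn` as a dependency in the ssh_tunneling role's meta, or adding a `stat`/`assert` on the public-key directory at the top of that role, would make the requirement explicit. The identical reorder in the second playbook carries the same caveat.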


@ -60,13 +60,13 @@
roles: roles:
- role: common - role: common
- role: ssh_tunneling
when: algo_ssh_tunneling
- role: wireguard - role: wireguard
tags: [ 'vpn', 'wireguard' ] tags: [ 'vpn', 'wireguard' ]
when: wireguard_enabled when: wireguard_enabled
- role: vpn - role: vpn
tags: vpn tags: vpn
- role: ssh_tunneling
when: algo_ssh_tunneling
post_tasks: post_tasks:
- block: - block: