ssh fixes
This commit is contained in:
parent
cf08c5ff61
commit
c19908c9b1
7 changed files with 30 additions and 19 deletions
5
.gitignore
vendored
5
.gitignore
vendored
|
@ -1,6 +1,3 @@
|
|||
*.retry
|
||||
configs/*.mobileconfig
|
||||
configs/*.p12
|
||||
configs/*.crt
|
||||
configs/*.tmp
|
||||
configs/*
|
||||
inventory_users
|
||||
|
|
|
@ -71,8 +71,8 @@
|
|||
private: no
|
||||
|
||||
- name: "easyrsa_p12_export_password"
|
||||
prompt: "Enter a password for p12 certificates:\n"
|
||||
default: "vpn"
|
||||
prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
|
||||
default: "vpnpw"
|
||||
private: yes
|
||||
|
||||
roles:
|
||||
|
@ -131,11 +131,11 @@
|
|||
roles:
|
||||
- common
|
||||
- security
|
||||
- vpn
|
||||
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
|
||||
- { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "y" }
|
||||
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
|
||||
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
|
||||
- vpn
|
||||
|
||||
handlers:
|
||||
- name: reload eth0
|
||||
|
|
6
ec2.yml
6
ec2.yml
|
@ -77,8 +77,8 @@
|
|||
private: no
|
||||
|
||||
- name: "easyrsa_p12_export_password"
|
||||
prompt: "Enter a password for p12 certificates:\n"
|
||||
default: "vpn"
|
||||
prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
|
||||
default: "vpnpw"
|
||||
private: yes
|
||||
|
||||
roles:
|
||||
|
@ -100,8 +100,8 @@
|
|||
roles:
|
||||
- common
|
||||
- security
|
||||
- vpn
|
||||
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
|
||||
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
|
||||
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
|
||||
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
|
||||
- vpn
|
||||
|
|
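Review bot: The new prompt text promises "minimum five characters" but nothing in the play enforces it, and with `private: yes` a too-short or mistyped answer is invisible until ssh-keygen rejects the passphrase in the ssh_tunneling user task, well after the prompt. Adding `confirm: yes` to this vars_prompt entry and a fail-fast check such as `- assert: { that: "easyrsa_p12_export_password | length >= 5" }` in pre_tasks (the pre_tasks block is not in the hunk) would catch both at the prompt. Since the one answer now protects both the p12 bundles and the fetched SSH private keys, the variable name `easyrsa_p12_export_password` no longer describes its scope; a comment above the entry, `# also used as the passphrase for generated SSH private keys`, would spare the next reader a grep. The same hunk appears in the unnamed playbook section above, in gce.yml, and in the section at `@ -36,8 +36,8 @@` below.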
6
gce.yml
6
gce.yml
|
@ -75,8 +75,8 @@
|
|||
private: no
|
||||
|
||||
- name: "easyrsa_p12_export_password"
|
||||
prompt: "Enter a password for p12 certificates:\n"
|
||||
default: "vpn"
|
||||
prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
|
||||
default: "vpnpw"
|
||||
private: yes
|
||||
|
||||
roles:
|
||||
|
@ -98,8 +98,8 @@
|
|||
roles:
|
||||
- common
|
||||
- security
|
||||
- vpn
|
||||
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
|
||||
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
|
||||
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
|
||||
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
|
||||
- vpn
|
||||
|
|
|
@ -36,8 +36,8 @@
|
|||
private: no
|
||||
|
||||
- name: "easyrsa_p12_export_password"
|
||||
prompt: "Enter a password for p12 certificates:\n"
|
||||
default: "vpn"
|
||||
prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
|
||||
default: "vpnpw"
|
||||
private: yes
|
||||
|
||||
- name: "IP_subject"
|
||||
|
@ -76,8 +76,8 @@
|
|||
roles:
|
||||
- common
|
||||
- security
|
||||
- vpn
|
||||
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
|
||||
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
|
||||
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
|
||||
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
|
||||
- vpn
|
||||
|
|
|
@ -54,7 +54,7 @@ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@op
|
|||
# TODO: I haven't seen anyone review these yet
|
||||
# PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
|
||||
|
||||
{% if ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" %}
|
||||
{% if ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" %}
|
||||
Match Group algo
|
||||
AllowTcpForwarding remote
|
||||
AllowAgentForwarding no
|
||||
|
|
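Review bot: The condition now compares `ssh_tunneling_enabled` case-sensitively against `"y"`, which matches the `when:` clauses added to the playbooks in this commit, so a user who answers `Y` gets neither the role nor this Match block; that is consistent but easy to trip over. If the prompt does not normalise the answer (the prompt is not in this commit), normalising once with `set_fact` in the playbook, or writing `ssh_tunneling_enabled | lower == "y"` here and in the `when:` clauses, avoids the silent no-op. This appears to be the sshd_config template, and the `{% endif %}` closing the Match block lies outside the hunk.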
|
@ -14,8 +14,22 @@
|
|||
createhome: yes
|
||||
generate_ssh_key: yes
|
||||
shell: /bin/false
|
||||
ssh_key_type: ecdsa
|
||||
ssh_key_bits: 521
|
||||
ssh_key_type: rsa
|
||||
ssh_key_bits: 2048
|
||||
ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}'
|
||||
ssh_key_passphrase: "{{ easyrsa_p12_export_password }}"
|
||||
state: present
|
||||
with_items: "{{ users }}"
|
||||
|
||||
- name: The authorized keys file created
|
||||
file:
|
||||
src: '/var/jail/{{ item }}/.ssh/id_rsa.pub'
|
||||
dest: '/var/jail/{{ item }}/.ssh/authorized_keys'
|
||||
owner: "{{ item }}"
|
||||
group: algo
|
||||
state: link
|
||||
with_items: "{{ users }}"
|
||||
|
||||
- name: Fetch users SSH private keys
|
||||
fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes
|
||||
with_items: "{{ users }}"
|
||||
|
|
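Review bot: The fetched private key in the "Fetch users SSH private keys" task lands in `configs/` with the control machine's default umask, and `fetch` does not carry over the remote file mode, so the resulting `.ssh.pem` is typically group/other-readable and ssh will refuse to use it; a follow-up task should restrict it. The link and fetch tasks also hard-code `id_rsa`/`id_rsa.pub`, which the hunk only makes correct by switching the user task to `ssh_key_type: rsa`; setting `ssh_key_file: .ssh/id_rsa` explicitly on the user task keeps the three tasks in step if the key type changes again. The `fetch:` line would read better in block style like its siblings. The user task whose parameters open this hunk begins outside it.

```yaml
- name: Restrict permissions of fetched SSH private keys
  file:
    path: "configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem"
    mode: "0600"
  delegate_to: localhost
  with_items: "{{ users }}"
```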