From c19908c9b119c93a851db71f0cbb23e52590bd08 Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Thu, 25 Aug 2016 23:03:20 +0300
Subject: [PATCH] ssh fixes

---
 .gitignore | 5 +----
 digitalocean.yml | 6 +++---
 ec2.yml | 6 +++---
 gce.yml | 6 +++---
 non-cloud.yml | 6 +++---
 roles/common/templates/sshd_config.j2 | 2 +-
 roles/ssh_tunneling/tasks/main.yml | 18 ++++++++++++++++--
 7 files changed, 30 insertions(+), 19 deletions(-)

diff --git a/.gitignore b/.gitignore
index 7d9d96c..9df513b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,3 @@
 *.retry
-configs/*.mobileconfig
-configs/*.p12
-configs/*.crt
-configs/*.tmp
+configs/*
 inventory_users
diff --git a/digitalocean.yml b/digitalocean.yml
index 7d6ac8e..687bfbc 100644
--- a/digitalocean.yml
+++ b/digitalocean.yml
@@ -71,8 +71,8 @@
 private: no
 - name: "easyrsa_p12_export_password"
- prompt: "Enter a password for p12 certificates:\n"
- default: "vpn"
+ prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
+ default: "vpnpw"
 private: yes
 roles:
@@ -131,11 +131,11 @@
 roles:
 - common
 - security
- - vpn
 - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
 - { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "y" }
 - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
 - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
+ - vpn
 handlers:
 - name: reload eth0
diff --git a/ec2.yml b/ec2.yml
index 891f267..a988be6 100644
--- a/ec2.yml
+++ b/ec2.yml
@@ -77,8 +77,8 @@
 private: no
 - name: "easyrsa_p12_export_password"
- prompt: "Enter a password for p12 certificates:\n"
- default: "vpn"
+ prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
+ default: "vpnpw"
 private: yes
 roles:
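Review bot: The new prompt promises a five-character minimum for `easyrsa_p12_export_password`, but nothing in the play enforces it; since the same value is now passed to `ssh_key_passphrase` in roles/ssh_tunneling/tasks/main.yml, a shorter entry presumably fails only when the key is generated, late in the run. An early check in the play's `pre_tasks` (outside this hunk) would fail fast, e.g. `- assert:` followed by `that: "easyrsa_p12_export_password | length >= 5"`. The default `vpnpw` is now also the passphrase on every fetched SSH private key, not just the p12 files; a predictable default is worth reconsidering for a value that guards key material. The same hunk appears in ec2.yml, gce.yml and non-cloud.yml.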
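Review bot: The reason `vpn` now has to run after `ssh_tunneling` is not recorded anywhere in the hunk, and role order in a play is easy to "tidy" back into the old position by a later edit. A one-line comment above the moved entry, such as `# keep vpn last: <reason the order matters>`, would protect the ordering; the same reorder appears in ec2.yml, gce.yml and non-cloud.yml.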
@@ -100,8 +100,8 @@
 roles:
 - common
 - security
- - vpn
 - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
 - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
 - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
 - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
+ - vpn
diff --git a/gce.yml b/gce.yml
index b44ce86..24a0cb9 100644
--- a/gce.yml
+++ b/gce.yml
@@ -75,8 +75,8 @@
 private: no
 - name: "easyrsa_p12_export_password"
- prompt: "Enter a password for p12 certificates:\n"
- default: "vpn"
+ prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
+ default: "vpnpw"
 private: yes
 roles:
@@ -98,8 +98,8 @@
 roles:
 - common
 - security
- - vpn
 - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
 - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
 - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
 - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
+ - vpn
diff --git a/non-cloud.yml b/non-cloud.yml
index a823cca..b1f9f65 100644
--- a/non-cloud.yml
+++ b/non-cloud.yml
@@ -36,8 +36,8 @@
 private: no
 - name: "easyrsa_p12_export_password"
- prompt: "Enter a password for p12 certificates:\n"
- default: "vpn"
+ prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
+ default: "vpnpw"
 private: yes
 - name: "IP_subject"
@@ -76,8 +76,8 @@
 roles:
 - common
 - security
- - vpn
 - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
 - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
 - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
 - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
+ - vpn
diff --git a/roles/common/templates/sshd_config.j2 b/roles/common/templates/sshd_config.j2
index 8c08f0f..453a561 100644
--- a/roles/common/templates/sshd_config.j2
+++ b/roles/common/templates/sshd_config.j2
@@ -54,7 +54,7 @@ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@op
 # TODO: I haven't seen anyone review these yet
 # PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
-{% if ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" %}
+{% if ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" %}
 Match Group algo
 AllowTcpForwarding remote
 AllowAgentForwarding no
diff --git a/roles/ssh_tunneling/tasks/main.yml b/roles/ssh_tunneling/tasks/main.yml
index b78b19b..63f6cea 100644
--- a/roles/ssh_tunneling/tasks/main.yml
+++ b/roles/ssh_tunneling/tasks/main.yml
@@ -14,8 +14,22 @@
 createhome: yes
 generate_ssh_key: yes
 shell: /bin/false
- ssh_key_type: ecdsa
- ssh_key_bits: 521
+ ssh_key_type: rsa
+ ssh_key_bits: 2048
 ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}'
+ ssh_key_passphrase: "{{ easyrsa_p12_export_password }}"
 state: present
 with_items: "{{ users }}"
+
+- name: The authorized keys file created
+ file:
+ src: '/var/jail/{{ item }}/.ssh/id_rsa.pub'
+ dest: '/var/jail/{{ item }}/.ssh/authorized_keys'
+ owner: "{{ item }}"
+ group: algo
+ state: link
+ with_items: "{{ users }}"
+
+- name: Fetch users SSH private keys
+ fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes
+ with_items: "{{ users }}"
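Review bot: The comparison on the `{% if %}` line is case-sensitive, so `ssh_tunneling_enabled == "y"` now agrees with the playbooks' `when:` clauses, but an operator who answers `Y` still gets neither the `Match Group algo` block nor the ssh_tunneling role, silently. If upper case is meant to be accepted, `ssh_tunneling_enabled | lower == "y"` in both places would keep the template and the playbooks in step; if not, the change is consistent as it stands. The `{% if %}` block continues past the end of the hunk.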
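Review bot: The `fetch` task at the end of the hunk copies each user's private key to `configs/<ip>_<user>.ssh.pem` without setting a mode, and as far as I can tell fetch writes with the controller's umask, so passphrase-protected key material typically lands world-readable on the operator's machine; a follow-up `file` task delegated to localhost should set `0600` on each fetched file. The `state: link` task also hard-codes RSA file names: a host provisioned under the previous `ecdsa` setting already has an `id_ecdsa` pair, the `user` module leaves an existing key alone, and `file` refuses to link to a missing `src` unless forced, so re-running against such a host likely fails at this task. Why the key type moved from ecdsa-521 to rsa-2048 is not stated; a short comment above `ssh_key_type` would help, since 2048 is the low end of what is considered acceptable for RSA. The fetch task is also the only one in the hunk written as a key=value string; block YAML matches the tasks around it.
```yaml
# … unchanged: user creation and authorized_keys link tasks …

- name: Fetch users SSH private keys
  fetch:
    src: '/var/jail/{{ item }}/.ssh/id_rsa'
    dest: 'configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem'
    flat: yes
  with_items: "{{ users }}"

- name: Restrict permissions on the fetched private keys
  file:
    path: 'configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem'
    mode: "0600"
  delegate_to: localhost
  with_items: "{{ users }}"
```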