wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-04-04 16:29:57 +02:00
Code Issues Projects Releases Wiki Activity
algo/server.yml
Dima Scherbakov fd6efb71f2
ssh_config: ignore pre-existing SSH keys on client (#14646) 
sshd limits the number of authentication attempts permitted per
established connection.
The limit is set via the MaxAuthTries option and defaults to six
attempts.

Client SSH environments that define more than six SSH keys globally or
in the agent would exhaust authentication attempts before they reach the
algo-specified per-instance SSH private key.

SSH client allows "forgetting" existing keys per connection using the
IdentitiesOnly option.
A client only offers an explicitly defined key when this option is set.
2023-09-27 18:15:35 +03:00

123 lines
4.3 KiB
YAML
Raw Permalink Blame History

---
- name: Configure the server and install required software
hosts: vpn-host
gather_facts: false
become: true
vars_files:
- config.cfg
tasks:
- block:
- name: Wait until the cloud-init completed
wait_for:
path: /var/lib/cloud/data/result.json
delay: 10
timeout: 600
state: present
become: false
when: cloudinit
- block:
- name: Ensure the config directory exists
file:
dest: configs/{{ IP_subject_alt_name }}
state: directory
mode: "0700"
- name: Dump the ssh config
copy:
dest: configs/{{ IP_subject_alt_name }}/ssh_config
mode: "0600"
content: |
Host {{ IP_subject_alt_name }} {{ algo_server_name }}
HostName {{ IP_subject_alt_name }}
User {{ ansible_ssh_user }}
Port {{ ansible_ssh_port }}
IdentitiesOnly yes
IdentityFile {{ SSH_keys.private | realpath }}
KeepAlive yes
ServerAliveInterval 30
when: inventory_hostname != 'localhost'
become: false
delegate_to: localhost
- import_role:
name: common
tags: common
- import_role:
name: dns
when:
- algo_dns_adblocking or dns_encryption
tags: dns
- import_role:
name: wireguard
when: wireguard_enabled
tags: wireguard
- import_role:
name: strongswan
when: ipsec_enabled
tags: ipsec
- import_role:
name: ssh_tunneling
when: algo_ssh_tunneling
tags: ssh_tunneling
- block:
- name: Dump the configuration
copy:
dest: configs/{{ IP_subject_alt_name }}/.config.yml
content: |
server: {{ 'localhost' if inventory_hostname == 'localhost' else inventory_hostname }}
server_user: {{ ansible_ssh_user }}
ansible_ssh_port: "{{ ansible_ssh_port|default(22) }}"
{% if algo_provider != "local" %}
ansible_ssh_private_key_file: {{ SSH_keys.private }}
{% endif %}
algo_provider: {{ algo_provider }}
algo_server_name: {{ algo_server_name }}
algo_ondemand_cellular: {{ algo_ondemand_cellular }}
algo_ondemand_wifi: {{ algo_ondemand_wifi }}
algo_ondemand_wifi_exclude: {{ algo_ondemand_wifi_exclude }}
algo_dns_adblocking: {{ algo_dns_adblocking }}
algo_ssh_tunneling: {{ algo_ssh_tunneling }}
algo_store_pki: {{ algo_store_pki }}
IP_subject_alt_name: {{ IP_subject_alt_name }}
ipsec_enabled: {{ ipsec_enabled }}
wireguard_enabled: {{ wireguard_enabled }}
{% if tests|default(false)|bool %}
ca_password: '{{ CA_password }}'
p12_password: '{{ p12_export_password }}'
{% endif %}
become: false
delegate_to: localhost
- name: Create a symlink if deploying to localhost
file:
src: "{{ IP_subject_alt_name }}"
dest: configs/localhost
state: link
force: true
when: inventory_hostname == 'localhost'
- name: Import tmpfs tasks
import_tasks: playbooks/tmpfs/umount.yml
become: false
delegate_to: localhost
vars:
facts: "{{ hostvars['localhost'] }}"
when:
- pki_in_tmpfs
- not algo_store_pki
- debug:
msg:
- "{{ congrats.common.split('\n') }}"
- " {{ congrats.p12_pass if algo_ssh_tunneling or ipsec_enabled else '' }}"
- " {{ congrats.ca_key_pass if algo_store_pki and ipsec_enabled else '' }}"
- " {{ congrats.ssh_access if algo_provider != 'local' else ''}}"
tags: always
rescue:
- include_tasks: playbooks/rescue.yml
Reference in a new issue View git blame Copy permalink