trailofbits · dguido · Feb 3, 2017 · Dec 18, 2016 · Jan 12, 2017 · Jan 12, 2017
@@ -45,4 +45,7 @@ install:
 
 script:
   - ansible-playbook deploy.yml --syntax-check
-  - ansible-playbook deploy.yml -t local,vpn,dns,ssh_tunneling,security -e "server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y"
+  - ansible-playbook deploy.yml -t local,vpn,dns,ssh_tunneling,security,tests -e "server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y"
+
+after_script:
+  - ./tests/update-users.sh
@@ -50,6 +50,12 @@ Do you want the VPN to support Windows 10 clients? (requires RSA certificates an
 Win10_Enabled=${Win10_Enabled:-n}
 if [[ "$Win10_Enabled" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" Win10_Enabled=Y"; fi
 
+read -p "
+Do you want to store the CA key? (required for update-users script, but less secure)
+[y/N]: " -r Store_CAKEY
+Store_CAKEY=${Store_CAKEY:-N}
+if [[ "$Store_CAKEY" =~ ^(n|N)$ ]]; then EXTRA_VARS+=" Store_CAKEY=N"; fi
+
 }
 
 deploy () {
@@ -332,7 +338,31 @@ Enter the number of your desired provider
 }
 
 user_management () {
-  ansible-playbook users.yml
+
+  read -p "
+Enter IP address of your server: (use localhost for local installation)
+: " -r server_ip
+
+  read -p "
+What user should we use to login on the server? (ignore if you're deploying to localhost)
+[root]: " -r server_user
+  server_user=${server_user:-root}
+
+read -p "
+Do you want each user to have their own account for SSH tunneling?
+[y/N]: " -r ssh_tunneling_enabled
+ssh_tunneling_enabled=${ssh_tunneling_enabled:-n}
+
+  read -p "
+Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)
+: " -r IP_subject
+
+  read -p "
+Enter the password for the private CA key:
+[pasted values will not be displayed]
+: " -rs easyrsa_CA_password
+
+ansible-playbook users.yml -e "server_ip=$server_ip server_user=$server_user ssh_tunneling_enabled=$ssh_tunneling_enabled IP_subject=$IP_subject easyrsa_CA_password=$easyrsa_CA_password"
 }
 
 case "$1" in

@@ -63,3 +63,18 @@
 
     - debug: msg="{{ additional_information.split('\n') }}"
       tags: cloud
+
+    - name: Save the CA key password
+      local_action: >
+        shell echo "{{ easyrsa_CA_password }}" > /tmp/ca_password
+      become: no
+      tags: tests
+
+    - name: Delete the CA key
+      local_action:
+        module: file
+        path: "configs/{{ IP_subject_alt_name }}/pki/private/cakey.pem"
+        state: absent
+      become: no
+      tags: always
+      when: Store_CAKEY is defined and Store_CAKEY == "N"
@@ -57,13 +57,13 @@
   template: src=known_hosts.j2 dest=/root/.ssh/{{ IP_subject_alt_name }}_known_hosts
 
 - name: Fetch users SSH private keys
-  fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes
+  fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes
   with_items: "{{ users }}"
 
 - name: Change mode for SSH private keys
-  local_action: file path=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem mode=0600
+  local_action: file path=configs/{{ IP_subject_alt_name }}/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem mode=0600
   with_items: "{{ users }}"
   become: false
 
 - name: Fetch the known_hosts file
-  fetch: src='/root/.ssh/{{ IP_subject_alt_name }}_known_hosts' dest=configs/{{ IP_subject_alt_name }}_known_hosts flat=yes
+  fetch: src='/root/.ssh/{{ IP_subject_alt_name }}_known_hosts' dest=configs/{{ IP_subject_alt_name }}/{{ IP_subject_alt_name }}_known_hosts flat=yes
@@ -9,6 +9,12 @@
 - set_fact:
     easyrsa_p12_export_password: "{{ (ansible_date_time.iso8601_basic|sha1|to_uuid).split('-')[0] }}"
     easyrsa_CA_password: "{{ CA_password.stdout }}"
+    IP_subject_alt_name: "{{ IP_subject_alt_name }}"
+
+- name: Change the algorithm to RSA
+  set_fact:
+    algo_params: "rsa:2048"
+  when: Win10_Enabled is defined and Win10_Enabled == "Y"
 
 - name: Install StrongSwan
   apt: name=strongswan state=latest update_cache=yes
@@ -97,153 +103,206 @@
   when: item in strongswan_enabled_plugins
   with_items: "{{ strongswan_plugins.stdout_lines }}"
 
-- name: Fetch easy-rsa-ipsec from git
-  git:
-    repo: git://github.com/ValdikSS/easy-rsa-ipsec.git
-    version: ipsec-with-patches
-    dest: "{{ easyrsa_dir }}"
-
-- name: Setup the vars file from our template
-  template: src=easy-rsa.vars.j2 dest={{ easyrsa_dir }}/easyrsa3/vars
-
 - name: Ensure the pki directory is not exist
-  file: dest={{ easyrsa_dir }}/easyrsa3/pki state=absent
+  local_action:
+    module: file
+    dest: configs/{{ IP_subject_alt_name }}/pki
+    state: absent
+  become: no
   when: easyrsa_reinit_existent == True
 
-- name: Build the pki enviroments
-  shell: >
-    ./easyrsa init-pki &&
-    touch '{{ easyrsa_dir }}/easyrsa3/pki/pki_initialized'
-  args:
-    chdir: '{{ easyrsa_dir }}/easyrsa3/'
-    creates: '{{ easyrsa_dir }}/easyrsa3/pki/pki_initialized'
+- name: Ensure the pki directories are exist
+  local_action:
+    module: file
+    dest: "configs/{{ IP_subject_alt_name }}/pki/{{ item }}"
+    state: directory
+    recurse: yes
+  become: no
+  with_items:
+    - ecparams
+    - certs
+    - crl
+    - newcerts
+    - private
+    - reqs
+
+- name: Ensure the files are exist
+  local_action:
+    module: file
+    dest: "configs/{{ IP_subject_alt_name }}/pki/{{ item }}"
+    state: touch
+  become: no
+  with_items:
+    - ".rnd"
+    - "private/.rnd"
+    - "index.txt"
+    - "index.txt.attr"
+    - "serial"
+
+- name: Generate the openssl server configs
+  local_action:
+    module: template
+    src: openssl.cnf.j2
+    dest: "configs/{{ IP_subject_alt_name }}/pki/openssl.cnf"
+  become: no
 
 - name: Build the CA pair
-  shell: >
-    ./easyrsa --batch build-ca -- -passout pass:"{{ easyrsa_CA_password }}" &&
-    touch {{ easyrsa_dir }}/easyrsa3/pki/ca_initialized
+  local_action: >
+    shell openssl ecparam -name prime256v1 -out ecparams/prime256v1.pem &&
+      openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/cakey.pem -out cacert.pem -x509 -days 3650 -batch -passout pass:"{{ easyrsa_CA_password }}" &&
+      touch {{ IP_subject_alt_name }}_ca_generated
+  become: no
   args:
-    chdir: '{{ easyrsa_dir }}/easyrsa3/'
-    creates: '{{ easyrsa_dir }}/easyrsa3/pki/ca_initialized'
-  notify:
-    - restart strongswan
+    chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+    creates: "{{ IP_subject_alt_name }}_ca_generated"
+  environment:
+    subjectAltName: "DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"
+
+- name: Copy the CA certificate
+  local_action:
+    module: copy
+    src: "configs/{{ IP_subject_alt_name }}/pki/cacert.pem"
+    dest: "configs/{{ IP_subject_alt_name }}/cacert.pem"
+    mode: 0600
+  become: no
+
+- name: Generate the serial number
+  local_action: >
+    shell echo 01 > serial &&
+      touch serial_generated
+  become: no
+  args:
+    chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+    creates: serial_generated
 
 - name: Build the server pair
-  shell: >
-    ./easyrsa gen-req {{ IP_subject_alt_name }} batch nopass -- -subj "/CN={{ IP_subject_alt_name }}" &&
-    ./easyrsa --subject-alt-name='DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}' sign-req server {{ IP_subject_alt_name }} -- -passin pass:"{{ easyrsa_CA_password }}" &&
-    touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
+  local_action: >
+    shell openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ IP_subject_alt_name }}.key -out reqs/{{ IP_subject_alt_name }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ IP_subject_alt_name }}" -batch &&
+    openssl ca -utf8 -in reqs/{{ IP_subject_alt_name }}.req -out certs/{{ IP_subject_alt_name }}.crt -config openssl.cnf -days 3650 -batch -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ IP_subject_alt_name }}" &&
+    touch certs/{{ IP_subject_alt_name }}_crt_generated
+  become: no
   args:
-    chdir: '{{ easyrsa_dir }}/easyrsa3/'
-    creates: '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
-  notify:
-    - restart strongswan
+    chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+    creates: certs/{{ IP_subject_alt_name }}_crt_generated
+  environment:
+    subjectAltName: "DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"
 
 - name: Build the client's pair
-  shell: >
-    ./easyrsa gen-req {{ item }} nopass -- -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" &&
-    ./easyrsa --subject-alt-name='DNS:{{ item }}' sign-req client {{ item }} nopass -- -passin pass:"{{ easyrsa_CA_password }}" &&
-    touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
+  local_action: >
+   shell openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" -batch &&
+      openssl ca -utf8 -in reqs/{{ item }}.req -out certs/{{ item }}.crt -config openssl.cnf -days 3650 -batch -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" &&
+      touch certs/{{ item }}_crt_generated
+  become: no
   args:
-    chdir: '{{ easyrsa_dir }}/easyrsa3/'
-    creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
+    chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+    creates: certs/{{ item }}_crt_generated
+  environment:
+    subjectAltName: "DNS:{{ item }}"
   with_items: "{{ users }}"
 
 - name: Build the client's p12
-  shell: >
-    openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:"{{ easyrsa_p12_export_password }}"
+  local_action: >
+    shell openssl pkcs12 -in certs/{{ item }}.crt -inkey private/{{ item }}.key -export -name {{ item }} -out private/{{ item }}.p12 -certfile cacert.pem -passout pass:"{{ easyrsa_p12_export_password }}"
+  become: no
   args:
-    chdir: '{{ easyrsa_dir }}/easyrsa3/'
+    chdir: "configs/{{ IP_subject_alt_name }}/pki/"
   with_items: "{{ users }}"
 
+- name: Copy the p12 certificates
+  local_action:
+    module: copy
+    src: "configs/{{ IP_subject_alt_name }}/pki/private/{{ item }}.p12"
+    dest: "configs/{{ IP_subject_alt_name }}/{{ item }}.p12"
+    mode: 0600
+  become: no
+  with_items:
+    - "{{ users }}"
+
 - name: Copy the CA cert to the strongswan directory
-  copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/ca.crt' dest=/etc/ipsec.d/cacerts/ca.crt owner=strongswan group=root mode=0600
+  copy: src='configs/{{ IP_subject_alt_name }}/pki/cacert.pem' dest=/etc/ipsec.d/cacerts/ca.crt owner=strongswan group=root mode=0600
   notify:
     - restart strongswan
 
 - name: Copy the server cert to the strongswan directory
-  copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ IP_subject_alt_name }}.crt' dest=/etc/ipsec.d/certs/{{ IP_subject_alt_name }}.crt owner=strongswan group=root mode=0600
+  copy: src='configs/{{ IP_subject_alt_name }}/pki/certs/{{ IP_subject_alt_name }}.crt' dest=/etc/ipsec.d/certs/{{ IP_subject_alt_name }}.crt owner=strongswan group=root mode=0600
   notify:
     - restart strongswan
 
 - name: Copy the server key to the strongswan directory
-  copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ IP_subject_alt_name }}.key' dest=/etc/ipsec.d/private/{{ IP_subject_alt_name }}.key owner=strongswan group=root mode=0600
+  copy: src='configs/{{ IP_subject_alt_name }}/pki/private/{{ IP_subject_alt_name }}.key' dest=/etc/ipsec.d/private/{{ IP_subject_alt_name }}.key owner=strongswan group=root mode=0600
   notify:
     - restart strongswan
 
 - name: Register p12 PayloadContent
-  shell: >
-    cat /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 | base64
+  local_action: >
+    shell cat private/{{ item }}.p12 | base64
   register:  PayloadContent
+  become: no
+  args:
+    chdir: "configs/{{ IP_subject_alt_name }}/pki/"
   with_items: "{{ users }}"
 
-- name: Register CA PayloadContent
-  shell: >
-    cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt | base64
-  register:  PayloadContentCA
-
 - name: Set facts for mobileconfigs
   set_fact:
     proxy_enabled: false
+    PayloadContentCA: "{{ lookup('file' , 'configs/{{ IP_subject_alt_name }}/pki/cacert.pem')|b64encode }}"
 
 - name: Build the mobileconfigs
-  template: src=mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600
+  local_action:
+    module: template
+    src: mobileconfig.j2
+    dest: configs/{{ IP_subject_alt_name }}/{{ item.0 }}.mobileconfig
+    mode: 0600
+  become: no
   with_together:
     - "{{ users }}"
     - "{{ PayloadContent.results }}"
   no_log: True
 
 - name: Build the client ipsec config file
-  template: src=client_ipsec.conf.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.conf mode=0600
+  local_action:
+    module: template
+    src: client_ipsec.conf.j2
+    dest: configs/{{ IP_subject_alt_name }}/ipsec_{{ item }}.conf
+    mode: 0600
+  become: no
   with_items:
     - "{{ users }}"
 
 - name: Build the client ipsec secret file
-  template: src=client_ipsec.secrets.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets mode=0600
+  local_action:
+    module: template
+    src: client_ipsec.secrets.j2
+    dest: configs/{{ IP_subject_alt_name }}/ipsec_{{ item }}.secrets
+    mode: 0600
+  become: no
   with_items:
     - "{{ users }}"
 
-- name: Fetch users P12
-  fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ IP_subject_alt_name }}_{{ item }}.p12 flat=yes
-  with_items: "{{ users }}"
-
-- name: Fetch users mobileconfig
-  fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=configs/{{ IP_subject_alt_name }}_{{ item }}.mobileconfig flat=yes
-  with_items: "{{ users }}"
-
-- name: Fetch users certificates
-  fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt dest=configs/{{ IP_subject_alt_name }}_{{ item }}.crt flat=yes
-  with_items: "{{ users }}"
-
-- name: Fetch users keys
-  fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key dest=configs/{{ IP_subject_alt_name }}_{{ item }}.key flat=yes
-  with_items: "{{ users }}"
-
-- name: Fetch users ipsec configs
-  fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.conf dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.conf flat=yes
-  with_items: "{{ users }}"
-
-- name: Fetch users ipsec secrets
-  fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.secrets flat=yes
-  with_items: "{{ users }}"
-
 - name: Build the windows client powershell script
-  template: src=client_windows.ps1.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/windows_{{ item }}.ps1 mode=0600
+  local_action:
+    module: template
+    src: client_windows.ps1.j2
+    dest: configs/{{ IP_subject_alt_name }}/windows_{{ item }}.ps1
+    mode: 0600
+  become: no
   when: Win10_Enabled is defined and Win10_Enabled == "Y"
   with_items: "{{ users }}"
 
-- name: Fetch users windows scripts
-  fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/windows_{{ item }}.ps1 dest=configs/{{ IP_subject_alt_name }}_{{ item }}_windows.ps1 flat=yes
-  when: Win10_Enabled is defined and Win10_Enabled == "Y"
-  with_items: "{{ users }}"
-
-- name: Restrict permissions
+- name: Restrict permissions for the remote private directories
   file: path="{{ item }}" state=directory mode=0700  owner=strongswan group=root
   with_items:
     - /etc/ipsec.d/private
 
-- name: Fetch server CA certificate
-  fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes
+- name: Restrict permissions for the local private directories
+  local_action:
+    module: file
+    path: "{{ item }}"
+    state: directory
+    mode: 0700
+  become: no
+  with_items:
+    - configs/{{ IP_subject_alt_name }}
 
 - include: iptables.yml
   tags: iptables