From 586d6279f67d7559a4c3e9a4bf9da8d3f076b2ab Mon Sep 17 00:00:00 2001
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com>
Date: Sun, 24 Nov 2019 13:12:02 +0100
Subject: [PATCH] SSH fixes
---
 README.md | 10 ++++-----
 docs/faq.md | 2 +-
 files/cloud-init/sshd_config | 2 +-
 server.yml | 40 ++++++++++++++++++++++++++++--------
 tests/cloud-init.sh | 2 +-
 tests/ssh-tunnel.sh | 2 +-
 6 files changed, 40 insertions(+), 18 deletions(-)
diff --git a/README.md b/README.md
index d13bf61..4040f84 100644
--- a/README.md
+++ b/README.md
@@ -92,7 +92,7 @@ You can now set up clients to connect to your VPN. Proceed to [Configure the VPN
 "# Local DNS resolver 172.16.0.1 #"
 "# The p12 and SSH keys password for new users is XXXXXXXX #"
 "# The CA key password is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX #"
- "# Shell access: ssh -i configs/algo.pem root@xxx.xxx.xx.xx #"
+ "# Shell access: ssh -F configs//ssh_config algo #"
 ```
 ## Configure the VPN Clients
@@ -147,17 +147,17 @@ Depending on the platform, you may need one or multiple of the following files.
 If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg` and SSH authorized_key files for them will be in the `configs` directory (user.ssh.pem). SSH user accounts do not have shell access, cannot authenticate with a password, and only have limited tunneling options (e.g., `ssh -N` is required). This ensures that SSH users have the least access required to setup a tunnel and can perform no other actions on the Algo server.
-Use the example command below to start an SSH tunnel by replacing `user` and `ip` with your own. Once the tunnel is setup, you can configure a browser or other application to use 127.0.0.1:1080 as a SOCKS proxy to route traffic through the Algo server.
+Use the example command below to start an SSH tunnel by replacing `` and `` with your own. Once the tunnel is setup, you can configure a browser or other application to use 127.0.0.1:1080 as a SOCKS proxy to route traffic through the Algo server.
- `ssh -D 127.0.0.1:1080 -f -q -C -N user@ip -i configs//ssh-tunnel/.pem`
+ `ssh -D 127.0.0.1:1080 -f -q -C -N @algo -i configs//ssh-tunnel/.pem -F configs//ssh_config`
 ## SSH into Algo Server
 Your Algo server is configured for key-only SSH access for administrative purposes. Open the Terminal app, `cd` into the `algo-master` directory where you originally downloaded Algo, and then use the command listed on the success message:
- `ssh -i configs/algo.pem user@ip`
+ `ssh -F configs//ssh_config algo`
-where `user` is either `root` or `ubuntu` as listed on the success message, and `ip` is the IP address of your Algo server. If you find yourself regularly logging into the server then it will be useful to load your Algo ssh key automatically. Add the following snippet to the bottom of `~/.bash_profile` to add it to your shell environment permanently.
+where `` is the IP address of your Algo server. If you find yourself regularly logging into the server then it will be useful to load your Algo ssh key automatically. Add the following snippet to the bottom of `~/.bash_profile` to add it to your shell environment permanently.
 `ssh-add ~/.ssh/algo > /dev/null 2>&1`
diff --git a/docs/faq.md b/docs/faq.md
index 69d4d61..354b2ed 100644
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -78,4 +78,4 @@ No.
 ## What inbound ports are used?
-You should only need 22/TCP, 500/UDP, 4500/UDP, and 51820/UDP opened on any firewall that sits between your clients and your Algo server. See [AlgoVPN and Firewalls](/docs/firewalls.md) for more information.
+You should only need 4160/TCP, 500/UDP, 4500/UDP, and 51820/UDP opened on any firewall that sits between your clients and your Algo server. See [AlgoVPN and Firewalls](/docs/firewalls.md) for more information.
diff --git a/files/cloud-init/sshd_config b/files/cloud-init/sshd_config
index de3b21e..02349ec 100644
--- a/files/cloud-init/sshd_config
+++ b/files/cloud-init/sshd_config
@@ -1,5 +1,5 @@
 Port {{ ssh_port }}
-AllowUsers algo
+AllowGroups algo
 PermitRootLogin no
 PasswordAuthentication no
 ChallengeResponseAuthentication no
diff --git a/server.yml b/server.yml
index 39653e9..12d6175 100644
--- a/server.yml
+++ b/server.yml
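Review bot: `AllowGroups algo` replaces a one-account allow-list with a group allow-list, and nothing in this hunk records which accounts are meant to belong to the `algo` group — presumably the admin user plus the per-user SSH-tunnel accounts the README hunk describes, but the commit does not say. A comment above the directive, e.g. `# only members of the algo group may log in (admin user and ssh-tunnel accounts)`, would make the intended membership reviewable, and it is worth confirming that no other role adds accounts to that group. `PermitRootLogin no` and `PasswordAuthentication no` on the following lines still hold, so the widening applies only to key-based logins by group members.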
@@ -6,16 +6,38 @@ vars_files:
 - config.cfg
 tasks:
- - name: Wait until the cloud-init completed
- wait_for:
- path: /var/lib/cloud/data/result.json
- delay: 10
- timeout: 600
- state: present
- become: false
- when: cloudinit
- - block:
+ - name: Wait until the cloud-init completed
+ wait_for:
+ path: /var/lib/cloud/data/result.json
+ delay: 10
+ timeout: 600
+ state: present
+ become: false
+ when: cloudinit
+
+ - block:
+ - name: Ensure the config directory exists
+ file:
+ dest: "configs/{{ IP_subject_alt_name }}"
+ state: directory
+ mode: "0700"
+
+ - name: Dump the ssh config
+ copy:
+ dest: "configs/{{ IP_subject_alt_name }}/ssh_config"
+ mode: "0600"
+ content: |
+ Host {{ IP_subject_alt_name }} algo
+ HostName {{ IP_subject_alt_name }}
+ User {{ ansible_ssh_user }}
+ Port {{ ansible_ssh_port }}
+ IdentityFile {{ SSH_keys.private }}
+ KeepAlive yes
+ ServerAliveInterval 30
+ become: false
+ delegate_to: localhost
+
 - import_role:
 name: common
 tags: common
diff --git a/tests/cloud-init.sh b/tests/cloud-init.sh
index f8de251..a17e51e 100755
--- a/tests/cloud-init.sh
+++ b/tests/cloud-init.sh
@@ -9,7 +9,7 @@ export DNS_ADBLOCKING=true
 export SSH_TUNNELING=true
 export ENDPOINT=10.0.8.100
 export USERS=desktop,user1,user2
-export EXTRA_VARS='install_headers=false tests=true apparmor_enabled=false local_service_ip=172.16.0.1'
+export EXTRA_VARS='install_headers=false tests=true apparmor_enabled=false local_service_ip=172.16.0.1 ansible_ssh_user=4160'
 export ANSIBLE_EXTRA_ARGS='--skip-tags apparmor'
 export REPO_SLUG=${TRAVIS_PULL_REQUEST_SLUG:-${TRAVIS_REPO_SLUG:-trailofbits/algo}}
 export REPO_BRANCH=${TRAVIS_PULL_REQUEST_BRANCH:-${TRAVIS_BRANCH:-master}}
diff --git a/tests/ssh-tunnel.sh b/tests/ssh-tunnel.sh
index 39f6ecc..fba8039 100755
--- a/tests/ssh-tunnel.sh
+++ b/tests/ssh-tunnel.sh
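Review bot: `KeepAlive yes` in the new ssh_config content is the obsolete spelling of the option; as far as I know recent OpenSSH accepts it only as a compatibility alias for `TCPKeepAlive`, and `ServerAliveInterval 30` on the next line already provides an application-level keep-alive, so the line can be dropped or written as `TCPKeepAlive yes`. The generated file embeds the admin login user and the private-key path from `SSH_keys.private`, so the `mode: "0600"` on the copy task and `mode: "0700"` on the directory task are the right choice and should be kept. A short comment above the `Dump the ssh config` task noting that the file is consumed through `ssh -F` by the README instructions and by tests/ssh-tunnel.sh would help later maintainers. The `block:` these two tasks open continues past the end of the hunk.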
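Review bot: `ansible_ssh_user=4160` in the new EXTRA_VARS line looks like a typo for `ansible_ssh_port=4160`: the docs/faq.md hunk in this commit moves the inbound SSH port from 22/TCP to 4160/TCP, the server.yml hunk templates `Port {{ ansible_ssh_port }}` into the generated ssh_config, and a numeric login user would presumably make the test connect as a nonexistent account. Suggested line: `export EXTRA_VARS='install_headers=false tests=true apparmor_enabled=false local_service_ip=172.16.0.1 ansible_ssh_port=4160'`.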
@@ -6,7 +6,7 @@ PASS=$(grep ^p12_password: configs/10.0.8.100/.config.yml | awk '{print $2}')
 ssh-keygen -p -P ${PASS} -N '' -f configs/10.0.8.100/ssh-tunnel/desktop.pem
-ssh -o StrictHostKeyChecking=no -D 127.0.0.1:1080 -f -q -C -N desktop@10.0.8.100 -i configs/10.0.8.100/ssh-tunnel/desktop.pem
+ssh -o StrictHostKeyChecking=no -D 127.0.0.1:1080 -f -q -C -N desktop@10.0.8.100 -i configs/10.0.8.100/ssh-tunnel/desktop.pem -F configs/10.0.8.100/ssh_config
 git config --global http.proxy 'socks5://127.0.0.1:1080'