SSH fixes

README.md

@@ -92,7 +92,7 @@ You can now set up clients to connect to your VPN. Proceed to [Configure the VPN
     "#                     Local DNS resolver 172.16.0.1                    #"
     "#        The p12 and SSH keys password for new users is XXXXXXXX       #"
     "#        The CA key password is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX       #"
-    "#      Shell access: ssh -i configs/algo.pem root@xxx.xxx.xx.xx        #"
+    "#      Shell access: ssh -F configs/<server_ip>/ssh_config algo        #"
 ```
 
 ## Configure the VPN Clients
@@ -147,17 +147,17 @@ Depending on the platform, you may need one or multiple of the following files.
 
 If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg` and SSH authorized_key files for them will be in the `configs` directory (user.ssh.pem). SSH user accounts do not have shell access, cannot authenticate with a password, and only have limited tunneling options (e.g., `ssh -N` is required). This ensures that SSH users have the least access required to setup a tunnel and can perform no other actions on the Algo server.
 
-Use the example command below to start an SSH tunnel by replacing `user` and `ip` with your own. Once the tunnel is setup, you can configure a browser or other application to use 127.0.0.1:1080 as a SOCKS proxy to route traffic through the Algo server.
+Use the example command below to start an SSH tunnel by replacing `<user>` and `<ip>` with your own. Once the tunnel is setup, you can configure a browser or other application to use 127.0.0.1:1080 as a SOCKS proxy to route traffic through the Algo server.
 
- `ssh -D 127.0.0.1:1080 -f -q -C -N user@ip -i configs/<server_ip>/ssh-tunnel/<user>.pem`
+ `ssh -D 127.0.0.1:1080 -f -q -C -N <user>@algo -i configs/<ip>/ssh-tunnel/<user>.pem -F configs/<ip>/ssh_config`
 
 ## SSH into Algo Server
 
 Your Algo server is configured for key-only SSH access for administrative purposes. Open the Terminal app, `cd` into the `algo-master` directory where you originally downloaded Algo, and then use the command listed on the success message:
 
- `ssh -i configs/algo.pem user@ip`
+ `ssh -F configs/<ip>/ssh_config algo`
 
-where `user` is either `root` or `ubuntu` as listed on the success message, and `ip` is the IP address of your Algo server. If you find yourself regularly logging into the server then it will be useful to load your Algo ssh key automatically. Add the following snippet to the bottom of `~/.bash_profile` to add it to your shell environment permanently.
+where `<ip>` is the IP address of your Algo server. If you find yourself regularly logging into the server then it will be useful to load your Algo ssh key automatically. Add the following snippet to the bottom of `~/.bash_profile` to add it to your shell environment permanently.
 
  `ssh-add ~/.ssh/algo > /dev/null 2>&1`
 

docs/faq.md

@@ -78,4 +78,4 @@ No.
 
 ## What inbound ports are used?
 
-You should only need 22/TCP, 500/UDP, 4500/UDP, and 51820/UDP opened on any firewall that sits between your clients and your Algo server. See [AlgoVPN and Firewalls](/docs/firewalls.md) for more information.
+You should only need 4160/TCP, 500/UDP, 4500/UDP, and 51820/UDP opened on any firewall that sits between your clients and your Algo server. See [AlgoVPN and Firewalls](/docs/firewalls.md) for more information.

files/cloud-init/sshd_config

@@ -1,5 +1,5 @@
 Port {{ ssh_port }}
-AllowUsers algo
+AllowGroups algo
 PermitRootLogin no
 PasswordAuthentication no
 ChallengeResponseAuthentication no

server.yml

@@ -6,16 +6,38 @@
   vars_files:
     - config.cfg
   tasks:
-    - name: Wait until the cloud-init completed
-      wait_for:
-        path: /var/lib/cloud/data/result.json
-        delay: 10
-        timeout: 600
-        state: present
-      become: false
-      when: cloudinit
-
     - block:
+      - name: Wait until the cloud-init completed
+        wait_for:
+          path: /var/lib/cloud/data/result.json
+          delay: 10
+          timeout: 600
+          state: present
+        become: false
+        when: cloudinit
+
+      - block:
+        - name: Ensure the config directory exists
+          file:
+            dest: "configs/{{ IP_subject_alt_name }}"
+            state: directory
+            mode: "0700"
+
+        - name: Dump the ssh config
+          copy:
+            dest: "configs/{{ IP_subject_alt_name }}/ssh_config"
+            mode: "0600"
+            content: |
+              Host {{ IP_subject_alt_name }} algo
+                HostName {{ IP_subject_alt_name }}
+                User {{ ansible_ssh_user }}
+                Port {{ ansible_ssh_port }}
+                IdentityFile {{ SSH_keys.private }}
+                KeepAlive yes
+                ServerAliveInterval 30
+        become: false
+        delegate_to: localhost
+
       - import_role:
           name: common
         tags: common

tests/cloud-init.sh

@@ -9,7 +9,7 @@ export DNS_ADBLOCKING=true
 export SSH_TUNNELING=true
 export ENDPOINT=10.0.8.100
 export USERS=desktop,user1,user2
-export EXTRA_VARS='install_headers=false tests=true apparmor_enabled=false local_service_ip=172.16.0.1'
+export EXTRA_VARS='install_headers=false tests=true apparmor_enabled=false local_service_ip=172.16.0.1 ansible_ssh_user=4160'
 export ANSIBLE_EXTRA_ARGS='--skip-tags apparmor'
 export REPO_SLUG=${TRAVIS_PULL_REQUEST_SLUG:-${TRAVIS_REPO_SLUG:-trailofbits/algo}}
 export REPO_BRANCH=${TRAVIS_PULL_REQUEST_BRANCH:-${TRAVIS_BRANCH:-master}}

tests/ssh-tunnel.sh

@@ -6,7 +6,7 @@ PASS=$(grep ^p12_password: configs/10.0.8.100/.config.yml | awk '{print $2}')
 
 ssh-keygen -p -P ${PASS} -N '' -f configs/10.0.8.100/ssh-tunnel/desktop.pem
 
-ssh -o StrictHostKeyChecking=no -D 127.0.0.1:1080 -f -q -C -N desktop@10.0.8.100 -i configs/10.0.8.100/ssh-tunnel/desktop.pem
+ssh -o StrictHostKeyChecking=no -D 127.0.0.1:1080 -f -q -C -N desktop@10.0.8.100 -i configs/10.0.8.100/ssh-tunnel/desktop.pem -F configs/10.0.8.100/ssh_config
 
 git config --global http.proxy 'socks5://127.0.0.1:1080'