trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

Failed to connect to the host via ssh: Permission denied #1575

Closed xmunet closed 5 years ago

xmunet commented 5 years ago

Describe the bug

Below error when deploying Algo on Vultr

TASK [common : Check the system] ***** fatal: [a.b.c.d]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Warning: Permanently added 'a.b.c.d' (ECDSA) to the list of known hosts.\r\nroot@a.b.c.d: Permission denied (publickey,password).", "unreachable": true}

But I can ssh to my VPN server with "ssh root@a.b.c.d" after regenerating the SSH key manually and copying it to my cloud server.

To Reproduce

Steps to reproduce the behavior:

  1. run ./algo

Expected behavior

pass the error

Full log

Algo running on: Linux Mint 19.2 (Virtualized: oracle)
ZIP file created: 2019-08-22 18:54:05.000000000 +0800
Python 2.7.15+
Runtime variables:
algo_provider "vultr"
algo_ondemand_cellular "False"
algo_ondemand_wifi "False"
algo_ondemand_wifi_exclude "X251bGw="
algo_dns_adblocking "True"
algo_ssh_tunneling "False"
wireguard_enabled "True"
dns_encryption "True"


PLAY [localhost] *****

TASK [Gathering Facts] *** ok: [localhost]

TASK [Ensure the requirements installed] ***** ok: [localhost]

TASK [Set required ansible version as a fact] **** ok: [localhost] => (item=ansible==2.7.12)

TASK [Verify Ansible meets Algo VPN requirements.] *** ok: [localhost] => { "changed": false, "msg": "All assertions passed" }

PLAY [Ask user for the input] ****

TASK [Gathering Facts] *** ok: [localhost]

[Cloud prompt] What provider would you like to use?

  1. DigitalOcean
  2. Amazon Lightsail
  3. Amazon EC2
  4. Vultr
  5. Microsoft Azure
  6. Google Compute Engine
  7. Scaleway
  8. OpenStack (DreamCompute optimised)
  9. CloudStack (Exoscale optimised)
  10. Install to existing Ubuntu 18.04 or 19.04 server (Advanced)

Enter the number of your desired provider :

TASK [Cloud prompt] ** ok: [localhost]

TASK [Set facts based on the input] ** ok: [localhost]

[VPN server name prompt] Name the vpn server [algo] :

TASK [VPN server name prompt] **** ok: [localhost]

[Cellular On Demand prompt] Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks? [y/N] :

TASK [Cellular On Demand prompt] * ok: [localhost]

[Wi-Fi On Demand prompt] Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi? [y/N] :

TASK [Wi-Fi On Demand prompt] **** ok: [localhost]

[Retain the PKI prompt] Do you want to retain the keys (PKI)? (required to add users in the future, but less secure) [y/N] :

TASK [Retain the PKI prompt] ***** ok: [localhost]

[DNS adblocking prompt] Do you want to enable DNS ad blocking on this VPN server? [y/N] :

TASK [DNS adblocking prompt] ***** ok: [localhost]

[SSH tunneling prompt] Do you want each user to have their own account for SSH tunneling? [y/N] :

TASK [SSH tunneling prompt] ** ok: [localhost]

TASK [Set facts based on the input] ** ok: [localhost]

PLAY [Provision the server] **

TASK [Gathering Facts] *** ok: [localhost]

--> Please include the following block of text when reporting issues:

Algo running on: Linux Mint 19.2 (Virtualized: oracle)
ZIP file created: 2019-08-22 18:54:05.000000000 +0800
Python 2.7.15+
Runtime variables:
algo_provider "vultr"
algo_ondemand_cellular "False"
algo_ondemand_wifi "False"
algo_ondemand_wifi_exclude "X251bGw="
algo_dns_adblocking "True"
algo_ssh_tunneling "False"
wireguard_enabled "True"
dns_encryption "True"

TASK [Display the invocation environment] **** changed: [localhost -> localhost]

TASK [Install the requirements] ** ok: [localhost -> localhost]

TASK [Generate the SSH private key] ** ok: [localhost]

TASK [Generate the SSH public key] * ok: [localhost]

[cloud-vultr : pause] Enter the local path to your configuration INI file (https://trailofbits.github.io/algo/cloud-vultr.html): :

TASK [cloud-vultr : pause] ***** ok: [localhost]

TASK [cloud-vultr : Set the token as a fact] ***** ok: [localhost]

TASK [cloud-vultr : Get regions] ***** ok: [localhost]

TASK [cloud-vultr : Format regions] ** ok: [localhost]

TASK [cloud-vultr : Set regions as a fact] *** ok: [localhost]

TASK [cloud-vultr : Set default region] ** ok: [localhost]

[cloud-vultr : pause] What region should the server be located in? (https://www.vultr.com/locations/):

  1. Sydney
  2. Toronto
  3. Frankfurt
  4. Paris
  5. London
  6. Tokyo
  7. Amsterdam
  8. Singapore
  9. Miami
  10. Silicon Valley
  11. New Jersey
  12. Dallas
  13. Chicago
  14. Los Angeles
  15. Seattle
  16. Atlanta

Enter the number of your desired region [11] :

TASK [cloud-vultr : pause] *** ok: [localhost]

TASK [cloud-vultr : Set the desired region as a fact] **** ok: [localhost]

TASK [cloud-vultr : Upload the SSH key] ** ok: [localhost]

TASK [cloud-vultr : Creating a firewall group] *** ok: [localhost]

TASK [cloud-vultr : Creating firewall rules] *****
ok: [localhost] => (item={u'ip': u'v4', u'cidr': u'0.0.0.0/0', u'protocol': u'tcp', u'port': 22})
ok: [localhost] => (item={u'ip': u'v6', u'cidr': u'::/0', u'protocol': u'tcp', u'port': 22})
ok: [localhost] => (item={u'ip': u'v4', u'cidr': u'0.0.0.0/0', u'protocol': u'udp', u'port': 500})
ok: [localhost] => (item={u'ip': u'v6', u'cidr': u'::/0', u'protocol': u'udp', u'port': 500})
ok: [localhost] => (item={u'ip': u'v4', u'cidr': u'0.0.0.0/0', u'protocol': u'udp', u'port': 4500})
ok: [localhost] => (item={u'ip': u'v6', u'cidr': u'::/0', u'protocol': u'udp', u'port': 4500})
ok: [localhost] => (item={u'ip': u'v4', u'cidr': u'0.0.0.0/0', u'protocol': u'udp', u'port': 51820})
ok: [localhost] => (item={u'ip': u'v6', u'cidr': u'::/0', u'protocol': u'udp', u'port': 51820})

TASK [cloud-vultr : Creating a server] *** [WARNING]: Some changes won't be applied to running instances. Use force=true to allow the instance allgo to be stopped/started.

ok: [localhost]

TASK [cloud-vultr : set_fact] **** ok: [localhost]

TASK [Set subjectAltName as afact] *** ok: [localhost]

TASK [Add the server to an inventory group] ** changed: [localhost]

TASK [Additional variables for the server] *** changed: [localhost]

TASK [Wait until SSH becomes ready...] *** ok: [localhost]

TASK [Linux | set OS specific facts] ***** ok: [localhost]

TASK [Set config paths as facts] ***** ok: [localhost]

TASK [Update config paths] *** changed: [localhost]

TASK [debug] ***** ok: [localhost] => { "IP_subject_alt_name": "a.b.c.d" }

Pausing for 20 seconds (ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)

TASK [A short pause, in order to be sure the instance is ready] ** ok: [localhost]

PLAY [Configure the server and install required software] ****

TASK [common : Check the system] ***** fatal: [a.b.c.d]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Warning: Permanently added 'a.b.c.d' (ECDSA) to the list of known hosts.\r\nroot@a.b.c.d: Permission denied (publickey,password).", "unreachable": true}

PLAY RECAP ***
a.b.c.d : ok=0 changed=0 unreachable=1 failed=0
localhost : ok=41 changed=4 unreachable=0 failed=0

davidemyers commented 5 years ago

Is this problem repeatable? Sometimes Vultr can be slow.

Was Algo's SSH key in authorized_keys before you added yours?

xmunet commented 5 years ago

> Is this problem repeatable? Sometimes Vultr can be slow.
>
> Was Algo's SSH key in authorized_keys before you added yours?

Thank you very much! The issue was fixed after adding Algo's SSH key to 'authorized_keys'. :)
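
Added example, not part of the thread and not Algo's own code: a shell check for the condition that resolved this issue, namely whether the public key the deployment connects with is actually listed in the server's authorized_keys. Both file paths are arguments because the thread does not show where Algo writes its key; the function names and all key material are constructed for illustration.

```shell
#!/bin/sh
# Added example. All key material below is constructed, not real keys.

# Print "<type> <base64-blob>" for every key line in file $1, skipping
# comments, leading options (from="...", no-pty, ...) and the key comment.
key_blobs() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         { for (i = 1; i < NF; i++)
               if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) { print $i, $(i + 1); break }
         }' "$1"
}

# key_is_authorized PUBKEY_FILE AUTHORIZED_KEYS_FILE
# 0 = key is listed, 1 = key is missing, 2 = PUBKEY_FILE holds no key.
key_is_authorized() {
    want=$(key_blobs "$1" | head -n 1)
    [ -n "$want" ] || return 2
    key_blobs "$2" | grep -qxF -- "$want"
}

# Demo on constructed files: first the state the thread describes (only a
# manually added key on the server), then after the deploy key is appended.
demo() {
    dir=$(mktemp -d)
    echo 'ssh-ed25519 AAAAC3ConstructedDeployKey deploy@workstation' > "$dir/deploy.pub"
    echo 'ssh-rsa AAAAB3ConstructedManualKey admin@laptop' > "$dir/authorized_keys"
    for step in before after; do
        if key_is_authorized "$dir/deploy.pub" "$dir/authorized_keys"; then
            echo "$step: deploy key present"
        else
            echo "$step: deploy key missing, expect 'Permission denied (publickey,...)'"
        fi
        # Same key, different comment and an options prefix: still a match.
        echo 'no-pty ssh-ed25519 AAAAC3ConstructedDeployKey algo' >> "$dir/authorized_keys"
    done
    rm -rf "$dir"
}
demo
```

For the server in this report the second argument would be root's `~/.ssh/authorized_keys`, since the log shows Ansible connecting as root.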