Vagrant documentation about default insecure key should be updated #5059

Closed
gou1 opened this Issue Dec 24, 2014 · 21 comments

gou1 commented Dec 24, 2014

Hi,

Vagrant supposedly uses the same insecure private key by default, which allows for easy ssh to the VMs. But lately vagrant has been replacing my private key when booting a VM.

Here's my setup:

  • Windows 7 Pro x64
  • VirtualBox 4.3.20
  • Vagrant 1.7.1

Here's my Vagrantfile:

Vagrant.configure(2) do |config|
    config.vm.box = "ubuntu/trusty32"
end

And when I run vagrant up I get:

Vagrant insecure key detected. Vagrant will automatically replace this with a newly generated keypair for better security.

How to force the use of the default insecure key? On Windows, because "vagrant ssh" is not practical to use, the typical workflow is to have a PuTTY session for Vagrant boxes. Having a newly generated key per box hinders this.

@gou1 gou1 changed the title from Vagrant now replacing insecure key to Vagrant replacing insecure key Dec 24, 2014

gou1 commented Dec 24, 2014

I came across this #4707 which I guess answers my question. I think it should be clearly documented somewhere on the website.

gou1 commented Dec 24, 2014

And #5005

gildegoma (Collaborator) commented Dec 24, 2014

You simply need to add config.ssh.insert_key = false into your Vagrantfile as explained in https://docs.vagrantup.com/v2/vagrantfile/ssh_settings.html.

What would you propose as an enhancement for the documentation?
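
Keeping the insecure key is the simplest fix for a PuTTY workflow, but note what it keeps: the private half of that key ships with every Vagrant install and is published in the Vagrant repository, so any VM that still accepts it is open to anyone who can reach its SSH port. That is usually acceptable while the guest is only reachable through a VirtualBox port forward on 127.0.0.1, and not once a bridged or host-only interface exposes it. A middle ground that keeps one stable, PuTTY-loadable key without keeping the public one: set config.ssh.insert_key = false, list your own key first in config.ssh.private_key_path (for example ["~/.ssh/vagrant_dev", "~/.vagrant.d/insecure_private_key"], so the first boot still works with the key the box trusts), and run a shell provisioner that installs your public key in the guest's authorized_keys and removes the insecure one. Note that private_key_path is reported further down in this thread as not honored in 1.7.1 (#4967); mitchellh reports it fixed in the closing comment, around 1.7.3. The provisioner below is an added example, not Vagrant's or the box's own code. It assumes the two public keys arrive as provisioner arguments (config.vm.provision "shell", path: "rotate-vagrant-key.sh", args: [my_pub, insecure_pub]), the insecure public key having been derived on the host with ssh-keygen -y -f ~/.vagrant.d/insecure_private_key; the script name and file names are hypothetical.

```shell
#!/bin/sh
# rotate-vagrant-key.sh: guest-side Vagrant shell provisioner that replaces the
# well-known insecure Vagrant public key in ~vagrant/.ssh/authorized_keys with
# the public half of a keypair you control, so "insert_key = false" does not
# leave a publicly known private key accepted by the VM.
#
# Added example, not Vagrant's or the box's own code. Assumptions: argument 1 is
# the public key to install, argument 2 is the insecure public key (obtained on
# the host with: ssh-keygen -y -f ~/.vagrant.d/insecure_private_key); the guest
# user is "vagrant". Script and file names are hypothetical.

set -eu

# pubkey_blob PUBKEY_LINE: print the base64 key material (second field) of a
# "type blob [comment]" public key line.
pubkey_blob() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# key_present FILE BLOB: exit 0 when BLOB occurs as a whole field on some line.
# Comparing fields (not whole lines) tolerates option prefixes such as "no-pty"
# and changed comments.
key_present() {
    awk -v blob="$2" '
        { for (i = 1; i <= NF; i++) if ($i == blob) found = 1 }
        END { exit !found }
    ' "$1"
}

# has_key FILE PUBKEY_LINE: exit 0 when the key material of PUBKEY_LINE is in FILE.
has_key() {
    key_present "$1" "$(pubkey_blob "$2")"
}

# rotate_authorized_keys FILE NEW_PUBKEY OLD_PUBKEY: remove every line carrying
# OLD_PUBKEY's key material, append NEW_PUBKEY once if absent, keep mode 0600,
# and print the resulting line count. Safe to run repeatedly.
rotate_authorized_keys() {
    akf=$1; new=$2; old=$3
    old_blob=$(pubkey_blob "$old")
    tmpf="$akf.tmp.$$"
    [ -f "$akf" ] || : > "$akf"
    awk -v blob="$old_blob" '
        { for (i = 1; i <= NF; i++) if ($i == blob) next; print }
    ' "$akf" > "$tmpf"
    if ! has_key "$tmpf" "$new"; then
        printf '%s\n' "$new" >> "$tmpf"
    fi
    mv "$tmpf" "$akf"
    chmod 600 "$akf"
    wc -l < "$akf" | tr -d ' '
}

main() {
    home=$(getent passwd vagrant | cut -d: -f6)
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    rotate_authorized_keys "$home/.ssh/authorized_keys" "$1" "$2" > /dev/null
    chown -R vagrant:vagrant "$home/.ssh"
}

# The provisioner passes both keys as arguments; sourcing the file without
# arguments only defines the functions.
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

Because the retired key is matched by its base64 blob rather than by its comment, the line is removed even if a box author edited the comment, and a second provisioning run leaves the file unchanged. Load ~/.ssh/vagrant_dev into PuTTY (via puttygen) once and it works for every box provisioned this way.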

@gildegoma gildegoma added the question label Dec 24, 2014

gou1 commented Dec 24, 2014

Thanks, config.ssh.insert_key = false did the trick 👍

The documentation says:

About config.ssh.insert_key:
"If true, Vagrant will automatically insert an insecure keypair to use for SSH. By default, this is true."

About config.ssh.private_key_path
"The path to the private key to use to SSH into the guest machine. By default this is the insecure private key that ships with Vagrant, since that is what public boxes use."

Which are both misleading IMHO.

I eventually found out the change in https://github.com/mitchellh/vagrant/blob/master/CHANGELOG.md , but it's not marked as "Breaking change".

Considering this workflow has been around for a long time (so you have lots of resources available which reference this behaviour), I think it should be clearly stated in the documentation that it was changed in 1.7.

@gildegoma gildegoma added documentation core and removed question labels Dec 24, 2014

@gildegoma gildegoma changed the title from Vagrant replacing insecure key to Vagrant documentation about default insecure key should be updated Dec 24, 2014

gildegoma (Collaborator) commented Dec 24, 2014

Thanks @gou1 for the good catches :)

I agree that some "as of Vagrant 1.7" is missing, and that the private_key_path docs must be updated.

@mitchellh @sethvargo I renamed the issue title and tagged as "docs" issue.

@gou1 are you willing to propose a pull request? (just to know if somebody else should take on the job ;-)

gildegoma (Collaborator) commented Dec 24, 2014

Note that your initial question (How to force the use of the default insecure key?) has been answered.

gildegoma (Collaborator) commented Dec 24, 2014

(@gou1 Oh, I see that you've just updated your previous comment, and it is good to know that it works for you ☺️)

gou1 commented Dec 24, 2014

Sure I can do a PR, I'll try to submit it within a week!

gildegoma (Collaborator) commented Dec 24, 2014

@gou1 THANKS 💓

gou1 commented Dec 24, 2014

Oh and

Merry Christmas

ploxiln commented Dec 31, 2014

After updating to vagrant 1.7.1, config.ssh.private_key_path doesn't seem to take effect anymore. Perhaps I need some other combination of options for it to work?

Demonstration of manual ssh using all the same parameters working, but vagrant ssh somehow failing to try the correct private key:

[pierce@plo-pro dockerdev]$ vagrant --version
Vagrant 1.7.1
[pierce@plo-pro dockerdev]$ grep private_key_path Vagrantfile 
  config.ssh.private_key_path = ["~/.vagrant.d/insecure_private_key", "~/.ssh/id_rsa"]
[pierce@plo-pro dockerdev]$ vagrant ssh
vagrant@127.0.0.1's password: 

[pierce@plo-pro dockerdev]$ vagrant ssh-config
Host default
  HostName 127.0.0.1
  User vagrant
  Port 2222
  UserKnownHostsFile /dev/null
  StrictHostKeyChecking no
  PasswordAuthentication no
  IdentityFile /Users/pierce/team15/sysop/dockerdev/.vagrant/machines/default/virtualbox/private_key
  IdentitiesOnly yes
  LogLevel FATAL
  ForwardAgent yes

[pierce@plo-pro dockerdev]$ ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_rsa -p 2222 vagrant@127.0.0.1
Warning: Permanently added '[127.0.0.1]:2222' (RSA) to the list of known hosts.
Last login: Wed Dec 31 19:56:16 2014 from 10.0.2.2
vagrant@dockerdev:~$ echo "key based auth worked..."

I understand that the vagrant-insecure-key path is no longer correct for the latest version. (or is it correct until the newly created public key is copied in for config.ssh.insert_key?). Anyway, the correct private key is in the list, and even if I change it from a list to just the correct private key, it still doesn't seem to use it.

ploxiln commented Dec 31, 2014

this could be due to needing to use an ssh agent for a passphrase-protected key, and something related to that changing... I'm on OS X btw... sorry to pollute this issue with unrelated comments

gildegoma (Collaborator) commented Dec 31, 2014

@ploxiln I think that you are bitten by #4967 bug.

isimmons commented Feb 26, 2015

Hi, I have a problem with running laravel/homestead due to this automatic insertion of secure keys.

I should not be editing the vagrant file as it is part of the source for homestead. Somehow 'homestead ssh' works but is very slow so I would like to continue using plain old ssh from the cli

ssh vagrant@127.0.0.1 -p 2222

But now when I do this I get the following message.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
f4:4e:31:f6:f1:a7:bb:97:b3:e3:2b:ac:65:19:c0:e1.
Please contact your system administrator.
Add correct host key in /c/Users/lotus/.ssh/known_hosts to get rid of this message.
Offending key in /c/Users/lotus/.ssh/known_hosts:18
RSA host key for [127.0.0.1]:2222 has changed and you have requested strict checking.
Host key verification failed.

Where can I find the correct key to add to the known hosts file?

gregorskii commented Mar 3, 2015

It is in ~/.ssh/known_hosts

ploxiln commented Mar 3, 2015

This issue is not about known_hosts. vagrant does not automatically insert keys into known_hosts, what you're seeing is normal default ssh behavior regarding known_hosts.

For hostnames / ip addresses which you expect to change identity (new VM, new ssh host key generated inside the VM), you can use the ssh config options which vagrant does for "vagrant ssh":

[pierce@plo-pro dockerdev]$ vagrant ssh-config
...
  UserKnownHostsFile /dev/null
  StrictHostKeyChecking no
...

isimmons commented Mar 4, 2015

Thanks for the reply but I'm not understanding. According to the message I get from using ssh the problem is that the correct host key is not in the known_hosts file.

So how do I get the correct host key so I can manually insert it into the known_hosts file?

vagrant ssh-config does not work because there is no vagrantfile. Even if I cd to the directory where the vagrant file exists "C:\Users\lotus\AppData\Roaming\Composer\vendor\laravel\homestead" I get the following message

The provider for this Vagrant-managed machine is reporting that it
is not yet ready for SSH. Depending on your provider this can carry
different meanings. Make sure your machine is created and running and
try again. Additionally, check the output of `vagrant status` to verify
that the machine is in the state that you expect. If you continue to
get this error message, please view the documentation for the provider
you're using.

I get the same message if I first do homestead up to start up the machine.

But I still don't see what vagrant ssh-config has to do with me using plain old ssh like

ssh vagrant@127.0.0.1 -p 2222

ploxiln commented Mar 4, 2015

What you need to do now is remove the key for host "127.0.0.1" in your known_hosts. I wasn't suggesting using "vagrant ssh-config", just using the ssh config options which "vagrant ssh" uses. I ran "vagrant ssh-config" to show how I knew of them. Those two options I pointed out cause ssh to not use known_hosts, which is appropriate in this case. You should research how to configure ssh (you'll probably want to edit ~/.ssh/config) and how known_hosts is used.

isimmons commented Mar 7, 2015

Thanks @ploxiln . Sorry I misunderstood. I removed the local host entry and then when I used ssh again it added it back to the known_hosts file with the correct rsa key on the first time and now works as it should. Also 'homestead ssh' which calls 'vagrant ssh' still works so all is good.

I agree that I need to research ssh config options but also think this should be added to documentation. Basically if user has a basic default ssh setup using openssh (at least on Windows systems) the known_hosts file will be used by default and the current entry for 127.0.0.1 will be incorrect because vagrant changed it so that entry will need to be deleted and re-created again in order for plain old ssh connections to work.
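
The warning is expected whenever a box is destroyed and recreated behind the same forwarded port: the new guest generates a fresh host key at first boot, while ~/.ssh/known_hosts still holds the old one under [127.0.0.1]:2222. Removing that one entry with ssh-keygen -R "[127.0.0.1]:2222" is the targeted fix. The two options vagrant ssh uses (UserKnownHostsFile /dev/null and StrictHostKeyChecking no) make the warning go away by switching host authentication off entirely; that is tolerable for a VM reached only over loopback, where the host machine itself owns the port, and should not be copied into ~/.ssh/config as a blanket setting, where it would silently accept a changed key on any host. The helper below is an added example, not Vagrant's code: it removes a stale entry from a known_hosts file the way ssh-keygen -R does for unhashed entries, and wraps ssh with a project-local known_hosts file so the guest's key is pinned after first contact rather than ignored. It assumes OpenSSH 7.6 or newer for StrictHostKeyChecking=accept-new, and the file and function names are hypothetical.

```shell
#!/bin/sh
# known-hosts-helper.sh: host-side helper for the "REMOTE HOST IDENTIFICATION HAS
# CHANGED" warning that appears after a box is destroyed and recreated behind the
# same forwarded port (the new guest generates a new host key). Keeps host-key
# verification on, by pinning the guest's key in a per-project known_hosts file,
# instead of pointing UserKnownHostsFile at /dev/null.
#
# Added example, not Vagrant's code. Assumptions: OpenSSH known_hosts format
# ("hosts type base64 [comment]", optional leading @marker); hashed entries
# (HashKnownHosts yes) are left untouched and need `ssh-keygen -R`; the
# StrictHostKeyChecking=accept-new value needs OpenSSH 7.6 or newer.

set -eu

# known_hosts_name HOST PORT: the name OpenSSH records for HOST on PORT.
known_hosts_name() {
    if [ "$2" = "22" ]; then
        printf '%s\n' "$1"
    else
        printf '[%s]:%s\n' "$1" "$2"
    fi
}

# forget_host FILE HOST PORT: remove every entry whose host list contains
# HOST:PORT (same effect as `ssh-keygen -R "[HOST]:PORT" -f FILE` for
# unhashed entries). Prints the number of lines removed.
forget_host() {
    khf=$1
    name=$(known_hosts_name "$2" "$3")
    if [ ! -f "$khf" ]; then
        echo 0
        return 0
    fi
    kept="$khf.tmp.$$"
    before=$(wc -l < "$khf" | tr -d ' ')
    awk -v name="$name" '
        NF == 0 || $1 ~ /^#/ { print; next }        # blanks and comments
        {
            hosts = ($1 ~ /^@/) ? $2 : $1            # skip @cert-authority/@revoked marker
            n = split(hosts, h, ",")
            for (i = 1; i <= n; i++) if (h[i] == name) next
            print
        }
    ' "$khf" > "$kept"
    after=$(wc -l < "$kept" | tr -d ' ')
    mv "$kept" "$khf"
    echo $((before - after))
}

# vagrant_ssh_pinned PROJECT_DIR USER HOST PORT KEYFILE [COMMAND...]
# Connects like `vagrant ssh` does (values taken from `vagrant ssh-config`), but
# with a project-local known_hosts: the host key is accepted on first contact and
# verified on every later one. After `vagrant destroy`, call
#   forget_host PROJECT_DIR/.vagrant/known_hosts HOST PORT
# so the next `vagrant up` can be pinned afresh.
vagrant_ssh_pinned() {
    dir=$1; user=$2; host=$3; port=$4; key=$5
    shift 5
    mkdir -p "$dir/.vagrant"
    ssh -o UserKnownHostsFile="$dir/.vagrant/known_hosts" \
        -o StrictHostKeyChecking=accept-new \
        -o IdentitiesOnly=yes \
        -i "$key" -p "$port" "$user@$host" "$@"
}
```

Typical use from a project directory: vagrant_ssh_pinned . vagrant 127.0.0.1 2222 .vagrant/machines/default/virtualbox/private_key, and forget_host .vagrant/known_hosts 127.0.0.1 2222 right after vagrant destroy. On Windows with PuTTY the equivalent is to delete the matching SshHostKeys registry entry, since PuTTY keeps host keys in the registry rather than in known_hosts.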

bredenan added a commit to victoriauniversity/vagrant that referenced this issue May 29, 2015

Tell vagrant not to create new ssh keys
There was an issue with the previous Vagrantfile where vagrant ssh was asking for a password on login. This prevents that; however, proper ssh keys will need to be created for security reasons. See puphpet/puphpet#1253, http://stackoverflow.com/questions/23599297/changing-vagrantfile-causes-vagrant-ssh-to-prompt-for-a-password and hashicorp/vagrant#5059 for more information on this issue.

mitchellh (Member) commented Jul 7, 2015

This should be fixed now! We now honor private_key_path and take that over the inserted key.

@mitchellh mitchellh closed this Jul 7, 2015

sethvargo (Contributor) commented Jul 7, 2015

Since there is a lot of participation on this issue, I am going to lock the thread to prevent additional issues from being reported as comments. If you are using Vagrant 1.7.3 and still have errors with the generated SSH private key, please open a new issue on the issue tracker. Thank you! 😄

@hashicorp hashicorp locked and limited conversation to collaborators Jul 7, 2015
