From b7dd9984537e417807ab9eacc8f441626bea1850 Mon Sep 17 00:00:00 2001
From: Dusty Mabe
Date: Jul 25 2020 23:48:32 +0000
Subject: cloud vagrant: continue to support vagrant insecure rsa key

Upstream SSH has been claiming [1] for a few releases now that:

```
It is now possible to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. For this reason, we will be disabling the "ssh-rsa" public key signature algorithm by default in a near-future release.
```

In Fedora we switched recently [2] to disallow ssh-rsa. I filed a bug upstream [3] for Vagrant to stop using an rsa key. For now let's work around the issue.

[1] https://www.openssh.com/txt/release-8.3
[2] https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/b298a9e107b7e9699b36879eca031d1900ded1c4
[3] https://github.com/hashicorp/vagrant/issues/11783

---

diff --git a/fedora-cloud-base-vagrant.ks b/fedora-cloud-base-vagrant.ks index 612d039..284bb4c 100644 --- a/fedora-cloud-base-vagrant.ks +++ b/fedora-cloud-base-vagrant.ks @@ -53,6 +53,12 @@ EOKEYS chmod 600 ~vagrant/.ssh/authorized_keys chown -R vagrant:vagrant ~vagrant/.ssh/ +cat > /etc/ssh/sshd_config.d/10-vagrant-insecure-rsa-key.conf <
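
Review bot: The added `cat > /etc/ssh/sshd_config.d/10-vagrant-insecure-rsa-key.conf` line carries no comment in the kickstart, as far as the visible part of the hunk shows, marking this drop-in as a temporary workaround; a one-line comment above it pointing at https://github.com/hashicorp/vagrant/issues/11783 would tell the next maintainer when the file can be removed. The body of the here-document is cut off on this page, so its contents cannot be reviewed; if it re-enables ssh-rsa for the whole daemon, consider whether it can be limited to the vagrant account with a `Match User vagrant` block so other accounts on the image keep the distribution default. Because sshd keeps the first value it reads for most keywords, it is also worth confirming that the `10-` prefix sorts ahead of whichever drop-in applies the system crypto policy.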