#669 cloud vagrant: continue to support vagrant insecure rsa key
Merged 3 years ago by kevin. Opened 3 years ago by dustymabe.
dustymabe/fedora-kickstarts dusty-vagrant-workaround  into  master

@@ -53,6 +53,12 @@ 

  chmod 600 ~vagrant/.ssh/authorized_keys

  chown -R vagrant:vagrant ~vagrant/.ssh/

  

+ cat > /etc/ssh/sshd_config.d/10-vagrant-insecure-rsa-key.conf <<EOF

+ # For now the vagrant insecure key is an rsa key

+ # https://github.com/hashicorp/vagrant/issues/11783

+ PubkeyAcceptedKeyTypes=+ssh-rsa

+ EOF

+ 

  # Further suggestion from @purpleidea (James Shubin) - extend key to root users as well

  mkdir -m 0700 -p /root/.ssh

  cp /home/vagrant/.ssh/authorized_keys /root/.ssh/authorized_keys
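
Review bot: The `PubkeyAcceptedKeyTypes=+ssh-rsa` line in the new drop-in is a global sshd setting, so it applies to every account and not only `vagrant`. The unchanged lines just below copy the same authorized_keys file to /root/.ssh, so root logins with the Vagrant insecure key will accept SHA-1 RSA signatures as well. If that is intended, say so in the heredoc comment; otherwise consider limiting the override to the accounts that need it. The comment also says "For now" without a removal condition beyond the issue link; stating that the file should be dropped once Vagrant ships a non-RSA insecure key would make the workaround easier to retire. Minor: the heredoc uses an unquoted `EOF`, which is harmless with the current body, but `<<'EOF'` would keep later edits to the body from being shell-expanded.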

Upstream SSH has been claiming [1] for a few releases now that:

It is now possible to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K. For this reason, we will be
disabling the "ssh-rsa" public key signature algorithm by default in a
near-future release.

In Fedora we switched recently [2] to disallow ssh-rsa. I filed a bug
upstream [3] for Vagrant to stop using an rsa key. For now let's work around
the issue.

[1] https://www.openssh.com/txt/release-8.3
[2] https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/b298a9e107b7e9699b36879eca031d1900ded1c4
[3] https://github.com/hashicorp/vagrant/issues/11783

rebased onto d7c3d3397a0b26a83f4ed053b10a7a8e6ecf3440

3 years ago

Can you rebase again? the automated one isn't working out...

rebased onto b7dd998

3 years ago

rebased! good to merge?

Pull-Request has been merged by kevin

3 years ago