Vagrant documentation about default insecure key should be updated #5059

Closed
gou1 opened this issue Dec 24, 2014 · 21 comments

@gou1

gou1 commented Dec 24, 2014

Hi,

Vagrant supposedly uses the same insecure private key by default, which allows for easy ssh to the VMs. But lately vagrant has been replacing my private key when booting a VM.

Here's my setup:

  • Windows 7 Pro x64
  • VirtualBox 4.3.20
  • Vagrant 1.7.1

Here's my Vagrantfile:

Vagrant.configure(2) do |config|
    config.vm.box = "ubuntu/trusty32"
end

And when I run vagrant up I get:

Vagrant insecure key detected. Vagrant will automatically replace this with a newly generated keypair for better security.

How to force the use of the default insecure key? On Windows, because "vagrant ssh" is not practical to use, the typical workflow is to have a putty session for vagrant boxes. Having a newly generated key per box hinders this.

@gou1 gou1 changed the title Vagrant now replacing insecure key Vagrant replacing insecure key Dec 24, 2014
@gou1
Author

gou1 commented Dec 24, 2014

I came across this #4707 which I guess answers my question. I think it should be clearly documented somewhere on the website.

@gou1
Author

gou1 commented Dec 24, 2014

And #5005

@gildegoma
Collaborator

You simply need to add config.ssh.insert_key = false into your Vagrantfile as explained in https://docs.vagrantup.com/v2/vagrantfile/ssh_settings.html.

What would you propose as an enhancement for the documentation?

@gou1
Author

gou1 commented Dec 24, 2014

Thanks, config.ssh.insert_key = false did the trick 👍

The documentation says:

About config.ssh.insert_key:
"If true, Vagrant will automatically insert an insecure keypair to use for SSH. By default, this is true."

About config.ssh.private_key_path
"The path to the private key to use to SSH into the guest machine. By default this is the insecure private key that ships with Vagrant, since that is what public boxes use."

Which are both misleading IMHO.

I eventually found out the change in https://github.com/mitchellh/vagrant/blob/master/CHANGELOG.md , but it's not marked as "Breaking change".

Considering this workflow has been around for a long time (so you have lots of resources available which reference this behaviour), I think it should be clearly stated in the documentation that it was changed in 1.7.

@gildegoma gildegoma changed the title Vagrant replacing insecure key Vagrant documentation about default insecure key should be updated Dec 24, 2014
@gildegoma
Collaborator

Thanks @gou1 for the good catches :)

I agree that some "as of Vagrant 1.7" is missing, and that the private_key_path docs must be updated.

@mitchellh @sethvargo I renamed the issue title and tagged as "docs" issue.

@gou1 are you willing to propose a pull request? (just to know if somebody else should take on the job ;-)

@gildegoma
Collaborator

Note that your initial question (How to force the use of the default insecure key?) has been answered.

@gildegoma
Collaborator

(@gou1 Oh, I see that you've just updated your previous comment, and it is good to know that it works for you ☺️)

@gou1
Author

gou1 commented Dec 24, 2014

Sure I can do a PR, I'll try to submit it within a week!

@gildegoma
Collaborator

@gou1 THANKS 💓

@gou1
Author

gou1 commented Dec 24, 2014

Oh and

Merry Christmas

@ploxiln

ploxiln commented Dec 31, 2014

After updating to vagrant 1.7.1, config.ssh.private_key_path doesn't seem to take effect anymore. Perhaps I need some other combination of options for it to work?

Demonstration of manual ssh using all the same parameters working, but vagrant ssh somehow failing to try the correct private key:

[pierce@plo-pro dockerdev]$ vagrant --version
Vagrant 1.7.1
[pierce@plo-pro dockerdev]$ grep private_key_path Vagrantfile 
  config.ssh.private_key_path = ["~/.vagrant.d/insecure_private_key", "~/.ssh/id_rsa"]
[pierce@plo-pro dockerdev]$ vagrant ssh
vagrant@127.0.0.1's password: 

[pierce@plo-pro dockerdev]$ vagrant ssh-config
Host default
  HostName 127.0.0.1
  User vagrant
  Port 2222
  UserKnownHostsFile /dev/null
  StrictHostKeyChecking no
  PasswordAuthentication no
  IdentityFile /Users/pierce/team15/sysop/dockerdev/.vagrant/machines/default/virtualbox/private_key
  IdentitiesOnly yes
  LogLevel FATAL
  ForwardAgent yes

[pierce@plo-pro dockerdev]$ ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_rsa -p 2222 vagrant@127.0.0.1
Warning: Permanently added '[127.0.0.1]:2222' (RSA) to the list of known hosts.
Last login: Wed Dec 31 19:56:16 2014 from 10.0.2.2
vagrant@dockerdev:~$ echo "key based auth worked..."

I understand that the vagrant-insecure-key path is no longer correct for the latest version. (or is it correct until the newly created public key is copied in for config.ssh.insert_key?). Anyway, the correct private key is in the list, and even if I change it from a list to just the correct private key, it still doesn't seem to use it.
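
An added example, not part of the thread or of Vagrant's own code: a Ruby check over `vagrant ssh-config` output that compares the IdentityFile actually in effect with the keys listed in config.ssh.private_key_path, and reports whether host key verification is switched off. The function names, the home directory and the sample output are constructed for illustration; a `:configured_key_not_used` finding is the mismatch described in the comment above.

```ruby
# Added example: audit `vagrant ssh-config` output. Names and sample data are constructed.
INSECURE_KEY_NAME = "insecure_private_key" # shared key file name quoted in the thread

# Parse ssh_config-style text into [{ name:, options: { "keyword" => [values] } }].
def parse_ssh_config(text)
  hosts = []
  text.each_line do |line|
    key, value = line.strip.split(/\s+/, 2)
    next if key.nil? || value.nil? || key.start_with?("#")
    if key.casecmp?("Host")
      hosts << { name: value, options: Hash.new { |h, k| h[k] = [] } }
    elsif hosts.any?
      hosts.last[:options][key.downcase] << value.delete('"')
    end
  end
  hosts
end

# Compare the effective IdentityFile with the keys listed in
# config.ssh.private_key_path and flag disabled host key verification.
def audit_host(host, configured_keys, home)
  opts = host[:options]
  expand = ->(path) { path.sub(%r{\A~(?=/|\z)}, home) } # expand a leading "~"
  identities = opts["identityfile"].map(&expand)
  wanted = configured_keys.map(&expand)
  findings = []
  findings << :shared_insecure_key if identities.any? { |p| File.basename(p) == INSECURE_KEY_NAME }
  findings << :configured_key_not_used if wanted.any? && (identities & wanted).empty?
  findings << :host_key_checking_disabled if opts["stricthostkeychecking"].include?("no")
  findings << :known_hosts_discarded if opts["userknownhostsfile"].include?("/dev/null")
  findings
end

# Constructed sample, modelled on the per-machine key layout shown in the thread.
SAMPLE = <<~CFG
  Host default
    HostName 127.0.0.1
    User vagrant
    Port 2222
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no
    IdentityFile /home/dev/proj/.vagrant/machines/default/virtualbox/private_key
    IdentitiesOnly yes
CFG

if __FILE__ == $PROGRAM_NAME
  keys = ["~/.vagrant.d/insecure_private_key", "~/.ssh/id_rsa"]
  parse_ssh_config(SAMPLE).each { |h| puts "#{h[:name]}: #{audit_host(h, keys, '/home/dev').inspect}" }
end
```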

@ploxiln

ploxiln commented Dec 31, 2014

This could be due to needing to use an ssh agent for a passphrase-protected key, and something related to that changing... I'm on OS X btw... sorry to pollute this issue with unrelated comments

@gildegoma
Collaborator

@ploxiln I think that you are bitten by #4967 bug.

@isimmons

Hi, I have a problem with running laravel/homestead due to this automatic insertion of secure keys.

I should not be editing the vagrant file as it is part of the source for homestead. Somehow 'homestead ssh' works but is very slow so I would like to continue using plain old ssh from the cli

ssh [email protected] -p 2222

But now when I do this I get the following message.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
f4:4e:31:f6:f1:a7:bb:97:b3:e3:2b:ac:65:19:c0:e1.
Please contact your system administrator.
Add correct host key in /c/Users/lotus/.ssh/known_hosts to get rid of this message.
Offending key in /c/Users/lotus/.ssh/known_hosts:18
RSA host key for [127.0.0.1]:2222 has changed and you have requested strict checking.
Host key verification failed.

Where can I find the correct key to add to the known hosts file?

@gregorskii

It is in ~/.ssh/known_hosts

@ploxiln

ploxiln commented Mar 3, 2015

This issue is not about known_hosts. vagrant does not automatically insert keys into known_hosts, what you're seeing is normal default ssh behavior regarding known_hosts.

For hostnames / ip addresses which you expect to change identity (new VM, new ssh host key generated inside the VM), you can use the ssh config options which vagrant does for "vagrant ssh":

[pierce@plo-pro dockerdev]$ vagrant ssh-config
...
  UserKnownHostsFile /dev/null
  StrictHostKeyChecking no
...

@isimmons

isimmons commented Mar 4, 2015

Thanks for the reply but I'm not understanding. According to the message I get from using ssh the problem is that the correct host key is not in the known_hosts file.

So how do I get the correct host key so I can manually insert it into the known_hosts file?

vagrant ssh-config does not work because there is no vagrantfile. Even if I cd to the directory where the vagrant file exists "C:\Users\lotus\AppData\Roaming\Composer\vendor\laravel\homestead" I get the following message

The provider for this Vagrant-managed machine is reporting that it
is not yet ready for SSH. Depending on your provider this can carry
different meanings. Make sure your machine is created and running and
try again. Additionally, check the output of `vagrant status` to verify
that the machine is in the state that you expect. If you continue to
get this error message, please view the documentation for the provider
you're using.

I get the same message if I first do homestead up to start up the machine.

But I still don't see what vagrant ssh-config has to do with me using plain old ssh like

ssh [email protected] -p 2222

@ploxiln

ploxiln commented Mar 4, 2015

What you need to do now is remove the key for host "127.0.0.1" in your known_hosts. I wasn't suggesting using "vagrant ssh-config", just using the ssh config options which "vagrant ssh" uses. I ran "vagrant ssh-config" to show how I knew of them. Those two options I pointed out cause ssh to not use known_hosts, which is appropriate in this case. You should research how to configure ssh (you'll probably want to edit ~/.ssh/config) and how known_hosts is used.

@isimmons

isimmons commented Mar 7, 2015

Thanks @ploxiln . Sorry I misunderstood. I removed the local host entry and then when I used ssh again it added it back to the known_hosts file with the correct rsa key on the first time and now works as it should. Also 'homestead ssh' which calls 'vagrant ssh' still works so all is good.

I agree that I need to research ssh config options but also think this should be added to documentation. Basically if user has a basic default ssh setup using openssh (at least on Windows systems) the known_hosts file will be used by default and the current entry for 127.0.0.1 will be incorrect because vagrant changed it so that entry will need to be deleted and re-created again in order for plain old ssh connections to work.

@mitchellh
Contributor

This should be fixed now! We now honor private_key_path and take that over the inserted key.

@sethvargo
Contributor

Since there is a lot of participation on this issue, I am going to lock the thread to prevent additional issues from being reported as comments. If you are using Vagrant 1.7.3 and still have errors with the generated SSH private key, please open a new issue on the issue tracker. Thank you! 😄

@hashicorp hashicorp locked and limited conversation to collaborators Jul 7, 2015