Newly generated key is empty

[ghost]

I'm booting a CentOS 7 machine with SELinux enabled.

==> default: Verifying vmnet devices are healthy...
==> default: Preparing network adapters...
==> default: Starting the VMware VM...
==> default: Waiting for machine to boot. This may take a few minutes...
    default: SSH address: 172.16.171.131:22
    default: SSH username: vagrant
    default: SSH auth method: private key
    default: Warning: Connection refused. Retrying...
    default: 
    default: Vagrant insecure key detected. Vagrant will automatically replace
    default: this with a newly generated keypair for better security.
    default: 
    default: Inserting generated public key within guest...
    default: Removing insecure key from the guest if its present...
    default: Key inserted! Disconnecting and reconnecting using new SSH key...
Text will be echoed in the clear. Please install the HighLine or Termios libraries to suppress echoed text.
[email protected]'s password:vagrant
==> default: Machine booted and ready!

It seems that the newly generated public key isn't inserted:

[vagrant@localhost ~]$ cat .ssh/authorized_keys 
[vagrant@localhost ~]$ 

[sethvargo]

@yves-vogl sorry you are having problems with the new key insertion. Just for posterity sake, what happens if you disable SELinux?

[shiny]

I have the same problem too

vagrant up

default: Warning: Connection timeout. Retrying...
default: 
default: Vagrant insecure key detected. Vagrant will automatically replace
default: this with a newly generated keypair for better security.
default: 
default: Inserting generated public key within guest...
default: Removing insecure key from the guest if its present...
default: Key inserted! Disconnecting and reconnecting using new SSH key...
default: Warning: Authentication failure. Retrying...
default: Warning: Authentication failure. Retrying...
default: Warning: Authentication failure. Retrying...

Login in with password, cat ~/.ssh/authorized_keys is empty.

I have to excute openssl rsa -in .vagrant/machines/default/virtualbox/private_key -pubout
generate a public key,write it to authorized_keys by vim, then it goes normal.

Use debian7 minimal, SELinux not enabled.
That's very strange.

[shiny]

Solved by check the "Standard system utilities"

[ghost]

SELinux did not cause this. The same happens with SLES 11.3

==> default: Waiting for machine to boot. This may take a few minutes...
    default: SSH address: 172.16.171.131:22
    default: SSH username: vagrant
    default: SSH auth method: private key
    default: Warning: Connection refused. Retrying...
    default: 
    default: Vagrant insecure key detected. Vagrant will automatically replace
    default: this with a newly generated keypair for better security.
    default: 
    default: Inserting generated public key within guest...
    default: Removing insecure key from the guest if its present...
    default: Key inserted! Disconnecting and reconnecting using new SSH key...
    default: Warning: Authentication failure. Retrying...
    default: Warning: Authentication failure. Retrying...
    default: Warning: Authentication failure. Retrying...
    default: Warning: Authentication failure. Retrying...
    default: Warning: Authentication failure. Retrying...```

[haf]

vagrant package keeps messing with the key now even if the built box has correct file permissions on it. This is the second major roadblock towards getting my box up and running just this.

[smozely]

I'm seeing the same issue with RHEL and SELInux.

Update:
I don't think it is SELinux, having SELinux set to disabled. still ends up with same result.

Update 2:
A workaround is to just set config.ssh.insert_key = false in your Vagrantfile. Hat tip to the kitchen-vagrant link.

[rbair23]

I'm seeing this also on Oracle Linux 7.1. It seems like a pretty universal issue then with any RHEL 7 based system, as there are now reports of RHEL, CentOS 7, and OEL 7.1.

[dkoloditch]

This worked for me.

Assuming your IP addresses are the same (check via cat ~/.ssh/known_hosts), run:

ssh-keygen -R 172.28.128.1
ssh-keygen -R 172.28.128.3
ssh-keygen -R 127.0.0.1
ssh-keygen -R [127.0.0.1]
ssh-keygen -R [127.0.0.1]:2222
ssh-keygen -R 10.0.2.1
ssh-keygen -R 10.0.2.15

[rbair23]

I was wrong. In fact I am seeing the same symptoms (constantly being told that the key is insecure and a new secure key has been successfully installed) but not because /home/vagrant/.ssh/authorized_keys is empty, but rather because it is over-full. The file contains two keys: the original insecure one and the new secure one.

I see in the code (https://github.com/mitchellh/vagrant/blob/efd1d5e11bfc5a72c7a1d1eae294b4751d841544/plugins/guests/linux/cap/insert_public_key.rb) that the new secure key is appended to the authorized_keys file, and the insecure key is never removed.

I created this box that I'm testing with, and followed instructions such as http://docs.vagrantup.com/v2/boxes/base.html which contains language such as:

When Vagrant boots a box and detects the insecure keypair, it will automatically replace it with a randomly generated keypair for additional security while the box is running.

However the code above clearly uses >> to append to authorized_keys and not >, and also doesn't look for and remove the insecure key. I'm left wondering if my base box should just skip this step, and what would happen?

I'm also wondering , if I've followed this right, it hasn't shown up more generally for everybody.

[mitchellh]

@rbair23 After adding the key successfully, it does remove it.

I'll try to repro this with a Cent box.

[prateepb]

I'm seeing the same on CentOS 6

[doctapp]

Seems linked to #5186

[vdloo]

Same on Debian 8 Jessie
@smozely's workaround of adding config.ssh.insert_key = false seems to work

[doctapp]

Creating a new ubuntu/trusty64 VM works with the config.ssh.insert_key = false, but my existing VMs don't work.

[lsmolic]

I have found the 1.7.2 to be very buggy in this particular area and in my google travels I have found the following to resolve almost all situations, assuming you don't need a secure user:

config.ssh.username = "vagrant"
config.ssh.password = "vagrant"
config.ssh.insert_key = false

This will completely overwrite the key implementation, but there are definitely a number of bugs associated with public/private keys in this vagrant version.

Hope it helps.

[ghost]

Has anyone done a root cause analysis so far? Maybe we should support @mitchellh more to get this issue solved.

[vlad-ko]

hey guys, any updates on this, we still seem to be running into this problem... anything i can do to help troubleshoot?

[sethvargo]

This should be fixed by GH-6406. Thanks everyone!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.