Bug#831302: Vagrant box allows root login with insecure default key
On 07/14/2016 03:04 PM, Felix Dreissig wrote:
> Package: cloud.debian.org
> Severity: normal
> Tags: security
>
> Dear Debian cloud maintainers,
>
> in the "jessie64" Vagrant box (and presumably the other Vagrant boxes as
> well), the insecure Vagrant default SSH key is installed as authorized key for
> the root user and root login using SSH keys is permitted.
>
> Since Vagrant 1.7, the insecure default key is not used anymore by default.
> Instead, a random key is generated for the "vagrant" user on `vagrant up`. [1]
> This increases security when Vagrant machines are exposed outside their host,
> see [2] for the complete motivation. The Debian boxes, however, still allow
> root login using the insecure default key.
>
> From my understanding of Vagrant box creation [3], root login is not actually
> required and sudo is used.
> Otherwise, I'd suggest using the temporary key for root as well (if that's
> possible) or removing the insecure default key after initial provisioning.
>
> Best regards,
> Felix
>
> [1] https://github.com/mitchellh/vagrant/pull/4707
> [2] https://github.com/mitchellh/vagrant/issues/2608
> [3] https://www.vagrantup.com/docs/boxes/base.html#default-user-settings
>
A fix for this issue was committed yesterday, see
http://anonscm.debian.org/cgit/cloud/debian-vm-templates.git/commit/
The next box uploads will have the fix included.
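The report describes a concrete, checkable state: the Vagrant insecure public key sitting in root's authorized_keys and sshd permitting root login. The script below is an audit and cleanup helper added here as an example; it is not from the bug thread and not the fix in the debian-vm-templates repository. It walks a guest filesystem mounted at a directory of your choice (a loop-mounted box image, or "/" inside a running guest), lists authorized_keys files that carry the insecure key, reports the PermitRootLogin setting, and can strip the key, which is the "remove the insecure default key after initial provisioning" option from the report. Assumptions: the insecure key is recognised by the comment Vagrant attaches to it, "vagrant insecure public key" (the real key material is deliberately not reproduced here; the sample tree uses placeholder key strings), and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added audit/cleanup helper; not from the bug thread or the
# debian-vm-templates repository. Inspects a guest filesystem mounted at
# ROOT for the two conditions the report names: the Vagrant insecure key
# authorized for root, and sshd configured to permit root login.
#
# Assumption: the insecure key is recognised by the comment Vagrant attaches
# to it. Override INSECURE_KEY_COMMENT to look for a different key comment.

INSECURE_KEY_COMMENT="${INSECURE_KEY_COMMENT:-vagrant insecure public key}"

# List authorized_keys files under ROOT that contain the insecure key.
# Exit status 0 if at least one was found, 1 otherwise.
find_insecure_keys() {
    fik_root="$1"
    fik_status=1
    for fik_file in "$fik_root/root/.ssh/authorized_keys" \
                    "$fik_root"/home/*/.ssh/authorized_keys; do
        [ -f "$fik_file" ] || continue
        if grep -qF -- "$INSECURE_KEY_COMMENT" "$fik_file"; then
            echo "$fik_file"
            fik_status=0
        fi
    done
    return "$fik_status"
}

# Print the PermitRootLogin value from ROOT/etc/ssh/sshd_config, or "unset".
# sshd honours the first value it sees for a keyword, so only the first
# uncommented match counts; Match blocks are not interpreted here.
permit_root_login() {
    prl_cfg="$1/etc/ssh/sshd_config"
    [ -f "$prl_cfg" ] || { echo "missing"; return 1; }
    prl_val=$(awk 'tolower($1) == "permitrootlogin" && !seen { print $2; seen = 1 }' "$prl_cfg")
    echo "${prl_val:-unset}"
}

# Strip the insecure key from every authorized_keys file that carries it.
# Paths containing whitespace are not handled by the word-split loop.
remove_insecure_keys() {
    rik_list=$(find_insecure_keys "$1") || return 0   # nothing to remove
    for rik_file in $rik_list; do
        grep -vF -- "$INSECURE_KEY_COMMENT" "$rik_file" > "$rik_file.tmp" || :
        chmod 600 "$rik_file.tmp"
        mv "$rik_file.tmp" "$rik_file"
    done
}

# Build a constructed sample guest tree (not a real box) reproducing the
# reported state. The key strings are placeholders, not real key material.
make_sample_guest() {
    msg_root=$(mktemp -d)
    mkdir -p "$msg_root/root/.ssh" "$msg_root/home/vagrant/.ssh" "$msg_root/etc/ssh"
    printf '%s\n' \
        'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedPLACEHOLDERkey== vagrant insecure public key' \
        > "$msg_root/root/.ssh/authorized_keys"
    printf '%s\n' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERconstructedKEY admin@workstation' \
        > "$msg_root/home/vagrant/.ssh/authorized_keys"
    printf '%s\n' \
        '# constructed sample config' \
        '#PermitRootLogin prohibit-password' \
        'PermitRootLogin yes' \
        'PasswordAuthentication no' \
        > "$msg_root/etc/ssh/sshd_config"
    echo "$msg_root"
}

# Audit a guest tree and remove the insecure key if present.
#   sh audit_vagrant_root_key.sh /mnt/guest     (audit a mounted image)
#   sh audit_vagrant_root_key.sh --demo         (use the constructed sample)
audit_guest() {
    ag_root="$1"
    echo "PermitRootLogin: $(permit_root_login "$ag_root")"
    if find_insecure_keys "$ag_root"; then
        echo "insecure key present in the files above; removing"
        remove_insecure_keys "$ag_root"
    else
        echo "insecure key not found"
    fi
}

case "${1:-}" in
    --demo) audit_guest "$(make_sample_guest)" ;;
    "")     : ;;                  # no argument: only define the functions
    *)      audit_guest "$1" ;;
esac
```

Matching on the key comment is the weak part of this check: anyone can strip or edit a comment, so a production audit should compare the key's fingerprint (ssh-keygen -lf on each authorized_keys line) against the known fingerprint of the insecure key rather than trusting the trailing text. Removing the key line also does not change PermitRootLogin; if root SSH access is not needed, set it to "no" in sshd_config as a separate step.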