--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: Vagrant box allows root login with insecure default key
- From: Felix Dreissig <f30@f30.me>
- Date: Thu, 14 Jul 2016 15:04:36 +0200
- Message-id: <85FDB9CC-0713-4894-B822-10E49BB73BFA@f30.me>
Package: cloud.debian.org
Severity: normal
Tags: security
Dear Debian cloud maintainers,
in the "jessie64" Vagrant box (and presumably the other Vagrant boxes as
well), the insecure Vagrant default SSH key is installed as authorized key for
the root user and root login using SSH keys is permitted.
Since Vagrant 1.7, the insecure default key is not used anymore by default.
Instead, a random key is generated for the "vagrant" user on `vagrant up`. [1]
This increases security when Vagrant machines are exposed outside their host,
see [2] for the complete motivation. The Debian boxes, however, still allow
root login using the insecure default key.
From my understanding of Vagrant box creation [3], root login is not actually
required and sudo is used.
Otherwise, I'd suggest to use the temporary key for root as well (if that's
possible) or remove the insecure default key after initial provisioning.
Best regards,
Felix
[1] https://github.com/mitchellh/vagrant/pull/4707
[2] https://github.com/mitchellh/vagrant/issues/2608
[3] https://www.vagrantup.com/docs/boxes/base.html#default-user-settings
--- End Message ---