[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1011756: cloud.debian.org: Vagrant debian/testing64: sshd rejects default insecure ssh-rsa key, hangs waiting for SSH

Package: cloud.debian.org
Severity: normal
X-Debbugs-Cc: a.t.chadwick@gmail.com

Dear base box maintainers:

I don’t know if this should be a documentation fix or an image fix. I’ll 
just lay out the problem with as much detail as I can so that people can 
search it and find better workarounds. I think the FAQ at 
https://wiki.debian.org/Teams/Cloud/VagrantBaseBoxes should probably be 
updated, given that it’s linked from https://app.vagrantup.com/debian, a 
place where people sill be looking.

OpenSSH have addressed a weakness of SHA-1 by removing the ssh-rsa public 
key signature algorithm from their list of supported key types. The 
openssh-server 1:9.0p1-1 package in the debian/testing64 image incorporates 
this change. However the vagrant 2.2.14+dfsg-1 package shipped with Debian 
11 “bullseye” has a default “vagrant insecure public key” which requires 
ssh-rsa.

See
- https://github.com/hashicorp/vagrant/issues/11783
- https://github.com/hashicorp/packer/issues/10074


## Symptoms

The current debian/testing64 image hangs during “vagrant up”. If I follow 
the instructions at https://wiki.debian.org/Teams/Cloud/VagrantQuickStart, 
the following happens. I already have vagrant and vagrant-libvirt installed 
and configured enough for me to use them. I am using the current Debian 11 
versions.

> ~ $ cd "$(mktemp -d)"
> tmp.1PuBegzk6c $ vagrant init debian/testing64
> tmp.1PuBegzk6c $ vagrant up
> ==> default: Checking if box 'debian/testing64' version '20220414.1' is up to date...
> ==> default: Creating image (snapshot of base box volume).
> ==> default: Creating domain with the following settings...
> [...]
> ==> default: Starting domain.
> ==> default: Waiting for domain to get an IP address...
> ==> default: Waiting for SSH to become available...
> [... hangs here, but leave it running ...]

However, I can SSH in to the running virtual just fine from another window. 
Why this is, I don’t know.

> ~ $ cd /tmp/tmp.1PuBegzk6c
> tmp.1PuBegzk6c $ vagrant ssh
> Linux testing 5.16.0-6-amd64 #1 SMP PREEMPT Debian 5.16.18-1 (2022-03-29) x86_64
>
> The programs included with the Debian GNU/Linux system are free software;
> the exact distribution terms for each program are described in the
> individual files in /usr/share/doc/*/copyright.
>
> Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> permitted by applicable law.
> vagrant@testing:~$ cat .ssh/authorized_keys
> ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key

However, connections from the still-running vagrant command on the host are 
still failing, as a quick check of auth.log will confirm. What the heck!

> vagrant@testing:~$ sudo tail /var/log/auth.log
> [...]
> May 26 11:49:18 testing sshd[1644]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
> May 26 11:49:18 testing sshd[1644]: Connection closed by authenticating user vagrant 192.168.121.1 port 34488 [preauth]


## Workaround

One way to fix it from the user perspective is to grab @dustymabe’s fix from 
https://github.com/hashicorp/vagrant/issues/11783#issuecomment-720822960, 
and apply it over our mysteriously working SSH connection

> vagrant@testing:~$ sudo tee >/dev/null /etc/ssh/sshd_config.d/10-vagrant-insecure-rsa-key.conf <<EOF
> # For now the vagrant insecure key is an rsa key
> # https://github.com/hashicorp/vagrant/issues/11783
> PubkeyAcceptedKeyTypes=+ssh-rsa
> EOF
> vagrant@testing:~$ sudo systemctl restart ssh

This allows the hung vagrant to resume immediately:

>     default:
>     default: Vagrant insecure key detected. Vagrant will automatically replace
>     default: this with a newly generated keypair for better security.
>     default:
>     default: Inserting generated public key within guest...
>     default: Removing insecure key from the guest if it's present...
>     default: Key inserted! Disconnecting and reconnecting using new SSH key...
> ==> default: Installing NFS client...
> ==> default: Exporting NFS shared folders...
> ==> default: Preparing to edit /etc/exports. Administrator privileges will be required...
> ==> default: Mounting NFS shared folders...
> 
> ==> default: Machine 'default' has a post `vagrant up` message. This is a message
> ==> default: from the creator of the Vagrantfile, and not from Vagrant itself:
> ==> default:
> ==> default: Vanilla Debian box. See https://app.vagrantup.com/debian for help and bug reports



   thanks for keeping the boxes fresh
   - Andrew
Reply to: