Bug#1011756: cloud.debian.org: Vagrant debian/testing64: sshd rejects default insecure ssh-rsa key, hangs waiting for SSH
Package: cloud.debian.org
Severity: normal
X-Debbugs-Cc: a.t.chadwick@gmail.com
Dear base box maintainers:
I don’t know if this should be a documentation fix or an image fix. I’ll
just lay out the problem with as much detail as I can so that people can
search it and find better workarounds. I think the FAQ at
https://wiki.debian.org/Teams/Cloud/VagrantBaseBoxes should probably be
updated, given that it’s linked from https://app.vagrantup.com/debian, a
place where people will be looking.
OpenSSH have addressed a weakness of SHA-1 by removing the ssh-rsa public
key signature algorithm from their list of supported key types. The
openssh-server 1:9.0p1-1 package in the debian/testing64 image incorporates
this change. However the vagrant 2.2.14+dfsg-1 package shipped with Debian
11 “bullseye” has a default “vagrant insecure public key” which requires
ssh-rsa.
See
- https://github.com/hashicorp/vagrant/issues/11783
- https://github.com/hashicorp/packer/issues/10074
## Symptoms
The current debian/testing64 image hangs during “vagrant up”. If I follow
the instructions at https://wiki.debian.org/Teams/Cloud/VagrantQuickStart,
the following happens. I already have vagrant and vagrant-libvirt installed
and configured enough for me to use them. I am using the current Debian 11
versions.
> ~ $ cd "$(mktemp -d)"
> tmp.1PuBegzk6c $ vagrant init debian/testing64
> tmp.1PuBegzk6c $ vagrant up
> ==> default: Checking if box 'debian/testing64' version '20220414.1' is up to date...
> ==> default: Creating image (snapshot of base box volume).
> ==> default: Creating domain with the following settings...
> [...]
> ==> default: Starting domain.
> ==> default: Waiting for domain to get an IP address...
> ==> default: Waiting for SSH to become available...
> [... hangs here, but leave it running ...]
However, I can SSH in to the running virtual machine just fine from another window.
Why this is, I don’t know.
> ~ $ cd /tmp/tmp.1PuBegzk6c
> tmp.1PuBegzk6c $ vagrant ssh
> Linux testing 5.16.0-6-amd64 #1 SMP PREEMPT Debian 5.16.18-1 (2022-03-29) x86_64
>
> The programs included with the Debian GNU/Linux system are free software;
> the exact distribution terms for each program are described in the
> individual files in /usr/share/doc/*/copyright.
>
> Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> permitted by applicable law.
> vagrant@testing:~$ cat .ssh/authorized_keys
> ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key
However, connections from the still-running vagrant command on the host are
still failing, as a quick check of auth.log will confirm. What the heck!
> vagrant@testing:~$ sudo tail /var/log/auth.log
> [...]
> May 26 11:49:18 testing sshd[1644]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
> May 26 11:49:18 testing sshd[1644]: Connection closed by authenticating user vagrant 192.168.121.1 port 34488 [preauth]
## Workaround
One way to fix it from the user perspective is to grab @dustymabe’s fix from
https://github.com/hashicorp/vagrant/issues/11783#issuecomment-720822960,
and apply it over our mysteriously working SSH connection:
> vagrant@testing:~$ sudo tee >/dev/null /etc/ssh/sshd_config.d/10-vagrant-insecure-rsa-key.conf <<EOF
> # For now the vagrant insecure key is an rsa key
> # https://github.com/hashicorp/vagrant/issues/11783
> PubkeyAcceptedKeyTypes=+ssh-rsa
> EOF
> vagrant@testing:~$ sudo systemctl restart ssh
This allows the hung vagrant to resume immediately:
> default:
> default: Vagrant insecure key detected. Vagrant will automatically replace
> default: this with a newly generated keypair for better security.
> default:
> default: Inserting generated public key within guest...
> default: Removing insecure key from the guest if it's present...
> default: Key inserted! Disconnecting and reconnecting using new SSH key...
> ==> default: Installing NFS client...
> ==> default: Exporting NFS shared folders...
> ==> default: Preparing to edit /etc/exports. Administrator privileges will be required...
> ==> default: Mounting NFS shared folders...
>
> ==> default: Machine 'default' has a post `vagrant up` message. This is a message
> ==> default: from the creator of the Vagrantfile, and not from Vagrant itself:
> ==> default:
> ==> default: Vanilla Debian box. See https://app.vagrantup.com/debian for help and bug reports
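Two checks for this situation, added here as an example and not part of the bug report or of the Debian images: counting the sshd rejections in auth.log lines like the ones quoted above, and predicting whether a drop-in such as the one in the workaround re-admits ssh-rsa under sshd's first-occurrence-wins rule (PubkeyAcceptedKeyTypes is the deprecated alias of PubkeyAcceptedAlgorithms). The sample log lines and the shortened default algorithm list are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report or the Debian cloud images.

# Constructed sample log, modelled on the auth.log excerpt in the report.
SAMPLE_AUTH_LOG='May 26 11:49:18 testing sshd[1644]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
May 26 11:49:18 testing sshd[1644]: Connection closed by authenticating user vagrant 192.168.121.1 port 34488 [preauth]
May 26 11:49:20 testing sshd[1650]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
May 26 11:50:02 testing sshd[1702]: Accepted publickey for vagrant from 192.168.121.1 port 34510 ssh2: RSA SHA256:AAAAconstructedfingerprintAAAA'

# Number of public-key attempts sshd refused because the *signature*
# algorithm was ssh-rsa (SHA-1).  Note the key itself is not the problem:
# the same RSA key is accepted when the client signs with rsa-sha2-256/512.
# Reads auth.log text on stdin.
count_ssh_rsa_rejections() {
    grep -c 'userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms' || true
}

# Assumption: OpenSSH 9.0's default list, trimmed to the RSA-relevant part.
# The real default is longer, but contains no plain "ssh-rsa" entry.
DEFAULT_PUBKEY_ALGS='ssh-ed25519,rsa-sha2-512,rsa-sha2-256'

# Exit 0 if the sshd_config text on stdin would let ssh-rsa signatures
# through, 1 otherwise.  Mirrors sshd's rules: the FIRST occurrence of the
# keyword wins (so a drop-in only helps if it is Included before any other
# setting), "=" or whitespace separates keyword and value, and a leading
# "+" appends to the default, "^" prepends, "-" removes.  Remember that
# "+ssh-rsa" re-enables SHA-1 signatures for every user, not just vagrant.
sshd_accepts_ssh_rsa() {
    value=$(tr '[:upper:]' '[:lower:]' | awk '
        /^[ \t]*#/ { next }
        /^[ \t]*pubkeyaccepted(algorithms|keytypes)[ \t=]/ {
            sub(/^[ \t]*pubkeyaccepted(algorithms|keytypes)[ \t=]+/, "")
            print; exit
        }')
    case "$value" in
        "")  algs=$DEFAULT_PUBKEY_ALGS ;;
        +*)  algs="$DEFAULT_PUBKEY_ALGS,${value#+}" ;;
        ^*)  algs="${value#^},$DEFAULT_PUBKEY_ALGS" ;;
        -*)  algs=$(printf '%s\n' "$DEFAULT_PUBKEY_ALGS" | tr ',' '\n' \
                 | grep -vxF "$(printf '%s' "${value#-}" | tr ',' '\n')" \
                 | tr '\n' ',') ;;
        *)   algs=$value ;;
    esac
    printf ',%s,' "$algs" | grep -q ',ssh-rsa,'
}
```

On a running guest, `sudo sshd -T | grep -i pubkeyacceptedalgorithms` prints the value sshd actually uses and is the authoritative check after restarting the service.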
thanks for keeping the boxes fresh
- Andrew