cloud vagrant: continue to support vagrant insecure rsa key

Upstream SSH has been claiming [1] for a few releases now that:

```
It is now possible to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K. For this reason, we will be
disabling the "ssh-rsa" public key signature algorithm by default in a
near-future release.
```

In Fedora we switched recently [2] to disallow ssh-rsa. I filed a bug
upstream [3] for Vagrant to stop using an rsa key. For now let's workaround
the issue.

[1] https://www.openssh.com/txt/release-8.3
[2] b298a9e107
[3] https://github.com/hashicorp/vagrant/issues/11783
This commit is contained in:
Dusty Mabe 2020-07-24 23:19:29 -04:00
parent b5c953f75b
commit b7dd998453
No known key found for this signature in database
GPG Key ID: 3302DBD73952E671

View File

@ -53,6 +53,12 @@ EOKEYS
chmod 600 ~vagrant/.ssh/authorized_keys chmod 600 ~vagrant/.ssh/authorized_keys
chown -R vagrant:vagrant ~vagrant/.ssh/ chown -R vagrant:vagrant ~vagrant/.ssh/
cat > /etc/ssh/sshd_config.d/10-vagrant-insecure-rsa-key.conf <<EOF
# For now the vagrant insecure key is an rsa key
# https://github.com/hashicorp/vagrant/issues/11783
PubkeyAcceptedKeyTypes=+ssh-rsa
EOF
# Further suggestion from @purpleidea (James Shubin) - extend key to root users as well # Further suggestion from @purpleidea (James Shubin) - extend key to root users as well
mkdir -m 0700 -p /root/.ssh mkdir -m 0700 -p /root/.ssh
cp /home/vagrant/.ssh/authorized_keys /root/.ssh/authorized_keys cp /home/vagrant/.ssh/authorized_keys /root/.ssh/authorized_keys