OBSOLETE: The functionality this plugin provides is available in Vagrant 1.7+
This is a vagrant plugin that will make your vagrant boxes a bit more secure than they currently are.
All Vagrant boxes come with the same ssh key and passwords installed. This means anyone who can ssh into your VM will be able to authenticate to it if they try the vagrant default credentials. Additionally, vagrant boxes come with passwordless sudo privileges, so anyone able to SSH into your box will be able to do whatever they want on it.
As of Vagrant 1.2.3, for the most part this doesn't matter, because you can only access the Vagrant VM from localhost (previous versions allowed access from any machine on your local network). However, this becomes extremely important if you are using a vagrant box that is on a bridged network. If your VM is on a bridged network without other controls in place, that means anyone who has access to your local network can SSH into your VM and get root access on it. There are plenty of documented ways of breaking out of a VM, so this is clearly a problem that needs to be addressed.
Ideally, Vagrant would have something built into it to solve the problem. Since that isn't currently the case, I've created this plugin to help.
The first time that this plugin is run, it generates a unique SSH key and
stores it as ~/vagrant.d/less_insecure_private_key
. Whenever you run the
vagrant provision
command, this plugin will run a script to check the
authorized keys for the vagrant user to determine if the insecure key
public key is present. If it is present, it will replace the insecure key
with the public key for the generated key pair.
Additionally, if the insecure public key is present, it will delete the passwords for root and vagrant, so that you cannot login using a password.
Whenever vagrant tries to SSH into a box using an SSH key, this plugin will add the generated SSH key to the list of keys it tries. This ensures that you will still be able to SSH into boxes that have the insecure key installed.
vagrant plugin install vagrant-rekey-ssh
Just install the plugin. It will do its magic automatically when you provision a box.
To secure already running VMs, you will need to run vagrant provision
on
them.
You can set these settings in an individual Vagrantfile, or you can specify this in your global Vagrantfile (~/.vagrant.d/Vagrantfile)
config.rekey_ssh.enable
- Enables or disables the plugin. Default: enabled
I've only tested this on Vagrant 1.3.5 using the Virtualbox provider on Ubuntu and OSX. In addition, it was tested on Windows 8.1 with Vagrant 1.6.3 and the VirtualBox provider. Let me know if it works on earlier versions of Vagrant, and I'll put that here.
I haven't figured out a generic way to override a machine's configuration without hooking specific actions, which results in the following bugs that I am aware of:
- The ssh-config command does not include the correct keys
- May not work with commands that are not built in to vagrant
If you can figure out a good way to fix these, please submit a pull request.
- Fork this repository
- Create your feature branch (
git checkout -b my-new-feature
) - Commit your changes (
git commit -am 'Add some feature'
) - Push to the branch (
git push origin my-new-feature
) - Create new Pull Request
To work on the vagrant-rekey-ssh
plugin, clone this repository out, and use
Bundler to get the dependencies:
$ bundle
You can test the plugin without installing it into your Vagrant environment
by just creating a Vagrantfile
in the top level of this directory (it is
gitignored) that uses it, and uses bundler to execute Vagrant:
$ bundle exec vagrant WHATEVER
Since I'm not really a ruby programmer, a lot of the skeleton of this plugin
came from other Vagrant plugins, particularly vagrant-ohai
and
vagrant-openstack-plugin
.
Author:: Dustin Spicuzza (dustin@virtualroadside.com)