From 5c8aa8447e4b7a0bc197e297fe42f2d128900aaf Mon Sep 17 00:00:00 2001 From: John Chittum Date: Mon, 18 Apr 2022 10:39:26 -0500 Subject: [PATCH] fix: move Vagrant 22.04+ to ephemeral ed25519 key LP: 1969664 tracks an issue related to the deprecation of rsa+ssh on Jammy+ openssh server, coupled with upstream vagrant bugs, that cause Jammy vagrant images fail to bootstrap due to ssh negotiation issues. Moving to a different key algo from the upstream insecure key matches Jammy's expectations, and works with older vagrant versions. vagrant >= 2.2.16 hosts are unaffected by the issue, as an upstream change was made. This change keep compatibility with newer vagrant versions as well. --- .../ubuntu-cpc/hooks.d/base/vagrant.binary | 21 ++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/live-build/ubuntu-cpc/hooks.d/base/vagrant.binary b/live-build/ubuntu-cpc/hooks.d/base/vagrant.binary index 49746926..efcd3d4b 100755 --- a/live-build/ubuntu-cpc/hooks.d/base/vagrant.binary +++ b/live-build/ubuntu-cpc/hooks.d/base/vagrant.binary @@ -58,6 +58,18 @@ cleanup_vagrant() { } trap cleanup_vagrant EXIT + +########################## +### Vagrant User Setup +### Create ed25519 ssh key +### the default insecure key is rsa, and that is disabled in Jammy forward +### https://github.com/hashicorp/vagrant/tree/main/keys +########################## + +ssh-keygen -t ed25519 -C "ubuntu_vagrant_insecure_key" -b 4096 -f ${box_d}/vagrant_insecure_key + +pub_key=$(cat ${box_d}/vagrant_insecure_key.pub) + # Create and setup users inside the image. # Vagrant users expect a "vagrant" user with a "vagrant" username. # See https://www.vagrantup.com/docs/boxes/base.html @@ -70,12 +82,12 @@ cat << EOF > ${mount_d}/etc/sudoers.d/vagrant vagrant ALL=(ALL) NOPASSWD:ALL EOF -# Add the insecure vagrant pubkey to the vagrant user, as is expected by the +# Add an insecure vagrant pubkey to the vagrant user, as is expected by the # vagrant ecosystem (https://www.vagrantup.com/docs/boxes/base.html) chroot ${mount_d} chmod 0440 /etc/sudoers.d/vagrant chroot ${mount_d} mkdir -p /home/vagrant/.ssh cat << EOF > ${mount_d}/home/vagrant/.ssh/authorized_keys -ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key +${pub_key} EOF chroot ${mount_d} chown -R vagrant:vagrant /home/vagrant/.ssh chroot ${mount_d} chmod 700 /home/vagrant/.ssh @@ -130,7 +142,6 @@ genisoimage \ create_vmdk ${seed_d}/seed.iso ${cdrom_vmdk_f} 10 ### END Create ConfigDrive -########################## ########################## # VAGRANT meta-data @@ -145,6 +156,8 @@ load include_vagrantfile if File.exist?(include_vagrantfile) Vagrant.configure("2") do |config| config.vm.base_mac = "${macaddr}" + # Set to use our vagrant_insecure_key. Path is relative to Vagrantfile + config.ssh.private_key_path = File.join(File.expand_path(File.dirname(__FILE__)), "vagrant_insecure_key") config.vm.provider "virtualbox" do |vb| vb.customize [ "modifyvm", :id, "--uart1", "0x3F8", "4" ] @@ -233,6 +246,8 @@ tar -C ${box_d} \ -cf ${cur_d}/livecd.ubuntu-cpc.vagrant.box \ box.ovf \ Vagrantfile \ + vagrant_insecure_key \ + vagrant_insecure_key.pub \ metadata.json \ ${prefix}.mf \ ${vmdk_f##*/} \