I am confused about public keys and vagrant...


Jason Harris

Apr 24, 2014, 10:02:04 PM
to vagra...@googlegroups.com
Hi,

I am confused about ssh keys. (I just started using vagrant so this might be a standard question...) Normally if I start a new VM instance on say digital ocean I would proceed to use say

  ssh-copy-id.sh root@newMachineIP

then I would enter the password that say digital ocean sent me and this would transfer my *public* key id_rsa.pub into /root/.ssh/authorized_keys

Then I could just

  ssh root@newMachineIP

and it would work... With digital ocean I can even give them my *public* key id_rsa.pub and then I will be able to log into the machine without this step.

Sooo... How come I can't set some

  config.ssh.public_key_path = '~/.ssh/id_rsa.pub'

and when the machine is provisioned it would just add this into the /vagrant/.ssh/authorized_keys ?

why does the config / setup want my private key? It would be nice to then not have the vagrant key in there at all...

I must be missing something... 

Thanks,
   Jason

Simon McCartney

Apr 25, 2014, 9:15:02 AM
to vagra...@googlegroups.com
Vagrant deals with pre-built boxes/images, and under systems like VirtualBox & VMware there is no mechanism for dropping a key into an image (under AWS & digital ocean, they use the cloud-init/user-data hooks for dropping data into booting instances). For this reason, Vagrant defaults to using a known key & baking the public key into the standard boxes.

If you’re using vagrant against cloud providers instead of local virtualisation, I believe that Vagrant does support using your own keys & seeding them into instances.

HTH,

Simon.
--
You received this message because you are subscribed to the Google Groups "Vagrant" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vagrant-up+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jason Harris

Apr 25, 2014, 7:53:05 PM
to vagra...@googlegroups.com
Thanks!  At least that tells me I am not missing something obvious.

I of course can set up an Ansible script to do exactly this. However, it is just a bit ironic to have to do this on a system which is all about automating bringing up an experimental box to play in :)

I would think there could easily be options:

config.ssh.admin_public_key_path = ...
config.user.admin_user =...
config.user.admin_user_crypted_pass = ...
config.user.disable_vagrant_user = ...

So then a typical Vagrant file would be something like:

config.ssh.admin_public_key_path = '~/.ssh/id_rsa.pub'
config.user.admin_user = deploy
config.user.admin_user_crypted_pass = '$6$AC3bdCF7!$KLZmE6Biiry1hSdrGkTBgmskX/UxG6OuD3.m035J0zlEwxICcDgaH2zffvfCBP2b38kIs5keVr4RV2/IsjDr4.'
config.user.disable_vagrant_user = true

Where crypted password is simply generated on a Linux box using: echo 'import crypt,getpass; print crypt.crypt(getpass.getpass(), "$SomeRandomSalt!")' | python -

I would imagine this would be the default way most users would set things up if this was available. Moreover it would solve the security problem out of the box... Is there any reason why this can't be done and wouldn't make a good normal way that is proposed to users on how to set their boxes up?


Thanks,   Jason

Jason Harris

Apr 26, 2014, 8:29:30 PM
to vagra...@googlegroups.com
Actually I found (not surprisingly after thinking about this) that there are a number of other people that also want this:


yet this issue seems to have been closed:

https://github.com/mitchellh/vagrant/pull/907

I would think that exchanging public keys is the way to go here... Why are private keys being used here?

Thanks,
    Jason

Simon McCartney

Apr 28, 2014, 11:32:46 AM
to vagra...@googlegroups.com
You’ve lost me, where are private keys being used other than on the Vagrant host?

The issue remains the same, how do you get a new key (or a key you specify) on to a vbox instance without first having a password for an existing account on the guest box or the private key for a public key in the authorised_keys file on the guest box? Vagrant uses SSH and it’s the “known public key” being installed on the guest box to drive the automation.

Jason Harris

Apr 28, 2014, 3:00:32 PM
to vagra...@googlegroups.com
On Apr 28, 2014, at 5:32 PM, Simon McCartney <si...@mccartney.ie> wrote:

> You’ve lost me, where are private keys being used other than on the Vagrant host?

There is no vagrant option config.ssh.public_key_path; there is however the vagrant option config.ssh.private_key_path. My question is I thought the former should exist and I am not sure why the latter one does.

> The issue remains the same, how do you get a new key

We are talking about a public key here right? (just like ssh-copy-id copies over)

> (or a key you specify) on to a vbox instance without first having a password for an existing account on the guest box or the private key for a public key in the authorised_keys file on the guest box?

Agreed, how do you seamlessly and smoothly do this? That is the question.

> Vagrant uses SSH and it’s the “known public key” being installed on the guest box to drive the automation.

Right, I can imagine initial provisioning can utilize the user:vagrant and pass:vagrant to first login and then do the transfer of your public key and then remove for instance the vagrant insecure key, and remove login via password for the vagrant user. In fact programadoresweb gave parts of the exact instructions on how to do this in

So this can be done. Vagrant looks like it is all about smoothly and easily bringing up a VM and provisioning it. As far as I can tell, currently the issue of key exchange etc. is not a smooth process. IMHO it should be. (unless I have missed an easy and smooth way to do this…)

Thanks,
  Jas


Simon McCartney

Apr 30, 2014, 11:11:37 AM
to vagra...@googlegroups.com
> From: Jason Harris jason.f...@gmail.com
> Date: 28 April 2014 at 20:01:04
> To: vagra...@googlegroups.com
> Subject: Re: [vagrant-up] I am confused about public keys and vagrant...
>
> On Apr 28, 2014, at 5:32 PM, Simon McCartney <si...@mccartney.ie> wrote:
>
>> You’ve lost me, where are private keys being used other than on the Vagrant host?
>
> There is no vagrant option config.ssh.public_key_path; there is however the vagrant option config.ssh.private_key_path. My question is I thought the former should exist and I am not sure why the latter one does.

If you’ve built your own Vagrant boxes, it’s perfectly possible to bake an alternative public key into ~vagrant/.ssh/authorized_keys. If you do this, you need to be able to tell Vagrant where the private part of the key pair is so that Vagrant can SSH into the box and work its magic.

As I’ve said before, if Vagrant only has SSH access to a guest, supplying a public key to the vagrant command makes no sense: if you don’t have working SSH access to the box, you can’t drop a public key onto it.

>> The issue remains the same, how do you get a new key
>
> We are talking about a public key here right? (just like ssh-copy-id copies over)

Yes, we’re talking about how you get a public key onto a box you don’t have access to.

>> (or a key you specify) on to a vbox instance without first having a password for an existing account on the guest box or the private key for a public key in the authorised_keys file on the guest box?
>
> Agreed, how do you seamlessly and smoothly do this? That is the question.

1) Bake your own Vagrant box images using veewee or packer, which include the desired public key in the image, and then specify the private key to use for access in your Vagrantfile.

2) Use EC2/RackSpace/DreamHost etc. where the key seeding is done via cloud-init.

>> Vagrant uses SSH and it’s the “known public key” being installed on the guest box to drive the automation.
>
> Right, I can imagine initial provisioning can utilize the user:vagrant and pass:vagrant to first login and then do the transfer of your public key and then remove for instance the vagrant insecure key, and remove login via password for the vagrant user. In fact programadoresweb gave parts of the exact instructions on how to do this in
>
> So this can be done. Vagrant looks like it is all about smoothly and easily bringing up a VM and provisioning it. As far as I can tell, currently the issue of key exchange etc. is not a smooth process. IMHO it should be. (unless I have missed an easy and smooth way to do this…)

What programadoresweb is doing there is seeding a set of private keys on to the guest for use on the guest. I thought we were talking about using a different key pair to access the guest (i.e. not the known-vagrant pair)?


Simon.
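The workflow the two of them converge on (first login with the key Vagrant already holds, push your own public key in, take the shared "vagrant insecure" key out, turn off password logins, then point config.ssh.private_key_path at your key) is just a provisioning script plus two Vagrantfile lines. The script below is an added example of that guest-side step, not code from Vagrant or from anyone in the thread. It assumes the stock box layout (user "vagrant", /home/vagrant/.ssh/authorized_keys, /etc/ssh/sshd_config) and that the baked-in insecure key line carries the comment "vagrant insecure public key", which is the marker it deletes by; the Vagrantfile wiring in the header comment and the sample keys in the checks are my own construction. It also carries the check I would want on the crypted-password idea from Jason's proposed admin_user_crypted_pass: a bare-salt crypt.crypt() call produces a DES hash that truncates the password at 8 characters, so only $6$/$5$/$y$ hashes are accepted.

```shell
#!/bin/sh
# Guest-side provisioner: first boot still authenticates with the well-known
# insecure key baked into the box; this installs the operator's own public key,
# removes the shared key and disables password logins over SSH.
# Added example, not Vagrant's own code.
#
# Assumed wiring in the Vagrantfile:
#
#   config.vm.provision "shell", path: "swap_key.sh",
#     args: [File.read(File.expand_path("~/.ssh/id_rsa.pub")).strip]
#   # both keys listed so Vagrant can log in before and after the swap
#   config.ssh.private_key_path = ["~/.ssh/id_rsa", "~/.vagrant.d/insecure_private_key"]
set -eu

# Comment carried by Vagrant's published insecure public key; assumed here as
# the marker used to locate and delete that line.
INSECURE_KEY_MARKER="vagrant insecure public key"

# install_authorized_key FILE KEY -- append KEY to FILE once, with tight perms.
install_authorized_key() {
    file=$1; key=$2
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "refusing to install something that is not an SSH public key" >&2; return 1 ;;
    esac
    mkdir -p "$(dirname "$file")"
    chmod 700 "$(dirname "$file")"
    touch "$file"
    grep -qxF "$key" "$file" || printf '%s\n' "$key" >> "$file"
    chmod 600 "$file"
}

# count_keys FILE -- number of public-key lines left in FILE.
count_keys() {
    grep -cE '^(ssh-|ecdsa-)' "$1" || true
}

# remove_insecure_key FILE -- drop the shared Vagrant key, but never leave the
# file without a usable key: that would lock every SSH client out, Vagrant included.
remove_insecure_key() {
    file=$1
    tmp=$(mktemp)
    grep -vF "$INSECURE_KEY_MARKER" "$file" > "$tmp" || true
    if ! grep -qE '^(ssh-|ecdsa-)' "$tmp"; then
        rm -f "$tmp"
        echo "no other key would remain in $file; keeping the insecure key" >&2
        return 1
    fi
    cat "$tmp" > "$file"    # rewrite in place so ownership and mode survive
    rm -f "$tmp"
}

# set_sshd_option CONFIG KEY VALUE -- replace every existing (even commented-out)
# definition of KEY with one "KEY VALUE" line. It goes at the top of the file:
# an appended line could land inside a trailing Match block and apply only there.
set_sshd_option() {
    cfg=$1; key=$2; value=$3
    tmp=$(mktemp)
    printf '%s %s\n' "$key" "$value" > "$tmp"
    grep -vi "^[[:space:]]*#*[[:space:]]*$key[[:space:]]" "$cfg" >> "$tmp" || true
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# check_crypted_hash HASH -- accept only a modern crypt(3) hash. Python 2's
# crypt.crypt(pw, "salt") with a bare salt returns a 13-character DES hash that
# silently truncates the password to 8 characters; a "$6$..." value is SHA-512
# crypt and is what a pre-hashed account password should look like.
check_crypted_hash() {
    case "$1" in
        '$6$'*'$'*|'$5$'*'$'*|'$y$'*'$'*) return 0 ;;
        *) echo "not a SHA-crypt/yescrypt hash; refusing to use it" >&2; return 1 ;;
    esac
}

main() {
    pubkey=$1
    auth=/home/vagrant/.ssh/authorized_keys
    install_authorized_key "$auth" "$pubkey"
    chown -R vagrant:vagrant /home/vagrant/.ssh
    remove_insecure_key "$auth"
    set_sshd_option /etc/ssh/sshd_config PasswordAuthentication no
    set_sshd_option /etc/ssh/sshd_config PermitRootLogin no
    service ssh reload 2>/dev/null || service sshd reload   # name differs per distro
    echo "$(count_keys "$auth") key(s) now in $auth"
}

# Run main only when given the public key as argument, so the functions above
# can also be sourced and exercised on their own.
if [ $# -ge 1 ]; then main "$1"; fi
```

The order matters: install the new key before deleting the old one, and refuse the deletion if it would empty authorized_keys, otherwise a typo in the public key path locks you out of a box that no longer has a usable key. Later Vagrant releases (1.7 and up) do this swap themselves by default (config.ssh.insert_key generates a per-machine key pair and removes the insecure key on first boot), but the script shows what that step amounts to and leaves you in control of which key ends up on the guest.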


