Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/virtuald/vagrant-rekey-ssh

Obsolete after Vagrant 1.7. Vagrant plugin which plugs default gaping holes in a vagrant box
https://github.com/virtuald/vagrant-rekey-ssh

Last synced: 11 days ago
JSON representation

Obsolete after Vagrant 1.7. Vagrant plugin which plugs default gaping holes in a vagrant box

Host: GitHub
URL: https://github.com/virtuald/vagrant-rekey-ssh
Owner: virtuald
License: other
Archived: true
Created: 2013-12-08T01:20:03.000Z (almost 11 years ago)
Default Branch: master
Last Pushed: 2016-02-27T06:11:51.000Z (over 8 years ago)
Last Synced: 2024-08-02T14:12:32.675Z (4 months ago)
Language: Ruby
Homepage:
Size: 17.6 KB
Stars: 55
Watchers: 5
Forks: 6
Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE.txt

Awesome Lists containing this project

README

OBSOLETE: The functionality this plugin provides is available in Vagrant 1.7+

vagrant-rekey-ssh
=================

This is a [vagrant](http://vagrantup.com) plugin that will make your vagrant
boxes a bit more secure than they currently are.

Rationale
---------

All Vagrant boxes come with the same ssh key and passwords installed. This
means anyone who can ssh into your VM will be able to authenticate to it
if they try the vagrant default credentials. Additionally, vagrant boxes
come with passwordless sudo privileges, so anyone able to SSH into your
box will be able to do whatever they want on it.

As of Vagrant 1.2.3, for the most part this doesn't matter, because you can
only access the Vagrant VM from localhost (previous versions allowed access
from any machine on your local network). However, this becomes *extremely*
important if you are using a vagrant box that is on a bridged network. If
your VM is on a bridged network without other controls in place, that means
*anyone* who has access to your local network can SSH into your VM and get
root access on it. There are plenty of documented ways of breaking out of a
VM, so this is clearly a problem that needs to be addressed.

Ideally, Vagrant would have something built into it to solve the problem.
Since that isn't currently the case, I've created this plugin to help.

This solution
-------------

The first time that this plugin is run, it generates a unique SSH key and
stores it as `~/vagrant.d/less_insecure_private_key`. Whenever you run the
`vagrant provision` command, this plugin will run a script to check the
authorized keys for the vagrant user to determine if the insecure key
public key is present. If it is present, it will replace the insecure key
with the public key for the generated key pair.

Additionally, if the insecure public key is present, it will delete the
passwords for root and vagrant, so that you cannot login using a password.

Whenever vagrant tries to SSH into a box using an SSH key, this plugin will
add the generated SSH key to the list of keys it tries. This ensures that
you will still be able to SSH into boxes that have the insecure key installed.

Installation
------------

vagrant plugin install vagrant-rekey-ssh

Usage
-----

Just install the plugin. It will do its magic automatically when you provision
a box.

To secure already running VMs, you will need to run `vagrant provision` on
them.

Settings
--------

You can set these settings in an individual Vagrantfile, or you can specify
this in your global Vagrantfile (~/.vagrant.d/Vagrantfile)

* `config.rekey_ssh.enable` - Enables or disables the plugin. Default: enabled

Compatibility
-------------

I've only tested this on Vagrant 1.3.5 using the Virtualbox provider on Ubuntu
and OSX. In addition, it was tested on Windows 8.1 with Vagrant 1.6.3 and the
VirtualBox provider. Let me know if it works on earlier versions of Vagrant,
and I'll put that here.

Known Issues
------------

I haven't figured out a generic way to override a machine's configuration
without hooking specific actions, which results in the following bugs that
I am aware of:

* The ssh-config command does not include the correct keys
* May not work with commands that are not built in to vagrant

If you can figure out a good way to fix these, please submit a pull request.

Contributing new changes
========================

1. Fork this repository
2. Create your feature branch (`git checkout -b my-new-feature`)
3. Commit your changes (`git commit -am 'Add some feature'`)
4. Push to the branch (`git push origin my-new-feature`)
5. Create new Pull Request

Development
===========

To work on the `vagrant-rekey-ssh` plugin, clone this repository out, and use
[Bundler](http://gembundler.com) to get the dependencies:

$ bundle

You can test the plugin without installing it into your Vagrant environment
by just creating a `Vagrantfile` in the top level of this directory (it is
gitignored) that uses it, and uses bundler to execute Vagrant:

$ bundle exec vagrant WHATEVER

Credits
=======

Since I'm not really a ruby programmer, a lot of the skeleton of this plugin
came from other Vagrant plugins, particularly `vagrant-ohai` and
`vagrant-openstack-plugin`.

Author
======

Author:: Dustin Spicuzza ([email protected])