From b7dd9984537e417807ab9eacc8f441626bea1850 Mon Sep 17 00:00:00 2001 From: Dusty Mabe Date: Fri, 24 Jul 2020 23:19:29 -0400 Subject: [PATCH] cloud vagrant: continue to support vagrant insecure rsa key Upstream SSH has been claiming [1] for a few releases now that: ``` It is now possible to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. For this reason, we will be disabling the "ssh-rsa" public key signature algorithm by default in a near-future release. ``` In Fedora we switched recently [2] to disallow ssh-rsa. I filed a bug upstream [3] for Vagrant to stop using an rsa key. For now let's workaround the issue. [1] https://www.openssh.com/txt/release-8.3 [2] https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/b298a9e107b7e9699b36879eca031d1900ded1c4 [3] https://github.com/hashicorp/vagrant/issues/11783 --- fedora-cloud-base-vagrant.ks | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fedora-cloud-base-vagrant.ks b/fedora-cloud-base-vagrant.ks index 612d039..284bb4c 100644 --- a/fedora-cloud-base-vagrant.ks +++ b/fedora-cloud-base-vagrant.ks @@ -53,6 +53,12 @@ EOKEYS chmod 600 ~vagrant/.ssh/authorized_keys chown -R vagrant:vagrant ~vagrant/.ssh/ +cat > /etc/ssh/sshd_config.d/10-vagrant-insecure-rsa-key.conf <