1
1
mirror of https://pagure.io/fedora-kickstarts.git synced 2024-12-27 05:23:08 +00:00
fedora-kickstarts/fedora-cloud-base-vagrant.ks
Dusty Mabe b7dd998453
cloud vagrant: continue to support vagrant insecure rsa key
Upstream SSH has been claiming [1] for a few releases now that:

```
It is now possible to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K. For this reason, we will be
disabling the "ssh-rsa" public key signature algorithm by default in a
near-future release.
```

In Fedora we switched recently [2] to disallow ssh-rsa. I filed a bug
upstream [3] for Vagrant to stop using an rsa key. For now let's workaround
the issue.

[1] https://www.openssh.com/txt/release-8.3
[2] b298a9e107
[3] https://github.com/hashicorp/vagrant/issues/11783
2020-07-25 19:48:32 -04:00

70 lines
2.9 KiB
Plaintext

# Like the Cloud Base image, but tuned for vagrant. Enable
# the vagrant user, disable cloud-init.
%include fedora-cloud-base.ks
services --disabled=cloud-init,cloud-init-local,cloud-config,cloud-final
# So, to be clear, this gaping security hole is an integral part of how
# Vagrant works - These images are _not_ supposed to be run in any public-
# Internet facing way - They are for use on developer setups, almost always
# with NAT
user --name=vagrant --password=vagrant
# Suggestion from @purpleidea that most/many vagrant boxes also set root PW
# to "vagrant" for ease of use. Again, see comments above.
rootpw vagrant
# The addition of the net.ifnames=0 and biosdevnames=0 option ensures that
# even on VirtualBox virt, we get a primary network device with "eth0" as the name
# This simplifies things and allows a single disk image for both supported Vagrant
# platforms (virtualbox and kvm)
bootloader --timeout=1 --append="no_timer_check console=tty1 console=ttyS0,115200n8 net.ifnames=0 biosdevname=0"
%packages
# The default koji Vagrantfile configuration uses rsync to sync files between
# the vagrant host and the guest. It uses yum to verify that rsync is present
# and/or install it if it is not. It will fail without adding the yum compat
# layer for dnf
# TODO: Teach vagrant about dnf
dnf-yum
# rsync gets installed when the Vagrant box is first launched on the
# users setup. This can actually take a bit of time. Just fold it
# in to the base box disk image
rsync
# Add in sshfs for vagrant-sshfs plugin
fuse-sshfs
%end
%post --erroronfail
# Work around cloud-init being both disabled and enabled; need
# to refactor to a common base.
systemctl mask cloud-init cloud-init-local cloud-config cloud-final
# Vagrant setup
sed -i 's,Defaults\\s*requiretty,Defaults !requiretty,' /etc/sudoers
echo 'vagrant ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/vagrant-nopasswd
sed -i 's/.*UseDNS.*/UseDNS no/' /etc/ssh/sshd_config
mkdir -m 0700 -p ~vagrant/.ssh
cat > ~vagrant/.ssh/authorized_keys << EOKEYS
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key
EOKEYS
chmod 600 ~vagrant/.ssh/authorized_keys
chown -R vagrant:vagrant ~vagrant/.ssh/
cat > /etc/ssh/sshd_config.d/10-vagrant-insecure-rsa-key.conf <<EOF
# For now the vagrant insecure key is an rsa key
# https://github.com/hashicorp/vagrant/issues/11783
PubkeyAcceptedKeyTypes=+ssh-rsa
EOF
# Further suggestion from @purpleidea (James Shubin) - extend key to root users as well
mkdir -m 0700 -p /root/.ssh
cp /home/vagrant/.ssh/authorized_keys /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
chown -R root:root /root/.ssh
%end