On 07/14/2016 03:04 PM, Felix Dreissig wrote:
> Package: cloud.debian.org
> Severity: normal
> Tags: security
>
> Dear Debian cloud maintainers,
>
> In the "jessie64" Vagrant box (and presumably the other Vagrant boxes as
> well), the insecure Vagrant default SSH key is installed as authorized key for
> the root user and root login using SSH keys is permitted.
>
> Since Vagrant 1.7, the insecure default key is not used anymore by default.
> Instead, a random key is generated for the "vagrant" user on `vagrant up`. [1]
> This increases security when Vagrant machines are exposed outside their host,
> see [2] for the complete motivation. The Debian boxes, however, still allow
> root login using the insecure default key.
>
> From my understanding of Vagrant box creation [3], root login is not actually
> required and sudo is used.
> Otherwise, I'd suggest to use the temporary key for root as well (if that's
> possible) or remove the insecure default key after initial provisioning.
>
> Best regards,
> Felix
>
> [1] https://github.com/mitchellh/vagrant/pull/4707
> [2] https://github.com/mitchellh/vagrant/issues/2608
> [3] https://www.vagrantup.com/docs/boxes/base.html#default-user-settings
>
A fix for this issue was committed yesterday, see http://anonscm.debian.org/cgit/cloud/debian-vm-templates.git/commit/
The next box uploads will have the fix included.
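The state Felix reports (the Vagrant insecure key authorized for root while sshd permits root login) and the remediation he suggests (removing the insecure default key after provisioning), as an added shell example that is not part of this thread or of the debian-vm-templates fix. It assumes the insecure key line can be recognised by its trailing "vagrant insecure public key" comment and takes the file paths as parameters so it can run against constructed sample files:

```shell
#!/bin/sh
# Defender-side check for the state the report describes: the Vagrant insecure
# public key authorized for root while sshd still permits root login. Paths are
# parameters so it can be pointed at a mounted box image or at sample files.

# Assumption: the insecure key line is recognised by its trailing comment
# "vagrant insecure public key" (the key material itself is not on the page).
INSECURE_KEY_MARK="vagrant insecure public key"

# count_insecure_keys FILE -> prints how many authorized_keys lines carry the marker
count_insecure_keys() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -F "$INSECURE_KEY_MARK" "$1" || true   # grep -c exits 1 on zero matches
}

# root_login_permitted SSHD_CONFIG -> succeeds unless PermitRootLogin is "no".
# sshd takes the first occurrence of a keyword; yes, without-password,
# prohibit-password and forced-commands-only all still allow key-based root login.
root_login_permitted() {
    val=$(grep -i '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" 2>/dev/null \
          | head -n 1 | awk '{print tolower($2)}')
    [ "$val" != "no" ]
}

# remove_insecure_key FILE -> drops marker lines in place, prints the number removed
remove_insecure_key() {
    n=$(count_insecure_keys "$1")
    [ "$n" -gt 0 ] || { echo 0; return 0; }
    tmp="$1.tmp.$$"
    grep -v -F "$INSECURE_KEY_MARK" "$1" > "$tmp" || true   # exit 1 if nothing is left
    cat "$tmp" > "$1" && rm -f "$tmp"   # rewrite in place so owner and mode survive
    echo "$n"
}

# audit_box AUTH_KEYS SSHD_CONFIG -> 0 if root has no insecure key, 1 otherwise;
# the PermitRootLogin finding is printed as context either way
audit_box() {
    if root_login_permitted "$2"; then
        echo "sshd: PermitRootLogin is not 'no' (key-based root login allowed)"
    else
        echo "sshd: PermitRootLogin no"
    fi
    n=$(count_insecure_keys "$1")
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n Vagrant insecure key line(s) authorized for root in $1"
        return 1
    fi
    echo "OK: no Vagrant insecure key in $1"
}
```

On a box the call is `audit_box /root/.ssh/authorized_keys /etc/ssh/sshd_config`, followed by `remove_insecure_key /root/.ssh/authorized_keys` once the box has been provisioned.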
