Your message dated Fri, 04 Nov 2016 19:13:50 +0100
with message-id <581ccfde.7020...@libera.cc>
and subject line
has caused the Debian Bug report #831302,
regarding Vagrant box allows root login with insecure default key
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
831302: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831302
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cloud.debian.org
Severity: normal
Tags: security
Dear Debian cloud maintainers,
in the "jessie64" Vagrant box (and presumably the other Vagrant boxes as
well), the insecure Vagrant default SSH key is installed as authorized key for
the root user and root login using SSH keys is permitted.
Since Vagrant 1.7, the insecure default key is not used anymore by default.
Instead, a random key is generated for the "vagrant" user on `vagrant up`. [1]
This increases security when Vagrant machines are exposed outside their host,
see [2] for the complete motivation. The Debian boxes, however, still allow
root login using the insecure default key.
From my understanding of Vagrant box creation [3], root login is not actually
required and sudo is used.
Otherwise, I'd suggest to use the temporary key for root as well (if that's
possible) or remove the insecure default key after initial provisioning.
Best regards,
Felix
[1] https://github.com/mitchellh/vagrant/pull/4707
[2] https://github.com/mitchellh/vagrant/issues/2608
[3] https://www.vagrantup.com/docs/boxes/base.html#default-user-settings
--- End Message ---
--- Begin Message ---
Fixed in 8.6.1
see https://atlas.hashicorp.com/debian/boxes/jessie64/versions/8.6.1
--- End Message ---
