Vagrant net-ssh is assuming that any RSA key is SHA1, resulting in a connection error

[crochat]

Vagrant version

2.2.16

Host operating system

Ubuntu 20.04

Guest operating system

Ubuntu 20.04

Debug output

D, [2021-05-01T15:09:40.735420 #92523] DEBUG -- net.ssh.authentication.session[2876340]: allowed methods: publickey
D, [2021-05-01T15:09:40.735468 #92523] DEBUG -- net.ssh.authentication.methods.none[28849a4]: none failed
D, [2021-05-01T15:09:40.735509 #92523] DEBUG -- net.ssh.authentication.session[2876340]: trying publickey
D, [2021-05-01T15:09:40.735739 #92523] DEBUG -- net.ssh.authentication.agent[289266c]: connecting to ssh-agent
E, [2021-05-01T15:09:40.735808 #92523] ERROR -- net.ssh.authentication.agent[289266c]: could not connect to ssh-agent: Agent not configured
D, [2021-05-01T15:09:40.735930 #92523] DEBUG -- net.ssh.authentication.methods.publickey[2892c20]: trying publickey (a9:7a:e7:aa:0b:89:72:91:86:81:19:4f:e0:d5:15:35)
D, [2021-05-01T15:09:40.736079 #92523] DEBUG -- net.ssh.authentication.methods.publickey[2892c20]: public key has been marked for deprecated ssh-rsa SHA1 behavior
D, [2021-05-01T15:09:40.736150 #92523] DEBUG -- socket[2811e90]: using encrypt-then-mac
D, [2021-05-01T15:09:40.736196 #92523] DEBUG -- socket[2811e90]: queueing packet nr 5 type 50 len 480
D, [2021-05-01T15:09:40.736238 #92523] DEBUG -- socket[2811e90]: sent 548 bytes
D, [2021-05-01T15:09:40.739143 #92523] DEBUG -- socket[2811e90]: read 516 bytes
D, [2021-05-01T15:09:40.739245 #92523] DEBUG -- socket[2811e90]: received packet nr 5 type 60 len 448
D, [2021-05-01T15:09:40.739287 #92523] DEBUG -- net.ssh.authentication.methods.publickey[2892c20]: public key has been marked for deprecated ssh-rsa SHA1 behavior
D, [2021-05-01T15:09:40.745181 #92523] DEBUG -- net.ssh.authentication.methods.publickey[2892c20]: public key has been marked for deprecated ssh-rsa SHA1 behavior
D, [2021-05-01T15:09:40.745208 #92523] DEBUG -- net.ssh.authentication.methods.publickey[2892c20]: private key has been marked for deprecated ssh-rsa SHA1 behavior
D, [2021-05-01T15:09:40.745260 #92523] DEBUG -- socket[2811e90]: using encrypt-then-mac
D, [2021-05-01T15:09:40.745307 #92523] DEBUG -- socket[2811e90]: queueing packet nr 6 type 50 len 896
D, [2021-05-01T15:09:40.745351 #92523] DEBUG -- socket[2811e90]: sent 964 bytes
D, [2021-05-01T15:09:40.752308 #92523] DEBUG -- socket[2811e90]: read 100 bytes
D, [2021-05-01T15:09:40.752410 #92523] DEBUG -- socket[2811e90]: received packet nr 6 type 51 len 32
D, [2021-05-01T15:09:40.752456 #92523] DEBUG -- net.ssh.authentication.session[2876340]: allowed methods: publickey
D, [2021-05-01T15:09:40.752484 #92523] DEBUG -- net.ssh.authentication.methods.publickey[2892c20]: publickey failed (a9:7a:e7:aa:0b:89:72:91:86:81:19:4f:e0:d5:15:35)
E, [2021-05-01T15:09:40.752507 #92523] ERROR -- net.ssh.authentication.session[2876340]: all authorization methods failed (tried none, publickey)

Expected behavior

It should connect without any problem, because the is not actually refused by the server.

Actual behavior

The ssh client (Vagrant, with specific patch https://github.com/hashicorp/vagrant/blob/main/lib/vagrant/patches/net-ssh.rb) is assuming that, because the ssh key is RSA, it's necessary SHA1, and it fails i.e. in "vagrant provision", despite the fact that "vagrant ssh" works well.
If you generate a ssh-key with "ssh-keygen -t rsa-sha2-512", it specifically uses the SHA2 algorithm, but this patch assumes that it can only be SHA1, because it's RSA:

"if s_ver >= Gem::Version.new("7.2") && pub_key.is_a?(OpenSSL::PKey::RSA)"

I'm working with OpenStack, but I guess it won't change in another situation. Reverting to Vagrant 2.2.15 solves (temporarily) the issue.

[AntonioMeireles]

@chrisroberts, @crochat
can confirm/second this issue.

ironically this breaks the case when the stock default vagrant key set is used...

simple test, with my very own ClearLinux boxes ...

Vagrant.configure("2") do |config|
  config.vm.box = "AntonioMeireles/ClearLinux"
end

as OP said, right now, reverting to previous release is the (simplest) way to go :| until a point release with this fixed is out.

Thanks in advance and a great weekend.

[sakers]

Having trouble with this too. Reverted back to 2.2.14 and it works fine.

[gsserge]

I've run into this issue today as well with Ubuntu 21.04. Here's a simple workaround:

1. On your host generate a new ed25519 key

$ ssh-keygen -a 100 -t ed25519 -f ubuntu_vagrant -C vagrant

This will result in ubuntu_vagrant and ubuntu_vagrant.pub files.
2. vagrant up a new Ubuntu VM.
3. vagrant ssh into that VM. This will work because normal ssh client is used, not Ruby's net-ssh.
4. In the VM, put the previously generated ubuntu_vagrant.pub into ~/.ssh/authorized_keys. The original rsa key can be removed from ~/.ssh/authorized_keys.
5. On the host machine overwrite this VM's original private_key with ubuntu_vagrant

$ cp ubuntu_vagrant ${PATH_TO_VM_ROOT}/.vagrant/machines/default/virtualbox/private_key

[crochat]

I've also tried it, but as OpenStack (at least in my case) is refusing this type of key, my only choice was RSA. An RSA key could be generated using SHA2, which should be ok for ssh, but not ok in Vagrant, because of the assumption that it will be SHA1. So... no possible workaround here, only a downgrade to 2.2.15 until it's fixed in 2.2.17. Le sam. 8 mai 2021 à 16:36, Sergey Glushchenko ***@***.***> a écrit :

…

I've run into this issue today as well with Ubuntu 21.04. Here's a simple workaround that worked for me: 1. On your host generate a ed25519 key $ ssh-keygen -a 100 -t ed25519 -f ubuntu_vagrant -C vagrant This will result in ubuntu_vagrant and ubuntu_vagrant.pub files. 2. vagrant up a new Ubuntu VM. 3. vagrant ssh into that VM. This will work because normal ssh client is used, not Ruby's net-ssh. 4. In the VM, put the previously generated ubuntu_vagrant.pub into ~/.ssh/authorized_keys. The original rsa key can be removed from ~/.ssh/authorized_keys. 5. On the host machine overwrite this VM's original private_key with ubuntu_vagrant cp ubuntu_vagrant ${PATH_TO_VM_ROOT}/.vagrant/machines/default/virtualbox/private_key — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#12344 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACCUJBFX5UR2ARHBFQ5OLHLTMVD5HANCNFSM436QS2CQ> .

[timvisher]

Wanted to point out that AWS EC2 keypairs must be RSA (specifically 2048-bit SSH-2 RSA keys) so this change breaks the ability to use vagrant-aws to spin up EC2 boxes, IIUC.

[simplytech]

I just upgraded from Vagrant 2.2.14 to 2.2.16 and having the same issue.

[simplytech]

Downgrading back to Vagrant 2.2.14 solved it for me too.

[robrecord]

Here is a script to create the workaround, with credit to gsserge

EDIT: This will work only on systems that can use keys other than RSA.

#!/usr/bin/env bash

echo "Fixing SSH key for vagrant 2.2.16 ..."

# exit when any command fails
set -e
# keep track of the last executed command
trap 'last_command=$current_command; current_command=$BASH_COMMAND' DEBUG
# echo an error message before exiting
trap 'echo "\"${last_command}\" command filed with exit code $?."' EXIT

config="$(vagrant ssh-config)"
host="$(echo "$config" | grep "^  HostName" | cut -d' ' -f4)"
file="$(echo "$config" | grep "^  IdentityFile" | cut -d' ' -f4)"

[ -z "$host" ] || [ -z "$file" ] && echo "Failed to get vagrant config" && exit 1

echo "Generating key..."
cat /dev/zero | ssh-keygen -a 100 -t ed25519 -f ubuntu_vagrant -C vagrant -q -N '' || echo "Using existing key"

echo "Copying public key..."
ssh-copy-id -o "IdentityFile $file" -f -i ubuntu_vagrant.pub -p 22 vagrant@$host 1>/dev/null

echo "Copying private key..."
mv "$file" "$file.bak"
cp ubuntu_vagrant "$file"

echo "Testing connection..."
ssh -o 'BatchMode=yes' -o 'ConnectionAttempts=1' -i "$file" -q -p 22 vagrant@$host exit
echo "Connection successful"

echo "Removing temporary keys..."
rm ubuntu_vagrant*

trap 'echo "Success."' EXIT

set +e

[crochat]

This fix doesn't apply to all situations. For my part, in my OpenStack infrastructure, I can only use RSA keys. Again, changing the type of key is not a fix, it's exactly following the rules forced by the new code, which simply forbid RSA keys for good. Le jeu. 20 mai 2021 à 14:33, Rob Record ***@***.***> a écrit :

…

Here is a script to create the workaround, with credit to gsserge #!/usr/bin/env bash echo "Fixing SSH key for vagrant 2.2.16 ..." # exit when any command failsset -e# keep track of the last executed commandtrap 'last_command=$current_command; current_command=$BASH_COMMAND' DEBUG# echo an error message before exitingtrap 'echo "\"${last_command}\" command filed with exit code $?."' EXIT config="$(vagrant ssh-config)" host="$(echo "$config" | grep "^ HostName" | cut -d' ' -f4)" file="$(echo "$config" | grep "^ IdentityFile" | cut -d' ' -f4)" [ -z "$host" ] || [ -z "$file" ] && echo "Failed to get vagrant config" && exit 1 echo "Generating key..." cat /dev/zero | ssh-keygen -a 100 -t ed25519 -f ubuntu_vagrant -C vagrant -q -N '' || echo "Using existing key" echo "Copying public key..." ssh-copy-id -o "IdentityFile $file" -f -i ubuntu_vagrant.pub -p 22 vagrant@$host 1>/dev/null echo "Copying private key..." mv "$file" "$file.bak" cp ubuntu_vagrant "$file" echo "Testing connection..." ssh -o 'BatchMode=yes' -o 'ConnectionAttempts=1' -i "$file" -q -p 22 vagrant@$host exitecho "Connection successful" echo "Removing temporary keys..." rm ubuntu_vagrant* trap 'echo "Success."' EXIT set +e — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#12344 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACCUJBDYIL2N6JUUSIBOUKTTOT6QNANCNFSM436QS2CQ> .

[robrecord]

This fix doesn't apply to all situations.

Thanks; I have edited my comment to state it will only work where other keys are possible to use.

[paulcalabro]

I just wanted to add that I was also experiencing this issue when using vagrant-aws.
Vagrant would hang while trying to establish an SSH connection when executing vagrant up even though I could ssh to the host successfully.

I was able to uninstall and reinstall using version 2.2.15 with homebrew like this:

wget https://github.com/Homebrew/homebrew-cask/blob/d81815ea27a778a312fa0e2bbef0d78f9767f45b/Casks/vagrant.rb
brew install --cask vagrant.rb

Now everything works as expected.