
What is the best way to save ssh public key in custom vagrant box?

I often see unofficial documents that say you should save the vagrant user's ssh public key when creating your own box, like below:

curl >> /home/vagrant/.ssh/authorized_keys

And when running vagrant up with the box, the following message is shown:

default: Vagrant insecure key detected. Vagrant will automatically replace
default: this with a newly generated keypair for better security.
default: Inserting generated public key within guest...
default: Removing insecure key from the guest if it's present...
default: Key inserted! Disconnecting and reconnecting using new SSH key...

It seems to me that mitchellh’s key above is not appropriate.

What is the best way to save vagrant user’s ssh public key?


  • The key you point to is a sample that is not to be used.

    The returned message seems to say that another keypair is automatically generated:

    default: Inserting generated public key within guest...
    default: Removing insecure key from the guest if it's present...
    default: Key inserted! Disconnecting and reconnecting using new SSH key...

    so if everything is going correctly, your container now uses a new public key in /home/vagrant/.ssh/authorized_keys and your local host uses a new private key in $HOME/.ssh/id_rsa.

    Compare these files with the files you originally downloaded; look at the modification time of both files (on the local host and in the vagrant container).

    Build your own key

    Simply run:

    ssh-keygen -f ~/.ssh/vagrant-dedicated

    see man ssh-keygen for key length, cipher, etc...

    Sample output:

    • dialog:

       Enter passphrase (empty for no passphrase): 
       Enter same passphrase again: 
    • Simple output:

       Generating public/private rsa key pair.
       Your identification has been saved in vagrant-dedicated.
       Your public key has been saved in
       The key fingerprint is:
       SHA256:U2YfVbMlCUed7tXrvf3xBQoLB3glpSpto4hwdjTKwV0 user@host
       The key's randomart image is:
       +---[RSA 2048]----+
       |      E ..o .o==+|
       | . . . . +   o.o=|
       |  o + . + + . ...|
       | . + o o = . . .o|
       |. = o = S o . o o|
       |.+ o + . + o . + |
       |. . .     . . ..o|
       |               .*|
       |               .*|

    This will create two files:

    ls -l ~/.ssh/vagrant-dedicated*
    -rw------- 1 user  user  1679 Oct 20 12:18 vagrant-dedicated
    -rw-r--r-- 1 user  user   394 Oct 20 12:18
    head -n1 ~/.ssh/vagrant-dedicated*
    ==> vagrant-dedicated <==
    ==> <==
    ssh-rsa AAAAB3...0y/5 user@host  

    Replace the content of the container's /home/vagrant/.ssh/authorized_keys (target) with the content of ~/.ssh/, then use vagrant-dedicated as the private key for the ssh connection.

    ssh -i ~/.ssh/vagrant-dedicated vagrant@container

    Note about fingerprint

    Before the first connection to a new target host, ssh will prompt you about the host's fingerprint.

    You could compare the output of

    ssh-keygen -vlf /etc/ssh/ 

    on the target vagrant container with the output of your first connection:

    ssh -o VisualHostKey=true -i ~/.ssh/vagrant-dedicated vagrant@container

    The first run will begin with output like:

    The authenticity of host 'container (' can't be established.

    Then the fingerprint, something like

    ECDSA key fingerprint is SHA256:9M+2wGn0nZO3GPYkWuuxzXqI3nIbk5IJJ5xwhsxwbXk

    And the ASCII art representation:

    +---[ECDSA 256]---+
    |     . .. .      |
    |      = .+ E     |
    |       =oo.      |
    |       .=..      |
    |        S=o.     |
    |         o+=o..o |
    |          =+*X*..|
    |         . =*+#+.|
    |          .o=O+= |

    Both commands must give the identical fingerprint and ASCII art.
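The procedure the answer walks through (generate a dedicated keypair, put its public half into the vagrant user's authorized_keys, drop the insecure key, then check the host fingerprint on first connect) collected into one script, as an added example that is not code from the question or the answer. It assumes ssh-keygen and ssh are on the host, that the guest's home directory is writable from the host at build time (a mounted image or a provisioner step), and it reuses the answer's host name "container" and key path ~/.ssh/vagrant-dedicated; the ed25519 key type is this example's choice, the answer's sample used ssh-keygen's RSA default.

```shell
#!/bin/sh
# Added example (not from the question or answer above): provision a
# dedicated SSH key into a custom Vagrant box instead of the well-known
# insecure key. Assumptions: ssh-keygen/ssh on the host; the guest's
# vagrant home directory is reachable from the host at build time; the
# guest is addressable as vagrant@container (name taken from the answer).

KEY="${KEY:-$HOME/.ssh/vagrant-dedicated}"

# Generate the dedicated keypair on the host if it does not exist yet.
generate_key() {
    if [ ! -f "$KEY" ]; then
        ssh-keygen -t ed25519 -N '' -C 'vagrant-dedicated' -f "$KEY"
    fi
}

# Install one public-key line into <home>/.ssh/authorized_keys exactly once
# and set the permissions sshd requires (dir 700, file 600); sshd refuses
# keys from a group- or world-writable file.
# Usage: install_authorized_key '<pubkey line>' /home/vagrant
install_authorized_key() {
    pubkey="$1"
    home="$2"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    if ! grep -qxF "$pubkey" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
    fi
    chmod 600 "$home/.ssh/authorized_keys"
}

# Drop Vagrant's public insecure key from an authorized_keys file. That key
# ships with the comment "vagrant insecure public key", which is what this
# matches on; every other line is kept.
remove_insecure_key() {
    file="$1"
    grep -v 'vagrant insecure public key' "$file" > "$file.tmp" || true
    mv "$file.tmp" "$file"
    chmod 600 "$file"
}

# Print the guest's host-key fingerprints so they can be compared with the
# "authenticity of host ... can't be established" prompt on first connect.
# Run this inside the guest (console of the box being built).
guest_host_fingerprints() {
    for pub in /etc/ssh/ssh_host_*_key.pub; do
        if [ -f "$pub" ]; then
            ssh-keygen -lf "$pub"
        fi
    done
}

# End-to-end on the host: generate the key, push the public half into the
# guest's home directory ($1), strip the insecure key.
provision_guest() {
    generate_key
    pub="$(cat "$KEY.pub")"
    install_authorized_key "$pub" "$1"
    remove_insecure_key "$1/.ssh/authorized_keys"
}

# Usage: sh provision.sh provision /path/to/guest/home/vagrant
if [ "${1-}" = "provision" ]; then
    provision_guest "${2:?guest home directory}"
    ssh -o VisualHostKey=true -i "$KEY" vagrant@container
fi
```

Two points worth knowing alongside this: the keypair Vagrant generates itself during `vagrant up` is written under the project's `.vagrant/machines/<name>/<provider>/private_key`, not to `~/.ssh/id_rsa`; and if you want Vagrant to use the dedicated key rather than replace it, the Vagrantfile options `config.ssh.private_key_path` and `config.ssh.insert_key = false` exist for exactly that (neither is discussed in the answer above).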