AlmaLinux / cloud-images

Packer templates and other tools for building AlmaLinux images for various cloud platforms.
MIT License

vagrant user can't login in almalinux/9 #93

Closed vchepkov closed 2 years ago

vchepkov commented 2 years ago

I have tried to use almalinux/9 virtualbox image, but vagrant fails to login:

    al9: SSH username: vagrant
    al9: SSH auth method: private key
    al9: Warning: Authentication failure. Retrying...
    al9: Warning: Authentication failure. Retrying...

vchepkov commented 2 years ago

ssh-rsa authentication is disabled in RHEL9 by default, but vagrant is using an ssh-rsa key. Maybe it's fine for the vagrant image to re-enable ssh-rsa by adding this in the kickstart:

update-crypto-policies --set DEFAULT:SHA1

LKHN commented 2 years ago

Hey! @vchepkov

I would like to release the stable version of the 9.0 boxes without the proposed workaround, because...

TL;DR: Update your OpenSSH to >= 7.2 (2016-02-29) instead of modifying the DEFAULT crypto settings on AlmaLinux OS 9 boxes.

The SHA-1 deprecation is relevant to the Public Key Algorithm^1 not the Public Key Format:

From the OpenSSH 8.8 release notes^2:

For most users, this change should be invisible and there is no need to replace ssh-rsa keys. OpenSSH has supported RFC8332 RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys will automatically use the stronger algorithm where possible.

So it's related to the version of SSH, not to vagrant's insecure ssh key in this case.

If you're using OpenSSH, you can check the supported key types and signature algorithms (look for rsa-sha2-256 and rsa-sha2-512):

ssh -Q sig (old) or ssh -Q key-sig (new)

ssh-ed25519
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521

vchepkov commented 2 years ago

@LKHN, I am using the latest Catalina version, which comes with:

$ ssh -V
OpenSSH_8.1p1, LibreSSL 2.7.3
$ ssh -Q sig
ssh-ed25519
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521

As I mentioned, the problem is not with the client; the problem is with the ssh server configuration. RSA signatures with SHA1 (ssh-rsa) are deprecated in RHEL9, and vagrant uses a SHA1 key by default. If I use an ecdsa private key, I can connect to an RHEL9 instance just fine. One can argue that this is a vagrant issue, but in the end the AlmaLinux image is unusable if SHA1 signatures are not re-enabled.

RobertFloor commented 2 years ago

I have a problem that the second network adapter of AlmaLinux 9 is not working correctly. Perhaps this network adapter is needed to create a host-only network in VirtualBox or another virtualization tool. This host-only network is needed to log in via ssh.

vchepkov commented 2 years ago

It seems the problem was addressed by vagrant.

LKHN commented 2 years ago

@RobertFloor

It seems fine to me :thinking:

Do you still have this issue?

Creating a fresh VM from https://app.vagrantup.com/almalinux/boxes/9/versions/9.0.20220531 (latest):

$ vagrant up

Bringing machine 'default' up with 'virtualbox' provider...
==> default: Importing base box 'almalinux/9'...
==> default: Matching MAC address for NAT networking...
==> default: Checking if box 'almalinux/9' version '9.0.20220531' is up to date...
==> default: Setting the name of the VM: almalinux9_default_1657108878299_43609
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
    default: Adapter 1: nat
    default: Adapter 2: hostonly
==> default: Forwarding ports...
    default: 22 (guest) => 2222 (host) (adapter 1)
==> default: Booting VM...
==> default: Waiting for machine to boot. This may take a few minutes...
    default: SSH address: 127.0.0.1:2222
    default: SSH username: vagrant
    default: SSH auth method: private key
    default: 
    default: Vagrant insecure key detected. Vagrant will automatically replace
    default: this with a newly generated keypair for better security.
    default: 
    default: Inserting generated public key within guest...
    default: Removing insecure key from the guest if it's present...
    default: Key inserted! Disconnecting and reconnecting using new SSH key...
==> default: Machine booted and ready!
==> default: Checking for guest additions in VM...
==> default: Configuring and enabling network interfaces...
==> default: Mounting shared folders...
    default: /vagrant => /RobertsTest/almalinux9

Network Status:

[vagrant@localhost ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:00:78:8a brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute enp0s3
       valid_lft 86273sec preferred_lft 86273sec
    inet6 fe80::a00:27ff:fe00:788a/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:a6:76:da brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.9/24 brd 192.168.56.255 scope global dynamic noprefixroute enp0s8
       valid_lft 473sec preferred_lft 473sec
    inet6 fe80::a00:27ff:fea6:76da/64 scope link 
       valid_lft forever preferred_lft forever

Connect through the NAT interface:

$ ssh -p 2222 vagrant@127.0.0.1
vagrant@127.0.0.1's password: 
Last login: Wed Jul  6 12:08:04 2022 from 192.168.56.1
[vagrant@localhost ~]$ hostnamectl
   Static hostname: n/a                                 
Transient hostname: localhost
         Icon name: computer-vm
           Chassis: vm 🖴
        Machine ID: aff7f528e68e4ab4bfdfca4a79b8ce47
           Boot ID: 7618dfcbbb114a4c9fe04988ca9ad748
    Virtualization: oracle
  Operating System: AlmaLinux 9.0 (Emerald Puma)        
       CPE OS Name: cpe:/o:almalinux:almalinux:9::baseos
            Kernel: Linux 5.14.0-70.13.1.el9_0.x86_64
      Architecture: x86-64
   Hardware Vendor: innotek GmbH
    Hardware Model: VirtualBox
[vagrant@localhost ~]$ 

Connect through the Host-Only (Private Network) interface:

$ ssh vagrant@192.168.56.9

vagrant@192.168.56.9's password: 
Last login: Wed Jul  6 12:07:40 2022 from 10.0.2.2

[vagrant@localhost ~]$ hostnamectl
   Static hostname: n/a                                 
Transient hostname: localhost
         Icon name: computer-vm
           Chassis: vm 🖴
        Machine ID: aff7f528e68e4ab4bfdfca4a79b8ce47
           Boot ID: 7618dfcbbb114a4c9fe04988ca9ad748
    Virtualization: oracle
  Operating System: AlmaLinux 9.0 (Emerald Puma)        
       CPE OS Name: cpe:/o:almalinux:almalinux:9::baseos
            Kernel: Linux 5.14.0-70.13.1.el9_0.x86_64
      Architecture: x86-64
   Hardware Vendor: innotek GmbH
    Hardware Model: VirtualBox
[vagrant@localhost ~]$ 

@vchepkov Thanks for opening the issue. I've tried different combinations of host OSes and could not reproduce it. Additionally, I haven't got any report about that so far. Therefore, sorry for the delay and for not enabling SHA1 on the 9 boxes. Could you share with us how you resolved the issue? Maybe it would be helpful for somebody.

We're planning to refresh the boxes, so now is a good time to report anything. You can report here or at https://bugs.almalinux.org. We can also discuss it in our chat: https://chat.almalinux.org