hashicorp / vagrant

Vagrant is a tool for building and distributing development environments.
https://www.vagrantup.com

"vagrant ssh" not working with CentOS 6 guest on Ubuntu 22.10 host #13200

Closed hartmut-mariadb closed 1 year ago

hartmut-mariadb commented 1 year ago

Expected behavior

"vagrant ssh" into CentOS 6 guest should work as it did on host machines with earlier versions of Ubuntu.

Actual behavior

"vagrant ssh" fails silently. "vagrant ssh -- -v" output ends with:

...
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: (no match)
Unable to negotiate with 127.0.0.1 port 2222: no matching host key type found. Their offer: ssh-rsa

On the guest I'm getting this in /var/log/secure:

Jun 11 18:26:14 centos6 sshd[2477]: fatal: no hostkey alg

I can log in with

vagrant ssh -- -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa

I could get things working for me by adding

Host 127.0.0.1
    PubkeyAcceptedKeyTypes=+ssh-rsa
    HostKeyAlgorithms=+ssh-rsa

to my $HOME/.ssh/config file as a workaround.

Reproduction information

Vagrant version

Vagrant 2.3.6

Host operating system

Ubuntu 22.10 with OpenSSH 9.0

Guest operating system

CentOS 6 installed from "generic/centos6"

Steps to reproduce

  1. start a CentOS 6 VM
  2. try "vagrant ssh" -> fails
  3. try "vagrant ssh -- -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa" -> works

Vagrantfile

# -*- mode: ruby -*-
# vi: set ft=ruby :

Vagrant.configure("2") do |config|
  config.vm.box = "generic/centos6"
end

Suggested fix

Add

-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa

to ssh commands executed by "vagrant ssh" so that connections to such old guests, where the installed SSH server accepts ssh-rsa only, are still possible. Security-wise this shouldn't be much of an issue as this is for local host->guest connections on 127.0.0.1 only anyway ...
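
Added example, not part of the original issue or of Vagrant's code: a shell function that reads `ssh -v` output, finds the `Unable to negotiate` line quoted in the report, and prints the single `-o` option that re-enables only what the server offered. It goes beyond the host-key case to OpenSSH's key-exchange, cipher and MAC negotiation messages; the names `negotiation_fix` and `sample_log` and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example (not Vagrant code). Reads `ssh -v` output on stdin and prints
# the one `-o` option matching the negotiation failure, or returns 1 if none.
negotiation_fix() {
    awk '
    /^Unable to negotiate with / && /Their offer: / {
        # Map the OpenSSH error text to the ssh_config option that governs it.
        opt = ""
        if (index($0, "no matching host key type found"))            opt = "HostKeyAlgorithms"
        else if (index($0, "no matching key exchange method found")) opt = "KexAlgorithms"
        else if (index($0, "no matching cipher found"))              opt = "Ciphers"
        else if (index($0, "no matching MAC found"))                 opt = "MACs"
        if (opt == "") next

        offer = $0
        sub(/^.*Their offer: */, "", offer)
        sub(/[ \r]+$/, "", offer)
        # The offer is server-controlled text: accept only characters that
        # occur in algorithm name lists before echoing it into a command line.
        if (offer !~ /^[A-Za-z0-9@.,_+-]+$/) next

        print "-o " opt "=+" offer
        found = 1
        exit
    }
    END { exit (found ? 0 : 1) }
    '
}

# Constructed sample: the debug lines quoted in the issue report.
sample_log() {
    cat <<'EOF'
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: (no match)
Unable to negotiate with 127.0.0.1 port 2222: no matching host key type found. Their offer: ssh-rsa
EOF
}

sample_log | negotiation_fix   # -o HostKeyAlgorithms=+ssh-rsa
```

Real output can be piped in with `vagrant ssh -- -v 2>&1 | negotiation_fix`, since ssh writes its debug lines to stderr. The function covers only the negotiation failure; the `PubkeyAcceptedKeyTypes` option in the report concerns the later authentication step and is not derived here.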

drawks commented 1 year ago

This is the inverse problem of what is described in #12589. It would be very nice if both issues were resolved sooner rather than later. Newer clients having trouble connecting to older boxes and newer boxes not working with the old rsa insecure key are both a significant regression in general usability in vagrant that /should/ be trivial to fix.

chrisroberts commented 1 year ago

Hi there. This was fixed via #13179 and is available in the latest release (2.3.7).

Cheers