security hole from disabled StrictHostKeyChecking

[NodeGuy]

Vagrant disables StrictHostKeyChecking which means it's vulnerable to a man-in-the-middle attack, defeating the security assurances provided by SSH and calling into question the security of the instance for the remainder of its lifetime. Given that AWS instances are commonly used for ecommerce sites, I find this unacceptable and consider it to be a showstopper preventing me from using the Vagrant AWS provider.

[NodeGuy]

Here's one possible solution:

# ec2-get-console-output INSTANCE | ec2-knownhost hostname

The ec2-knownhost uses the fact that EC2 AMIs — standard ones, at least — print their host keys prefixed with ec2: and between lines -----BEGIN SSH HOST KEY FINGERPRINTS----- and -----END SSH HOST KEY FINGERPRINTS-----. A few lines of shell script is all it takes to extract the host key fingerprints and pass them to ssh-knownhost. Again, short, simple, and effective.

— Automatically populating .ssh/known_hosts

[NodeGuy]

Here's another one:

Instead of letting the new EC2 instance generate its own ssh host key and waiting for it to communicate the fingerprint through the EC2 console output, we can generate the new ssh host key on our local system and pass it to the new instance.

Using this approach, we already know the public side of the ssh key so we don’t have to wait for it to become available through the console (which can take minutes).

— Uploading Known ssh Host Key in EC2 user-data Script

[rtyler]

@NodeGuy Vagrant, and in turn vagrant-aws is more commonly used in development environment, so the concerns about the verification of SSH hosts has been a bit more lax.

From my understanding, and I'll have to dig more into this, this is an option usually used in core Vagrant as well so I'm not sure how feasible it is to disable this across the board.

[NodeGuy]

@rtyler Ah, that's helpful context that I didn't realize, thank you. I would prefer that it be secure, however.

[sallespro]

hi, i have not been able to set this up properly.

Bringing machine 'default' up with 'aws' provider...
WARNING: Nokogiri was built against LibXML version 2.8.0, but has dynamically loaded 2.9.1
[default] Warning! The AWS provider doesn't support any of the Vagrant
high-level network configurations (`config.vm.network`). They
will be silently ignored.
[default] Launching an instance with the following settings...
[default]  -- Type: m1.small
[default]  -- AMI: ami-7747d01e
[default]  -- Region: us-east-1
[default]  -- Keypair: zzz
[default]  -- Block Device Mapping: []
[default]  -- Terminate On Shutdown: false
[default]  -- Monitoring: false
[default]  -- EBS optimized: false
[default] Waiting for instance to become "ready"...
[default] Waiting for SSH to become available...

Vagrant.configure("2") do |config|
  config.vm.box = "dummy"

  config.vm.provider :aws do |aws, override|
    aws.access_key_id = "xxx"
    aws.secret_access_key = "yyy"
    aws.keypair_name = "zzz"

    aws.ami = "ami-7747d01e"

    override.ssh.username = "ubuntu"
    override.ssh.private_key_path = "~/.ssh/zzz.pem"
  end
end

what am i missing ?

[sodevy]

This was on hackernews today: https://www.danieldent.com/blog/ssh-requires-a-chain-of-trust/