I often see unofficial documents that say you should save the vagrant user's ssh public key when creating your own box, like below:
curl https://raw.githubusercontent.com/mitchellh/vagrant/master/keys/vagrant.pub >> /home/vagrant/.ssh/authorized_keys
And when running vagrant up with the box, the following message is shown:
default: Vagrant insecure key detected. Vagrant will automatically replace
default: this with a newly generated keypair for better security.
default:
default: Inserting generated public key within guest...
default: Removing insecure key from the guest if it's present...
default: Key inserted! Disconnecting and reconnecting using new SSH key...
It seems to me that mitchellh's vagrant.pub key above is not appropriate.
What is the best way to save the vagrant user's ssh public key?
The key you point to on raw.githubusercontent.com is a sample not to be used.
The returned message seems to tell that another keypair is automatically generated:
default: Inserting generated public key within guest...
default: Removing insecure key from the guest if it's present...
default: Key inserted! Disconnecting and reconnecting using new SSH key...
so if everything is going correctly, your container now uses a new public key in /home/vagrant/.ssh/authorized_keys and your local host uses a new private key in $HOME/.ssh/id_rsa.
Compare these files with the files you originally downloaded; look at the modification time of both files (on the local host and in the vagrant container).
Simply run:
ssh-keygen -f ~/.ssh/vagrant-dedicated
(see man ssh-keygen for key length, cipher, etc.)
Sample output dialog:
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Simple output:
Generating public/private rsa key pair.
Your identification has been saved in vagrant-dedicated.
Your public key has been saved in vagrant-dedicated.pub.
The key fingerprint is:
SHA256:U2YfVbMlCUed7tXrvf3xBQoLB3glpSpto4hwdjTKwV0 user@host
The key's randomart image is:
+---[RSA 2048]----+
| E ..o .o==+|
| . . . . + o.o=|
| o + . + + . ...|
| . + o o = . . .o|
|. = o = S o . o o|
|.+ o + . + o . + |
|. . . . . ..o|
| .*|
| .*|
+----[SHA256]-----+
This will create two files:
ls -l ~/.ssh/vagrant-dedicated*
-rw------- 1 user user 1679 Oct 20 12:18 vagrant-dedicated
-rw-r--r-- 1 user user 394 Oct 20 12:18 vagrant-dedicated.pub
head -n1 ~/.ssh/vagrant-dedicated*
==> vagrant-dedicated <==
-----BEGIN RSA PRIVATE KEY-----
==> vagrant-dedicated.pub <==
ssh-rsa AAAAB3...0y/5 user@host
Replace the content of the container's /home/vagrant/.ssh/authorized_keys (target) by the content of ~/.ssh/vagrant-dedicated.pub, then use vagrant-dedicated as the private key for the ssh connection:
ssh -i ~/.ssh/vagrant-dedicated vagrant@container
Before the 1st connection to a new target host, ssh will prompt you about the host's fingerprint.
You could compare the output of
ssh-keygen -vlf /etc/ssh/ssh_host_rsa_key.pub
on the target vagrant container with the output of your 1st connection:
ssh -o VisualHostKey=true -i ~/.ssh/vagrant-dedicated vagrant@container
The first run will begin its output like:
The authenticity of host 'container (10.12.34.56)' can't be established.
Then the fingerprint, something like
ECDSA key fingerprint is SHA256:9M+2wGn0nZO3GPYkWuuxzXqI3nIbk5IJJ5xwhsxwbXk
And the ASCII art representation:
+---[ECDSA 256]---+
| . .. . |
| = .+ E |
| =oo. |
| .=.. |
| S=o. |
| o+=o..o |
| =+*X*..|
| . =*+#+.|
| .o=O+= |
+----[SHA256]-----+
Both commands must give an identical fingerprint and ASCII art.
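The answer above does two things by hand: replace the shared, publicly known key in the guest's authorized_keys with a dedicated one, and compare the host key fingerprint reported by ssh-keygen -lf on the guest with the one shown by the client on first connection. The following is an added example, not code from the question, the answer, or the Vagrant project, that performs both checks offline: it computes the SHA256 fingerprint of an authorized_keys entry exactly the way ssh-keygen -lf does (SHA-256 over the decoded key blob, base64 without padding), drops any entry matching a fingerprint you pass in as the insecure one, and parses the fingerprint out of both output formats so they can be compared. The key lines used as input are constructed stand-ins built from fixed bytes, not real keys and not the actual Vagrant insecure key; the fingerprint in the host key check is the one quoted in the answer, with surrounding text constructed.

```python
import base64
import hashlib
import re
import struct
from typing import Optional

# Key types accepted on an authorized_keys line (subset, enough for this example).
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# SHA256 fingerprints are 43 base64 characters (32-byte digest, '=' stripped).
FINGERPRINT_RE = re.compile(r"SHA256:[A-Za-z0-9+/]{43}")


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 public key line from 32 raw bytes.

    Only used to construct sample input for this example; real keys come from
    ssh-keygen and the bytes here are not a real key pair.
    """
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are exactly 32 bytes")
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def key_blob(line: str) -> Optional[bytes]:
    """Return the decoded key blob of an authorized_keys line, or None.

    Skips blank lines and comments, and any leading options (e.g. `no-pty`)
    that may precede the key type token.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = stripped.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            try:
                return base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                return None
    return None


def sha256_fingerprint(line: str) -> Optional[str]:
    """Fingerprint as `ssh-keygen -lf` prints it: SHA-256 of the key blob,
    base64-encoded with '=' padding removed, prefixed with 'SHA256:'."""
    blob = key_blob(line)
    if blob is None:
        return None
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def replace_key(authorized_keys: str, insecure_fp: str, new_key_line: str) -> str:
    """Drop every entry whose fingerprint equals insecure_fp and ensure
    new_key_line is present exactly once. Returns the new file content."""
    new_fp = sha256_fingerprint(new_key_line)
    if new_fp is None:
        raise ValueError("new_key_line is not a valid public key line")
    kept, present = [], False
    for line in authorized_keys.splitlines():
        fp = sha256_fingerprint(line)
        if fp == insecure_fp:
            continue            # remove the shared, publicly known key
        if fp == new_fp:
            present = True      # dedicated key already installed; keep it
        kept.append(line)
    if not present:
        kept.append(new_key_line.rstrip())
    return "\n".join(kept) + "\n"


def extract_fingerprint(text: str) -> Optional[str]:
    """Pull the SHA256 fingerprint from either `ssh-keygen -lf` output
    ('256 SHA256:... comment (ECDSA)') or the client's first-connection
    prompt ('ECDSA key fingerprint is SHA256:...')."""
    m = FINGERPRINT_RE.search(text)
    return m.group(0) if m else None


def host_fingerprints_match(guest_output: str, client_prompt: str) -> bool:
    """True when both outputs carry the same SHA256 host key fingerprint."""
    a, b = extract_fingerprint(guest_output), extract_fingerprint(client_prompt)
    return a is not None and a == b


# Constructed sample input: stand-in keys, not real key material.
INSECURE_SAMPLE = make_ed25519_pubkey_line(bytes(range(32)), "insecure key (constructed stand-in)")
DEDICATED_SAMPLE = make_ed25519_pubkey_line(bytes(range(32, 64)), "user@host")
SAMPLE_AUTHORIZED_KEYS = "# keys installed by the box build\n" + INSECURE_SAMPLE + "\n"

if __name__ == "__main__":
    insecure_fp = sha256_fingerprint(INSECURE_SAMPLE)
    print("insecure key fingerprint:", insecure_fp)
    print(replace_key(SAMPLE_AUTHORIZED_KEYS, insecure_fp, DEDICATED_SAMPLE))
    # Fingerprint quoted in the answer; the surrounding text is constructed.
    guest = "256 SHA256:9M+2wGn0nZO3GPYkWuuxzXqI3nIbk5IJJ5xwhsxwbXk root@container (ECDSA)"
    client = "ECDSA key fingerprint is SHA256:9M+2wGn0nZO3GPYkWuuxzXqI3nIbk5IJJ5xwhsxwbXk."
    print("host key matches:", host_fingerprints_match(guest, client))
```

To apply this to a real box, feed replace_key the guest's authorized_keys content, the fingerprint of the key you want gone (as printed by ssh-keygen -lf on that key file), and the contents of ~/.ssh/vagrant-dedicated.pub, then write the result back with mode 0600; the fingerprint comparison is the same check the answer describes, done on captured output instead of by eye.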