vagrant-rekey-ssh 0.1.0

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    N2NjY2FkMjVlYTI1Zjg0N2M1OTE0OWQ4M2I5NzA1YTYyMDAxMzVlZQ==
+  data.tar.gz: !binary |-
+    NzlhNmIxMGFjZTcwZDAzNDI4MjJkOWJiMTdhZGUyNjZiYTI0ZDgxYw==
+SHA512:
+  metadata.gz: !binary |-
+    NDJiNjc4MjAzMjEyMjgzMGI3MjBiZDFlOWZmNGQzM2UwNzcyOGVkMWUxOTQ2
+    ZmY3MzUzNTVmYjIzNDVlM2ZmODM5MmMyMjg4NzdhZTY2ZWMzN2IzOTMzNDcw
+    MWZlOWI3ZjBhNTc5ODVjYWQ3MDRkN2Q5ZjQxYTQ4YWM1ZmFhMTg=
+  data.tar.gz: !binary |-
+    YTk1ZTI3MTRjOTViM2ZjNWUyZGI1Y2UwMDEwYjRhMTJhMGE0NWUxM2ZjN2Nh
+    Y2Y4ZTE1MTcwNDA5MzEwNTA2MzgwZmNiMTZjOTNlMzhlMTJiMDgzMTY2MmU3
+    NDU5NWFhMWU2YWZjYmY3N2NhNGIyYjAzZDIwMTNhZjFjMjEwODQ=

data/.gitignore

@@ -0,0 +1,18 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+Vagrantfile

data/Gemfile

@@ -0,0 +1,12 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in vagrant-rekey-ssh.gemspec
+gemspec
+
+group :development do
+  # We depend on Vagrant for development, but we don't add it as a
+  # gem dependency because we expect to be installed within the
+  # Vagrant environment itself using `vagrant plugin`.
+  gem "vagrant", :git => "https://github.com/mitchellh/vagrant.git"
+end
+

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Avishai Ish-Shalom
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,123 @@
+vagrant-rekey-ssh
+=================
+
+This is a [vagrant](http://vagrantup.com) plugin that will make your vagrant
+boxes a bit more secure than they currently are.
+
+Rationale
+---------
+
+All Vagrant boxes come with the same ssh key and passwords installed. This
+means anyone who can ssh into your VM, will be able to authenticate to it
+if they try the vagrant default credentials. Additionally, vagrant boxes
+come with passwordless sudo privileges, so anyone able to SSH into your 
+box will be able to do whatever they want on it.
+
+As of Vagrant 1.2.3, for the most part this doesn't matter, because you can 
+only access the Vagrant VM from localhost (previous versions allowed access
+from any machine on your local network). However, this becomes *extremely*
+important if you are using a vagrant box that is on a bridged network. If
+your VM is on a bridged network, without other controls in place that means
+*anyone* who has access to your local network can SSH into your VM and get
+root access on it. There are plenty of documented ways of breaking out of a
+VM, so this is clearly a problem that needs to be addressed.
+
+Ideally, Vagrant would have something built into it to solve the problem.
+Since that isn't currently the case, I've created this plugin to help. 
+
+This solution
+-------------
+
+The first time that this plugin is ran, it generates a unique SSH key and
+stores it as `~/vagrant.d/less_insecure_private_key`. Whenever you run the
+`vagrant provision` command, this plugin will run a script to check the
+authorized keys for the vagrant user to determine if the insecure key
+public key is present. If it is present, it will replace the key with the
+public key for the generated public key.
+
+Additionally, if the insecure public key is present, it will delete the
+passwords for root and vagrant, so that you cannot login using a password.
+
+Whenever vagrant tries to SSH into a box using an SSH key, this plugin will
+add the generated SSH key to the list of keys it tries. This ensures that
+you will still be able to SSH into boxes that have the insecure key installed.
+
+Installation
+------------
+
+    vagrant plugin install vagrant-rekey-ssh
+
+Usage
+-----
+
+Just install the plugin. It will do its magic automatically when you provision
+a box.
+
+To secure already running VMs, you will need to run `vagrant provision` on
+them.
+
+Settings
+--------
+
+You can set these settings in an individual Vagrantfile, or you can specify
+this in your global Vagrantfile (~/.vagrant.d/Vagrantfile)
+
+* `config.rekey_ssh.enable` - Enables or disables the plugin. Default: enabled
+
+
+Compatibility
+-------------
+
+I've only tested this on Vagrant 1.3.5 using the Virtualbox provider on Ubuntu
+and OSX. Let me know if it works on earlier versions of Vagrant, and I'll put
+that here.
+
+Known Issues
+------------
+
+This isn't going to work on a Vagrant VM that is running a non-unix operating
+system.
+
+I haven't figured out a generic way to override a machine's configuration
+without hooking specific actions, which results in the following bugs that
+I am aware of:
+
+* The ssh-config command does not include the correct keys
+* May not work with commands that are not built in to vagrant
+
+If you can figure out a good way to fix these, please submit a pull request.
+
+Contributing new changes
+========================
+
+1. Fork this repository
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request
+
+Development
+===========
+
+To work on the `vagrant-rekey-ssh` plugin, clone this repository out, and use
+[Bundler](http://gembundler.com) to get the dependencies:
+
+    $ bundle
+
+You can test the plugin without installing it into your Vagrant environment 
+by just creating a `Vagrantfile` in the top level of this directory (it is
+gitignored) that uses it, and uses bundler to execute Vagrant:
+
+    $ bundle exec vagrant WHATEVER
+
+Credits
+=======
+
+Since I'm not really a ruby programmer, a lot of the skeleton of this plugin
+came from other Vagrant plugins, particularly `vagrant-ohai` and 
+`vagrant-openstack-plugin`. 
+
+Author
+======
+
+Author:: Dustin Spicuzza (dustin@virtualroadside.com)

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/lib/vagrant-rekey-ssh.rb

@@ -0,0 +1,27 @@
+require "pathname"
+require 'vagrant-rekey-ssh/plugin'
+
+module VagrantPlugins
+  module RekeySSH
+    lib_path = Pathname.new(File.expand_path("../vagrant-rekey-ssh", __FILE__))
+    autoload :Errors, lib_path.join("errors")
+
+    # This initializes the i18n load path so that the plugin-specific
+    # translations work.
+    def self.init_i18n
+      I18n.load_path << File.expand_path("locales/en.yml", source_root)
+      I18n.reload!
+    end
+
+    # This returns the path to the source of this plugin.
+    #
+    # @return [Pathname]
+    def self.source_root
+      @source_root ||= Pathname.new(File.expand_path("../../", __FILE__))
+    end
+  end
+end
+
+if defined?(Vagrant)
+  VagrantPlugins::RekeySSH.init_i18n()
+end

data/lib/vagrant-rekey-ssh/actions/secure_box.rb

@@ -0,0 +1,59 @@
+
+require "vagrant-rekey-ssh/helpers"
+
+module VagrantPlugins
+  module RekeySSH
+    class ActionSecureBox
+      
+      def initialize(app, env)
+        @app = app
+        @env = env
+        @machine = env[:machine]
+        @vagrant_insecure_public_key = "AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ=="
+      end
+      
+      def call(env)
+        @app.call(env)
+        return unless @machine.communicate.ready?
+        
+        if @machine.config.rekey_ssh.enable
+            
+          generate_ssh_key
+          
+          key = ssh_public_key()
+          unless key.length > 0
+            raise Errors::ErrorInvalidGeneratedSshKey
+          end
+          
+          # remove the vagrant insecure public key
+          cmd = "grep #{@vagrant_insecure_public_key} ~/.ssh/authorized_keys|| exit 1"
+          cmd += ";sed -i 's/^.*#{@vagrant_insecure_public_key}.*$/#{key.gsub("/","\\/")}  vagrant less insecure private key/' ~/.ssh/authorized_keys || exit 2"
+          cmd += ";exit 3"
+          
+          result = @machine.communicate.execute(cmd, sudo: false, error_check: false)
+          
+          if result == 1
+            @machine.ui.info(I18n.t("vagrant_rekey_ssh.info.no_key"))
+          elsif result == 2
+            raise Errors::ErrorReplacingInsecureKey
+          elsif result == 3
+            @machine.ui.info(I18n.t("vagrant_rekey_ssh.info.key_replaced"))
+            
+            # if the insecure key *was* there, disable the user's and root's password too
+            # -> this prevents the user from logging in using 'vagrant'
+            # -> we only do this if the insecure key was found, because if it
+            #    wasn't then perhaps it's a custom box and we shouldn't mess with it
+            @machine.communicate.execute("sudo passwd --delete $USER; sudo passwd --delete root", sudo: false)  
+            
+          end
+          
+        end
+      end
+      
+      protected
+      
+      include VagrantPlugins::RekeySSH::Helpers
+      
+    end
+  end
+end

data/lib/vagrant-rekey-ssh/actions/ssh_info.rb

@@ -0,0 +1,43 @@
+
+require 'vagrant/util/subprocess'
+require "vagrant-rekey-ssh/helpers"
+
+module VagrantPlugins
+  module RekeySSH
+    class ActionSSHInfo
+      
+      def initialize(app, env)
+        @app = app
+        @env = env
+        @machine = env[:machine]
+      end
+      
+      def call(env)
+        
+        if @machine.config.rekey_ssh.enable
+        
+          # ensure we have a key
+          generate_ssh_key
+          
+          # if the user's config hasn't specified a key, then set our key
+          # in here. We also specify the insecure key too so that it works
+          # in case we haven't replaced the key yet.
+          # -> TODO: only specify the insecure key when we haven't set the
+          #    less insecure key on the box.
+          if @machine.config.ssh.private_key_path.nil?
+            @machine.config.ssh.private_key_path = [ssh_key_path, @machine.env.default_private_key_path]
+          end
+          
+        end
+        
+        @app.call(env)
+        
+      end
+      
+      protected
+      
+      include VagrantPlugins::RekeySSH::Helpers
+      
+    end
+  end
+end

data/lib/vagrant-rekey-ssh/config.rb

@@ -0,0 +1,24 @@
+module VagrantPlugins
+  module RekeySSH
+    class Config < Vagrant.plugin(2, :config)
+      attr_accessor :enable
+
+      def initialize
+        @enable = UNSET_VALUE
+      end
+      def finalize!
+        @enable = true if @enable == UNSET_VALUE
+      end
+
+      def validate(machine)
+        case @enable
+        when TrueClass, FalseClass
+          {}
+        else
+          {"enable" => [I18n.t("vagrant_rekey_ssh.config.enable")] }
+        end
+      end
+
+    end
+  end
+end

data/lib/vagrant-rekey-ssh/errors.rb

@@ -0,0 +1,24 @@
+require "vagrant"
+
+module VagrantPlugins
+  module RekeySSH
+    module Errors
+      class VagrantRekeySSHError < Vagrant::Errors::VagrantError
+        error_namespace("vagrant_rekey_ssh.errors")
+      end
+      
+      class ErrorSshKeygenNotFound < VagrantRekeySSHError
+        error_key(:ssh_keygen_not_found)
+      end
+      
+      class ErrorCreatingSshKey < VagrantRekeySSHError
+        error_key(:creating_ssh_key)
+      end
+      
+      class ErrorInvalidGeneratedSshKey < VagrantRekeySSHError
+        error_key(:invalid_generated_ssh_key)
+      end
+      
+    end
+  end
+end

data/lib/vagrant-rekey-ssh/helpers.rb

@@ -0,0 +1,36 @@
+
+module VagrantPlugins
+  module RekeySSH
+    module Helpers
+      
+      def generate_ssh_key
+        unless ::File.exists?(ssh_key_path)
+
+          @machine.ui.info(I18n.t("vagrant_rekey_ssh.info.generating_key"))
+                    
+          result = Vagrant::Util::Subprocess.execute("ssh-keygen", "-f", ssh_key_path, "-N", "")
+          
+          if result.exit_code != 0
+            raise Errors::ErrorCreatingSshKey, exit_code: result.exit_code
+          end
+          
+          @machine.ui.info(I18n.t("vagrant_rekey_ssh.info.key_generated", :path => ssh_key_path))
+          
+        end
+      end
+      
+      def ssh_public_key
+        IO.read(ssh_pubkey_path).scan( /^(\S+\s+\S+).*$/ ).last.first
+      end
+      
+      def ssh_key_path
+        ::File.join(@env[:home_path], "less_insecure_private_key")
+      end
+      
+      def ssh_pubkey_path
+         ::File.join(@env[:home_path], "less_insecure_private_key.pub")
+      end
+    end
+    
+  end
+end

data/lib/vagrant-rekey-ssh/plugin.rb

@@ -0,0 +1,37 @@
+require "vagrant-rekey-ssh/version"
+require "vagrant/plugin"
+
+module VagrantPlugins
+  module RekeySSH  
+    class Plugin < Vagrant.plugin("2")
+      name "vagrant-rekey-ssh"
+      description <<-DESC
+        Automatically secure vagrant boxes with a randomly generated SSH key
+      DESC
+
+      #
+      # what I really want to do is wrap the virtualbox provider somehow so we
+      # can modify the machine configuration. This is good enough for now..
+      #
+      
+      require_relative 'actions/secure_box'
+      require_relative 'actions/ssh_info'
+      
+      %w{halt provision reload ssh ssh_run ssh_config up}.each do |action|
+        action_hook(:rekey_ssh, "machine_action_#{action}".to_sym) do |hook|
+          
+          hook.before(Vagrant::Action::Builtin::ConfigValidate, ActionSSHInfo)
+          hook.before(Vagrant::Action::Builtin::GracefulHalt, ActionSSHInfo)
+          hook.before(Vagrant::Action::Builtin::SSHExec, ActionSSHInfo)
+          
+          hook.after(Vagrant::Action::Builtin::Provision, ActionSecureBox)
+        end
+      end
+
+      config(:rekey_ssh) do
+        require_relative "config"
+        Config
+      end
+    end
+  end
+end

data/lib/vagrant-rekey-ssh/version.rb

@@ -0,0 +1,5 @@
+module VagrantPlugins
+  module RekeySSH
+    VERSION = "0.1.0"
+  end
+end

data/locales/en.yml

@@ -0,0 +1,22 @@
+---
+en:
+  vagrant_rekey_ssh:  
+    config:
+      enable: |-
+        Enable must be true or false
+
+    info:
+      generating_key: |-
+        Less insecure SSH key not found, generating key
+      key_generated: |-
+        Less insecure SSH key generated and stored at %{path}
+      key_replaced: |-
+        Replaced insecure vagrant key with less insecure key!
+      no_key: |-
+        Insecure vagrant key not present.
+
+    errors:
+      creating_ssh_key: |-
+        Error occurred when creating the ssh key (ssh-keygen returned %{exit_code})
+      invalid_generated_ssh_key: |-
+        Generated SSH key was not in an expected format! Perhaps it was corrupted?

data/vagrant-rekey-ssh.gemspec

@@ -0,0 +1,23 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'vagrant-rekey-ssh/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "vagrant-rekey-ssh"
+  spec.version       = VagrantPlugins::RekeySSH::VERSION
+  spec.authors       = ["Dustin Spicuzza"]
+  spec.email         = ["dustin@virtualroadside.com"]
+  spec.description   = "Automatically secure vagrant boxes with a randomly generated SSH key"
+  spec.summary       = "Automatically secure vagrant boxes with a randomly generated SSH key"
+  spec.homepage      = "https://github.com/virtuald/vagrant-rekey-ssh.git"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_development_dependency "rake"
+end

metadata

@@ -0,0 +1,87 @@
+--- !ruby/object:Gem::Specification
+name: vagrant-rekey-ssh
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Dustin Spicuzza
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-12-09 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Automatically secure vagrant boxes with a randomly generated SSH key
+email:
+- dustin@virtualroadside.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/vagrant-rekey-ssh.rb
+- lib/vagrant-rekey-ssh/actions/secure_box.rb
+- lib/vagrant-rekey-ssh/actions/ssh_info.rb
+- lib/vagrant-rekey-ssh/config.rb
+- lib/vagrant-rekey-ssh/errors.rb
+- lib/vagrant-rekey-ssh/helpers.rb
+- lib/vagrant-rekey-ssh/plugin.rb
+- lib/vagrant-rekey-ssh/version.rb
+- locales/en.yml
+- vagrant-rekey-ssh.gemspec
+homepage: https://github.com/virtuald/vagrant-rekey-ssh.git
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.1.10
+signing_key: 
+specification_version: 4
+summary: Automatically secure vagrant boxes with a randomly generated SSH key
+test_files: []