Vagrant insecure by default?

security vagrant
oseiskar picture oseiskar · Feb 5, 2013 · Viewed 39k times · Source

EDIT 2: TL;DR: the answer was yes in 2013, but this flaw has been fixed

By following the Getting Started instructions on vagrantup.com, I seem to end up with a virtual machine that is accepting SSH connections on port 2222 so that anyone can get root access to my VM and read my host working directory using the default credentials (username=password=vagrant or vagrant_insecure_private_key).

Is this true? If yes, why is it not considered a gaping security vulnerability? What if I had copied sensitive data to the VM?

EDIT: and for those who think anyone on the internet being able to read your sources and executing arbitrary code on your VM is not that bad, I recommend reading the "Breaking out" section in this blog post http://blog.ontoillogical.com/blog/2012/10/31/breaking-in-and-out-of-vagrant/

In a nutshell: running Vagrant "as intended" can also enable anyone to break into your host/development machine (e.g., by using a malicious git post-commit hook).

Answer

Terry Wang picture Terry Wang · Feb 6, 2013

The short answer is YES.

Why?

When building Vagrant base boxes (manually or using tools like Veewee to automate), builders follow the vagrant base boxes specifications which defines the following:

  1. User root and vagrant use vagrant as password
  2. Public key authentication (password-less) for the user vagrant.

Vagrant project provides an insecure key pair for SSH Public Key Authentication so that vagrant ssh works.

Because everyone has access to the private key, anyone can use the private key to login to your VMs (suppose they know your IP of the host machine, port is by default 2222 as forwarding rules in place.)

It is NOT secure OOTB. However, you can remove the trusted key from ~vagrant/.ssh/authorized_keys and add your own, change password for vagrant and root, then it's considered relatively safe.

Update

Since Vagrant 1.2.3, by default SSH forwarded port binds to 127.0.0.1 so only local connections are allowed [GH-1785].

IMPORTANT Update

Since Vagrant 1.7.0 (PR #4707) Vagrant will replace the default insecure ssh keypair with randomly generated keypair on first vagrant up.

See in the CHANGELOG: the default insecure keypair is used, Vagrant will automatically replace it with a randomly generated keypair on first vagrant up. GH-2608

Related questions

How can I prevent SQL injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST['user_input']; mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')"); That's …

Read More
SecurityError: Blocked a frame with origin from accessing a cross-origin frame

I am loading an <iframe> in my HTML page and trying to access the elements within it using Javascript, but when I try to execute my code, I get the following error: SecurityError: Blocked a frame with origin "…

Read More
How to create .pfx file from certificate and private key?

I need .pfx file to install https on website on IIS. I have two separate files: certificate (.cer or pem) and private key (.crt) but IIS accepts only .pfx files. I obviously installed certificate and it is available in certificate …

Read More