Vagrant 1.7 Breaking Change for SSH Client Users
April 21, 2015
Vagrant recently introduced an unannounced (and potentially breaking) change in its default handling of SSH keys. Previously, Vagrant would generate a single insecure SSH key upon installation, and use that key for all SSH connections across all your Vagrant boxes.
Starting in version 1.7, the default behavior has changed, opting to generate a random SSH key for each box. From the documentation:
When Vagrant boots a box and detects the insecure keypair, it will automatically replace it with a randomly generated keypair for additional security while the box is running.
If you use the vagrant ssh command to connect to your Vagrant boxes, then you have nothing to worry about, as the vagrant executable handles the change transparently. However, if you connect using an external SSH or SFTP client, such as PuTTY, WinSCP, OpenSSH, etc., then you will likely get this when you attempt to connect after upgrading:
    Using username "vagrant".
    Server refused our key
    vagrant@localhost's password:
Revert to the old behavior by adding the following line to your Vagrantfile, inside the
    config.ssh.insert_key = false
Note that I had to destroy and rebuild the box in order to get the appropriate behavior. YMMV.
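An alternative that keeps the per-box key and points an external OpenSSH client at it, as an added example that is not part of the original post: it parses the output of `vagrant ssh-config` and reports which key the box is using. The sample output, its paths, and the function names are constructed for illustration, and the key locations are assumed to be Vagrant's defaults.

```shell
#!/bin/sh
# Added example (not from the original post): find the key Vagrant is using
# for a box and build the matching OpenSSH command for an external client.

# Constructed sample of `vagrant ssh-config` output; host and paths are placeholders.
SAMPLE_CONFIG='Host default
  HostName 127.0.0.1
  User vagrant
  Port 2222
  IdentityFile "/home/dev/my project/.vagrant/machines/default/virtualbox/private_key"
  IdentitiesOnly yes'

# Print the value of one ssh_config keyword read from stdin (first match only).
ssh_config_field() {
  awk -v key="$1" 'tolower($1) == tolower(key) {
    sub(/^[ \t]*[^ \t]+[ \t]+/, "")  # drop the keyword, keep the value verbatim
    gsub(/^"|"$/, "")                # values with spaces are quoted
    print; exit
  }'
}

# Classify a key path. Assumes the default locations: the shared key in
# ~/.vagrant.d, per-box keys under the project .vagrant/machines directory.
key_kind() {
  case "$1" in
    */.vagrant.d/insecure_private_key) echo shared-insecure ;;
    */.vagrant/machines/*/private_key) echo per-machine ;;
    *) echo other ;;
  esac
}

# Build the OpenSSH command line from ssh-config text passed as $1.
openssh_command() (
  host=$(printf '%s\n' "$1" | ssh_config_field HostName)
  port=$(printf '%s\n' "$1" | ssh_config_field Port)
  user=$(printf '%s\n' "$1" | ssh_config_field User)
  key=$(printf '%s\n' "$1" | ssh_config_field IdentityFile)
  printf "ssh -i '%s' -o IdentitiesOnly=yes -p %s %s@%s\n" "$key" "$port" "$user" "$host"
)

# Pass --live inside a project directory to query the running box instead.
if [ "${1:-}" = "--live" ]; then cfg=$(vagrant ssh-config); else cfg=$SAMPLE_CONFIG; fi
echo "key in use: $(key_kind "$(printf '%s\n' "$cfg" | ssh_config_field IdentityFile)")"
openssh_command "$cfg"
```

PuTTY expects its own .ppk key format, so the key file reported here has to be converted with PuTTYgen before PuTTY can load it.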
For further insight into this change, and to voice your opinion, have a look at these references on Vagrant’s GitHub repository:
- Issue #2608 - Generate dynamic key on vagrant up to better protect VMs
- PR #4707 - Generate Random SSH key on vagrant up