Vagrant ssh authentication failure

Question

For general information: by default to ssh-connect you may simply use

user: vagrant password: vagrant

https://www.vagrantup.com/docs/boxes/base.html#quot-vagrant-quot-user

First, try: to see what vagrant insecure_private_key is in your machine config

$ vagrant ssh-config

Example:

$ vagrant ssh-config
Host default
  HostName 127.0.0.1
  User vagrant
  Port 2222
  UserKnownHostsFile /dev/null
  StrictHostKeyChecking no
  PasswordAuthentication no
  IdentityFile C:/Users/konst/.vagrant.d/insecure_private_key
  IdentitiesOnly yes
  LogLevel FATAL

http://docs.vagrantup.com/v2/cli/ssh_config.html

Second, do: Change the contents of file insecure_private_key with the contents of your personal system private key

Or use: Add it to the Vagrantfile:

Vagrant.configure("2") do |config|
  config.ssh.private_key_path = "~/.ssh/id_rsa"
  config.ssh.forward_agent = true
end

1. config.ssh.private_key_path is your local private key
2. Your private key must be available to the local ssh-agent. You can check with ssh-add -L. If it's not listed, add it with ssh-add ~/.ssh/id_rsa
3. Don't forget to add your public key to ~/.ssh/authorized_keys on the Vagrant VM. You can do it by copy-and-pasting or using a tool like ssh-copy-id (user: root password: vagrant port: 2222) ssh-copy-id '-p 2222 [email protected]'

If still does not work try this:

1. Remove insecure_private_key file from c:\Users\USERNAME\.vagrant.d\insecure_private_key

2. Run vagrant up (vagrant will be generate a new insecure_private_key file)

In other cases, it is helpful to just set forward_agent in Vagrantfile:

Vagrant::Config.run do |config|
   config.ssh.forward_agent = true
end

Useful:

Configurating git may be with git-scm.com

After setup this program and creating personal system private key will be in yours profile path: c:\users\USERNAME\.ssh\id_rsa.pub

PS: Finally - suggest you look at Ubuntu on Windows 10

None of the above worked for me. Somehow the box had the wrong public key added in the vagrant user authorised_keys file.

If you can still ssh on the box with the vagrant password (password is vagrant), i.e.

ssh vagrant@localhost -p 2222

then copy the public key content from https://raw.githubusercontent.com/mitchellh/vagrant/master/keys/vagrant.pub to the authorised_keys file with the following command

echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key" > .ssh/authorized_keys

When done exit the VM and try vagrant ssh again. It should work now.

If you experience this issue on vagrant 1.8.5, then check out this thread on github:

https://github.com/mitchellh/vagrant/issues/7610

It's caused basically by a permission issue, the workaround is just

vagrant ssh 
password: vagrant 
chmod 0600 ~/.ssh/authorized_keys
exit

then

vagrant reload 

FYI: this issue only affects CentOS, Ubuntu works fine.

Run the following commands in guest machine/VM:

wget https://raw.githubusercontent.com/mitchellh/vagrant/master/keys/vagrant.pub -O ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chown -R vagrant:vagrant ~/.ssh

Then do vagrant halt. This will remove and regenerate your private keys.

(These steps assume you have already created or already have the ~/.ssh/ and ~/.ssh/authorized_keys directories under your home folder.)

In my experience, this has been a surprisingly frequent problem with new vagrant machines. By far the easiest way to solve it, instead of altering the configuration itself, has been creating the required ssh keys manually on the client, then using the private key on the host.

1. Log in to vagrant machine: vagrant ssh, use default password vagrant.
2. Create ssh keys: for example, ssh-keygen -t rsa -b 4096 -C "vagrant" (as adviced by GitHub's relevant guide).
3. Rename the public key file (by default id_rsa.pub), overriding the old one: mv .ssh/id_rsa.pub .ssh/authorized_keys.
4. Reload ssh service in case needed: sudo service ssh reload.
5. Copy the private key file (by default id_rsa) to the host machine: for instance, use a fine combination of cat and clipboard, cat .ssh/id_rsa, paint and copy (better ways must exist, go invent one!).
6. Logout from the vagrant machine: logout.
7. Find the current private key used by vagrant by looking at its configuration: vagrant ssh-config (look for instance ÌdentityFile "/[...]/private_key".
8. Replace the current private key with the one you created at the host machine: for example, nano /[...]/private_key and paste from the clipboard, if all else fails. (Note, however, that if your private_key is not project specific but shared by multiple vagrant machines, you better configure the path yourself in order to not break other perfectly working machines! Changing the path is as simple as adding a line config.ssh.private_key_path = "path/to/private_key" into the Vagrantfile.) Furthermore, if you are using PuPHPet generated machine, you can store your private key to file puphpet/files/dot/ssh/id_rsa and it will be added to Vagrantfile's ssh config automatically.
9. Test the setup: vagrant ssh should now work.

Should that be the case, congratulate yourself, logout, run vagrant provision if needed and carry on with the meaningful task at hand.

If you still face problems, it may come handy to add verbose flag to ssh command to ease debugging. You can pass that (or any other option, for that matter) after double dash. For example, typing vagrant ssh -- -v. Feel free to add as many v's as you need, each will give you more information.

Unable to run vagrant up because it gets stuck and times out? I recently had a "water in laptop incident" and had to migrate to a new one(on a MAC by the way). I successfully got all my projects up and running beside the one, which was using vagrant.

$ vagrant up
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Clearing any previously set forwarded ports...
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
    default: Adapter 1: nat
    default: Adapter 2: hostonly
==> default: Forwarding ports...
    default: 8000 (guest) => 8877 (host) (adapter 1)
    default: 8001 (guest) => 8878 (host) (adapter 1)
    default: 8080 (guest) => 7777 (host) (adapter 1)
    default: 5432 (guest) => 2345 (host) (adapter 1)
    default: 5000 (guest) => 8855 (host) (adapter 1)
    default: 22 (guest) => 2222 (host) (adapter 1)
==> default: Running 'pre-boot' VM customizations...
==> default: Booting VM...
==> default: Waiting for machine to boot. This may take a few minutes...
    default: SSH address: 127.0.0.1:2222
    default: SSH username: vagrant
    default: SSH auth method: private key
    default: Warning: Authentication failure. Retrying...
    default: Warning: Authentication failure. Retrying...
    default: Warning: Authentication failure. Retrying...

It couldn't authenticate, retried again and again and eventually gave up.

---

This is how I got it back in shape in 3 steps:

1 - Find the IdentityFile used by Vagrant:

$ vagrant ssh-config

Host default
  HostName 127.0.0.1
  User vagrant
  Port 2222
  UserKnownHostsFile /dev/null
  StrictHostKeyChecking no
  PasswordAuthentication no
  IdentityFile /Users/ned/.vagrant.d/insecure_private_key
  IdentitiesOnly yes
  LogLevel FATAL

2 - Check the public key in the IdentityFile:

$ ssh-keygen -y -f <path-to-insecure_private_key>

It'd output something like this:

ssh-rsa AAAAB3Nyc2EAAA...9gE98OHlnVYCzRdK8jlqm8hQ==

3 - Log in to the Vagrant guest with the password vagrant:

ssh -p 2222 -o UserKnownHostsFile=/dev/null [email protected]

The authenticity of host '[127.0.0.1]:2222 ([127.0.0.1]:2222)' can't be established.
RSA key fingerprint is dc:48:73:c3:18:e4:9d:34:a2:7d:4b:20:6a:e7:3d:3e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[127.0.0.1]:2222' (RSA) to the list of known hosts.
[email protected]'s password: vagrant
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-31-generic x86_64)
...

NOTE: if vagrant guest is configured to disallow password authentication you need to open VBox' GUI, double click guest name, login as vagrant/vagrant, then sudo -s and edit /etc/ssh/sshd_config and look for PasswordAuthentication no line (usually at the end of the file), replace no with yes and restart sshd (i.e. systemctl reload sshd or /etc/init.d/sshd restart).

4 - Add the public key to the /home/vagrant/authorized_keys file.

$ echo "ssh-rsa AA2EAAA...9gEdK8jlqm8hQ== vagrant" > /home/vagrant/.ssh/authorized_keys

5 - Exit (CTRL+d) and stop the Vagrant guest and then bring it back up.

IMPORTANT if you use any provisioning tools (i.e. Ansible etc) disable it before restarting your guest as Vagrant will think your guest is not provisioned because of use of insecure private key. It will reinstall the key and then run your provisioner!

$ vagrant halt
$ vagrant up

Hopefully you will have your arms in the air now...

I got this, with just a minor amend, from Ned Batchelders article - Ned you are a champ!

This can also happen if you're trying to force your VM to use a root user by default for SSH....

For example, a config like so in your Vagrantfile may cause this failure:

config.ssh.username = 'root'
config.ssh.password = 'vagrant'
config.ssh.insert_key = 'true'

Solution: Comment out those lines and try again!