From 443ff01ab73ea08a1d3e64e8f702b61764832e70 Mon Sep 17 00:00:00 2001
From: Chris Roberts
Date: Wed, 10 Jan 2024 11:37:50 -0800
Subject: [PATCH] Add key_type configuration option for ssh

Adds a new `key_type` option to the Vagrantfile ssh configuration. It defaults to :auto which allows auto detection of key type to use. Otherwise it can be set to an explicit type supported by Vagrant.
---
 plugins/kernel_v2/config/ssh_connect.rb | 15 +++++++++++
 templates/locales/en.yml | 2 ++
 .../kernel_v2/config/ssh_connect_test.rb | 27 +++++++++++++++++++
 .../content/docs/vagrantfile/ssh_settings.mdx | 6 +++++
 4 files changed, 50 insertions(+)

diff --git a/plugins/kernel_v2/config/ssh_connect.rb b/plugins/kernel_v2/config/ssh_connect.rb
index 89c8e168b..a305025d1 100644
--- a/plugins/kernel_v2/config/ssh_connect.rb
+++ b/plugins/kernel_v2/config/ssh_connect.rb
@@ -15,6 +15,7 @@ module VagrantPlugins
       attr_accessor :password
       attr_accessor :insert_key
       attr_accessor :keys_only
+      attr_accessor :key_type
       attr_accessor :paranoid
       attr_accessor :verify_host_key
       attr_accessor :compression
@@ -33,6 +34,7 @@ module VagrantPlugins
         @password = UNSET_VALUE
         @insert_key = UNSET_VALUE
         @keys_only = UNSET_VALUE
+        @key_type = UNSET_VALUE
         @paranoid = UNSET_VALUE
         @verify_host_key = UNSET_VALUE
         @compression = UNSET_VALUE
@@ -50,6 +52,7 @@ module VagrantPlugins
         @password = nil if @password == UNSET_VALUE
         @insert_key = true if @insert_key == UNSET_VALUE
         @keys_only = true if @keys_only == UNSET_VALUE
+        @key_type = :auto if @key_type == UNSET_VALUE
         @paranoid = false if @paranoid == UNSET_VALUE
         @verify_host_key = :never if @verify_host_key == UNSET_VALUE
         @compression = true if @compression == UNSET_VALUE
@@ -96,6 +99,10 @@ module VagrantPlugins
           rescue
             # ignore
           end
         end
+
+        if @key_type
+          @key_type = @key_type.to_sym
+        end
       end
 
       # NOTE: This is _not_ a valid config validation method, since it
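Review bot: `@key_type.to_sym` in the new block of hunk `@@ -96,6 +99,10 @@` raises NoMethodError for any value that is neither a String nor a Symbol (an Integer or `true`, for example), so finalize! aborts with a stack trace before the key-type check this commit adds to `validate` ever runs. Guarding the conversion, `@key_type = @key_type.to_sym if @key_type.respond_to?(:to_sym)`, leaves such values untouched so that `valid_type?` reports them through the normal error path instead. A `nil` value skips the branch entirely and reaches `validate` unchanged, which is presumably intended but deserves a one-line comment such as `# Strings are accepted and symbolized; nil falls through to validate`. The enclosing finalize! method starts outside the hunk.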
@@ -140,6 +147,14 @@ module VagrantPlugins
             given: @connect_timeout.to_s)
         end
 
+        if @key_type != :auto && !Vagrant::Util::Keypair.valid_type?(@key_type)
+          errors << I18n.t(
+            "vagrant.config.ssh.connect_invalid_key_type",
+            given: @key_type.to_s,
+            supported: Vagrant::Util::Keypair.available_types.join(", ")
+          )
+        end
+
         errors
       end
     end
diff --git a/templates/locales/en.yml b/templates/locales/en.yml
index a66eabfae..58042eb32 100644
--- a/templates/locales/en.yml
+++ b/templates/locales/en.yml
@@ -2065,6 +2065,8 @@ en:
           `%{given}` type which cannot be converted to an Integer type.
         connect_timeout_invalid_value: |-
           The `connect_timeout` key only accepts values greater than 1 (received `%{given}`)
+        connect_invalid_key_type: |-
+          Invalid SSH key type set ('%{given}'). Supported types: %{supported}
       triggers:
         bad_trigger_type: |-
           The type '%{type}' defined for trigger '%{trigger}' is not valid. Must be one of the following types: '%{types}'
diff --git a/test/unit/plugins/kernel_v2/config/ssh_connect_test.rb b/test/unit/plugins/kernel_v2/config/ssh_connect_test.rb
index a6dbdef70..9969a2918 100644
--- a/test/unit/plugins/kernel_v2/config/ssh_connect_test.rb
+++ b/test/unit/plugins/kernel_v2/config/ssh_connect_test.rb
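Review bot: In the new key-type check, `given: @key_type.to_s` renders a `nil` value as an empty string, so a Vagrantfile that sets `config.ssh.key_type = nil` (which the finalize! hunk leaves as nil) yields the message `Invalid SSH key type set ('')` and hides what was actually given; `given: @key_type.inspect` would show `nil` and keep strings and symbols distinguishable. Whether `Vagrant::Util::Keypair.valid_type?` itself tolerates nil is not visible in this diff and should be confirmed. The `supported:` list is built from `available_types`, which presumably does not include `:auto`, so the message understates what the check accepts; `(Vagrant::Util::Keypair.available_types + [:auto]).join(", ")` keeps the message in step with the condition above it. The enclosing validate method starts outside the hunk.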
@@ -44,6 +44,33 @@ describe VagrantPlugins::Kernel_V2::SSHConnectConfig do
     end
   end
 
+  describe "#key_type" do
+    it "defaults to :auto" do
+      subject.finalize!
+      expect(subject.key_type).to eq(:auto)
+    end
+
+    it "should allow supported key type" do
+      subject.key_type = :ed25519
+      subject.finalize!
+      errors = subject.validate(machine)
+      expect(errors).to be_empty
+    end
+
+    it "should not allow unsupported key type" do
+      subject.key_type = :unknown_type
+      subject.finalize!
+      errors = subject.validate(machine)
+      expect(errors).not_to be_empty
+    end
+
+    it "should convert string values to symbol" do
+      subject.key_type = "ecdsa521"
+      subject.finalize!
+      expect(subject.key_type).to eq(:ecdsa521)
+    end
+  end
+
   describe "#config" do
     let(:config_file) { "/path/to/config" }
diff --git a/website/content/docs/vagrantfile/ssh_settings.mdx b/website/content/docs/vagrantfile/ssh_settings.mdx
index 5ec2bff7b..605650923 100644
--- a/website/content/docs/vagrantfile/ssh_settings.mdx
+++ b/website/content/docs/vagrantfile/ssh_settings.mdx
@@ -90,6 +90,12 @@ defaults are typically fine, but you can fine tune whatever you would like.
 - `config.ssh.keys_only` (boolean) - Only use Vagrant-provided SSH private keys (do not use any keys stored in ssh-agent). The default value is `true`.
 
+- `config.ssh.key_type` (string, symbol) - The SSH key type that should be used when generating
+  a new key to replace the default insecure key. Supported values are: `:ed25519`, `:ecdsa256`,
+  `:ecdsa384`, `:ecdsa521`, `:rsa`, and `:auto`. When the value is set to `:auto`, Vagrant will
+  automatically pick a type based on what is supported by the guest SSH server. The default
+  value is `:auto`.
+
 - `config.ssh.paranoid` (boolean) - Perform strict host-key verification. The default value is `false`.
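Review bot: The `should not allow unsupported key type` example only asserts `expect(errors).not_to be_empty`, so it also passes if `validate` returns an unrelated error (for instance one produced by the `machine` fixture) and never confirms that the key-type message is the one emitted; asserting on the content, `expect(errors).to include(a_string_matching(/Invalid SSH key type/))`, pins the behavior this commit adds. The `should allow supported key type` example depends on `:ed25519` being in `Vagrant::Util::Keypair.available_types`, which is not visible in this diff; if that list is platform-dependent the example should stub `valid_type?` or pick the first entry of `available_types`. Cases for the string `"auto"` (expected to finalize to `:auto` and pass validation) and for `nil` would cover the remaining branches of the new `finalize!` and `validate` code. The surrounding describe block starts outside the hunk.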