Add ssh key permissions set caps to hosts

plugins/hosts/bsd/cap/ssh.rb

@@ -0,0 +1,16 @@
+module VagrantPlugins
+  module HostBSD
+    module Cap
+      class SSH
+        # Set the ownership and permissions for SSH
+        # private key
+        #
+        # @param [Vagrant::Environment] env
+        # @param [Pathname] key_path
+        def self.set_ssh_key_permissions(env, key_path)
+          key_path.chmod(0600)
+        end
+      end
+    end
+  end
+end

plugins/hosts/bsd/plugin.rb

@@ -35,6 +35,11 @@ module VagrantPlugins
         require_relative "cap/nfs"
         Cap::NFS
       end
+
+      host_capability("bsd", "set_ssh_key_permissions") do
+        require_relative "cap/ssh"
+        Cap::SSH
+      end
     end
   end
 end

plugins/hosts/linux/cap/ssh.rb

@@ -0,0 +1,16 @@
+module VagrantPlugins
+  module HostLinux
+    module Cap
+      class SSH
+        # Set the ownership and permissions for SSH
+        # private key
+        #
+        # @param [Vagrant::Environment] env
+        # @param [Pathname] key_path
+        def self.set_ssh_key_permissions(env, key_path)
+          key_path.chmod(0600)
+        end
+      end
+    end
+  end
+end

plugins/hosts/linux/plugin.rb

@@ -47,6 +47,11 @@ module VagrantPlugins
         require_relative "cap/nfs"
         Cap::NFS
       end
+
+      host_capability("linux", "set_ssh_key_permissions") do
+        require_relative "cap/ssh"
+        Cap::SSH
+      end
     end
   end
 end

plugins/hosts/windows/cap/ssh.rb

@@ -0,0 +1,25 @@
+module VagrantPlugins
+  module HostWindows
+    module Cap
+      class SSH
+        # Set the ownership and permissions for SSH
+        # private key
+        #
+        # @param [Vagrant::Environment] env
+        # @param [Pathname] key_path
+        def self.set_ssh_key_permissions(env, key_path)
+          script_path = Host.scripts_path.join("set_ssh_key_permissions.ps1")
+          result = Vagrant::Util::PowerShell.execute(
+            script_path.to_s, path.to_s,
+            module_path: Host.module_path.to_s
+          )
+          if result.exit_code != 0
+            raise Vagrant::Errors::PowerShellError,
+              script: script_path,
+              stderr: result.stderr
+          end
+        end
+      end
+    end
+  end
+end

plugins/hosts/windows/host.rb

@@ -8,6 +8,16 @@ module VagrantPlugins
       def detect?(env)
         Vagrant::Util::Platform.windows?
       end
+
+      # @return [Pathname] Path to scripts directory
+      def self.scripts_path
+        Pathname.new(File.expand_path("..", __FILE__))
+      end
+
+      # @return [Pathname] Path to modules directory
+      def self.modules_path
+        scripts_path.join("utils")
+      end
     end
   end
 end

plugins/hosts/windows/plugin.rb

@@ -55,6 +55,11 @@ module VagrantPlugins
         require_relative "cap/configured_ip_addresses"
         Cap::ConfiguredIPAddresses
       end
+
+      host_capability("windows", "set_ssh_key_permissions") do
+        require_relative "cap/ssh"
+        Cap::SSH
+      end
     end
   end
 end

plugins/hosts/windows/scripts/set_ssh_key_permissions.ps1

@@ -0,0 +1,17 @@
+#Requires -Modules VagrantSSH
+
+param(
+    [Parameter(Mandatory=$true)]
+    [string] $KeyPath,
+    [Parameter(Mandatory=$false)]
+    [string] $Principal=$null
+)
+
+$ErrorActionPreference = "Stop"
+
+try {
+    Set-SSHKeyPermissions -SSHKeyPath $KeyPath -Principal $Principal
+} catch {
+    Write-Error "Failed to set permissions on key: ${PSItem}"
+    exit 1
+}

plugins/hosts/windows/scripts/utils/VagrantSSH/VagrantSSH.psm1

@@ -0,0 +1,24 @@
+# Vagrant SSH capability functions
+
+function Set-SSHKeyPermissions {
+    param (
+        [parameter(Mandatory=$true)]
+        [string] $SSHKeyPath,
+        [parameter(Mandatory=$false)]
+        [string] $Principal=$null
+    )
+
+    if(!$Principal) {
+        $Principal = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
+    }
+
+    # Create the new ACL we want to apply
+    $NewAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
+        $Principal, "FullControl", "None", "None", "Allow")
+    # Scrub all existing ACLs from the file
+    $ACL = Get-ACL "${SSHKeyPath}"
+    $ACL.Access | %{$ACL.RemoveAccessRule($_)}
+    # Apply the new ACL
+    $ACL.SetAccessRule($NewAccessRule)
+    Set-ACL "${SSHKeyPath}" $ACL
+}