diff --git a/labs/scripts/osbash/enable_vagrant_ssh_keys.sh b/labs/scripts/osbash/enable_vagrant_ssh_keys.sh
index 7be3a77c..ec2b9d8f 100755
--- a/labs/scripts/osbash/enable_vagrant_ssh_keys.sh
+++ b/labs/scripts/osbash/enable_vagrant_ssh_keys.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -o errexit -o nounset
 
-# This script installs the unsecure Vagrant ssh keys. This allows users to
+# This script installs the insecure Vagrant ssh keys. This allows users to
 # log into the VMs using these keys instead of a password.
 
 TOP_DIR=$(cd $(dirname "$0")/.. && pwd)
@@ -12,27 +12,45 @@ indicate_current_auto
 
 exec_logfile
 
-function install_vagrant_public_key {
-    local VAGRANT_KEY_NAME="vagrant.pub"
-    local KEY_URL=https://raw.githubusercontent.com/mitchellh/vagrant/master/keys/$VAGRANT_KEY_NAME
-    local VAGRANT_KEY_DIR=$LIB_DIR/vagrant-ssh-keys
+mkdir -p "$HOME/.ssh"
+chmod 700 "$HOME/.ssh"
 
-    if [ ! -f "$VAGRANT_KEY_DIR/$VAGRANT_KEY_NAME" ]; then
-        wget --output-document "$VAGRANT_KEY_DIR/$VAGRANT_KEY_NAME" "$KEY_URL"
-        if [ $? -ne 0 ]; then
-            echo >&2 "Error when downloading $KEY_URL"
-            return 1
+# Install the requested Vagrant insecure key to $HOME/.ssh. Keep a copy in
+# $LIB_DIR/vagrant-ssh-keys (cache if the directory is shared with the host).
+function get_vagrant_key {
+    local key_name=$1
+    local key_url=https://raw.githubusercontent.com/mitchellh/vagrant/master/keys/$key_name
+    local vagrant_key_dir=$LIB_DIR/vagrant-ssh-keys
+
+    if [ -f "$HOME/.ssh/$key_name" ]; then
+        echo "Vagrant insecure key already installed: $HOME/.ssh/$key_name."
+    else
+        if [ ! -f "$vagrant_key_dir/$key_name" ]; then
+            echo "Downloading Vagrant insecure key $key_name."
+            wget --output-document "$vagrant_key_dir/$key_name" "$key_url"
+            if [ $? -ne 0 ]; then
+                echo >&2 "Error when downloading $key_url"
+                return 1
+            fi
         fi
+        echo "Installing Vagrant insecure key $key_name."
+        cp -v "$vagrant_key_dir/$key_name" "$HOME/.ssh"
     fi
-
-    mkdir -p "$HOME/.ssh"
-    chmod 700 "$HOME/.ssh"
-    cat "$VAGRANT_KEY_DIR/$VAGRANT_KEY_NAME" >> "$HOME/.ssh/authorized_keys"
-    chmod 400 "$HOME/.ssh/authorized_keys"
 }
 
-if grep -qs "vagrant insecure public key" "$HOME/.ssh/authorized_keys"; then
-    echo "Vagrant insecure public key already installed"
-else
-    install_vagrant_public_key
-fi
+# Authorize named key for ssh logins into this VM.
+function authorize_vagrant_key {
+    local pub_key_path=$1
+    local auth_key_path=$HOME/.ssh/authorized_keys
+    if grep -qs "vagrant insecure public key" "$auth_key_path"; then
+        echo "Already authorized."
+    else
+        cat "$pub_key_path" >> "$auth_key_path"
+    fi
+}
+
+get_vagrant_key "vagrant.pub"
+chmod 444 "$HOME/.ssh/vagrant.pub"
+
+echo "Authorizing Vagrant public key (connections from host and other VMs)."
+authorize_vagrant_key "$HOME/.ssh/vagrant.pub"