Closed (marji closed this issue 5 years ago)
@marji good points. We should document what those are needed/wanted for.
For now, here's an explanation.
We use this so we have SSH_ORIGINAL_COMMAND available during PAM auth, so we can send Slack notifications:
https://github.com/cloudposse/bastion/blob/master/patches/openssh/original-command.diff
We use this to hide the SSH version so it's not announced to port scanners:
https://github.com/cloudposse/bastion/blob/master/patches/openssh/obfuscate-version.diff
All the rest of the patches are from the original Alpine image, here:
https://git.alpinelinux.org/cgit/aports/tree/main/openssh
Upgrading is hopefully straightforward, but we haven't tried yet. Patches might need to be regenerated. If you give it a go and submit a PR, we'll gladly accept it! Thanks
-Erik
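To show what the first patch is for, here is an added example of a pam_exec-style hook that turns the exported SSH_ORIGINAL_COMMAND into a Slack message. This is not code from the cloudposse/bastion repository; it assumes the patched sshd makes SSH_ORIGINAL_COMMAND visible in the PAM environment, that the hook is registered with pam_exec.so, and that the webhook URL is supplied via a SLACK_WEBHOOK_URL variable (placeholder name). The PAM_USER, PAM_RHOST and PAM_TYPE variables are the ones pam_exec documents.

```python
#!/usr/bin/env python3
"""pam_exec-style hook: notify Slack when someone opens a session on the bastion.

Added example, not cloudposse/bastion's own code. Assumptions:
  * the patched sshd exports SSH_ORIGINAL_COMMAND into the PAM environment;
  * the script is wired in with a line such as
        session optional pam_exec.so /usr/local/bin/ssh_notify.py
  * SLACK_WEBHOOK_URL (placeholder) carries the incoming-webhook URL.
"""
import json
import os
import re
import urllib.request
from typing import Optional

# Which PAM stages trigger a notification (assumption for this example).
NOTIFY_TYPES = {"auth", "open_session"}
MAX_CMD_LEN = 200  # keep one login from flooding the channel with a huge command


def sanitize_command(cmd: str, limit: int = MAX_CMD_LEN) -> str:
    """Replace control characters (terminal escapes, newlines) in the
    client-supplied command before forwarding it, then truncate."""
    cleaned = re.sub(r"[\x00-\x1f\x7f]", "?", cmd)
    if len(cleaned) > limit:
        return cleaned[:limit] + "...(truncated)"
    return cleaned


def build_payload(env: dict) -> Optional[dict]:
    """Build the Slack message for one PAM event.

    Returns None for stages we do not report on (e.g. close_session).
    An empty or missing SSH_ORIGINAL_COMMAND means an interactive shell.
    """
    if env.get("PAM_TYPE") not in NOTIFY_TYPES:
        return None
    user = env.get("PAM_USER", "?")
    rhost = env.get("PAM_RHOST", "?")
    cmd = env.get("SSH_ORIGINAL_COMMAND")
    what = "command: " + sanitize_command(cmd) if cmd else "interactive shell"
    return {"text": f"bastion login: user={user} from={rhost} ({what})"}


def post_to_slack(payload: dict, url: str, timeout: float = 5.0) -> int:
    """POST the JSON payload to the webhook; returns the HTTP status."""
    data = json.dumps(payload).encode()
    req = urllib.request.Request(
        url, data=data, headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def main() -> int:
    payload = build_payload(dict(os.environ))
    if payload is None:
        return 0
    url = os.environ.get("SLACK_WEBHOOK_URL")
    if url:
        try:
            post_to_slack(payload, url)
        except Exception:
            # A notification failure must never block or fail the login;
            # the module is "optional" in the PAM stack for the same reason.
            pass
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

The hook always exits 0 so that a Slack outage cannot lock operators out, and control characters are stripped from the command before it is forwarded, because SSH_ORIGINAL_COMMAND is attacker-controlled input.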
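For the second patch, the thing an auditor wants is a way to confirm what the bastion actually announces. The following is an added example, not part of cloudposse/bastion: it parses the SSH identification string as defined in RFC 4253 section 4.2 (`SSH-protoversion-softwareversion SP comments CR LF`) and flags banners that still carry a version-looking token. The sample banners in the test are constructed; `fetch_banner` is only for pointing at a host you administer.

```python
"""Audit what an SSH server reveals in its identification string.

Added example, not cloudposse/bastion's own code. Format per RFC 4253 s.4.2:
    SSH-protoversion-softwareversion SP comments CR LF
Servers may send other lines before the SSH- line, so fetch_banner skips them.
"""
import re
import socket
from typing import Optional

BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?$"
)
# Anything that looks like "7.4" in the software or comment field.
VERSION_RE = re.compile(r"\d+\.\d+")


def parse_banner(line: str) -> Optional[dict]:
    """Split one identification line into its fields; None if it is not one."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "comments": m.group("comments") or "",
    }


def leaks_version(line: str) -> bool:
    """True when the banner still announces a software version."""
    parsed = parse_banner(line)
    if parsed is None:
        return False
    return bool(VERSION_RE.search(parsed["software"] + " " + parsed["comments"]))


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Connect and return the first SSH- line the server sends (max 20 lines)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        for _ in range(20):
            raw = reader.readline()
            if not raw:
                break
            line = raw.decode("ascii", "replace")
            if line.startswith("SSH-"):
                return line.rstrip("\r\n")
    raise RuntimeError("no SSH identification string received")


if __name__ == "__main__":
    import sys
    banner = fetch_banner(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 22)
    print(banner, "-> leaks version" if leaks_version(banner) else "-> no version")
```

Run it against the bastion after a rebuild (and again after any OpenSSH upgrade that required regenerating the patch) to confirm the obfuscation still holds; note that hiding the version only removes a convenience for scanners, it does not change which code is running.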
There are quite a few patches in the Dockerfile applied to openssh before it is compiled.
Could these patches, their source and purpose be documented, please? As the bastion server security is very important, any changes to the openssh implementation should be documented so it can be audited.
Also, would the current patch set prevent upgrading the Dockerfile to use the current openssh version V_7_6_P1 instead of V_7_4_P1, which is used currently? Thank you!