cloudposse / bastion

🔒Secure Bastion implemented as Docker Container running Alpine Linux with Google Authenticator & DUO MFA support
https://cloudposse.com/accelerate
Apache License 2.0
643 stars 112 forks

Document openssh patches #16

Closed marji closed 5 years ago

marji commented 6 years ago

There are quite a few patches in the Dockerfile applied to openssh before it is compiled.

Could these patches, their source and purpose be documented, please? As the bastion server security is very important, any changes to the openssh implementation should be documented so it can be audited.

Also, would the current patch set prevent upgrading the Dockerfile to use the current openssh version V_7_6_P1 instead of V_7_4_P1, which is used currently?

Thank you!

osterman commented 6 years ago

@marji good points. We should document why those are needed/wanted.

For now, here's an explanation.

We use this so we have SSH_ORIGINAL_COMMAND available during pam auth so we can send slack notifications. https://github.com/cloudposse/bastion/blob/master/patches/openssh/original-command.diff

We use this to hide the SSH version so it's not announced to port-scanners. https://github.com/cloudposse/bastion/blob/master/patches/openssh/obfuscate-version.diff

All the rest of the patches are from the original alpine image, here: https://git.alpinelinux.org/cgit/aports/tree/main/openssh

Upgrading is hopefully straightforward, but we haven't tried yet. Patches might need to be regenerated. If you give it a go and submit PR, we'll gladly accept it! Thanks

-Erik
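As an added illustration of the first patch's purpose (the `SSH_ORIGINAL_COMMAND` during PAM auth point above), here is a pam_exec-style hook that builds a Slack notification from the PAM environment. This is example code written for this page, not code from the cloudposse/bastion repository. `PAM_USER`, `PAM_RHOST`, `PAM_SERVICE` and `PAM_TYPE` are the variables pam_exec itself sets; `SSH_ORIGINAL_COMMAND` is assumed to be exported into the hook's environment under that name by the patched sshd, and `SLACK_WEBHOOK_URL` is an assumed configuration variable. The JSON payload is built by a function so it can be inspected without posting anywhere.

```shell
#!/bin/sh
# Added example, not the project's own hook script.
# Assumptions: run via pam_exec (PAM_USER/PAM_RHOST/PAM_SERVICE/PAM_TYPE set),
# the patched sshd exports SSH_ORIGINAL_COMMAND into the PAM environment, and
# SLACK_WEBHOOK_URL (assumed name) holds an incoming-webhook URL.

# Escape backslashes and double quotes so a value can sit inside a JSON string.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the notification payload from the environment. An empty
# SSH_ORIGINAL_COMMAND means the client asked for an interactive shell.
build_payload() {
    user=$(json_escape "${PAM_USER:-unknown}")
    rhost=$(json_escape "${PAM_RHOST:-unknown}")
    svc=$(json_escape "${PAM_SERVICE:-sshd}")
    phase=$(json_escape "${PAM_TYPE:-unknown}")
    cmd=$(json_escape "${SSH_ORIGINAL_COMMAND:-<interactive shell>}")
    printf '{"text":"[%s/%s] %s from %s ran: %s"}' "$svc" "$phase" "$user" "$rhost" "$cmd"
}

# Post the payload to Slack when a webhook is configured; otherwise print it
# (useful when testing the hook outside PAM). Never fail the PAM stack on a
# notification error, so a Slack outage cannot lock operators out.
notify() {
    payload=$(build_payload)
    if [ -n "${SLACK_WEBHOOK_URL:-}" ]; then
        curl -sS -X POST -H 'Content-Type: application/json' \
            --data "$payload" "$SLACK_WEBHOOK_URL" || true
    else
        printf '%s\n' "$payload"
    fi
    return 0
}

# Wire-up (assumed): in /etc/pam.d/sshd add
#   auth optional pam_exec.so /usr/local/bin/ssh-notify.sh --notify
if [ "${1:-}" = "--notify" ]; then
    notify
fi
```

Using `optional` rather than `required` on the pam_exec line keeps the hook from becoming an authentication dependency: the notification is an audit signal, not an access-control decision. If the patched sshd does not in fact export the variable at the `auth` stage in a given build, the payload degrades to `<interactive shell>` rather than failing, which is also the first thing to check when validating a regenerated patch set after an openssh upgrade.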