rleins
commented
7 years ago Anything new on this?
Since I want to use the web-feature as my main access path, i would be very expectant waiting for some Auth_Mechanism on the HTTP API.
thx in advance...
Open jeroenpeeters opened 7 years ago
rleins
commented
7 years ago Anything new on this?
Since I want to use the web-feature as my main access path, i would be very expectant waiting for some Auth_Mechanism on the HTTP API.
thx in advance...
Currently Docker-SSH comes with an HTTP API and a web client. This invalidates the 'single-responsibility' concept. Docker-SSH does not only bridge the ssh session with a shell started through docker exec, but implements an HTTP API that exposes the shell over an unsecured channel.
Furthermore, the authentication mechanisms implemented for SSH do not apply to the HTTP API. The API, when enabled, simply by-passes these security settings. This makes this channel very insecure.
I propose to remove the HTTP API and the web client from docker-ssh and re-implement it on top of Docker-SSH. This ensures that ssh security is respected and will not be by-passed when configured. The API and the web client need to implement the appropriate authentication and security measures.