Currently Docker-SSH comes with an HTTP API and a web client. This invalidates the 'single-responsibility' concept. Docker-SSH does not only bridge the SSH session with a shell started through docker exec, but also implements an HTTP API that exposes the shell over an unsecured channel.
Furthermore, the authentication mechanisms implemented for SSH do not apply to the HTTP API. The API, when enabled, simply bypasses these security settings. This makes this channel very insecure.
I propose to remove the HTTP API and the web client from docker-ssh and re-implement them on top of Docker-SSH. This ensures that SSH security is respected and will not be bypassed when configured.
The API and the web client need to implement the appropriate authentication and security measures.