
Why is there a private RSA key in this repository? #43

@jrddunbr

I have not looked into how this code works, as I don't personally use Docker for anything at the moment, but a friend mentioned this repository to me, and when I saw the id_rsa file, I couldn't help myself but create an issue. I can imagine no scenario where having an RSA private key in the wild for something that someone may use for production is a good idea.

You mention in the readme:

> The Docker-SSH container comes with a default RSA key that will be used.

Is that not bad security practice? I mean, in most situations when someone would use this, it's not going to be publicly accessible, but is that really a smart idea to have a default security key for anything in the first place? You even discourage people from setting up no authentication in the readme (and mention that it will log every event in that case):

> This mechanism is nevertheless discouraged and should be used with care! The use of this authentication mechanism will create an error entry in the log.

Why not generate the key on setup? Many systems have the required system packages in place.
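The generate-on-setup approach the issue asks for, as an added example that is not part of the issue or of the Docker-SSH project: an entrypoint fragment that creates a fresh host key on first start and refuses to keep a key whose fingerprint matches the one shipped in the image. The key directory, the `SSH_KEY_DIR` and `DEFAULT_KEY_FINGERPRINT` variables and the `RUN_AS_ENTRYPOINT` guard are assumptions for this example, and the placeholder fingerprint is not a real value.

```shell
#!/bin/sh
# Added example (not Docker-SSH's own code): generate the SSH host key at first
# start instead of baking a default id_rsa into the image.
# Assumptions: KEY_DIR location, env var names, and the placeholder fingerprint.
set -eu

KEY_DIR="${SSH_KEY_DIR:-/etc/ssh-container}"   # assumed location inside the container
KEY_FILE="$KEY_DIR/ssh_host_rsa_key"
# Fingerprint of the key shipped in the image, if one exists. PLACEHOLDER: take the
# real value from the repository's own file with `ssh-keygen -l -E sha256 -f id_rsa`.
DEFAULT_KEY_FINGERPRINT="${DEFAULT_KEY_FINGERPRINT:-SHA256:PLACEHOLDER_FINGERPRINT_OF_SHIPPED_KEY}"

# Print the SHA256 fingerprint of the key file given as $1.
key_fingerprint() {
    ssh-keygen -l -E sha256 -f "$1" | awk '{print $2}'
}

# True (exit 0) when the key at $1 exists and is the well-known shipped key.
key_is_default() {
    [ -f "$1" ] && [ "$(key_fingerprint "$1")" = "$DEFAULT_KEY_FINGERPRINT" ]
}

# Make sure a per-deployment key exists at $1: remove the shipped default key if it
# is present, then generate a new 4096-bit RSA key when no key exists.
# An existing non-default key is left untouched so host identity stays stable.
ensure_host_key() {
    key="$1"
    if key_is_default "$key"; then
        echo "warning: replacing shipped default key at $key" >&2
        rm -f "$key" "$key.pub"
    fi
    if [ ! -f "$key" ]; then
        mkdir -p "$(dirname "$key")"
        ssh-keygen -q -t rsa -b 4096 -N "" -C "generated-at-first-start" -f "$key"
        chmod 600 "$key"
    fi
}

# Only act as an entrypoint when explicitly asked (assumed guard), so the functions
# above can also be sourced and tested; sshd would be started after this step.
if [ "${RUN_AS_ENTRYPOINT:-0}" = 1 ]; then
    ensure_host_key "$KEY_FILE"
fi
```

Mounting `$KEY_DIR` as a volume keeps the generated key across container restarts, so clients do not see a changed host key every time the container is recreated.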
