5.7 Do not run ssh within containers

Information

An SSH server should not be running within the container. Instead, SSH into the Docker
host and use the nsenter tool (or docker exec) to enter a container from a remote host.

Running SSH within the container increases the complexity of security management by
making it:
- Difficult to manage access policies and security compliance for the SSH server
- Difficult to manage keys and passwords across various containers
- Difficult to manage security upgrades for the SSH server

It is possible to have shell access to a container without using SSH, so needlessly
increasing the complexity of security management should be avoided.

Solution

Uninstall the SSH server from the container and use nsenter or other commands such as
docker exec or docker attach to interact with the container instance:

docker exec -i -t $INSTANCE_ID sh

OR

docker attach $INSTANCE_ID
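The audit side of this control, as an added example that is not part of the CIS benchmark or the Tenable plugin: a POSIX shell script that inspects the process list of every running container (via docker top, whose default output is ps -ef style with a CMD column) and flags any container whose process table contains an SSH daemon. The container IDs and process listings below are constructed sample data, not output from any real host; the function names are the example's own.

```shell
#!/bin/sh
# Constructed sample of `docker top <id>` output (ps -ef columns) for a container
# that runs nginx AND an SSH daemon. Not captured from a real system.
SAMPLE_WITH_SSHD='UID   PID   PPID  C  STIME  TTY  TIME      CMD
root  1234  1200  0  10:00  ?    00:00:00  nginx: master process nginx -g daemon off;
root  1250  1234  0  10:00  ?    00:00:00  /usr/sbin/sshd -D'

# Constructed sample for a compliant container: only the application process.
SAMPLE_CLEAN='UID   PID   PPID  C  STIME  TTY  TIME      CMD
root  2001  1900  0  10:05  ?    00:00:00  /usr/bin/python3 /app/server.py
root  2010  2001  0  10:05  ?    00:00:00  /bin/sh -c sleep 30'

# sshd_in_ps_output: read ps -ef / docker top output on stdin.
# Returns 0 if any process's executable name is an SSH daemon (sshd or
# dropbear), 1 otherwise. The header line is skipped; the CMD column is
# field 8, and only the executable's basename is compared so that
# "/usr/sbin/sshd -D" and "sshd: root@pts/0" both match while a command
# that merely mentions ssh in its arguments does not.
sshd_in_ps_output() {
    awk 'NR > 1 {
             cmd = $8
             sub(/.*\//, "", cmd)          # strip directory part
             if (cmd ~ /^(sshd|dropbear):?$/) found = 1
         }
         END { if (found) exit 0; exit 1 }'
}

# audit_running_containers: iterate over every running container on this host
# and print a FAIL line for each one that is running an SSH daemon.
# Returns 0 if all containers pass, 1 if at least one fails.
audit_running_containers() {
    status=0
    for id in $(docker ps -q); do
        if docker top "$id" 2>/dev/null | sshd_in_ps_output; then
            echo "FAIL: container $id is running an SSH daemon (CIS Docker 5.7)"
            status=1
        else
            echo "PASS: container $id"
        fi
    done
    return $status
}

# Only touch the Docker daemon when explicitly asked, so the detection
# function can be exercised offline against the samples above.
if [ "${1:-}" = "--audit" ]; then
    audit_running_containers
fi
```

Run as `sh audit_ssh.sh --audit` on the Docker host. The check inspects live process tables rather than the image contents, so it catches an sshd started by an entrypoint script even when the package was not installed through the image's package manager; pairing it with a check of the container's exposed ports (docker port) gives a second, independent signal.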

Impact

None.

Default Value

By default, SSH server is not running inside the container. Only one process per container is
allowed.

See Also

https://workbench.cisecurity.org/files/514

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Unix

Control ID: d1f45455c2583bda103c0507364bd9027579d90c53029d3f8d9677636542b5b1