Document openssh patches

[marji]

There are quite a few patches in the Dockerfile applied to openssh before it is compiled.

Could these patches, their source and purpose be documented, please? As the bastion server security is very important, any changes to the openssh implementation should be documented so it can be audited.

Also, would the current patch set prevent upgrading the Dockerfile to use the current openssh version V_7_6_P1 instead of V_7_4_P1 which is used currently?

Thank you!

[osterman]

@marji good points. We should document what those are needed/wanted.

For now, here's an explanation.

We use this so we have SSH_ORIGINAL_COMMAND available during pam auth so we can send slack notifications.
https://github.com/cloudposse/bastion/blob/master/patches/openssh/original-command.diff

We use this to hide the SSH version so it's not announced to port-scanners.
https://github.com/cloudposse/bastion/blob/master/patches/openssh/obfuscate-version.diff

All the rest of the patches are from the original alpine image, here:
https://git.alpinelinux.org/cgit/aports/tree/main/openssh

Upgrading is hopefully straightforward, but we haven't tried yet. Patches might need to be regenerated. If you give it a go and submit PR, we'll gladly accept it! Thanks

-Erik