I can certainly confirm that for Intel this feature would be required for us
to use ssh/scp access at all, and maybe not even then. We've been selling
Cloud Foundry to our security folks as a huge improvement in app security
specifically because developers don't have access to the containers and they
don't need to be "system admins". Enabling this feature goes a long way
towards unwinding that and having this extra control might give us some
wiggle room to enable it. In any case, the default configuration should
always be the most secure and it can be easily configured off if desired.

I think it's been said before, but I also strongly feel that "cf files"
needs to continue to work in Diego even if ssh/scp access is disabled. If
we're not allowed to enable ssh/scp access and "cf files" goes away then
we've effectively lost all access to the containers for developers which
will be frustrating. If "cf files" is going away, then we'd need some way
to enforce that the only access allowed is read-only. Even destroying the
container after the ssh session ends may not be good enough - an argument
can easily be made that a malicious user could keep the ssh session open
after intentionally modifying the container in some way.

Aaron Huber
Intel Corporation



--
View this message in context: http://cf-dev.70369.x6.nabble.com/cf-dev-SSH-access-to-CF-app-instances-on-Diego-tp531p549.html
Sent from the CF Dev mailing list archive at Nabble.com.