From fcba1b8c806ffa895b8c87b5cf5cc8268462bcc3 Mon Sep 17 00:00:00 2001 From: Christian Fetzer Date: Thu, 16 Apr 2015 18:54:00 +0200 Subject: [PATCH 1/2] install: Send OpenSSH logs to logfile OpenSSH logs to syslog per default which is not available in the container. This changes the behavior and lets sshd send its log output to a file instead. In addition the LogLevel is increased to VERBOSE so that also failed connection attempts are logged. --- assets/setup/install | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/assets/setup/install b/assets/setup/install index 10b316c0..1ffc24d0 100755 --- a/assets/setup/install +++ b/assets/setup/install @@ -101,6 +101,9 @@ sed 's/UsePAM yes/UsePAM no/' -i /etc/ssh/sshd_config sed 's/UsePrivilegeSeparation yes/UsePrivilegeSeparation no/' -i /etc/ssh/sshd_config echo "UseDNS no" >> /etc/ssh/sshd_config +# configure verbose logging for sshd +sed 's/LogLevel INFO/LogLevel VERBOSE/' -i /etc/ssh/sshd_config + # move supervisord.log file to ${GITLAB_LOG_DIR}/supervisor/ sed 's|^logfile=.*|logfile='"${GITLAB_LOG_DIR}"'/supervisor/supervisord.log ;|' -i /etc/supervisor/supervisord.conf @@ -204,7 +207,7 @@ mkdir -p /var/run/sshd cat > /etc/supervisor/conf.d/sshd.conf < Date: Thu, 16 Apr 2015 18:56:40 +0200 Subject: [PATCH 2/2] install: Deny ssh login with password Gitlab requires users to configure public key authentication for ssh. Therefore password login should be disabled to increase security. --- assets/setup/install | 3 +++ 1 file changed, 3 insertions(+) diff --git a/assets/setup/install b/assets/setup/install index 1ffc24d0..ea56152e 100755 --- a/assets/setup/install +++ b/assets/setup/install 
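Review bot: The `LogLevel` substitution in the first hunk of PATCH 1/2 is a silent no-op unless the shipped sshd_config contains exactly `LogLevel INFO`; if that line is commented out, absent or set to another level, sed still exits 0 and the file is unchanged. The `PasswordAuthentication` substitution in PATCH 2/2 has the same shape and matters more: if the base image does not carry the literal `#PasswordAuthentication yes`, password login stays enabled with no error at build time. Match the directive whatever its current state, e.g. `sed -E 's/^#?[[:space:]]*LogLevel[[:space:]].*/LogLevel VERBOSE/' -i /etc/ssh/sshd_config`, and likewise for `PasswordAuthentication no`. Then fail the build when the expected line is missing, e.g. `grep -q '^PasswordAuthentication no' /etc/ssh/sshd_config || exit 1`.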
@@ -101,6 +101,9 @@ sed 's/UsePAM yes/UsePAM no/' -i /etc/ssh/sshd_config
 sed 's/UsePrivilegeSeparation yes/UsePrivilegeSeparation no/' -i /etc/ssh/sshd_config
 echo "UseDNS no" >> /etc/ssh/sshd_config
 
+# permit password login
+sed 's/#PasswordAuthentication yes/PasswordAuthentication no/' -i /etc/ssh/sshd_config
+
 # configure verbose logging for sshd
 sed 's/LogLevel INFO/LogLevel VERBOSE/' -i /etc/ssh/sshd_config
 
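Review bot: The added comment `# permit password login` says the opposite of what the following line does, which rewrites the directive to `PasswordAuthentication no`. Someone auditing the image's SSH hardening from the comments would conclude that password login is allowed. Reword it to match the commit subject, e.g. `# deny password login; GitLab users authenticate with public keys`.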