[tahoe-lafs-trac-stream] [Tahoe-LAFS] #1410: sftp server listens on reachable IP addresses by default
Tahoe-LAFS
trac at tahoe-lafs.org
Tue Dec 2 19:52:34 UTC 2014
#1410: sftp server listens on reachable IP addresses by default
----------------------------------------+---------------------------
     Reporter:  gdt                     |       Owner:
         Type:  defect                  |      Status:  new
     Priority:  minor                   |   Milestone:  undecided
    Component:  code-frontend-ftp-sftp  |     Version:  1.8.2
   Resolution:                          |    Keywords:  sftp security
Launchpad Bug:                          |
----------------------------------------+---------------------------
Changes (by warner):
* component: code-frontend => code-frontend-ftp-sftp
Old description:
> The sftp server listens without binding to localhost by default. While
> the docs advise (see #1175) to specify 127.0.0.1, sftp should default to
> local because it's the standard approach for FUSE mounting, and mounting
> a filesystem locally should not cause any globally listening sockets.
>
> Eventually we'll have IPv6, so listening should be on not only 127.0.0.1
> but also ::1. Therefore I suggest a variable in the sftpd section
> "global", defaulting to false, that if false causes listening on
> localhost only, and if true the current behavior.
New description:
The sftp server listens without binding to localhost by default. While
the docs advise (see #1175) to specify 127.0.0.1, sftp should default to
local because it's the standard approach for FUSE mounting, and mounting a
filesystem locally should not cause any globally listening sockets.

Eventually we'll have IPv6, so listening should be on not only 127.0.0.1
but also ::1. Therefore I suggest a variable in the sftpd section
"global", defaulting to false, that if false causes listening on localhost
only, and if true the current behavior.
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1410#comment:1>
Tahoe-LAFS <https://Tahoe-LAFS.org>
secure decentralized storage
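
An added example, not part of the ticket or of Tahoe-LAFS: a configuration audit that reports whether an enabled `[sftpd]` listener is pinned to loopback, as the docs advise, or is left on all addresses, the default the ticket reports. It assumes the `port` value is a Twisted-style endpoint string with an optional `interface=` argument (IPv6 literals written with escaped colons); the function names and sample configs are constructed for illustration.

```python
import configparser
import ipaddress
import re

def endpoint_interface(desc):
    """Return the interface= argument of an endpoint string, or None if absent."""
    # Split on ':' unless it is backslash-escaped (assumed form for IPv6 literals).
    for part in re.split(r"(?<!\\):", desc.strip())[1:]:
        key, sep, value = part.partition("=")
        if sep and key == "interface":
            return value.replace("\\:", ":")
    return None

def sftpd_exposure(cfg_text):
    """Classify the [sftpd] listener: 'disabled', 'loopback' or 'reachable'."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.read_string(cfg_text)
    if not cfg.getboolean("sftpd", "enabled", fallback=False):
        return "disabled"
    iface = endpoint_interface(cfg.get("sftpd", "port", fallback=""))
    if iface is None:
        # No interface= argument: the socket is bound on every address.
        return "reachable"
    try:
        addr = ipaddress.ip_address(iface)
    except ValueError:
        # A hostname or malformed value is not provably local.
        return "reachable"
    return "loopback" if addr.is_loopback else "reachable"

# Constructed sample configurations (not taken from a real node).
SAMPLES = {
    "default": "[sftpd]\nenabled = true\nport = tcp:8022\n",
    "v4-local": "[sftpd]\nenabled = true\nport = tcp:8022:interface=127.0.0.1\n",
    "v6-local": "[sftpd]\nenabled = true\nport = tcp6:8022:interface=\\:\\:1\n",
    "wildcard": "[sftpd]\nenabled = true\nport = tcp:8022:interface=0.0.0.0\n",
    "off": "[node]\nnickname = example\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:10s} {sftpd_exposure(text)}")
```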