#1410 new defect

sftp server listens on reachable IP addresses by default

Reported by: gdt Owned by:
Priority: minor Milestone: undecided
Component: code-frontend-ftp-sftp Version: 1.8.2
Keywords: sftp security Cc:
Launchpad Bug:

Description (last modified by warner)

The sftp server listens without binding to localhost by default. While the docs advise (see #1175) to specify, sftp should default to local because it's the standard approach for FUSE mounting, and mounting a filesystem locally should not cause any globally listening sockets.

Eventually we'll have IPv6, so listening should be on not only but also ::1. Therefore I suggest a variable in the sftpd section "global", defaulting to false, that if false causes listening on localhost only, and if true the current behavior.

Change History (1)

comment:1 Changed at 2014-12-02T19:52:34Z by warner

  • Component changed from code-frontend to code-frontend-ftp-sftp
  • Description modified (diff)
Note: See TracTickets for help on using tickets.