The plaintext netconf server was bound to every local interface. This is a security risk
because that endpoint has no authentication; the SSH server should be used as the public endpoint instead.
Change-Id: I805ec065548e017dd2244d37e3275d379761e490
Signed-off-by: Tomas Olvecky <tolvecky@cisco.com>
reference\:file\:../lib/jersey-server-1.17.jar@2:start
# Netconf startup configuration
reference\:file\:../lib/jersey-server-1.17.jar@2:start
# Netconf startup configuration
-netconf.tcp.address=0.0.0.0
+netconf.tcp.address=127.0.0.1
netconf.tcp.port=8383
netconf.tcp.client.address=127.0.0.1
netconf.tcp.port=8383
netconf.tcp.client.address=127.0.0.1
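Review bot: The new `netconf.tcp.address=127.0.0.1` default carries no explanation of why it must stay on loopback, so a later operator is likely to "fix" connectivity by setting it back to `0.0.0.0`. A comment directly above the key would record the intent, e.g. `# Plaintext (unauthenticated) netconf endpoint: keep bound to loopback; use the SSH endpoint for remote access`. The file header for this section is not visible here, so the section may hold more keys than shown.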
if (inetSocketAddressOptional.isPresent() == false) {
throw new IllegalStateException("Netconf tcp address not found." + exceptionMessageIfNotFound);
}
if (inetSocketAddressOptional.isPresent() == false) {
throw new IllegalStateException("Netconf tcp address not found." + exceptionMessageIfNotFound);
}
- return inetSocketAddressOptional.get();
+ InetSocketAddress inetSocketAddress = inetSocketAddressOptional.get();
+ if (inetSocketAddress.getAddress().isAnyLocalAddress()) {
+ logger.warn("Unprotected netconf TCP address is configured to ANY local address. This is a security risk. " +
+ "Consider changing {} to 127.0.0.1", PREFIX_PROP + InfixProp.tcp + ADDRESS_SUFFIX_PROP);
+ }
+ return inetSocketAddress;
}
public static Optional<InetSocketAddress> extractSSHNetconfAddress(BundleContext context, String exceptionMessage) {
}
public static Optional<InetSocketAddress> extractSSHNetconfAddress(BundleContext context, String exceptionMessage) {
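Review bot: `inetSocketAddress.getAddress()` on the new `if` line can return `null` when the `InetSocketAddress` is unresolved (a hostname that failed to resolve, or one built with `createUnresolved`), which would turn the new warning into a `NullPointerException` on the startup path; guard it as `InetAddress addr = inetSocketAddress.getAddress(); if (addr != null && addr.isAnyLocalAddress()) {`. The check also only catches the wildcard address, while binding the unauthenticated listener to any specific non-loopback interface is the same exposure; consider warning on `!addr.isLoopbackAddress()` instead, or at least say in the message that only loopback is safe. Since the method still returns the address and binds regardless, the warning is the only signal an operator gets, so it should name the effective value too, e.g. add `inetSocketAddress` to the log arguments. The enclosing method begins before this hunk, and the `isPresent() == false` form in the context lines would read more idiomatically as `!isPresent()`.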