From: Tomas Olvecky
Date: Fri, 31 Jan 2014 14:13:40 +0000 (+0100)
Subject: Change unprotected netconf address from 0.0.0.0 to 127.0.0.1 .
X-Git-Tag: autorelease-tag-v20140601202136_82eb3f9~539^2
X-Git-Url: https://git.opendaylight.org/gerrit/gitweb?p=controller.git;a=commitdiff_plain;h=b825b2a5b92734113eae6c9c1176ec160ec8776b
Change unprotected netconf address from 0.0.0.0 to 127.0.0.1 .
Plaintext netconf server was bound to any local interface. This is a security risk because there is no authentication. The ssh server should be used as public endpoint instead.
Change-Id: I805ec065548e017dd2244d37e3275d379761e490
Signed-off-by: Tomas Olvecky
---
diff --git a/opendaylight/distribution/opendaylight/src/main/resources/configuration/config.ini b/opendaylight/distribution/opendaylight/src/main/resources/configuration/config.ini
index 47563b94cf..1ddfe1c7f3 100644
--- a/opendaylight/distribution/opendaylight/src/main/resources/configuration/config.ini
+++ b/opendaylight/distribution/opendaylight/src/main/resources/configuration/config.ini
@@ -13,7 +13,7 @@ osgi.bundles=\
 reference\:file\:../lib/jersey-server-1.17.jar@2:start
 # Netconf startup configuration
-netconf.tcp.address=0.0.0.0
+netconf.tcp.address=127.0.0.1
 netconf.tcp.port=8383
 netconf.tcp.client.address=127.0.0.1
diff --git a/opendaylight/netconf/netconf-util/src/main/java/org/opendaylight/controller/netconf/util/osgi/NetconfConfigUtil.java b/opendaylight/netconf/netconf-util/src/main/java/org/opendaylight/controller/netconf/util/osgi/NetconfConfigUtil.java
index f2f0419b9d..38563cba93 100644
--- a/opendaylight/netconf/netconf-util/src/main/java/org/opendaylight/controller/netconf/util/osgi/NetconfConfigUtil.java
+++ b/opendaylight/netconf/netconf-util/src/main/java/org/opendaylight/controller/netconf/util/osgi/NetconfConfigUtil.java
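Review bot: The new loopback value for `netconf.tcp.address` in config.ini carries no explanation, so an operator who later needs remote access may simply set it back to `0.0.0.0` without knowing the endpoint is unauthenticated plaintext. Add a comment above the key, e.g. `# netconf.tcp is a plaintext endpoint with no authentication; keep it bound to loopback and expose NETCONF externally only through the SSH endpoint.` The commit message states this rationale, but the config file is what operators actually read.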
@@ -57,7 +57,12 @@ public class NetconfConfigUtil {
 if (inetSocketAddressOptional.isPresent() == false) {
 throw new IllegalStateException("Netconf tcp address not found." + exceptionMessageIfNotFound);
 }
- return inetSocketAddressOptional.get();
+ InetSocketAddress inetSocketAddress = inetSocketAddressOptional.get();
+ if (inetSocketAddress.getAddress().isAnyLocalAddress()) {
+ logger.warn("Unprotected netconf TCP address is configured to ANY local address. This is a security risk. " +
+ "Consider changing {} to 127.0.0.1", PREFIX_PROP + InfixProp.tcp + ADDRESS_SUFFIX_PROP);
+ }
+ return inetSocketAddress;
 }
 public static Optional extractSSHNetconfAddress(BundleContext context, String exceptionMessage) {
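Review bot: The added check `inetSocketAddress.getAddress().isAnyLocalAddress()` dereferences `getAddress()` without a null check; if the optional can hold an unresolved InetSocketAddress (how it is built is outside this hunk), `getAddress()` returns null and the method throws a NullPointerException instead of logging the intended warning. The warning is also narrower than the risk it describes: a specific non-loopback interface address exposes the unauthenticated plaintext endpoint just as much as the wildcard does. Consider `InetAddress addr = inetSocketAddress.getAddress();` followed by `if (addr != null && !addr.isLoopbackAddress()) {`, with the log message reworded to match. The enclosing method starts before this hunk.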