sftp disabled by default #128
Comments
@wojciech-kopras thanks for raising this issue! We definitively should have a look here. @chris-rock @atomic111 @mcgege @rndmh3ro Somehow I don't really like the idea to have sftp enabled per default, scp is not recommended by openssh, rsync isn't always installed per default (e.g. some minimal images). Any ideas how we can handle that long-term? To keep sftp disabled, as users of dev-sec can always switch the according implementation to enable it?
I'm really not sure. Having a default (and enabled) way to securely transfer files is a must-have in terms of usability in my opinion. On the other hand, disabling unused things is more secure. Since sftp uses ssh to transfer files, sftp is as secure (ignoring potential bugs in the sftp code) as ssh itself. So I see no real downside in enabling sftp by default.
That is an interesting use case. We should look for standard recommendations from CIS/NIST/BSI. As we always want to make sure that users can tweak their implementation, sftp should be enable-able if required. I could not find a recommendation for disabling scp yet. I think we all agree that plain ftp is never a good idea. @atomic111 What is your opinion?
Describe the bug
Protocol sftp is disabled by default. This enforces using scp. Described in README:
Expected behavior
Today I read the release notes of OpenSSH 8.0, where they say:
So maybe it would be better to use sftp rather than scp.