From: Zooko Wilcox-O'Hearn Date: Tue, 22 Jul 2014 05:16:04 +0000 (+0000) Subject: link to Twisted ticket #4633 X-Git-Tag: allmydata-tahoe-1.10.1a1~176^2 X-Git-Url: https://git.rkrishnan.org/pf/content/en/seg/priv.html?a=commitdiff_plain;h=refs%2Fpull%2F94%2Fhead;p=tahoe-lafs%2Ftahoe-lafs.git link to Twisted ticket #4633 --- diff --git a/docs/frontends/FTP-and-SFTP.rst b/docs/frontends/FTP-and-SFTP.rst index 3b418a57..4d174d59 100644 --- a/docs/frontends/FTP-and-SFTP.rst +++ b/docs/frontends/FTP-and-SFTP.rst @@ -119,12 +119,16 @@ Exercise caution when connecting to the SFTP server remotely. The AES implementation used by the SFTP code does not have defenses against timing attacks. The code for encrypting the SFTP connection was not written by the Tahoe-LAFS team, and we have not reviewed it as carefully as we have reviewed -the code for encrypting files and directories in Tahoe-LAFS itself. If you -can connect to the SFTP server (which is provided by the Tahoe-LAFS gateway) -only from a client on the same host, then you would be safe from any problem -with the SFTP connection security. The examples given below enforce this -policy by including ":interface=127.0.0.1" in the "port" option, which causes -the server to only accept connections from localhost. +the code for encrypting files and directories in Tahoe-LAFS itself. (See +`Twisted ticket #4633`_ for a possible fix to this issue.) + +.. _Twisted ticket #4633: https://twistedmatrix.com/trac/ticket/4633 + +If you can connect to the SFTP server (which is provided by the Tahoe-LAFS +gateway) only from a client on the same host, then you would be safe from any +problem with the SFTP connection security. The examples given below enforce +this policy by including ":interface=127.0.0.1" in the "port" option, which +causes the server to only accept connections from localhost. You will use directives in the tahoe.cfg file to tell the SFTP code where to find these keys. To create one, use the ``ssh-keygen`` tool (which comes with