I guess I found a not so cool feature/bug which at this moment is a major security flaw for locally authenticated ssh use or from another host on the network.
The API signature and key are not checked at all - I'm able to run the commands against the API port with any key - and the command is executed without checking the validity of the Key/Signature. Is this a known bug that may have been addressed or do I need to file one? How do we restrict access to 8096 from another host? Is it done via iptables or some access rule in tomcat? If it's iptables, we need a deny rule for 8096 from external hosts by default, probably with the setup script.

Thanks,
ilya