When you access CloudStack through the regular API endpoint <host>:8080/client, you will need to authenticate to execute commands. 8096 is the unauthenticated admin port, which should be locked down on production installs.
On 10/22/12 1:25 PM, "Musayev, Ilya" <imusa...@webmd.net> wrote:

>I c. . so the API Key and Signature generation is obsolete as well?
>
>-----Original Message-----
>From: Edison Su [mailto:edison...@citrix.com]
>Sent: Monday, October 22, 2012 4:16 PM
>To: cloudstack-dev@incubator.apache.org
>Subject: RE: API Key and Signature security flaw on CS4 - jenkins build
>non-oss 137
>
>By default, port 8096 is disabled, and is intended to be without API
>signature/key check.
>If the 8096 is turned on by yourself, then somehow, it's up to you how to
>secure it.
>
>> -----Original Message-----
>> From: Musayev, Ilya [mailto:imusa...@webmd.net]
>> Sent: Monday, October 22, 2012 1:04 PM
>> To: cloudstack-dev@incubator.apache.org
>> Subject: API Key and Signature security flaw on CS4 - jenkins build
>> non-oss 137
>>
>> I guess I found a not so cool feature/bug which at this moment is a
>> major security flaw for locally authenticated ssh use or from another
>> host on the network.
>>
>> The API signature and key are not checked at all - I'm able to run the
>> commands against API port with any key - and command is executed
>> without checking the validity of Key/Signature.
>>
>> Is this a known bug that may have been addressed or do I need to file
>> one?
>>
>> How do we restrict access to 8096 from another host? Is it done via
>> iptables or some access rule in tomcat?
>>
>> If it's iptables we need a deny rule for 8096 from external hosts by
>> default probably with setup script.
>>
>> Thanks
>> ilya
>
>
>

--
Æ
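
One way to check the exposure discussed in this thread, as an added example that is not part of the original messages or of CloudStack: the script reads `ss -ltn` output, reports any listener on 8096 that is not bound to loopback, and prints the loopback-only iptables policy the thread asks about. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit listeners on the unauthenticated port named in the thread.
PORT=8096

# Constructed sample of `ss -ltn` output; on a real host pipe in `ss -ltn`.
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      50     127.0.0.1:8096     0.0.0.0:*
LISTEN 0      100    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      50     [::]:8096          [::]:*'

# Read an `ss -ltn` listing on stdin; print every non-loopback bind address
# that listens on $PORT (one per line, nothing if none).
exposed_listeners() {
  awk -v port="$PORT" '
    $1 == "LISTEN" {
      addr = $4                              # Local Address:Port column
      n = split(addr, parts, ":")
      if (parts[n] != port) next             # different port
      host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
      sub(/^\[/, "", host); sub(/\]$/, "", host)   # strip IPv6 brackets
      if (host ~ /^127\./ || host == "::1" || host ~ /^::ffff:127\./) next
      print host
    }'
}

# Return 0 if the port is closed or loopback-only, 1 if reachable from other hosts.
audit_port() {
  hits=$(exposed_listeners | tr '\n' ' ')
  if [ -n "$hits" ]; then
    echo "EXPOSED: port $PORT listening on ${hits% }"
    return 1
  fi
  echo "OK: port $PORT is closed or loopback-only"
}

# Print (do not apply) rules that allow loopback and drop everything else.
# -A appends, so check that no earlier ACCEPT rule already matches the port.
loopback_only_rules() {
  for cmd in iptables ip6tables; do
    echo "$cmd -A INPUT -i lo -p tcp --dport $PORT -j ACCEPT"
    echo "$cmd -A INPUT -p tcp --dport $PORT -j DROP"
  done
}

printf '%s\n' "$SAMPLE" | audit_port || loopback_only_rules
```

On a live management server, replace the sample with `ss -ltn | audit_port` and review the printed rules against the existing INPUT chain before applying them.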