On 10/22/12 1:27 PM, "Ahmad Emneina" <ahmad.emne...@citrix.com> wrote:

>When you access cloudstack through the regular api endpoint
><host>:8080/client you will need to authenticate to execute commands. 8096
>is the unauthenticated admin port, which should be locked down on
>production installs.
>
>On 10/22/12 1:25 PM, "Musayev, Ilya" <imusa...@webmd.net> wrote:
>
>>I c. . so the API Key and Signature generation is obsolete as well?
>>
>>-----Original Message-----
>>From: Edison Su [mailto:edison...@citrix.com]
>>Sent: Monday, October 22, 2012 4:16 PM
>>To: cloudstack-dev@incubator.apache.org
>>Subject: RE: API Key and Signature security flaw on CS4 - jenkins build
>>non-oss 137
>>
>>By default, port 8096 is disabled, and is intended to be without API
>>signature/key check.
>>If the 8096 is turned on by yourself, then somehow, it's up to you how to
>>secure it.
>>
>>> -----Original Message-----
>>> From: Musayev, Ilya [mailto:imusa...@webmd.net]
>>> Sent: Monday, October 22, 2012 1:04 PM
>>> To: cloudstack-dev@incubator.apache.org
>>> Subject: API Key and Signature security flaw on CS4 - jenkins build
>>> non-oss 137
>>> 
>>> I guess I found a not so cool feature/bug which at this moment is a
>>> major security flaw for locally authenticated ssh use or from another
>>> host on the network.
>>> 
>>> The API signature and key are not checked at all - I'm able to run the
>>> commands against API port with any key - and command is executed
>>> without checking the validity of Key/Signature.
>>> 
>>> Is this a known bug that may have been addressed or do I need to file
>>> one?
>>> 
>>> How do we restrict access to 8096 from another host? Is it done via
>>> iptables or some access rule in tomcat?
>>> 
>>> If it's iptables we need a deny rule for 8096 from external hosts by
>>> default, probably with the setup script.
>>> 
>>> Thanks
>>> ilya
>>
>-- 
>Æ

To disable the admin api port, set the following param to 0, in your
global settings:
integration.api.port

-- 
Æ
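Since the thread asks whether key/signature generation is now obsolete, here is an added example (not from this list or the CloudStack code base) of how a request to the authenticated 8080 endpoint is signed with an account's API key and secret following the documented scheme (name-sorted, lowercased query string, HMAC-SHA1, Base64), and how the server-side check recomputes and compares it; port 8096 performs no such check, which is why it must be disabled or firewalled. The key pair and the `secret_lookup` callback are constructed for illustration.

```python
"""Sign a CloudStack API request for <host>:8080/client/api and verify it
the way the server does. Added example; the credentials are constructed."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlencode

# Constructed credentials for illustration only.
API_KEY = "EXAMPLE-api-key"
SECRET_KEY = "EXAMPLE-secret-key"


def _string_to_sign(params: dict) -> str:
    # CloudStack signs the name-sorted, URL-encoded, fully lowercased query string.
    items = sorted(params.items(), key=lambda kv: kv[0].lower())
    return urlencode(items, quote_via=quote).lower()


def sign_request(command: str, api_key: str, secret_key: str, **kwargs) -> str:
    """Return the full query string, signature included, for the 8080 endpoint."""
    params = {"command": command, "apikey": api_key, "response": "json", **kwargs}
    digest = hmac.new(secret_key.encode(), _string_to_sign(params).encode(),
                      hashlib.sha1).digest()
    params["signature"] = base64.b64encode(digest).decode()
    return urlencode(params, quote_via=quote)


def verify_signature(query: str, secret_lookup) -> bool:
    """Server-side check: look up the caller's secret by apikey, recompute the
    HMAC over every parameter except the signature, and compare in constant time.
    secret_lookup(apikey) -> secret or None is a constructed stand-in for the
    account database."""
    fields = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    presented = fields.pop("signature", None)
    secret = secret_lookup(fields.get("apikey", ""))
    if presented is None or secret is None:
        return False
    digest = hmac.new(secret.encode(), _string_to_sign(fields).encode(),
                      hashlib.sha1).digest()
    expected = base64.b64encode(digest).decode()
    return hmac.compare_digest(expected, presented)
```

Any change to a parameter after signing, or a wrong secret for the presented apikey, makes `verify_signature` return False; that is the check 8096 skips.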