Thanks for the fix, G4JC.
I agree that this is a major security vuln, and I'm kicking myself for not
noticing it sooner.
I use SSH to make outgoing connections to my server, but I have absolutely no
reason to run the server daemon on my desktop, and certainly would never use
password-based authentication(!!!).
I can't understand why this is enabled by default - it's exactly the kind of
functionality that anyone who needs it knows how to install and enable.
I hope it's removed promptly from future versions.