Comment 5 for bug 858867

In my opinion as the maintainer, this is not a bug and will not be fixed upstream. Any functions that modify data require a login, and certain functions (like those performed by koan) require access to the XMLRPC endpoint without a login or access to the token stored locally for the CLI. At no point did we say all XMLRPC functions require a login.

Beyond that, a lot of the same data that can be accessed over the web interface (namely the kickstart/preseed data) which contains information that could be considered just as sensitive (IP's, MACs, etc.). You should never have unencrypted data like plain-text passwords in your automated response files unless there is absolutely no other option and you can ensure the network they're traversing is secured.