OpenSSH and its built-in denial of service "feature"


From: Daniel Pittman
Subject: OpenSSH and its built-in denial of service "feature"
Date: 03:48 on 11 Dec 2003
...I hate OpenSSH.  It's sure nice to have a free SSH server and all,
but it is *so* full of hateful half-complete features.

In this case, we need to use password expiration on our systems, because
company policy demands it. So, we enable this. Life is good.[1]

Then a password expires. Fine, whatever. So, user tries to log in to the
master server where they need to change the password.[2]

OpenSSH knows that the password is expired, so they are not permitted to
log in. That is a fine feature, except...

...OpenSSH does not implement changing passwords.


Oh, yes, it can tell you to sod off if your password is now expired,
because that is so useful, especially when that is the only way to get
in to the machine to change the password.


Advice to programmers:  if you want to leave your feature half finished,
do it in a way that isn't going to suddenly impale someone through the
heart and have them bleed to death.


At least the server isn't in the data center in Kansas yet...

   Daniel


Footnotes: 
[1]  Well, the interface is hateful, and distributing passwords across
     machines is hateful, but not quite as hateful as OpenSSH.

[2]  See point one. All distributed password systems suck.

-- 
Many of my favorite shamans are rock stars. They probably don't even know
they're shamans but they know how to get to ecstasy and back, and how to take
others with them. They may not have a license, but they know how to drive.
        -- Gabrielle Roth, _Maps to Ecstasy_

Generated at 14:02 on 01 Jul 2004 by mariachi 0.52