Subject: Re: tcp-wrappers, tcpd, and NetBSD
To: None <current-users@NetBSD.ORG>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: current-users
Date: 03/15/1997 22:26:12

>> [various alternative implementations of identd]
> The best one of these alternative identd servers I ever saw was a
> small piece of C code that always identified the user as Dan
> Bernstein.

That's fine if you care more about making a religious point than you do
about keeping your system secure. The security benefits accruing to a
site running a (real) pidentd are very real, if you either (a) have any
users who might misbehave or (b) might ever have any of your user
logins cracked. (There are doubtless a few machines that fall into
neither category, but I daresay they're pretty rare even among the
OS-hacking crowd.)

As for the remark that NetBSD's sendmail should come with use of ident
disabled, I strongly disagree. If you're attacked from my site, for
example, I'm going to ask you what my pidentd returned for the
attacking connection; if you can't tell me, I'm unlikely to be able to
do more than wish you luck (unless the attacking machine happens to be
one of the few without any real users).

der Mouse
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
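
Added example (not part of the original message, and not code from pidentd or sendmail): one way a receiving site could record what the remote identd returned for a connection, so the answer is on hand when the remote site's admin asks for it. It parses an RFC 1413 reply and escapes the untrusted user-id before logging; the function names, log format, address, ports and user name are constructed for illustration.

```python
import re

# RFC 1413 reply, one line terminated by CR LF:
#   <port-on-server> , <port-on-client> : USERID : <opsys> : <user-id>
#   <port-on-server> , <port-on-client> : ERROR : <error-type>
_HEAD = re.compile(
    rb"^[ \t]*(\d{1,5})[ \t]*,[ \t]*(\d{1,5})[ \t]*:[ \t]*(USERID|ERROR)[ \t]*:(.*)$",
    re.S)

def _printable(raw: bytes) -> str:
    """Escape bytes that could forge or break a log line (controls, quote, backslash)."""
    return "".join(chr(b) if 0x20 <= b < 0x7F and b not in (0x22, 0x5C)
                   else f"\\x{b:02x}" for b in raw)

def parse_ident_reply(reply: bytes, remote_port: int, local_port: int) -> dict:
    """Parse the reply to the query "<remote_port>, <local_port>" sent to the remote identd."""
    line = reply[:-2] if reply.endswith(b"\r\n") else reply
    m = _HEAD.match(line)
    if not m:
        return {"status": "malformed", "raw": _printable(line[:600])}
    if (int(m.group(1)), int(m.group(2))) != (remote_port, local_port):
        # The reply must echo the port pair that was asked about.
        return {"status": "port-mismatch", "raw": _printable(line[:600])}
    rest = m.group(4)
    if m.group(3) == b"ERROR":
        return {"status": "error", "error": _printable(rest.strip(b" \t")[:64])}
    opsys, sep, user = rest.partition(b":")
    if not sep:
        return {"status": "malformed", "raw": _printable(line[:600])}
    # Everything after the colon that follows <opsys> is the user-id, kept as sent
    # (leading blanks included) and capped at 512 octets.
    return {"status": "userid", "opsys": _printable(opsys.strip(b" \t")),
            "user": _printable(user[:512])}

def audit_line(when: str, src_ip: str, remote_port: int, local_port: int,
               reply: bytes) -> str:
    """One log line tying the connection to whatever the remote identd said."""
    fields = parse_ident_reply(reply, remote_port, local_port)
    detail = " ".join(f'{k}="{v}"' for k, v in fields.items())
    return f"{when} ident src={src_ip}:{remote_port} dst_port={local_port} {detail}"

if __name__ == "__main__":
    # Constructed sample: documentation address, made-up ports and user name.
    print(audit_line("2024-01-01T00:00:00Z", "192.0.2.10", 6193, 25,
                     b"6193 , 25 : USERID : UNIX :mallory\r\n"))
```

The logged value is only as trustworthy as the remote identd, which is why it is recorded verbatim for the remote site's admin to interpret rather than acted on locally.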