Subject: Re: tcp-wrappers, tcpd, and NetBSD
To: Bill Sommerfeld <sommerfeld@orchard.east-arlington.ma.us>
From: Warner Losh <imp@village.org>
List: current-users
Date: 03/15/1997 23:01:49
In message <199703160427.EAA11488@orchard.east-arlington.ma.us> Bill Sommerfeld writes:
: If you have a multiuser system and you want to trace which users are
: doing "interesting" things to the network, it would make far more
: sense to arrange for networking activity to be auditable (e.g.,
: logging the time, operation, and user).  

identd is useful to the operator of a machine iff 1) that operator
absolutely 100% trusts those with root privs and 2) that machine has
many users that might do bad things and the machine operator wants to
be able to punish those users at a later date (or you want to make it
harder to forge things from your site).

For all other uses, it is completely useless due to broken-by-design
problems with the protocol.  All it does is give warm fuzzies to the
remote side of the equation, since the fundamental trust model is
broken (e.g. that you can trust the remote side to return useful
information, which in the general case you can't).

Other methods exist to help prevent these problems, like Bill was
saying.  Logging connections when they are made is likely the best way
to do this.

Warner
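The trust-model point above, as an added illustration that is not part of the thread: an RFC 1413 ident exchange simulated offline in Python. The asking side formats a query, parses the reply and extracts the user name the remote daemon reports. Two simulated daemons answer in byte-identical format, one from a real (constructed) connection table and one that answers every query with the same name; the asking side has no way to tell them apart, which is why the reply can only be recorded as an unverified hint next to the locally known uid in a connection log. Port numbers, user names and the connection table are constructed sample data.

```python
"""RFC 1413 ident exchange and a local connection-audit record, simulated offline.

Added example, not code from the thread. Port numbers, user names and the
connection table below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Reply grammar (RFC 1413): "<server-port> , <client-port> : USERID|ERROR : <detail>"
REPLY_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")


@dataclass
class IdentReply:
    server_port: int   # port on the host that runs identd
    client_port: int   # port on the host that asked
    kind: str          # "USERID" or "ERROR"
    detail: str        # "UNIX : alice" for USERID, an error token for ERROR


def build_query(server_port: int, client_port: int) -> bytes:
    """Request line sent by the asking side: '<port-on-server>, <port-on-client>' CRLF."""
    return f"{server_port}, {client_port}\r\n".encode("ascii")


def parse_query(raw: bytes) -> Tuple[int, int]:
    """Split a request line into the two port numbers (daemon side)."""
    sp, cp = raw.decode("ascii").strip().split(",")
    return int(sp), int(cp)


def parse_reply(raw: bytes) -> IdentReply:
    """Parse one reply line; reject anything that does not match the RFC grammar."""
    m = REPLY_RE.match(raw.decode("ascii", "replace").rstrip("\r\n"))
    if m is None:
        raise ValueError(f"malformed ident reply: {raw!r}")
    return IdentReply(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))


def claimed_user(reply: IdentReply) -> Optional[str]:
    """User name the remote daemon *claims* for the socket pair; None for ERROR replies."""
    if reply.kind != "USERID":
        return None
    _opsys, _, user = reply.detail.partition(":")
    return user.strip() or None


# Constructed connection table on the queried host: (local port, remote port) -> owner.
CONNECTION_TABLE: Dict[Tuple[int, int], str] = {(1025, 25): "alice", (1026, 113): "bob"}


def honest_identd(query: bytes) -> bytes:
    """A daemon whose operator reports the real owner of the socket pair."""
    sp, cp = parse_query(query)
    owner = CONNECTION_TABLE.get((sp, cp))
    if owner is None:
        return f"{sp}, {cp} : ERROR : NO-USER\r\n".encode("ascii")
    return f"{sp}, {cp} : USERID : UNIX : {owner}\r\n".encode("ascii")


def unhelpful_identd(query: bytes) -> bytes:
    """A daemon whose root answers every query the same way. The wire format is
    identical to the honest reply, so the asking side cannot tell them apart."""
    sp, cp = parse_query(query)
    return f"{sp}, {cp} : USERID : UNIX : nobody\r\n".encode("ascii")


def ask(daemon: Callable[[bytes], bytes], server_port: int, client_port: int) -> Optional[str]:
    """One query/reply round trip against a simulated daemon."""
    return claimed_user(parse_reply(daemon(build_query(server_port, client_port))))


def audit_record(ts: str, operation: str, local_uid: int, peer: str,
                 ident_claim: Optional[str]) -> str:
    """Local audit line: the locally known uid is authoritative; the ident
    answer is recorded only as an unverified hint."""
    hint = ident_claim if ident_claim is not None else "-"
    return f"{ts} {operation} uid={local_uid} peer={peer} remote_ident_claim={hint} (unverified)"


if __name__ == "__main__":
    print(ask(honest_identd, 1025, 25))      # alice
    print(ask(unhelpful_identd, 1025, 25))   # nobody, in the same format
    print(audit_record("1997-03-15T23:01:49", "connect", 1001, "10.0.0.5:25",
                       ask(unhelpful_identd, 1025, 25)))
```

The asking side's code path is the same for both daemons; only the operator of the queried host decides what the reply says, which is the "trust the remote root" condition from the message. The audit line keeps the two facts distinguishable: `uid=` comes from the local system, `remote_ident_claim=` from the network.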