Subject: Re: identd with NAT and IPv6 support.
To: Jim Wise <jwise@draga.com>
From: Aidan Cully <aidan@kublai.com>
List: netbsd-users
Date: 03/27/2002 21:22:04
On Wed, Mar 27, 2002 at 08:17:06PM -0500, Jim Wise wrote:
> On Wed, 27 Mar 2002, Aidan Cully wrote:
> 
> >I take some issue with that...  ident can be very useful in limited
> >situations.  If you've got a multi-user shell service, and don't want
> >to ask your users for passwords when they connect over TCP to another
> >service you've got, but this service provides different things to
> >different users, ident is not a bad way to go.  INN's nnrpd can
> >resolve users over ident because of just this situation.
> >
> >ident is useless once you leave a trusted area.
> 
> Which is to say that you translate a problem of imitating a trusted user
> at a trusted IP to a problem of imitating just the trusted IP?  If that's
> your goal, use .rhosts...

You seem to be assuming one-user-per-IP?  Or that we expect people to
be able to read news from the newsserver itself?
To spoof IP you need raw access to the network, which *can* be
prevented, if you trust the admins of the hosts on that network.  When
these admins are "you", it's perfectly trustworthy, unless you're
incompetent.  (on single-user machines, the user is basically an admin,
and ident can't be used.)

I'm not expressing myself clearly, but I don't accept that ident is
100% useless.  It can be removed from basesrc and I won't shed a tear,
but it fills its niche quite nicely.

--aidan
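The ident (RFC 1413) exchange the thread is arguing about, as an added example that is not part of the original post or of NetBSD's identd: a server-side lookup that builds the query, parses the reply, and refuses to ask at all unless the peer sits in a network whose administrators you control. The trusted ranges (192.0.2.0/24, 2001:db8::/32), the port numbers and the sample replies are constructed for illustration.

```python
"""
Server-side ident (RFC 1413) lookup, as an added example: not code from the
original post or from NetBSD's identd.  The username in a reply is asserted
by the peer host's identd, so it is only worth anything when you trust that
host's administrator.  TRUSTED_NETS and SAMPLE_REPLIES are constructed.
"""
import ipaddress
import socket

IDENT_PORT = 113

# Assumed (hypothetical) networks whose hosts' admins we control.  Outside
# them any user can run an identd and answer whatever they like.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("2001:db8::/32")]


def build_request(peer_port, local_port):
    """Build the query a server sends to its peer's identd on port 113.

    RFC 1413 names the fields <port-on-server> (the port on the host running
    identd, i.e. the peer's ephemeral port) and <port-on-client> (the port on
    the host asking, i.e. our own listening port).
    """
    return ("%d, %d\r\n" % (peer_port, local_port)).encode("ascii")


def parse_response(line, peer_port, local_port):
    """Parse one ident reply line into ("USERID", user) or ("ERROR", type).

    Raises ValueError on a malformed reply or one that does not echo the port
    pair we asked about; a reply for some other connection must never be
    attributed to this one.
    """
    text = line.decode("ascii").rstrip("\r\n")
    head, sep, rest = text.partition(":")
    if not sep:
        raise ValueError("no reply type in %r" % text)
    ports = head.split(",")
    if len(ports) != 2:
        raise ValueError("malformed port pair in %r" % text)
    if (int(ports[0]), int(ports[1])) != (peer_port, local_port):
        raise ValueError("reply is for a different connection: %r" % text)
    kind, sep, rest = rest.partition(":")
    kind = kind.strip().upper()
    if not sep:
        raise ValueError("truncated reply: %r" % text)
    if kind == "ERROR":
        return ("ERROR", rest.strip())
    if kind == "USERID":
        # <opsys>[, <charset>] : <user-id>; the user id may itself contain
        # colons, so split only once.  Surrounding whitespace is dropped here.
        opsys, sep, user = rest.partition(":")
        if not sep or not user.strip():
            raise ValueError("USERID reply without user id: %r" % text)
        return ("USERID", user.strip())
    raise ValueError("unknown reply type %r" % kind)


def peer_is_trusted(peer_ip):
    """An ident answer is only as good as the answering host's administrator."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_NETS)


def lookup_user(peer_ip, peer_port, local_port, timeout=5.0):
    """Ask the peer's identd who owns the connection; None means "unknown".

    Refuses to ask for peers outside TRUSTED_NETS: a reply from there is
    user-controlled and must not be used to decide who the user is.
    """
    if not peer_is_trusted(peer_ip):
        return None
    try:
        with socket.create_connection((peer_ip, IDENT_PORT), timeout=timeout) as s:
            s.sendall(build_request(peer_port, local_port))
            line = s.makefile("rb").readline(1024)
        kind, detail = parse_response(line, peer_port, local_port)
    except (OSError, ValueError):
        return None
    return detail if kind == "USERID" else None


# Constructed sample replies, as the querying server would read them.
SAMPLE_REPLIES = {
    "ok":       b"6193, 119 : USERID : UNIX : alice\r\n",
    "nouser":   b"6193, 119 : ERROR : NO-USER\r\n",
    "hidden":   b"6193, 119 : ERROR : HIDDEN-USER\r\n",
    "mismatch": b"6193, 120 : USERID : UNIX : mallory\r\n",
}


def demo():
    """Run the constructed replies through the parser; returns {name: result}."""
    out = {}
    for name, line in SAMPLE_REPLIES.items():
        try:
            out[name] = parse_response(line, 6193, 119)
        except ValueError as e:
            out[name] = ("INVALID", str(e))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-9s %s" % (name, result))
    print("192.0.2.7 trusted:", peer_is_trusted("192.0.2.7"))
    print("203.0.113.5 trusted:", peer_is_trusted("203.0.113.5"))
```

The trust check is the whole point of the thread: `lookup_user` treats a reply from an untrusted address as if identd had not answered at all, so the username can only ever come from a host whose admin is "you". The port-pair comparison in `parse_response` is the other check worth keeping, since a reply that names a different connection says nothing about the one being authenticated.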