Subject: Re: CVS commit: src (identd -L)
To: Andrew Brown <atatat@atatdot.net>
From: Jim Wise <jwise@draga.com>
List: tech-userlevel
Date: 05/18/1999 14:50:39

On Tue, 18 May 1999, Andrew Brown wrote:

>>>ident stream tcp nowait nobody /bin/echo echo string ?
>>
>>Will not reformat string based on the ports provided by the requesting
>>ident lookup, thus causing an invalid response.  It's true -- a simple
>>script to read an ident request, and produce a reply with the correct
>>ports but a static user string would be pretty trivial to write, but it
>>seemed to me more intuitive to add it as a fast-path within identd...
>
>libwrap?  and "twist"?

Works well in conjunction with identd (when identd is called from
inetd).  But twist (or spawn ... :DENY) will only hand off to another
command, which will still need to construct a valid identd response
with the ports from the initial request, and a static user field.
identd -L is just such a command.

This also means that if for some bizarre reason you _did_ want to
provide true ident information to some hosts (and the other end was
naive enough to ask for it) you could use hosts.allow to choose whether
to call identd or identd -L.

The bigger issue here, of course, is that identd is simply a really bad
idea.  In the vast majority of cases, you really shouldn't be querying
an identd anyway, and you _certainly_ shouldn't trust whatever it
responds with.

-- 
				Jim Wise
				jwise@draga.com
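As an added illustration of the point in the reply above (this is not the NetBSD identd -L source nor the posted /bin/echo line): a minimal inetd-style ident responder that copies the port pair from the request and substitutes a fixed user string, together with a check that shows why a static echo string is not a valid RFC 1413 reply. STATIC_USER is an assumed placeholder for the string identd -L takes on its command line.

```python
import re
import sys

# Added example, not the NetBSD identd code. RFC 1413 replies must carry the
# port pair from the request, so only the user field can be static.

STATIC_USER = "nobody"  # assumed placeholder; identd -L takes this from argv

_REQUEST = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")


def ident_reply(request_line: str, user: str = STATIC_USER) -> str:
    """Build an RFC 1413 reply for one request line using a fixed user."""
    m = _REQUEST.match(request_line.rstrip("\r\n"))
    if not m:
        # Unparseable request: no port pair to echo, so answer with an ERROR.
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    sport, cport = int(m.group(1)), int(m.group(2))
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return f"{sport} , {cport} : ERROR : INVALID-PORT\r\n"
    # Ports echoed back; the user field never reveals a real account name.
    return f"{sport} , {cport} : USERID : UNIX : {user}\r\n"


def reply_matches_request(request_line: str, reply: str) -> bool:
    """True when the reply's port pair equals the request's (what echo fails)."""
    m = _REQUEST.match(request_line.rstrip("\r\n"))
    if not m:
        return False
    head = reply.split(":", 1)[0]
    try:
        pair = [int(p) for p in head.split(",")]
    except ValueError:
        return False  # e.g. a bare "echo string ?" line is not a port pair
    return pair == [int(m.group(1)), int(m.group(2))]


def handle_connection(rfile, wfile, user: str = STATIC_USER) -> str:
    """Serve one request read from rfile, write the reply to wfile (inetd style)."""
    reply = ident_reply(rfile.readline(), user)
    wfile.write(reply)
    wfile.flush()
    return reply


if __name__ == "__main__":
    # Under inetd the connection is stdin/stdout, as with the echo line above.
    handle_connection(sys.stdin, sys.stdout)
```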
