Subject: Re: CVS commit: src (identd -L)
To: Jim Wise <jwise@draga.com>
From: Andrew Brown <atatat@atatdot.net>
List: tech-userlevel
Date: 05/18/1999 14:53:15
>>libwrap?  and "twist"?
>
>Works well in conjunction with identd (when identd is called from
>inetd).  But twist (or spawn ... :DENY) will only hand off to another
>command, which will still need to construct a valid identd response
>with the ports from the initial request, and a static user field.
>identd -L is just such a command.

no...i meant you should have libwrap "twist" (or "spawn") a command
that uses the %a and %A parameters that libwrap can pass to children.
then the script could respond intelligently with the correct port
numbers and stuff.

>This also means that if for some bizarre reason you _did_ want to
>provide true ident information to some hosts (and the other end was
>naive enough to ask for it) you could use hosts.allow to choose whether
>to call identd or identd -L.

more or less, yes...

>The bigger issue here, of course, is that identd is simply a really bad
>idea.  In the vast majority of cases, you really shouldn't be querying
>an identd anyway, and you _certainly_ shouldn't trust whatever it
>responds with.

...except that identd persists, i.e., it's marked as a "wait" service in
inetd.conf.  when an inbound connection is noticed by inetd, inetd
just forks off identd with stdin/stdout connected to the listening
socket, not the connected socket.  identd handles the connect itself.
then it waits around and handles a few more if they arrive before it
decides to die.  so you only get access control for the first allowed
connection for whatever period you decide to declare in inetd.conf.

results can certainly be controlled.

   #!/usr/local/bin/perl
   # read the one request line: "<port-on-server> , <port-on-client>"
   ($_=<>);
   ($mine,$your)=(/(\d+)/g);
   # RFC 1413 replies echo the two ports in the order they were asked;
   # careful clients (e.g. tcp_wrappers' rfc931 check) compare both
   # against the connection and discard a reply with them swapped.
   print("$mine , $your : USERID : UNIX :george\r\n");

this is my identd, which runs as a "nowait" service.  the problem is,
of course, that it will hang if the "client" to identd doesn't say
anything.  :)

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."
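As an added example (not code from this thread, from NetBSD's identd, or
from libwrap), here is the same fixed-user "nowait" responder written in
Python, with the two points raised above handled: the reply preserves the
port order from the request, as RFC 1413 requires and as tcp_wrappers'
rfc931 check enforces, and the process gives up after a timeout instead of
hanging when the querying side never sends anything. The `hide` option
returns the RFC 1413 `ERROR : HIDDEN-USER` reply, which is the protocol's
own way of refusing to name a user. The inetd.conf line in the comment, the
user name "george" and the sample requests are constructed for illustration.

```python
import re
import select
import sys

# Assumed inetd.conf line (constructed; adjust the path for your system):
#   ident stream tcp nowait nobody /usr/local/libexec/ident-reply.py ident-reply.py

# RFC 1413 request: "<port-on-server> , <port-on-client>" on one line.
REQ_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


def ident_response(request_line, user="george", hide=False):
    """Build the RFC 1413 reply for one request line.

    The reply echoes the ports in the same order the client sent them.
    A client such as tcp_wrappers compares both numbers against the TCP
    connection it is asking about and throws away a reply where they
    do not match, so swapping them yields no usable answer at all.
    """
    m = REQ_RE.match(request_line.rstrip("\r\n"))
    if not m:
        # Unparseable request: "0 , 0" is a constructed placeholder pair.
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    server_port, client_port = int(m.group(1)), int(m.group(2))
    if not (0 < server_port < 65536 and 0 < client_port < 65536):
        return f"{server_port} , {client_port} : ERROR : INVALID-PORT\r\n"
    if hide:
        # Protocol-level refusal to name the user (RFC 1413 section 6.2).
        return f"{server_port} , {client_port} : ERROR : HIDDEN-USER\r\n"
    return f"{server_port} , {client_port} : USERID : UNIX : {user}\r\n"


def serve_once(stdin=sys.stdin, stdout=sys.stdout, timeout=30.0, hide=False):
    """Handle one inetd 'nowait' connection on stdin/stdout.

    Returns the reply that was written, or None if the client sent
    nothing within `timeout` seconds (exit rather than hang forever).
    """
    ready, _, _ = select.select([stdin], [], [], timeout)
    if not ready:
        return None
    line = stdin.readline()
    if not line:
        return None
    reply = ident_response(line, hide=hide)
    stdout.write(reply)
    stdout.flush()
    return reply


if __name__ == "__main__":
    # Constructed sample requests, shown when run without a client attached.
    for sample in ("6191 , 23\r\n", "6191,23", "garbage", "70000 , 23"):
        print(repr(sample), "->", repr(ident_response(sample)))
    if not sys.stdin.isatty():
        serve_once()
```

Run under inetd as a "nowait" service, each connection gets its own process,
so libwrap can make an allow/deny (or twist) decision per query; the timeout
in `serve_once` is what keeps a silent client from pinning that process.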