Subject: Re: CVS commit: src (identd -L)
To: None <tech-userlevel@netbsd.org>
From: Alan Barrett <apb@iafrica.com>
List: tech-userlevel
Date: 05/19/1999 17:07:42

On Wed, 19 May 1999, Erik E. Fair wrote:
> Speaking as a security-guy, I don't think we should enable identd by
> default. It's a nearly completely useless PoS.

I think that we should enable identd in encrypted cookie mode by
default.  My identd returns cookies that look like this (actual example
from an email Received line):

	[z7yww72ye4vsc217giY1syk88CmgaUUA]

Using a secret key stored in a file readable only by root, I can decrypt
that to (date,time,uid,srcaddr,srcport,dstaddr,dstport). 

> and the current ... "promoter" seemingly has never heard of IBM PC's or
> Macintoshes wherein the system administrator and the user are one in the
> same and thus the information provided is not even vaguely trustworthy. 

I am sure that the "promoter" of ident knows quite well that ident is
not useful with insecure PCs or Macs.  So don't use it with insecure PCs
or Macs.

If you run a publicly accessible service, I run a multiuser host,
one of my users connects to your service, and you query my ident server,
then (despite what many non-security people think) what you get from my
ident server is *not* intended to be directly useful to you for deciding
who my user is or whether you should allow them to use your service.

What you get from my ident server is just a cookie.  The cookie is
almost always useless to *you* (as the person who queried my ident
server) and you don't need to "trust" it in any way.  But if my user
does something naughty with your service then it would be nice if you
could later give me (out of band) a copy of the cookie from your logs.

The cookie from *my* ident server is intended to help *me* determine
which of my users did something naughty with your service.  That's it.
That's all that the ident protocol is useful for.

If my host is sufficiently secure, then *I* can trust what *my* ident
server says, but if my host is an insecure PC or Mac then I would be
stupid to trust what my ident server says.  Regardless of whether or
not my host is secure, nobody else should try to assign any meaning
to what my ident server says.  The only thing somebody else should do
with anything my ident server says is log it, in case it's useful to me
later.

--apb (Alan Barrett)
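
The cookie scheme described in this message, as an added example that is not part of the original mail and is not the code of the author's identd: the ident server seals (time, uid, srcaddr, srcport, dstaddr, dstport) under a root-only key, the remote site logs the opaque string, and only the key holder can open it later. The function names, the IPv4-only record layout and the HMAC-SHA256 keystream with a truncated tag are assumptions made here; the mail does not say which cipher or encoding is used.

```python
import base64, hashlib, hmac, ipaddress, os, struct

# Assumed record layout: unix time, uid, src addr/port, dst addr/port (IPv4 only).
_REC = struct.Struct("!II4sH4sH")
_NONCE, _TAG = 8, 8

def _keystream(key, nonce, n):
    # Stand-in cipher: HMAC-SHA256 in counter mode, domain-separated from the MAC.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _tag(key, nonce, ct):
    return hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:_TAG]

def make_cookie(key, ts, uid, src, sport, dst, dport):
    """What the ident server hands to the querying site instead of a user name."""
    nonce = os.urandom(_NONCE)  # fresh per reply, so equal records give unequal cookies
    rec = _REC.pack(ts, uid, ipaddress.IPv4Address(src).packed, sport,
                    ipaddress.IPv4Address(dst).packed, dport)
    ct = bytes(a ^ b for a, b in zip(rec, _keystream(key, nonce, len(rec))))
    raw = nonce + ct + _tag(key, nonce, ct)
    return "[" + base64.urlsafe_b64encode(raw).decode().rstrip("=") + "]"

def read_cookie(key, cookie):
    """Run by the key holder on a cookie copied out of someone else's logs.
    Returns the record tuple, or None if the cookie is damaged or not ours."""
    body = cookie.strip().strip("[]")
    try:
        raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except ValueError:
        return None
    if len(raw) != _NONCE + _REC.size + _TAG:
        return None
    nonce, ct, tag = raw[:_NONCE], raw[_NONCE:-_TAG], raw[-_TAG:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        return None  # reject before decrypting: forged, truncated, or wrong key
    rec = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    ts, uid, src, sport, dst, dport = _REC.unpack(rec)
    return (ts, uid, str(ipaddress.IPv4Address(src)), sport,
            str(ipaddress.IPv4Address(dst)), dport)
```

The integrity tag matters for the use the mail describes: a cookie reported back out of band has passed through someone else's logs, so the key holder should be able to tell a genuine cookie from a mangled or made-up one before attributing it to a uid.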