Subject: Re: CVS commit: src (identd -L)
To: Erik E. Fair <>
From: Jim Wise <>
List: tech-userlevel
Date: 05/19/1999 11:45:24

On Wed, 19 May 1999, Erik E. Fair wrote:

>Speaking as a security-guy, I don't think we should enable identd by
>default. It's a nearly completely useless PoS. The original protocol author
>disavowed this work years ago as a mistaken gedankenexperiment, and the
>current ... "promoter" seemingly has never heard of IBM PC's or Macintoshes
>wherein the system administrator and the user are one and the same and thus
>the information provided is not even vaguely trustworthy.

Agreed on all points.

Note that we don't enable it by default -- as a sysadmin and sometime
security guy, I too would be pretty disgusted if we did.  For whatever
reason, we _do_ ship it though -- I'm departing from that point and have
only added a flag to allow an admin who _does_ want to run it for
whatever reason to specify a static host-wide response.

From the man page:

       The -L<user name> option instructs identd to lie  brazenly
       about  the  identity  of the user in question.  You didn't
       really intend to trust my assertion about who I  was  any-
       way, right?
       This  flag  provides  a way for a site to support services
       requiring the ident protocol while  providing  a  standard
       answer  to  all ident queries.  All queries to identd will
       respond with a host type of  `OTHER'  and  a  username  of
       <user name>.

Yes, the ident protocol is broken by design.  Unfortunately, its
incorporation in sendmail, irc servers and elsewhere means there is a
lot of demand for it.  Sigh...

-- 
				Jim Wise

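As an added illustration of the behaviour the man page describes (this is not code from NetBSD's identd), here is a minimal Python sketch of the RFC 1413 query/reply exchange with the static `-L` answer, alongside the parser a consumer such as a mail or irc server would apply to the reply. The `0 , 0` port pair in the error reply for an unparseable query line is my own choice, not something the page or the RFC prescribes.

```python
import re

# RFC 1413 query: "<port-on-server> , <port-on-client>" followed by CRLF.
QUERY_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


def ident_reply(query: str, static_user: str) -> str:
    """Answer one query line the way identd -L<user name> does:
    every well-formed query gets host type OTHER and the configured name."""
    m = QUERY_RE.match(query.rstrip("\r\n"))
    if not m:
        # Assumed port pair for a line that does not parse at all.
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    sport, cport = int(m.group(1)), int(m.group(2))
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return f"{sport} , {cport} : ERROR : INVALID-PORT\r\n"
    return f"{sport} , {cport} : USERID : OTHER : {static_user}\r\n"


def parse_reply(reply: str) -> dict:
    """Split a reply into its fields, as a consumer would.
    The user-id field is whatever the remote host chose to send; it is
    only ever suitable for logging, never for authorisation decisions."""
    fields = [f.strip() for f in reply.rstrip("\r\n").split(":")]
    if len(fields) < 3:
        raise ValueError("malformed ident reply")
    ports, kind = fields[0], fields[1]
    if kind == "ERROR":
        return {"ports": ports, "error": fields[2]}
    if kind == "USERID" and len(fields) >= 4:
        # The user-id may itself contain colons, so rejoin the remainder.
        return {"ports": ports, "opsys": fields[2], "user": ":".join(fields[3:])}
    raise ValueError("malformed ident reply")


if __name__ == "__main__":
    # Constructed sample query, as sent by the server that received a connection.
    for q in ("6193, 23\r\n", "0, 23\r\n", "not a query\r\n"):
        r = ident_reply(q, "nobody")
        print(repr(r), parse_reply(r))
```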