Subject: Re: CVS commit: src (identd -L)
To: Erik E. Fair <email@example.com>
From: Jim Wise <firstname.lastname@example.org>
Date: 05/19/1999 11:45:24
-----BEGIN PGP SIGNED MESSAGE-----
On Wed, 19 May 1999, Erik E. Fair wrote:
>Speaking as a security-guy, I don't think we should enable identd by
>default. It's a nearly completely useless PoS. The original protocol author
>disavowed this work years ago as a mistaken gedankenexperiment, and the
>current ... "promoter" seemingly has never heard of IBM PC's or Macintoshes
>wherein the system administrator and the user are one and the same and thus
>the information provided is not even vaguely trustworthy.
Agreed on all points.
Note that we don't enable it by default -- as a sysadmin and sometime
security guy, I too would be pretty disgusted if we did. For whatever
reason, we _do_ ship it though -- I'm departing from that point and have
only added a flag to allow an admin who _does_ want to run it for
whatever reason to specify a static host-wide response.
From the man page:
The -L<user name> option instructs identd to lie brazenly
about the identity of the user in question. You didn't
really intend to trust my assertion about who I was any-
This flag provides a way for a site to support services
requiring the ident protocol while providing a standard
answer to all ident queries. All queries to identd will
respond with a host type of `OTHER' and a username of
Yes, the ident protocol is broken by design. Unfortunately, its
incorporation in sendmail, IRC servers and elsewhere means there is a
lot of demand for it. Sigh...
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
-----END PGP SIGNATURE-----
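To make the behaviour described above concrete, here is a small RFC 1413 (ident) responder that does what the -L flag is described as doing: every well-formed query gets the same "USERID : OTHER : <name>" answer and the real connection-to-user mapping is never consulted. This is an added illustration written for this page, not NetBSD's identd or any code from the thread. Everything in it is assumed: the static user name "nobody", the non-privileged listening port 1130 (the real ident port is 113), and the choice to answer an unparseable query with "0 , 0 : ERROR : INVALID-PORT" (RFC 1413 names the error but does not dictate which port pair to echo).

```python
"""Minimal RFC 1413 (ident) responder that always returns a fixed answer.

Added example, not NetBSD's identd. It mimics the -L<user name> behaviour
described in the message: every syntactically valid query is answered with
'USERID : OTHER : <static user>', so no real account name ever leaves the
host. STATIC_USER and the listening port are assumed placeholder values.
"""
import socket
import threading

STATIC_USER = "nobody"   # assumed placeholder for the -L<user name> argument
LISTEN_PORT = 1130       # assumed; the real ident service port is 113


def parse_query(line: bytes):
    """Parse '<port-on-server> , <port-on-client>' (RFC 1413 request syntax).

    Returns (server_port, client_port) or None if the line is malformed or a
    port is outside 1..65535.
    """
    try:
        text = line.decode("ascii").strip()
        left, right = text.split(",", 1)
        sport, cport = int(left.strip()), int(right.strip())
    except (UnicodeDecodeError, ValueError):
        return None
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return None
    return sport, cport


def ident_reply(line: bytes, static_user: str = STATIC_USER) -> bytes:
    """Build the single response line for one query.

    A malformed query gets an ERROR reply. Anything else gets the canned
    USERID answer regardless of whether the port pair matches any live
    connection, which is exactly why a remote site cannot trust the result.
    """
    ports = parse_query(line)
    if ports is None:
        # Design choice for this example: echo a zero port pair with the error
        # rather than reflecting untrusted request bytes back to the client.
        return b"0 , 0 : ERROR : INVALID-PORT\r\n"
    sport, cport = ports
    return f"{sport} , {cport} : USERID : OTHER : {static_user}\r\n".encode("ascii")


def handle(conn: socket.socket, static_user: str) -> None:
    """Answer one query on an accepted connection, then close it."""
    with conn:
        conn.settimeout(10)  # idle clients must not pin a thread forever
        try:
            line = conn.makefile("rb").readline(1024)  # cap request size
            if line:
                conn.sendall(ident_reply(line, static_user))
        except (socket.timeout, OSError):
            pass


def serve(host: str = "127.0.0.1", port: int = LISTEN_PORT,
          static_user: str = STATIC_USER) -> None:
    """Accept connections and answer each with the static identity."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(8)
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn, static_user),
                             daemon=True).start()


if __name__ == "__main__":
    serve()  # e.g. test with: printf '6191, 23\r\n' | nc 127.0.0.1 1130
```

The responder still validates the request syntax so that a service which insists on an ident lookup gets a protocol-conformant answer, but the "OTHER" operating-system token tells the querier that the user field is free text rather than a real account name, which is what a site-wide static reply amounts to.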