Subject: Re: identd with NAT and IPv6 support.
To: None <netbsd-users@netbsd.org, current-users@netbsd.org, tech-net@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: current-users
Date: 03/27/2002 21:36:17
On Wed, Mar 27, 2002 at 09:22:04PM -0500, Aidan Cully wrote:
> 
> You seem to be assuming one-user-per-IP?  Or that we expect people to
> be able to read news from the newsserver itself?
> To spoof IP you need raw access to the network, which *can* be
> prevented, if you trust the admins of the hosts on that network.  When
> these admins are "you", it's perfectly trustworthy, unless you're
> incompetent.  (on single-user machines, the user is basically an admin,
> and ident can't be used.)

Just to be clear about this, ident "authentication" is every bit as good
as Kerberos "authentication", given multiuser machines on which a user is
being "authenticated".  If you're root, you can forge ident responses, and
act like you're somebody else, but guess what?  If you're root, you could 
just use their Kerberos credentials, too!

This assumes a trusted network between the machines using identd, but in
many cases -- most cases? -- in which one's got multiuser machines, there
is already such an assumption, for example if NFS is in use.

Thor