Subject: Re: identd with NAT and IPv6 support.
To: <current-users@netbsd.org>
From: Henry B. Hotz <hotz@jpl.nasa.gov>
List: current-users
Date: 04/02/2002 16:05:05
At 4:47 PM -0500 4/2/02, Greg A. Woods wrote:
>[ On Tuesday, April 2, 2002 at 12:08:15 (-0800), Henry B. Hotz wrote: ]
>>  Subject: Re: identd with NAT and IPv6 support.
>>
>>  One of the easy ways to configure PostgreSQL is to use identd to
>>  identify the user when the request comes from the same machine as the
>>  server is running on.  All the other ways of authenticating a user
>>  connection are a real pain in comparison.  This is a standard
>>  application, compiled as provided.
>
>Yes indeed!
>
>Unfortunately PostgreSQL cannot (yet) deal with more arbitrary IDENT
>reply formatting and encryption using a shared secret....
>
>>  I've always considered that if I couldn't trust the machine I was
>>  running on then I was pretty much hosed anyway.  CFS doesn't prevent
>>  root from seeing your data files, nor Kerberos prevent root from
>>  impersonating you.
>
>Be careful how you deploy this particular application of IDENT though.
>It's not just the systems you have to trust, but the network as well....

As I thought I said above, I only *use* ident within the same machine 
and never over the network, though I usually allow it outside if 
someone else wants the information.  This was an acceptable 
workaround (for me) for some Kerberos v4 bugs in PostgreSQL back in 
the 6.2 timeframe.

Everyone's getting all bent out of shape about how much you can trust 
identd packets on the Internet at large.  I never thought *anyone* 
trusted it.  It's just a convenient, old protocol that is still used 
and therefore useful in some situations (if you're careful).

In case anyone still remembers the original question on this thread: 
I think we should keep identd around.  If you want to turn it off by 
default and keep it out of the base distribution that's fine.  I'd 
prefer you didn't export it to the package system, at least not yet.
-- 
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
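The trust boundary the message describes (ident is only meaningful when client and server are on the same host) is easy to violate with a single over-broad line in pg_hba.conf. The following audit script is an added example, not code from this thread or from the PostgreSQL project: it parses a constructed pg_hba.conf, using the modern layout (peer for Unix sockets, ident for TCP) that postdates the 2002 discussion, and flags every ident rule whose address range reaches beyond the loopback interface. The sample configuration, the function names and the treatment of the samehost/samenet/all keywords are assumptions made for the example.

```python
"""Audit pg_hba.conf for ident rules that trust peers beyond the local host."""
import ipaddress

# Constructed sample pg_hba.conf (not taken from the page). The first three
# rules keep ident on the local host; the 10.0.0.0/8 and 0.0.0.0/0 rules are
# the kind of configuration the message warns against.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS          METHOD
local   all       all                    peer
host    all       all   127.0.0.1/32     ident
host    all       all   ::1/128          ident
host    all       all   10.0.0.0/8       ident
host    all       all   192.168.1.5/32   md5
host    all       all   0.0.0.0/0        ident
"""

LOOPBACK_NETS = (ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("::1/128"))


def parse_pg_hba(text):
    """Return a list of (type, database, user, address, method) tuples.

    'local' rules carry no ADDRESS column, so address is None for them.
    Host rules may give the mask either as CIDR ("10.0.0.0/8") or as a
    separate netmask column ("10.0.0.0 255.0.0.0"); both forms are folded
    into one "address/mask" string. Trailing options (e.g. map=...) are ignored.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            if len(fields) < 4:
                raise ValueError(f"malformed local rule: {raw!r}")
            rules.append((fields[0], fields[1], fields[2], None, fields[3]))
            continue
        if len(fields) < 5:
            raise ValueError(f"malformed host rule: {raw!r}")
        address, method = fields[3], fields[4]
        # Separate-netmask form: ADDRESS NETMASK METHOD
        try:
            ipaddress.ip_address(fields[4])
            if len(fields) >= 6:
                address, method = f"{fields[3]}/{fields[4]}", fields[5]
        except ValueError:
            pass
        rules.append((fields[0], fields[1], fields[2], address, method))
    return rules


def is_loopback_only(address):
    """True if the ADDRESS field can only match connections from this host."""
    if address == "samehost":          # keyword: the server's own addresses
        return True
    if address in ("samenet", "all"):  # keywords that reach other machines
        return False
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return False                   # hostnames cannot be verified here
    return any(net.version == lb.version and net.subnet_of(lb)
               for lb in LOOPBACK_NETS)


def find_remote_ident_rules(text):
    """Return the ADDRESS fields of ident rules that accept non-loopback peers.

    These are the rules where the database would trust an ident reply that
    crossed the network, which the message above argues is never acceptable.
    """
    flagged = []
    for typ, _db, _user, address, method in parse_pg_hba(text):
        if typ == "local" or method != "ident":
            continue
        if not is_loopback_only(address):
            flagged.append(address)
    return flagged


if __name__ == "__main__":
    for addr in find_remote_ident_rules(SAMPLE_PG_HBA):
        print(f"ident trusted beyond loopback: {addr}")
```

Run it against a real pg_hba.conf by reading the file into `find_remote_ident_rules`; an empty result means every ident rule is confined to the loopback interface, which is the only deployment the message endorses.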