Subject: Re: Why ident support in sendmail from NetBSD distribution?
To: Alicia da Conceicao <alicia@cyberstation.ca>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: port-i386
Date: 01/29/2000 12:03:29
> Why is the sendmail included with NetBSD or built with pkgsrc,
> compiled with IDENT?

This is hardly a port-i386 question....

> Very few sites run IDENT daemons anymore,

Their neck.  I wouldn't be without it, except possibly on machines
completely without multiple users.

> may also be behind firewalls that block the IDENT port.

Their neck.  If they can't even refuse ident connections, they can live
with a connection timeout when they send mail.

> And IDENT is so easy to fake, that it cannot be trusted.

You seem to be under a mistaken impression here.  If you connect to
someone else's port 113 and get a response back, it's not you that has
to trust it; it's the admin of the site that sent it.

For example: suppose someone on one of my machines starts using telnet
to your SMTP port to forge mail.  You send me a complaint.  My first
question is going to be "what's the ident info for the connections?".
If you can't provide it, my response is going to be little more than
"come back once you can provide it".  *You* can't trust my ident info -
or more precisely, you can't know whether to trust it - but *I* can.
It's a good example of a cookie, in fact: all you can reasonably do
with it is fetch it and store it to hand back to me.

Yes, you could lie to me about what it is, if you are trying to frame
one of my users.  But this means you have to be able to conjure up what
look like valid ident responses from my daemon.  Unfortunately (largely
for historical reasons) most ident daemons make this comparatively
easy, by returning unadorned usernames.  There are a few out there that
return encrypted and signed tokens including a timestamp, which is a
much saner thing to do in today's (hostile) Internet.

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
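The last paragraph above contrasts ident daemons that hand back bare usernames with the few that return signed, timestamped tokens that only the issuing site can check. The following is an added example written for this thread (it is not NetBSD's identd, nor anything der Mouse posted): a minimal RFC 1413 responder that answers queries with an HMAC-signed token instead of a username, plus the verifier the originating admin would run when a complaint arrives with the token attached. It assumes a site secret (`SITE_KEY`), a constructed table of local connection owners standing in for the kernel socket table, and a signed-only token (the message mentions encryption as well; that part is left out here so the block runs with the standard library alone).

```python
"""Constructed RFC 1413 (ident) responder that returns signed tokens rather than
bare usernames. Only the holder of SITE_KEY can verify (or forge) a token, so a
remote site can store it and hand it back, but cannot usefully alter it."""
import base64
import hashlib
import hmac
import time

# Constructed site secret; a real daemon would read this from a root-only file.
SITE_KEY = b"constructed-demo-key-change-me"

# Constructed stand-in for the kernel's socket table:
# (local port, remote port) -> local user owning that TCP connection.
CONNECTION_OWNERS = {
    (45123, 25): "alice",
    (45124, 25): "bob",
}

# How long a token remains verifiable (assumption: a week is plenty for abuse reports).
TOKEN_MAX_AGE = 7 * 24 * 3600


def make_token(user, local_port, remote_port, key=SITE_KEY, now=None):
    """Bind (user, issue time, port pair) together under an HMAC-SHA256 tag."""
    if "|" in user:
        raise ValueError("username must not contain the field separator")
    ts = int(time.time()) if now is None else int(now)
    payload = f"{user}|{ts}|{local_port}|{remote_port}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    # urlsafe base64 keeps the token free of spaces and colons, which RFC 1413 uses as delimiters.
    return base64.urlsafe_b64encode(payload + b"|" + tag).decode().rstrip("=")


def verify_token(token, key=SITE_KEY, now=None, max_age=TOKEN_MAX_AGE):
    """Return the signed fields if the token is genuine and fresh, otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        payload, tag = raw.rsplit(b"|", 1)          # hex tag never contains '|'
        user, ts, lport, rport = payload.decode().split("|")
        ts, lport, rport = int(ts), int(lport), int(rport)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None                                  # wrong key or tampered fields
    current = int(time.time()) if now is None else int(now)
    if current - ts > max_age or ts > current + 60:
        return None                                  # stale, or issued "in the future"
    return {"user": user, "issued": ts, "local_port": lport, "remote_port": rport}


def ident_reply(query_line, now=None):
    """Answer one RFC 1413 query line of the form "<port-on-server>, <port-on-client>"."""
    try:
        lport_s, rport_s = query_line.strip().split(",")
        lport, rport = int(lport_s), int(rport_s)
    except ValueError:
        return "0, 0 : ERROR : INVALID-PORT\r\n"
    if not (0 < lport < 65536 and 0 < rport < 65536):
        return f"{lport}, {rport} : ERROR : INVALID-PORT\r\n"
    user = CONNECTION_OWNERS.get((lport, rport))
    if user is None:
        return f"{lport}, {rport} : ERROR : NO-USER\r\n"
    token = make_token(user, lport, rport, now=now)
    # Opsys "OTHER" signals that the id field is an opaque token, not a login name.
    return f"{lport}, {rport} : USERID : OTHER : {token}\r\n"


def complaint_lookup(reply_line, now=None):
    """What the issuing admin does with the ident string a remote site hands back."""
    token = reply_line.strip().split(" : ")[-1]
    return verify_token(token, now=now)


if __name__ == "__main__":
    reply = ident_reply("45123, 25", now=1_000_000)
    print(reply.strip())
    print(complaint_lookup(reply, now=1_000_000 + 3600))
```

A remote MTA records the whole reply line in its logs; when it later complains, `complaint_lookup` tells the admin which local user held that connection, or returns `None` if the string was made up, altered, minted with a different key, or is too old to act on. The token carries the port pair so it cannot be replayed against a different connection.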