Subject: Re: CVS commit: src (identd -L)
To: Erik E. Fair <fair@clock.org>
From: Jim Wise <jwise@draga.com>
List: tech-userlevel
Date: 05/19/1999 11:45:24

On Wed, 19 May 1999, Erik E. Fair wrote:

>Speaking as a security-guy, I don't think we should enable identd by
>default. It's a nearly completely useless PoS. The original protocol author
>disavowed this work years ago as a mistaken gedankenexperiment, and the
>current ... "promoter" seemingly has never heard of IBM PC's or Macintoshes
>wherein the system administrator and the user are one in the same and thus
>the information provided is not even vaguely trustworthy.

Agreed on all points.

Note that we don't enable it by default -- as a sysadmin and sometime
security guy, I too would be pretty disgusted if we did.  For whatever
reason, we _do_ ship it though -- I'm departing from that point and have
only added a flag to allow an admin who _does_ want to run it for
whatever reason to specify a static host-wide response.

From the man page:

       The -L<user name> option instructs identd to lie  brazenly
       about  the  identity  of the user in question.  You didn't
       really intend to trust my assertion about who I  was  any-
       way, right?
       This  flag  provides  a way for a site to support services
       requiring the ident protocol while  providing  a  standard
       answer  to  all ident queries.  All queries to identd will
       respond with a host type of  `OTHER'  and  a  username  of
       <user name>.

Yes, the ident protocol is broken by design.  Unfortunately, its
incorporation in sendmail, irc servers and elsewhere means there is a
lot of demand for it.  Sigh...

-- 
				Jim Wise
				jwise@draga.com


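Added example, not part of the original message and not identd's source: a sketch of the static-answer behaviour the man page excerpt describes, using the RFC 1413 query and reply line format. The function name `ident_static_reply`, the exact spacing of the reply, and the sample query are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: build the RFC 1413 reply to one query line, always
 * naming `fixed_user` no matter who owns the connection (the -L behaviour).
 * Returns bytes written, or -1 on a bad fixed_user or too-small buffer. */
int ident_static_reply(const char *query, const char *fixed_user,
                       char *out, size_t outlen)
{
    char a[6] = "0", b[6] = "0", extra;
    unsigned long lport = 0, fport = 0;
    int fields, n;

    /* The configured name is copied into the reply verbatim, so refuse
     * anything that could end the line early. */
    if (fixed_user[0] == '\0' || strpbrk(fixed_user, "\r\n") != NULL)
        return -1;

    /* Query: "<port-on-server> , <port-on-client>". A third successful
     * conversion means trailing junk followed the port pair. */
    fields = sscanf(query, " %5[0-9] , %5[0-9] %c", a, b, &extra);
    if (fields == 2) {
        lport = strtoul(a, NULL, 10);
        fport = strtoul(b, NULL, 10);
    }

    if (lport < 1 || lport > 65535 || fport < 1 || fport > 65535)
        n = snprintf(out, outlen, "%lu , %lu : ERROR : INVALID-PORT\r\n",
                     lport, fport);
    else
        n = snprintf(out, outlen, "%lu , %lu : USERID : OTHER : %s\r\n",
                     lport, fport, fixed_user);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    char reply[128];
    /* Constructed query: local port 6191, remote port 25. */
    if (ident_static_reply("6191 , 25\r\n", "nobody", reply, sizeof reply) > 0)
        fputs(reply, stdout);
    return 0;
}
```

The reply carries no information about the connection beyond the echoed port pair, so a service that logs or acts on the returned name is recording a site-chosen constant.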