From owner-freebsd-hackers Sun Jul 11 13:59:20 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from dt054n86.san.rr.com (dt054n86.san.rr.com [24.30.152.134]) by hub.freebsd.org (Postfix) with ESMTP id D277114CFB for ; Sun, 11 Jul 1999 13:59:17 -0700 (PDT) (envelope-from Doug@gorean.org)
Received: from gorean.org (master [10.0.0.2]) by dt054n86.san.rr.com (8.8.8/8.8.8) with ESMTP id NAA27200; Sun, 11 Jul 1999 13:56:57 -0700 (PDT) (envelope-from Doug@gorean.org)
Message-ID: <37890518.AA3D70F0@gorean.org>
Date: Sun, 11 Jul 1999 13:56:56 -0700
From: Doug
Organization: Triborough Bridge & Tunnel Authority
X-Mailer: Mozilla 4.6 [en] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Mark Murray
Cc: hackers@FreeBSD.ORG
Subject: Re: a BSD identd
References: <199907112034.WAA17651@gratis.grondar.za>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Mark Murray wrote:
>
> > 1. ident is useful as far as it goes. It shouldn't be trusted as
> > authentication, but it can give you a good idea of where to start when
> > tracking down problem users.
>
> First thing you say to yourself after a compromise is "trust nothing".
> Things like idents can/will/should/are targets.

Sure, but I don't think that compromised boxes are the norm, unless I'm missing something here.

> > 2. Most shell services do a good job of keeping ident reliable. They need
> > to do that because most IRC networks heavily penalize clients that don't
> > return any ident.
>
> This is changing. In the face of ${BIGNUM} Windoze boxes giving ident
> answers like "HAX0r", there is little point, except for the administrator
> of the box _giving_ the ident. If that was me, it would be _low_ on my
> list.

I'm talking shell services, not ISPs. All of the large IRC networks have either implemented a global ban system (like dalnet and undernet) or have a "kline information sharing system" (like efnet and ircnet) that allows them to effectively prevent access from the shell system to IRC. Since most shells are sold for IRC, the administrators of these systems are doing everything they can to cooperate with the IRC networks in tracking problem users, and ident is one of the tools to help do this. I agree that Windows users being able to supply their own ident makes it less valuable in the general case, but not completely without value.

> > 3. Having a built in version of a "real" ident run out of inetd would be
> > *very* welcome by the people that need it. pidentd is a bloated, buggy pig.
>
> Small set of people. Much larger set of dupes who would believe/trust
> this.

How much code is in the system now that benefits "a small set of people?" That said, I am definitely an anti-bloatist and would almost prefer that this identd be a port. But from what Brian is saying it sounds like this would be a very small addition, and for those few people that need it this would be a huge benefit. I believe the cost:benefit analysis comes out in favor of including it, but perhaps my perspective is biased.

> > 4. I agree with Sheldon that returning "real" responses by default would be
> > a bad thing. The current ability to send fake responses is a good thing,
> > but having the option to do real ident would also be good.
>
> As long as the documentation is _clear_ that this is not a front-line
> security tool, but rather a thing to marginally augment logs with
> user-supplied info, then I'll buy it.

Yes, I agree wholeheartedly with this point.

Doug

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
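The thread's closing point, that an ident reply is remote-supplied data fit only to "marginally augment logs", has a concrete consequence for the server that consumes it: the reply must be parsed strictly (RFC 1413 format, port pair echoed back) and the user string treated as untrusted before it touches a log line. The following parser is an added example written for this page, not code from FreeBSD, pidentd or any participant in the thread. The sample replies are constructed, the `MAX_USERID_LOG` cap and the "remote-supplied,unverified" tag are this example's own conventions, and the "X"-prefixed extension error codes are accepted because RFC 1413 reserves that prefix for implementation-defined errors.

```python
# Added example (not code from the thread): defensively parse RFC 1413 ident
# replies so the remote-supplied user string can be attached to a log line
# without being trusted, and without letting it corrupt the log.
import re

# Error codes defined by RFC 1413; implementations may add "X"-prefixed ones.
IDENT_ERRORS = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}
# The reply must echo the <server-port> , <client-port> pair we asked about.
_PORTS = re.compile(r"\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")
MAX_USERID_LOG = 64  # assumption: cap on the remote string stored in a log field


def sanitize_for_log(s, limit=MAX_USERID_LOG):
    """Replace control and non-ASCII characters with '?' and cap the length.

    The remote host can return anything here (the thread's "HAX0r"), including
    terminal escape sequences aimed at whoever later reads the log."""
    out = "".join(ch if 0x20 <= ord(ch) < 0x7F else "?" for ch in s)
    return out[:limit]


def parse_ident_response(line, server_port, client_port):
    """Parse one ident reply line.

    Returns {"kind": "userid", "opsys": ..., "userid": ...},
            {"kind": "error", "error": ...},
    or None when the line is malformed or does not echo our port pair."""
    line = line.rstrip("\r\n")
    fields = line.split(":", 3)          # user-id may itself contain ':'
    if len(fields) < 3:
        return None
    m = _PORTS.match(fields[0])
    if m is None or (int(m.group(1)), int(m.group(2))) != (server_port, client_port):
        return None
    kind = fields[1].strip().upper()
    if kind == "ERROR" and len(fields) == 3:
        err = fields[2].strip()
        if err in IDENT_ERRORS or err.startswith("X"):
            return {"kind": "error", "error": err}
        return None
    if kind == "USERID" and len(fields) == 4:
        opsys = fields[2].strip()
        userid = fields[3].strip()
        if not userid:
            return None
        return {"kind": "userid",
                "opsys": sanitize_for_log(opsys, 32),
                "userid": sanitize_for_log(userid)}
    return None


def ident_log_field(line, server_port, client_port):
    """Build the annotation a server appends to its connection log.

    Every successful lookup is tagged as remote-supplied and unverified so
    that nobody reading the log later mistakes it for authentication."""
    parsed = parse_ident_response(line, server_port, client_port)
    if parsed is None:
        return "ident=unparsable(remote-supplied)"
    if parsed["kind"] == "error":
        return "ident=-(%s)" % parsed["error"]
    return "ident=%s(remote-supplied,unverified)" % parsed["userid"]


if __name__ == "__main__":
    # Constructed sample replies for a query about ports 6191 (server) and
    # 23 (client); none of these were captured from a real host.
    for reply in ("6191, 23 : USERID : UNIX : doug",
                  "6191, 23 : ERROR : HIDDEN-USER",
                  "6191, 23 : USERID : OTHER : HAX0r\x1b[2J",
                  "22, 23 : USERID : UNIX : root"):   # wrong port pair: ignored
        print(repr(reply), "->", ident_log_field(reply, 6191, 23))
```

The third sample is the case the thread worries about: a client that answers whatever it likes. The parser keeps the printable part, replaces the escape byte, and the log field still says "unverified", so the value can help a shell admin start a search without ever being treated as proof of who was on the connection.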