Date: Sun, 11 Jul 1999 22:34:09 +0200
From: Mark Murray <mark@grondar.za>
To: Doug <Doug@gorean.org>
Cc: hackers@FreeBSD.ORG
Subject: Re: a BSD identd
Message-ID: <199907112034.WAA17651@gratis.grondar.za>

> 1. ident is useful as far as it goes. It shouldn't be trusted as
> authentication, but it can give you a good idea of where to start when
> tracking down problem users.

First thing you say to yourself after a compromise is "trust nothing".
Things like idents can/will/should/are targets.

> 2. Most shell services do a good job of keeping ident reliable. They need
> to do that because most IRC networks heavily penalize clients that don't
> return any ident.

This is changing. In the face of ${BIGNUM} Windoze boxes giving ident
answers like "HAX0r", there is little point, except for the administrator
of the box _giving_ the ident. If that was me, it would be _low_ on my
list.

> 3. Having a built in version of a "real" ident run out of inetd would be
> *very* welcome by the people that need it. pidentd is a bloated, buggy pig.

Small set of people. Much larger set of dupes who would believe/trust
this.

> 4. I agree with Sheldon that returning "real" responses by default would be
> a bad thing. The current ability to send fake responses is a good thing,
> but having the option to do real ident would also be good.

As long as the documentation is _clear_ that this is not a front-line
security tool, but rather a thing to marginally augment logs with
user-supplied info, then I'll buy it.

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org