From owner-freebsd-hackers Sun Jul 11 13:35: 8 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.65])
    by hub.freebsd.org (Postfix) with ESMTP id 4125114CFB
    for ; Sun, 11 Jul 1999 13:35:00 -0700 (PDT)
    (envelope-from mark@grondar.za)
Received: from grondar.za (localhost [127.0.0.1])
    by gratis.grondar.za (8.9.3/8.9.3) with ESMTP id WAA17651;
    Sun, 11 Jul 1999 22:34:10 +0200 (SAST)
    (envelope-from mark@grondar.za)
Message-Id: <199907112034.WAA17651@gratis.grondar.za>
To: Doug
Cc: hackers@FreeBSD.ORG
Subject: Re: a BSD identd
Date: Sun, 11 Jul 1999 22:34:09 +0200
From: Mark Murray
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> 1. ident is useful as far as it goes. It shouldn't be trusted as
> authentication, but it can give you a good idea of where to start when
> tracking down problem users.

First thing you say to yourself after a compromise is "trust nothing".
Things like idents can/will/should/are targets.

> 2. Most shell services do a good job of keeping ident reliable. They need
> to do that because most IRC networks heavily penalize clients that don't
> return any ident.

This is changing. In the face of ${BIGNUM} Windoze boxes giving ident
answers like "HAX0r", there is little point, except for the administrator
of the box _giving_ the ident. If that was me, it would be _low_ on my list.

> 3. Having a built in version of a "real" ident run out of inetd would be
> *very* welcome by the people that need it. pidentd is a bloated, buggy pig.

Small set of people. Much larger set of dupes who would believe/trust this.

> 4. I agree with Sheldon that returning "real" responses by default would be
> a bad thing. The current ability to send fake responses is a good thing,
> but having the option to do real ident would also be good.

As long as the documentation is _clear_ that this is not a front-line
security tool, but rather a thing to marginally augment logs with
user-supplied info, then I'll buy it.

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message