From owner-freebsd-hackers Sun Jul 11 13:55: 3 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2])
    by hub.freebsd.org (Postfix) with ESMTP id 8059A14CFB
    for ; Sun, 11 Jul 1999 13:55:00 -0700 (PDT)
    (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost)
    by apollo.backplane.com (8.9.3/8.9.1) id NAA64487;
    Sun, 11 Jul 1999 13:54:23 -0700 (PDT)
    (envelope-from dillon)
Date: Sun, 11 Jul 1999 13:54:23 -0700 (PDT)
From: Matthew Dillon
Message-Id: <199907112054.NAA64487@apollo.backplane.com>
To: Mark Murray
Cc: Doug , hackers@FreeBSD.ORG
Subject: Re: a BSD identd
References: <199907112034.WAA17651@gratis.grondar.za>
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

:> 2. Most shell services do a good job of keeping ident reliable. They need
:> to do that because most IRC networks heavily penalize clients that don't
:> return any ident.
:
:This is changing. In the face of ${BIGNUM} Windoze boxes giving ident
:answers like "HAX0r", there is little point, except for the administrator
:of the box _giving_ the ident. If that was me, it would be _low_ on my
:list.

    ident is extremely useful when taken in the proper context. It doesn't
    really matter what a user-owned box returns. An IRC administrator only
    cares about two things:

    * If the irc client is connecting from an (ISP's) multi-user shell
      machine, that the ident contain sufficient information to identify
      the user.

    * If the irc client is connecting from a single-user machine, such as
      a windoz box, the IRC administrator has the IP address and times
      involved, which is again sufficient for the user's ISP to identify
      the user.

    When a user is abusing an IRC server, the IRC administrator has two
    choices:

    * If it is coming from an ISP who takes abuse seriously, the IRC
      administrator need only identify the user sufficiently (IP and time,
      or ident info if coming from a shared shell box) such that the ISP
      can kick the user off the service.

    * If it is coming from an ISP who does not take abuse seriously, the
      IRC administrator locks out the entire ISP.

    At BEST, ident was turned on on all machines and it returned the user's
    real user name. It did that because it made it a whole lot easier for
    us to handle abuse issues, it cut abuse significantly, and it cut
    abuse-related email from remote IRC admins significantly because they
    could lock out specific users based on the ident info without having
    to contact us.

    I don't work at BEST any more, but I would love to see kernel support
    for ident lookups. To make identd work reasonably well, I had to hack
    the server to time out after a few seconds' worth of cpu-bound
    searching through KVM, because it would sometimes get into scanning
    loops.

                                        -Matt