Date:      Sun, 11 Jul 1999 13:54:23 -0700 (PDT)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        Mark Murray <mark@grondar.za>
Cc:        Doug <Doug@gorean.org>, hackers@FreeBSD.ORG
Subject:   Re: a BSD identd 
Message-ID:  <199907112054.NAA64487@apollo.backplane.com>
References:   <199907112034.WAA17651@gratis.grondar.za>

:> 2. Most shell services do a good job of keeping ident reliable. They need
:> to do that because most IRC networks heavily penalize clients that don't
:> return any ident. 
:
:This is changing. In the face of ${BIGNUM} Windoze boxes giving ident
:answers like "HAX0r", there is little point, except for the administrator
:of the box _giving_ the ident. If that was me, it would be _low_ on my
:list.

    ident is extremely useful when taken in the proper context.  It doesn't
    really matter what a user-owned box returns.  An IRC administrator only
    cares about two things:

	* If the irc client is connecting from an (ISP's) multi-user shell 
	  machine, that the ident contain sufficient information to identify
	  the user.

	* If the irc client is connecting from a single-user machine, such as
	  a windoz box, the IRC administrator has the IP address and times
	  involved, which is again sufficient for the user's ISP to identify
	  the user.

    When a user is abusing an IRC server, the IRC administrator has two 
    choices:

	* If it is coming from an ISP who takes abuse seriously, the IRC 
	  administrator need only identify the user sufficiently (IP and time,
	  or ident info if coming from a shared shell box) such that the ISP
	  can kick the user off the service.

	* If it is coming from an ISP who does not take abuse seriously, the
	  IRC administrator locks out the entire ISP.

    At BEST ident was turned on on all machines and it returned the user's
    real user name.  It did that because it made it a whole lot easier for us
    to handle abuse issues, it cut abuse significantly, and it cut 
    abuse-related email from remote IRC admins significantly because they
    could lock out specific users based on the ident info without having to 
    contact us.

    I don't work at BEST any more, but I would love to see kernel support
    for ident lookups.  To make identd work reasonably well, I had to hack
    the server to time out after a few seconds' worth of CPU-bound searching
    through KVM, because it would sometimes get into scanning loops.

							-Matt
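
The CPU-time cap described in the last paragraph, as an added example that is not part of the original message and not identd's code: a table walk that gives up once a CPU budget is spent and answers with an RFC 1413 ERROR reply. The struct conn table, its index chaining, the sample entries and the function names are hypothetical stand-ins for the kernel structures read through KVM.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical connection table, chained by index via `next` (-1 = end). */
struct conn { int lport, rport; const char *user; int next; };
enum { ID_FOUND, ID_NO_USER, ID_TIMEOUT };

/* Walk the chain for (lport, rport); give up once budget_ms of process CPU
 * time is spent (sampled every 4096 steps). A chain that loops ends here. */
static int lookup(const struct conn *tab, int lport, int rport,
                  long budget_ms, const char **user)
{
    clock_t start = clock();
    unsigned long steps = 0;
    for (int i = 0; i >= 0; i = tab[i].next) {
        if (tab[i].lport == lport && tab[i].rport == rport) {
            *user = tab[i].user;
            return ID_FOUND;
        }
        if ((++steps & 4095) == 0 &&
            (clock() - start) * 1000L / CLOCKS_PER_SEC >= budget_ms)
            return ID_TIMEOUT;
    }
    return ID_NO_USER;
}

/* Format the RFC 1413 reply line for one query; returns the lookup status. */
int ident_reply(const struct conn *tab, int lport, int rport,
                long budget_ms, char *out, size_t n)
{
    const char *user = NULL;
    int st = lookup(tab, lport, rport, budget_ms, &user);
    if (st == ID_FOUND)
        snprintf(out, n, "%d , %d : USERID : UNIX : %s\r\n", lport, rport, user);
    else
        snprintf(out, n, "%d , %d : ERROR : %s\r\n", lport, rport,
                 st == ID_NO_USER ? "NO-USER" : "UNKNOWN-ERROR");
    return st;
}

/* Constructed sample tables: one well formed, one whose chain cycles. */
const struct conn GOOD[]   = { {1025, 6667, "alice", 1}, {1026, 6667, "bob", -1} };
const struct conn LOOPED[] = { {1025, 6667, "alice", 1}, {1026, 6667, "bob", 0} };
int main(void) {
    char buf[128];
    ident_reply(LOOPED, 4000, 6667, 100, buf, sizeof buf);
    return strstr(buf, "UNKNOWN-ERROR") == NULL;
}
```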


