Date:      Sun, 11 Jul 1999 13:56:56 -0700
From:      Doug <Doug@gorean.org>
To:        Mark Murray <mark@grondar.za>
Cc:        hackers@FreeBSD.ORG
Subject:   Re: a BSD identd
Message-ID:  <37890518.AA3D70F0@gorean.org>
References:  <199907112034.WAA17651@gratis.grondar.za>

Mark Murray wrote:
> 
> > 1. ident is useful as far as it goes. It shouldn't be trusted as
> > authentication, but it can give you a good idea of where to start when
> > tracking down problem users.
> 
> First thing you say to yourself after a compromise is "trust nothing".
> Things like idents can/will/should/are targets.

	Sure, but I don't think that compromised boxes are the norm, unless I'm
missing something here. 

> > 2. Most shell services do a good job of keeping ident reliable. They need
> > to do that because most IRC networks heavily penalize clients that don't
> > return any ident.
> 
> This is changing. In the face of ${BIGNUM} Windoze boxes giving ident
> answers like "HAX0r", there is little point, except for the administrator
> of the box _giving_ the ident. If that was me, it would be _low_ on my
> list.

	I'm talking shell services, not ISP's. All of the large IRC networks have
either implemented a global ban system (like dalnet and undernet) or have a
"kline information sharing system" (like efnet and ircnet) that allows them
to effectively prevent access from the shell system to IRC. Since most
shells are sold for IRC, the administrators of these systems are doing
everything they can to cooperate with the IRC networks in tracking problem
users, and ident is one of the tools to help do this. I agree that windows
users being able to supply their own ident makes it less valuable in the
general case, but not completely valueless.
 
> > 3. Having a built in version of a "real" ident run out of inetd would be
> > *very* welcome by the people that need it. pidentd is a bloated, buggy pig.
> 
> Small set of people. Much larger set of dupes who would believe/trust
> this.

	How much code is in the system now that benefits "a small set of people?"
That said, I am definitely an anti-bloatist and would almost prefer that
this identd be a port. But from what Brian is saying it sounds like this
would be a very small addition, and for those few people that need it this
would be a huge benefit. I believe the cost:benefit analysis comes out in
favor of including it, but perhaps my perspective is biased. 
 
> > 4. I agree with Sheldon that returning "real" responses by default would be
> > a bad thing. The current ability to send fake responses is a good thing,
> > but having the option to do real ident would also be good.
> 
> As long as the documentation is _clear_ that this is not a front-line
> security tool, but rather a thing to marginally augment logs with
> user-supplied info, then I'll buy it.

	Yes, I agree wholeheartedly with this point.

Doug
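An added example, not code from this thread, from FreeBSD's identd or from pidentd: a minimal model of the RFC 1413 exchange the thread is arguing about. It shows an inetd-style responder in the "real" mode (answering from a connection table) and the "fake" mode (a fixed, administrator-chosen string like the "HAX0r" answers Mark mentions), plus the client-side parsing an IRC server or log annotator would do. The point it makes concrete is the one both sides agree on: the two kinds of answer are indistinguishable on the wire, so the user field is only fit to augment logs as untrusted input. The connection table, port numbers, user names and IP address are constructed for the example.

```python
"""Minimal RFC 1413 (ident) exchange: an inetd-style responder in "real" and
"fake" modes, and the client-side parsing a querying host would do.
All connections, ports and names below are constructed for this example."""
import re
from typing import Callable, Optional, Tuple

# Constructed stand-in for the kernel's TCP connection table:
# (local_port, remote_port) -> owning local user.  Assumed data, not real output.
# A request of "51234, 6667" from an IRC server asks who owns our local port 51234
# on the connection to its port 6667.
CONNECTION_OWNERS = {
    (51234, 6667): "doug",   # an outbound IRC client connection
    (22, 40000): "root",     # an inbound ssh connection
}

_REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")
_RESPONSE_RE = re.compile(
    r"^(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*([^:\r\n]+?)(?:\s*:\s*(.*?))?\s*$"
)


def parse_request(line: str) -> Optional[Tuple[int, int]]:
    """Parse '<server-port>, <client-port>' sent by the querying host.
    A daemon run from inetd reads this as raw untrusted input, so reject anything
    that is not two in-range port numbers instead of trying to be lenient."""
    m = _REQUEST_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    server_port, client_port = int(m.group(1)), int(m.group(2))
    if not (1 <= server_port <= 65535 and 1 <= client_port <= 65535):
        return None
    return server_port, client_port


def real_ident(line: str) -> str:
    """'Real' responder: looks the port pair up in the connection table."""
    ports = parse_request(line)
    if ports is None:
        return "0, 0 : ERROR : INVALID-PORT\r\n"
    owner = CONNECTION_OWNERS.get(ports)
    if owner is None:
        return f"{ports[0]}, {ports[1]} : ERROR : NO-USER\r\n"
    return f"{ports[0]}, {ports[1]} : USERID : UNIX : {owner}\r\n"


def fake_ident(line: str, reply: str = "HAX0r") -> str:
    """'Fake' responder: same wire format, but the user field is whatever the
    box's administrator chose.  The querying side cannot tell it from real_ident."""
    ports = parse_request(line)
    if ports is None:
        return "0, 0 : ERROR : INVALID-PORT\r\n"
    return f"{ports[0]}, {ports[1]} : USERID : UNIX : {reply}\r\n"


def parse_response(line: str) -> Optional[Tuple[int, int, str, str, Optional[str]]]:
    """Client side: (server_port, client_port, status, opsys_or_error_type, user)."""
    m = _RESPONSE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3), m.group(4), m.group(5)


def query_ident(responder: Callable[[str], str], server_port: int, client_port: int) -> Optional[str]:
    """One request/response exchange against a responder.  Returns the user id,
    or None on ERROR, a malformed reply, or a reply echoing the wrong port pair."""
    parsed = parse_response(responder(f"{server_port}, {client_port}\r\n"))
    if parsed is None or parsed[2] != "USERID":
        return None
    if (parsed[0], parsed[1]) != (server_port, client_port):
        return None
    return parsed[4]


def sanitize_userid(user: str, limit: int = 512) -> str:
    """Before a remote-supplied user id goes into a log, strip control characters
    (so it cannot forge log lines) and cap its length (RFC 1413 allows up to 512 octets)."""
    cleaned = "".join(ch for ch in user if ch.isprintable())
    return cleaned[:limit]


def annotate_log(remote_ip: str, remote_port: int, local_port: int, user: Optional[str]) -> str:
    """The log-augmentation use both posters accept: the ident answer rides along
    as an untrusted hint next to the facts (addresses and ports) we observed ourselves."""
    tag = sanitize_userid(user) if user else "-"
    return f"{remote_ip}:{remote_port} -> local:{local_port} ident={tag}"
```

`query_ident(real_ident, 51234, 6667)` and `query_ident(fake_ident, 51234, 6667)` both return a well-formed USERID answer; only the value differs, and nothing in the protocol lets the asker tell which responder it talked to. That is why the result belongs in `annotate_log`, sanitized, and not in an access decision.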

