Date:      Fri, 13 Oct 1995 16:02:32 +0100 (MET)
From:      torstenb@ramsey.saar.de (Torsten Blum)
To:        peter@jhome.dialix.com (Peter Wemm)
Cc:        pst@shockwave.com, phk@critter.tfs.com, asami@freefall.freebsd.org, CVS-commiters@freefall.freebsd.org, cvs-ports@freefall.freebsd.org
Subject:   Re: cvs commit: ports/security/libident - Imported sources
Message-ID:  <m0t3ld3-000Ok9C@ramsey.saar.de>
In-Reply-To: <Pine.BSF.3.91.951013080920.539B-100000@jhome.DIALix.COM> from "Peter Wemm" at Oct 13, 95 08:26:49 am

(I'm back ;)

Peter Wemm wrote:

> On Thu, 12 Oct 1995, Paul Traina wrote:
> >   From: Poul-Henning Kamp <phk@critter.tfs.com>
> >   Subject: Re: cvs commit: ports/security/libident - Imported sources 
> >   > IDENT is ***NOT*** a security protocol.  Please remove it from security,
> >   > it is an ACCOUNTING protocol at best, and utter horse-shit at worst.
> >   > 
> >   
> >   But even a shitty authentication tool is a security tool...
> > 
> > excuse me, let me whisper :-) :-) :-)
> > 
> > it's not an authentication tool, I said accounting.
> > it is not intended for authentication or security.
> > it should not be in this section of the repository
> > it should not even be in the repository (imho) because
> > people make mistakes like this.
> 
> While I can appreciate that there are strong sentiments in this area,
> ident *can* be used very successfully as an authentication and/or security
> tool.  We are quite well aware of its design limitations, but it's
> better than nothing for us!  We use it on clusters of machines spread
> around the country that are maintained and operated by a single group of
> people.  There's no politics, so there's no forging or framing etc etc. 
> We trust our own machines, and therefore have no problem with using ident
> between them.

identd has its limitations (RFC 1413, section 6 "Security Considerations")
but it can be useful if you know what you are doing.
with an identd query in sendmail one can prevent forged mails
from joe average user (I know it's still possible - but it's better than
nothing) for example.

> I would have preferred libident and pidentd to go into the same 
> repository area though.  If it would keep the peace, I'd suggest moving 
> libident into "net" (since we don't have "accounting").  I don't think 
> anybody could argue that it wasn't networking related.. :-)

there are too many ports in ports/net - one reason we moved pidentd to
security.
libident and pidentd belong to ports/security - maybe we should add a
big warning about its limitations...

 -tb


