[illumos-Developer] Integrating identd
River Tarnell
r.tarnell at IEEE.ORG
Sun Apr 3 17:43:17 PDT 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dan McDonald:
> On Sun, Apr 03, 2011 at 02:26:08PM -0700, Garrett D'Amore wrote:
> > Historically, identd has been one of those protocols that various
> > security folks have discouraged the use of, since you can't really rely
> > on it to do anything meaningful, and improperly configured systems can
> > wind up having identd give away information that it should not.
> I discarded a flame-o-gram to the original note, because it's ident I have
> the problem with, not the original poster.
> I strongly object to ident appearing in base Illumos. For the reasons cited
> above.
I disagree. identd is not a cryptographically secure protocol; this is
well-known, any anyone relying on it for that is doing something wrong.
However, it *is* useful for tracking abuse from local users on a
multi-user Unix system. For example, many IRC, NNTP and SMTP servers
log the ident reply of the connecting user; this information can be used
to identify the user making the connection in case of abuse. The only
other solution is using BSM auditing, but this is less reliable, because
it requires the remote system to log the source port (which is unusual)
and an accurate timestamp to match against the audit logs.
No, it's not 100% secure, but short of either compromising the system to
obtain root access, or having MitM access to the Internet connection, it
*is* sufficient to identify the user who originated the connection.
Of course you can disagree, and you're free to not use identd, but for
those people who find it useful, I see no reason not to include it in
the base system. Many other vendors (including HP-UX and most Linux
distributions) already do so, and the various threads on the OpenSolaris
forums/mailing lists asking for a working identd suggest that this is
something people want. (pidentd doesn't work on current oi_148; I've
rewritten the kmem code to make it work again.)
- river.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (SunOS)
iEYEARECAAYFAk2ZFCUACgkQIXd7fCuc5vJ3KQCghe4AZNMzQGs0nP1BN19XYosH
gmcAnj6kFNAFYZ4kaMmbbcoDXtQYGoU3
=vqHE
-----END PGP SIGNATURE-----
More information about the Developer
mailing list