[illumos-Developer] Integrating identd

Garrett D'Amore garrett at damore.org
Sun Apr 3 18:23:38 PDT 2011


There's another option of course, which is that identd could reasonably
be provided by a *distribution* outside of the core illumos-gate.  In
fact, I generally prefer that.  We don't put a web server or an NNTP
server here, and the presence of servers for SMTP, finger, etc. is
largely a historical accident that some day I'd like to rectify.

	- Garrett

On Mon, 2011-04-04 at 01:43 +0100, River Tarnell wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Dan McDonald:
> > On Sun, Apr 03, 2011 at 02:26:08PM -0700, Garrett D'Amore wrote:
> > > Historically, identd has been one of those protocols that various
> > > security folks have discouraged the use of, since you can't really rely
> > > on it to do anything meaningful, and improperly configured systems can
> > > wind up having identd give away information that it should not.
>  
> > I discarded a flame-o-gram to the original note, because it's ident I have
> > the problem with, not the original poster.
>  
> > I strongly object to ident appearing in base Illumos.  For the reasons cited
> > above.
> 
> I disagree.  identd is not a cryptographically secure protocol; this is 
> well-known, and anyone relying on it for that is doing something wrong.  
> 
> However, it *is* useful for tracking abuse from local users on a 
> multi-user Unix system.  For example, many IRC, NNTP and SMTP servers 
> log the ident reply of the connecting user; this information can be used 
> to identify the user making the connection in case of abuse.  The only 
> other solution is using BSM auditing, but this is less reliable, because 
> it requires the remote system to log the source port (which is unusual) 
> and an accurate timestamp to match against the audit logs.
> 
> No, it's not 100% secure, but short of either compromising the system to 
> obtain root access, or having MitM access to the Internet connection, it 
> *is* sufficient to identify the user who originated the connection.
> 
> Of course you can disagree, and you're free to not use identd, but for 
> those people who find it useful, I see no reason not to include it in 
> the base system.  Many other vendors (including HP-UX and most Linux 
> distributions) already do so, and the various threads on the OpenSolaris 
> forums/mailing lists asking for a working identd suggest that this is 
> something people want.  (pidentd doesn't work on current oi_148; I've 
> rewritten the kmem code to make it work again.)
> 
> 	- river.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (SunOS)
> 
> iEYEARECAAYFAk2ZFCUACgkQIXd7fCuc5vJ3KQCghe4AZNMzQGs0nP1BN19XYosH
> gmcAnj6kFNAFYZ4kaMmbbcoDXtQYGoU3
> =vqHE
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Developer mailing list
> Developer at lists.illumos.org
> http://lists.illumos.org/m/listinfo/developer
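River's point above, that IRC, NNTP and SMTP servers log the ident reply of a connecting user and that the protocol carries no cryptographic assurance, is visible in the wire exchange itself. The following is an added example, not code from illumos-gate, pidentd or anyone in this thread: it implements both halves of an RFC 1413 query/response in Python against a constructed connection table (the (port, port) to user mapping a real identd reads from the kernel), and on the querying side it checks the echoed port pair and scrubs the reply before it reaches a log line, because the reply is whatever the remote host chose to send. The `0 , 0` echo for an unparseable query, the 512-byte reply cap, the stripping of blanks around the user-id and the HIDDEN-USER opt-out set are this example's own choices, not requirements taken from the RFC.

```python
"""RFC 1413 (ident) exchange, both sides, with the querying side treating the
reply as untrusted text before logging it.  Added example, not code from
illumos-gate or pidentd; the connection table below is constructed."""

import re
from collections import namedtuple

# Constructed stand-in for the kernel TCP table that a real identd (pidentd
# via kmem, for instance) would consult:
# (port on the host running identd, port on the peer) -> local user.
CONNECTIONS = {
    (6193, 23): "stjohns",      # the port pair used in the RFC 1413 text
    (45000, 25): "river",       # outbound SMTP session from this host
    (45001, 6667): "opt_out",   # outbound IRC session, user hides ident
}
HIDDEN_USERS = {"opt_out"}      # users the server refuses to name (assumption)
MAX_REPLY = 512                 # this example's cap on a reply line (assumption)

# <port-on-server> , <port-on-client>; blanks around the numbers are optional
_PORT_PAIR = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")


def _valid_port(p):
    return 1 <= p <= 65535


def respond(query, table=CONNECTIONS, hidden=HIDDEN_USERS, opsys="UNIX"):
    """Server side: one query line in, one response line out (CRLF omitted).

    Reply forms:  <ports> : USERID : <opsys> : <user-id>
                  <ports> : ERROR : <error-type>
    """
    m = _PORT_PAIR.match(query.rstrip("\r\n"))
    if not m:
        # Which ports to echo for an unparseable query is this example's choice.
        return "0 , 0 : ERROR : INVALID-PORT"
    sport, cport = int(m.group(1)), int(m.group(2))
    prefix = "%d , %d : " % (sport, cport)
    if not (_valid_port(sport) and _valid_port(cport)):
        return prefix + "ERROR : INVALID-PORT"
    user = table.get((sport, cport))
    if user is None:
        return prefix + "ERROR : NO-USER"
    if user in hidden:
        return prefix + "ERROR : HIDDEN-USER"
    return prefix + "USERID : %s : %s" % (opsys, user)


Reply = namedtuple("Reply", "kind opsys charset user error")


def _sanitize(text):
    """Replace control and non-ASCII characters so a reply cannot inject
    newlines or escape sequences into the daemon's log."""
    return "".join(ch if 0x20 <= ord(ch) < 0x7F else "?" for ch in text)


def parse_reply(line, sport, cport):
    """Client side: parse the identd reply to our query for (sport, cport).

    A reply that does not echo our port pair, or that is malformed, comes
    back as kind="MALFORMED" instead of being trusted."""
    line = line.rstrip("\r\n")
    if len(line) > MAX_REPLY:
        return Reply("MALFORMED", None, None, None, "reply too long")
    # maxsplit=3 keeps any ':' inside the user-id intact
    parts = line.split(":", 3)
    if len(parts) < 3:
        return Reply("MALFORMED", None, None, None, "too few fields")
    m = _PORT_PAIR.match(parts[0])
    if not m or (int(m.group(1)), int(m.group(2))) != (sport, cport):
        return Reply("MALFORMED", None, None, None, "port pair mismatch")
    kind = parts[1].strip().upper()
    if kind == "ERROR":
        return Reply("ERROR", None, None, None, _sanitize(parts[2].strip()))
    if kind == "USERID" and len(parts) == 4:
        opsys_field = parts[2].split(",", 1)          # <opsys> [ , <charset> ]
        opsys = opsys_field[0].strip()
        charset = opsys_field[1].strip() if len(opsys_field) == 2 else None
        return Reply("USERID", opsys, charset, _sanitize(parts[3].strip()), None)
    return Reply("MALFORMED", None, None, None, "unknown response type")


def log_line(peer, sport, cport, reply_text):
    """What an SMTP or IRC daemon would record: the peer address plus the
    ident reply, kept as an unverified claim about the remote user."""
    r = parse_reply(reply_text, sport, cport)
    if r.kind == "USERID":
        ident = r.user
    elif r.kind == "ERROR":
        ident = "<%s>" % r.error
    else:
        ident = "<MALFORMED>"
    return "connect from %s:%d to port %d ident=%s" % (peer, sport, cport, ident)


def exchange(sport, cport):
    """Run both halves in-process: build the query, answer it, parse the answer."""
    query = "%d , %d\r\n" % (sport, cport)
    return parse_reply(respond(query), sport, cport)


if __name__ == "__main__":
    print(log_line("192.0.2.7", 45000, 25, respond("45000 , 25")))
    print(log_line("192.0.2.7", 45001, 6667, respond("45001 , 6667")))
```

The logged `ident=` field is only as good as the identd on the peer: a host that runs no identd, a hostile one that answers with any name it likes, or a peer that lets users opt out (the HIDDEN-USER case) all show up here, which is why the parser never lets the reply alter anything beyond that one log field.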
