[illumos-Developer] Integrating identd
Dan McDonald
danmcd at nexenta.com
Mon Apr 4 10:21:59 PDT 2011
On Mon, Apr 04, 2011 at 05:25:22PM +0100, Andrew Gabriel wrote:
<SNIP!>
> >but perhaps something else that calls this interface would find it
> >useful. Other bits of the system have similar zone-aware
> >interfaces (SO_ALLZONES being a similar example).
>
> Well, you're adding an API for which there are no consumers or use
> cases and there are some extra security concerns. This part sounds
> rather questionable.
Agreed.
> I have no objections to adding identd, together with the syscall API
> it actually needs to operate. (I don't subscribe to the view that just
> because telnetd, rshd, identd, etc may not be the most secure things
> in the world, no binaries for them should exist in a general purpose
> OS.)
Okay, I'm mildly convinced. identd MUST be disabled by default, and
documented with a well-written SECURITY CONSIDERATIONS section. See
ipseckey(1M) for a perhaps overzealous example.
Dan