Date:      Sun, 11 Jul 1999 12:47:30 -0700
From:      Doug <Doug@gorean.org>
To:        John Polstra <jdp@polstra.com>
Cc:        imp@village.org, hackers@freebsd.org
Subject:   Re: a BSD identd
Message-ID:  <3788F4D2.17CBD8C7@gorean.org>
References:  <57350.931626797@axl.noc.iafrica.com> <199907111658.JAA32031@vashon.polstra.com>

John Polstra wrote:
> 
> In article <199907102150.PAA33167@harmony.village.org>,
> Warner Losh  <imp@village.org> wrote:
> >
> > Some ftpd and sendmail servers make the queries.  When I have my fake
> > identd in place, they go much faster... :-)
> 
> Are you sure?  If you simply don't run an identd, the queries will get
> an instant connection refused error.  That's even faster than sending
> back a bogus response.

	Many daemons that request ident, and almost all IRC daemons that I'm aware
of, don't take "NO" for an answer. They sit waiting for a valid response,
and time out after X seconds, where X is c. 30 seconds. Whether this
behavior is good or not begs the question; that is how it works. 

	I'd also like to throw in some thoughts on ident in general, since I have
several years of experience both in IRC administration and having been
through this debate several times. :) 

1. ident is useful as far as it goes. It shouldn't be trusted as
authentication, but it can give you a good idea of where to start when
tracking down problem users. 

2. Most shell services do a good job of keeping ident reliable. They need
to do that because most IRC networks heavily penalize clients that don't
return any ident. 

3. Having a built-in version of a "real" ident run out of inetd would be
*very* welcomed by the people that need it. pidentd is a bloated, buggy pig.

4. I agree with Sheldon that returning "real" responses by default would be
a bad thing. The current ability to send fake responses is a good thing,
but having the option to do real ident would also be good. 

	Finally, Brian might want to search the bugtraq archives before he commits
anything. There have been quite a few identd-related discussions, and it
would be points in our favor if we didn't come out with anything that had
known exploits. 

HTH,

Doug
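
Added example, not part of the original message and not FreeBSD's code: a sketch of the kind of inetd-run "fake" responder the thread discusses, which validates an RFC 1413 query line strictly and always answers with a fixed name. The function names, the 64-byte line limit, the name "user" and the "0 , 0" reply to malformed input are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse one decimal port in 1..65535 and skip the blanks around it. */
static int parse_port(const char **p, long *port)
{
    char *end;
    while (**p == ' ' || **p == '\t') (*p)++;
    if (!isdigit((unsigned char)**p)) return -1;  /* no sign, no empty field */
    *port = strtol(*p, &end, 10);                 /* overflow yields LONG_MAX */
    if (*port < 1 || *port > 65535) return -1;
    while (*end == ' ' || *end == '\t') end++;
    *p = end;
    return 0;
}

/* Build the reply to one query line; returns 0 if well formed, else -1.
   fake_user is the fixed name from local configuration (assumed to hold
   no CR, LF or NUL). */
int ident_reply(const char *req, const char *fake_user, char *out, size_t outlen)
{
    long sport, cport;
    const char *p = req;

    if (strlen(req) <= 64                 /* bound the line before parsing */
        && parse_port(&p, &sport) == 0 && *p++ == ','
        && parse_port(&p, &cport) == 0
        && (*p == '\0' || strcmp(p, "\r\n") == 0 || strcmp(p, "\n") == 0)) {
        snprintf(out, outlen, "%ld , %ld : USERID : UNIX : %s\r\n",
                 sport, cport, fake_user);
        return 0;
    }
    snprintf(out, outlen, "0 , 0 : ERROR : INVALID-PORT\r\n");
    return -1;
}

/* Under inetd, stdin and stdout are the connected socket. */
int main(void)
{
    char line[128], reply[128];
    if (fgets(line, sizeof line, stdin) == NULL) return 1;
    ident_reply(line, "user", reply, sizeof reply);  /* "user": constructed name */
    fputs(reply, stdout);
    return 0;
}
```

Because every query gets an immediate, syntactically valid reply, a daemon that waits for an answer does not sit out its timeout, and the reply discloses no real account name.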

