Date:      Sun, 11 Jul 1999 17:22:48 -0400 (EDT)
From:      "Brian F. Feldman" <green@FreeBSD.org>
To:        Matthew Dillon <dillon@apollo.backplane.com>
Cc:        Mark Murray <mark@grondar.za>, Doug <Doug@gorean.org>, hackers@FreeBSD.org
Subject:   Re: a BSD identd 
Message-ID:  <Pine.BSF.4.10.9907111718550.27818-100000@janus.syracuse.net>
In-Reply-To: <199907112054.NAA64487@apollo.backplane.com>

On Sun, 11 Jul 1999, Matthew Dillon wrote:

> :> 2. Most shell services do a good job of keeping ident reliable. They need
> :> to do that because most IRC networks heavily penalize clients that don't
> :> return any ident. 
> :
> :This is changing. In the face of ${BIGNUM} Windoze boxes giving ident
> :answers like "HAX0r", there is little point, except for the administrator
> :of the box _giving_ the ident. If that was me, it would be _low_ on my
> :list.
> 
>     ident is extremely useful when taken in the proper context.  It doesn't
>     really matter what a user-owned box returns.  An IRC administrator only
>     cares about two things:
> 
> 	* If the irc client is connecting from an (ISP's) multi-user shell 
> 	  machine, that the ident contain sufficient information to identify
> 	  the user.
> 
> 	* If the irc client is connecting from a single-user machine, such as
> 	  a windoz box, the IRC administrator has the IP address and times
> 	  involved, which is again sufficient for the user's ISP to identify
> 	  the user.
> 
>     When a user is abusing an IRC server, the IRC administrator has two 
>     choices:
> 
> 	* If it is coming from an ISP who takes abuse seriously, the IRC 
> 	  administrator need only identify the user sufficiently (IP and time,
> 	  or ident info if coming from a shared shell box) such that the ISP
> 	  can kick the user off the service.
> 
> 	* If it is coming from an ISP who does not take abuse seriously, the
> 	  IRC administrator locks out the entire ISP.
> 
>     At BEST ident was turned on on all machines and it returned the user's
>     real user name.  It did that because it made it a whole lot easier for us
>     to handle abuse issues, it cut abuse significantly, and it cut 
>     abuse-related email from remote IRC admins significantly because they
>     could lockout specific users based on the ident info without having to 
>     contact us.
> 
>     I don't work at BEST any more, but I would love to see kernel support
>     for ident lookups.  To make identd work reasonably well, I had to hack
>     the server to timeout after a few seconds worth of cpu-bound searching
>     through KVM, because it would sometimes get into scanning loops.

Well, it's here now. I've committed it in 4.0, and would MFC it except it
would require the struct socket changes I made in -CURRENT. See my pidentd
freebsd.c replacement (using this) at http://www.FreeBSD.org/~green/freebsd4.c

> 
> 							-Matt
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message
> 

 Brian Fundakowski Feldman      _ __ ___ ____  ___ ___ ___  
 green@FreeBSD.org                   _ __ ___ | _ ) __|   \ 
     FreeBSD: The Power to Serve!        _ __ | _ \._ \ |) |
       http://www.FreeBSD.org/              _ |___/___/___/ 
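
An added illustration of the two cases Matthew Dillon describes above, not part of the original thread and not pidentd or FreeBSD code: parse an RFC 1413 ident reply and build the abuse record from the ident only when the peer is a known multi-user shell host, otherwise from IP and time. The function names, the `shell_hosts` set and the sample addresses and replies are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# RFC 1413 reply: "<port>, <port> : USERID : <opsys>[,<charset>] : <user-id>"
#             or: "<port>, <port> : ERROR : <error-type>"
_REPLY = re.compile(rb"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:(.*)$")

def parse_ident_reply(line, queried_ports):
    """Return ("USERID", opsys, user) or ("ERROR", reason, None)."""
    m = _REPLY.match(line.rstrip(b"\r\n"))
    if not m:
        return ("ERROR", "MALFORMED", None)
    # A reply that does not echo the port pair we asked about is not an answer.
    if (int(m.group(1)), int(m.group(2))) != tuple(queried_ports):
        return ("ERROR", "PORT-MISMATCH", None)
    kind, rest = m.group(3), m.group(4)
    if kind == b"ERROR":
        return ("ERROR", rest.strip().decode("ascii", "replace"), None)
    # Split once only: the user-id is the rest of the line and may contain ':'.
    opsys, sep, user = rest.partition(b":")
    bad = len(user) > 512 or any(c in user for c in (b"\x00", b"\r", b"\n"))
    if not sep or not user.strip() or bad:
        return ("ERROR", "MALFORMED", None)
    opsys = opsys.split(b",")[0].strip().decode("ascii", "replace")
    # Surrounding blanks are dropped for display (a choice of this example).
    return ("USERID", opsys, user.strip().decode("latin-1"))

def abuse_record(peer_ip, when, reply, shell_hosts):
    """Identify the user by ident only for known shell hosts, else by IP and time."""
    stamp = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # opsys OTHER means the id is not promised to be a login name.
    if reply[0] == "USERID" and reply[1] != "OTHER" and peer_ip in shell_hosts:
        return f"user {reply[2]} on {peer_ip} at {stamp}"
    return f"{peer_ip} at {stamp}"

if __name__ == "__main__":
    shell_hosts = {"192.0.2.10"}          # constructed: ISP shell machine
    when = datetime(1999, 7, 11, 21, 22, 48, tzinfo=timezone.utc)
    samples = [                           # constructed replies
        ("192.0.2.10", b"40000, 6667 : USERID : UNIX : jdoe\r\n"),
        ("198.51.100.7", b"40000, 6667 : USERID : UNIX : HAX0r\r\n"),
        ("198.51.100.7", b"40000, 6667 : ERROR : NO-USER\r\n"),
    ]
    for ip, raw in samples:
        reply = parse_ident_reply(raw, (40000, 6667))
        print(abuse_record(ip, when, reply, shell_hosts))
```
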


