
Re: master.debian.org using identd?

amos@dsi.co.il (Amos Shapira)  wrote on 04.04.97 in <199704041554.SAA00448@birnam.dsi.co.il>:

> I don't see the point in using identd, it has been explained many
> times in many forums that this protocol is totally unreliable, as
> anyone (especially today) can install a "daemon" which will fake any
> user name.

It has two uses which are, IMHO, completely unaffected by this "problem".

When a site has identd running, then

a. If some sort of abuse is related to only one user on a site, it is  
possible to just block that specific user, and

b. On complaining to that site's admin, one can tell him which of his  
users was responsible.

If someone fakes identd replies, then he must obviously have root access  
(or the equivalent for other OSes) on his machine.

In case a, this doesn't help him - he'd have to change userids after one  
stopped working, and that would probably provoke blocking the whole site,  
which would be appropriate anyway.

And in case b, it's the admin of the site running identd that's really  
interested in this data. If he's the bad boy, then obviously he didn't  
need the data in the first place.

> I therefore suggest that master.debian.org will cease to rely on this
> protocol.

That's a different problem - what is reasonable to do if there is no  
identd. I'd suggest blocking finger should not be dependent on identd -  
either allow it for everyone, or for nobody.

The only case where blocking for no identd seems reasonable to me is  
where, if there were an identd, you would block some, but not all users  
from a machine.

In general, I think identd is most useful to gather logging information.  
It's only ever reasonable for (weak) authentication where you want to  
allow access based on user in addition to domain. Disallowing access to  
domains without identd never seems to make any sense that I can detect.

(Now, this is very different from disallowing access where there is no  
reverse resolution (PTR record) from DNS.)

MfG Kai
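Added example (editor's code, not Kai's and not anything from master.debian.org): an RFC 1413 ident client that does what the post recommends, namely using the reply for logging rather than as an access-control decision. It builds the query a finger server would send after accepting a connection, parses the USERID / ERROR reply, checks that the echoed port pair matches the query, and scrubs the user-id before it goes into a log, since that field is arbitrary data chosen by whoever runs the remote identd. The sample reply lines, host names and ports are constructed; `query_ident` is the only part that touches the network.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional

IDENT_PORT = 113        # RFC 1413: ident listens on TCP port 113
MAX_RESPONSE = 1000     # RFC 1413 caps a response line at 1000 characters
MAX_USERID = 512        # and the user-id field at 512


@dataclass(frozen=True)
class IdentResult:
    status: str                       # "USERID" or "ERROR"
    user_id: Optional[str] = None     # sanitized user-id (USERID replies)
    os_type: Optional[str] = None     # opsys field, e.g. "UNIX" (USERID replies)
    error_code: Optional[str] = None  # NO-USER, HIDDEN-USER, ... (ERROR replies)


def build_query(port_on_server: int, port_on_client: int) -> bytes:
    """Query line "<port-on-server>, <port-on-client>" as the remote identd expects.

    Terminology is RFC 1413's: the "server" is the host running identd (the
    remote machine), so for a finger connection arriving from remote port R
    to our local port 79 the query is "R, 79".
    """
    for p in (port_on_server, port_on_client):
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    return f"{port_on_server}, {port_on_client}\r\n".encode("ascii")


# Anything outside printable ASCII is replaced before the value reaches a log
# file or terminal; the remote side picks this string, so treat it as hostile.
_NOT_PRINTABLE = re.compile(r"[^\x20-\x7e]")


def sanitize(field: str, limit: int = MAX_USERID) -> str:
    return _NOT_PRINTABLE.sub("?", field.strip()[:limit])


def parse_response(line: str, port_on_server: int, port_on_client: int) -> IdentResult:
    """Parse one ident reply line; raise ValueError on anything malformed."""
    line = line.rstrip("\r\n")
    if len(line) > MAX_RESPONSE:
        raise ValueError("response too long")
    parts = line.split(":", 2)          # "<ports> : <status> : <rest>"
    if len(parts) != 3:
        raise ValueError("malformed response")
    ports = parts[0].split(",")
    if len(ports) != 2:
        raise ValueError("malformed port pair")
    try:
        echoed = (int(ports[0]), int(ports[1]))
    except ValueError:
        raise ValueError("non-numeric port in response") from None
    if echoed != (port_on_server, port_on_client):
        # A reply for some other connection (or a confused/hostile daemon):
        # never attribute it to the connection we asked about.
        raise ValueError("echoed ports do not match the query")
    status = parts[1].strip().upper()
    if status == "ERROR":
        return IdentResult("ERROR", error_code=sanitize(parts[2], 64))
    if status == "USERID":
        os_type, sep, user = parts[2].partition(":")   # user-id may itself contain ':'
        if not sep:
            raise ValueError("USERID reply lacks user-id field")
        return IdentResult("USERID", user_id=sanitize(user), os_type=sanitize(os_type, 64))
    raise ValueError(f"unknown status {status!r}")


def query_ident(remote_host: str, port_on_server: int, port_on_client: int,
                timeout: float = 5.0) -> IdentResult:
    """Ask remote_host's identd who owns the connection described by the ports."""
    with socket.create_connection((remote_host, IDENT_PORT), timeout=timeout) as s:
        s.sendall(build_query(port_on_server, port_on_client))
        data = b""
        while b"\n" not in data and len(data) <= MAX_RESPONSE:
            chunk = s.recv(256)
            if not chunk:
                break
            data += chunk
    return parse_response(data.decode("ascii", "replace"), port_on_server, port_on_client)


def format_log_entry(remote_host: str, remote_port: int, result: Optional[IdentResult]) -> str:
    """One log line per finger request; ident data is recorded, not acted on."""
    if result is None:
        ident = "-"                      # no identd reachable: log it, still serve
    elif result.status == "USERID":
        ident = result.user_id or "-"
    else:
        ident = f"error={result.error_code}"
    return f"finger from {remote_host}:{remote_port} ident={ident}"


if __name__ == "__main__":
    # Constructed reply lines (the port numbers follow the RFC 1413 examples).
    print(parse_response("6193, 23 : USERID : UNIX : stjohns", 6193, 23))
    print(parse_response("6195, 23 : ERROR : NO-USER", 6195, 23))
    print(format_log_entry("host.example", 6193, None))
```

In the post's terms, a `USERID` reply lets an admin block or name one user, an `ERROR`/no-identd result just leaves the `ident=` column empty, and nothing here refuses the finger request on that basis.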
