Re: master.debian.org using identd?
email@example.com (Amos Shapira) wrote on 04.04.97 in <199704041554.SAA00448@birnam.dsi.co.il>:
> I don't see the point in using identd, it has been explained many
> times in many forums that this protocol is totally unreliable, as
> anyone (especially today) can install a "daemon" which will fake any
> user name.
It has two uses which are, IMHO, completely unaffected by this "problem".
When a site has identd running, then
a. If some sort of abuse is related to only one user on a site, it is
possible to just block that specific user, and
b. On complaining to that site's admin, one can tell him which of his
users was responsible.
If someone fakes identd replies, then he must obviously have root access
(or the equivalent for other OSes) on his machine.
In case a, this doesn't help him - he'd have to change userids after one
stopped working, and that would probably provoke blocking the whole site,
which would be appropriate anyway.
And in case b, it's the admin of the site running identd that's really
interested in this data. If he's the bad boy, then obviously he didn't
need the data in the first place.
> I therefore suggest that master.debian.org will cease to rely on this
That's a different problem - what is reasonable to do if there is no
identd. I'd suggest blocking finger should not be dependent on identd -
either allow it for everyone, or for nobody.
The only case where blocking for no identd seems reasonable to me is
where, if there were an identd, you would block some, but not all users
from a machine.
In general, I think identd is most useful to gather logging information.
It's only ever reasonable for (weak) authentication where you want to
allow access based on user in addition to domain. Disallowing access to
domains without identd never seems to make any sense that I can detect.
(Now, this is very different from disallowing access where there is no
reverse resolution (PTR record) from DNS.)
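The logging use described above, as an added example that is not part of the original post: a small RFC 1413 (identd) client that asks the remote host's identd who owns a connection and records the answer as an unverified claim, never as a permission decision. The function names and the sample reply lines are constructed for this illustration.

```python
import socket

# RFC 1413 ident client helper. The reply is whatever the remote host's identd
# chooses to send, so the result is attribution data for the log, nothing more.

def parse_ident_reply(line):
    """Parse one ident reply line.

    Returns {'status': 'USERID', 'ports': (a, b), 'os': ..., 'user': ...},
    {'status': 'ERROR', 'ports': (a, b), 'error': ...}, or None when the
    line is not a well-formed RFC 1413 response.
    """
    parts = [p.strip() for p in line.rstrip("\r\n").split(":", 3)]
    if len(parts) < 3:
        return None
    ports, status = parts[0], parts[1].upper()
    try:
        remote_port, local_port = (int(p) for p in ports.split(","))
    except ValueError:
        return None
    if status == "USERID" and len(parts) == 4:
        # The opsys field may carry a charset suffix, e.g. "UNIX , US-ASCII".
        return {"status": "USERID", "ports": (remote_port, local_port),
                "os": parts[2].split(",")[0].strip(), "user": parts[3]}
    if status == "ERROR" and len(parts) == 3:
        return {"status": "ERROR", "ports": (remote_port, local_port),
                "error": parts[2]}
    return None


def ident_lookup(remote_host, remote_port, local_port, timeout=5.0):
    """Query identd on remote_host (TCP 113) about the connection from
    remote_host:remote_port to our local_port. Returns the parsed reply,
    or None when identd is unreachable or answers with garbage."""
    query = f"{remote_port}, {local_port}\r\n".encode("ascii")
    try:
        with socket.create_connection((remote_host, 113), timeout=timeout) as s:
            s.sendall(query)
            reply = s.makefile("r", encoding="ascii", errors="replace").readline()
    except OSError:
        return None
    return parse_ident_reply(reply)


def log_line(remote_host, reply):
    """Format the attribution record for the log; the word 'unverified'
    is deliberate, since the remote admin controls what identd says."""
    if reply is None:
        return f"{remote_host}: no identd response (unverified)"
    if reply["status"] == "USERID":
        return f"{remote_host}: claims user {reply['user']!r} ({reply['os']}), unverified"
    return f"{remote_host}: identd error {reply['error']}"
```

A connection handler would call `ident_lookup()` with the peer address and ports it already has, then write `log_line()` to its log; the access decision itself stays independent of the answer.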