*BSD News Article 43744



From: Terry Lambert <terry@cs.weber.edu>
Newsgroups: comp.protocols.tcp-ip,comp.unix.bsd.bsdi.misc
Subject: Re: What uses identd
Date: 8 May 1995 17:38:09 GMT
Organization: Utah Valley State College, Orem, Utah
Lines: 34
Message-ID: <3olku1$ffp@park.uvsc.edu>
References: <3ohon1$i35@news.voicenet.com> <3ojm8b$5tg@park.uvsc.edu> <DJM.95May8110133@jeeves.va.pubnix.com>
NNTP-Posting-Host: hecate.artisoft.com

djm@va.pubnix.com (David J. MacKenzie) wrote:
] > ] I was wondering what utilities use the identd server, which returns the
] > ] remote user name using a tcp/ip port.
] 
] > Major one is TCPWrappers to let you reject everyone but specific
] > users from a machine from connecting to specific services.
] 
] httpd can also be configured to use it in log files.  But most systems
] have the ident service turned off, or configured to return a bogus
] answer.  Since it's not authenticated, it's pretty much worthless.

It's authenticated by virtue of needing you to use a reserved
port on the server to present the daemon.

That is, if I trust <machine> enough to put it in my allowed host
list, then I can trust it to not lie about <foo>@<machine> being
the owner of the socket rather than <fee>@<machine>.

I don't see how you could authenticate anyway -- public keys are
a vouchsafe system at best.  I have to trust <fee> that he wasn't
lying when he told me <foo> had public key <XXX>.

Other than having the NSA control the account creation and the
administration of all systems, I don't see how you are going to
get anything stronger without ensuring the machine is inside the
secure zone (on your side of your firewall)... and then you
already trust it, or it wouldn't have been placed in the secure
zone instead of outside it.

                                        Terry Lambert
                                        terry@cs.weber.edu
---
Any opinions in this posting are my own and not those of my present
or previous employers.
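As an added illustration (not part of the thread, and not TCP Wrappers' own code), a small RFC 1413 ident reply parser plus the host-first trust rule the post describes: the user field is only consulted for hosts already on the allow list. The host names, ports and reply strings below are constructed.

```python
"""Parse RFC 1413 (ident) replies and apply a host-first trust rule."""
import re

# "<port-on-server> , <port-on-client> : USERID|ERROR : <rest>"
IDENT_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*)$")


def build_query(remote_port: int, local_port: int) -> bytes:
    """Query sent to identd (port 113) on the remote host: its port first, then ours."""
    return f"{remote_port}, {local_port}\r\n".encode("ascii")


def parse_reply(reply: bytes, remote_port: int, local_port: int) -> dict:
    """Return {'ok': True, 'opsys', 'user'} or {'ok': False, 'error'}."""
    text = reply.decode("ascii", "replace").rstrip("\r\n")
    m = IDENT_RE.match(text)
    if not m:
        return {"ok": False, "error": "MALFORMED"}
    p_remote, p_local, kind, rest = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
    # A reply that echoes ports other than the ones we asked about is not an answer to our query.
    if (p_remote, p_local) != (remote_port, local_port):
        return {"ok": False, "error": "PORT-MISMATCH"}
    if kind == "ERROR":
        return {"ok": False, "error": rest.strip()}  # e.g. NO-USER, HIDDEN-USER
    opsys, _, user = rest.partition(":")  # "UNIX : foo" -> opsys "UNIX", user "foo"
    return {"ok": True, "opsys": opsys.strip(), "user": user.strip()}


def allowed(remote_host: str, ident_user, trusted: dict) -> bool:
    """The ident answer carries weight only for hosts we already trust (the post's argument).

    trusted maps host name -> set of user names permitted from that host (constructed).
    """
    users = trusted.get(remote_host)
    if users is None:
        return False  # untrusted host: its ident reply is an unauthenticated string, ignore it
    return ident_user is not None and ident_user in users
```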