Why do we still use IDENTD?
Wakko Warner asks: "So anyway, I was on IRC the other day (as I am often wont to do), and, as I was being banned from the network for not running 'identd', I thought to myself: 'Why do we still use this???' Can anyone come up with a valid reason why, in 2002, ident is still considered by some people to be a necessary component of the Internet? Most people use Windows for everything, and Windows has no identity services. Most UNIX folks I know disable it for security reasons. So, why do people still insist we run it in order to connect to their network? Is it still 1993 in some part of the world?"
Plenty of identd servers for Win32 (Score:5, Informative)
http://identd.sourceforge.net/ [sourceforge.net]
http://freeware.teledanmark.no/identd/ [teledanmark.no]
http://sourceforge.net/projects/winidentd/ [sourceforge.net]
http://identd.dyndns.org/identd/ [dyndns.org]
But on the other hand, here [clock.org] are some reasons why your question is valid...
Re:Plenty of identd servers for Win32 (Score:5, Funny)
Re:Plenty of identd servers for Win32 (Score:4, Interesting)
Re:Plenty of identd servers for Win32 (Score:3, Informative)
Now, which do you think is the more likely scenario: All the l-users here that have never run an IRC server and are talking out of their ass know best, or that hundreds of experienced server and network ops know what they're doing and require identd for a reason?
Re:Plenty of identd servers for Win32 (Score:1, Insightful)
Re:Plenty of identd servers for Win32 (Score:5, Informative)
I've run several IRC servers since 1996. I am an "experienced server and network op", and I still can't figure it out. Speaking as an admin, I can assure you that ident buys me absolutely nothing in terms of dealing with problematic users. Every single one of them has spoofed a valid ident response, either by changing their "Username" value in mIRC, or by running a randomizing ident server. The commonly-held belief among IRC admins that ident provides security and some sort of audit trail is unquestionably false.
I turned off ident checking on my servers a few months ago, and encourage others I know to do the same.
- A.P.
Re:Plenty of identd servers for Win32 (Score:3, Informative)
The reason you are so confused is because you think that identd is supposed to help you in some way. It doesn't help you as the IRC server admin. The ident information is to help the administrator of the client. You see, if your abusive user is on a shell account, and you go to report abuse to the service provider, that admin is going to ask you for the ident information. Without it he is not going to know which of his users is the abuser. If you turn off identd checking, you will have no recourse against the abuse.
The commonly-held belief among IRC admins that ident provides security and some sort of audit trail is unquestionably false.
I wasn't aware that this was a commonly held belief of experienced admins. This is something a newbie operator that doesn't know how to deal with abuse would think. Ident doesn't provide security, nor is it supposed to. The only time you are going to look at your ident information is when it is requested by the administrator of the multi-user client after you report abuse for his IP address. It's not good for anything else.
Re:Plenty of identd servers for Win32 (Score:1)
It's never going to happen. identd is a useless pile of garbage, and IRC is the only service on earth that still uses it for anything, as far as I've seen. Actually, out of the last 16 years of internet usage.. I think IRC is the ONLY service that has ever used it for anything...
Re:Plenty of identd servers for Win32 (Score:1)
That's funny, because I care, and I know a lot of admins that care. We don't want our bandwidth being used up simply for the abuse of somebody else's network.
Re:Plenty of identd servers for Win32 (Score:3, Interesting)
The reason you are so confused is because you think that identd is supposed to help you in some way. It doesn't help you as the IRC server admin.
Then why do IRC server admins require it?
The ident information is to help the administrator of the client. You see, if your abusive user is on a shell account, and you go to report abuse to the service provider, that admin is going to ask you for the ident information. Without it he is not going to know which of his users is the abuser. If you turn off identd checking, you will have no recourse against the abuse.
So, if I go to report an abusive user, and his ident string is "gofuckyourself@some.unix.box.somewhere", you're saying, chances are, it'll be helpful, even when 99% of ident responses are phony? Does anyone even read their "root@" or "abuse@" email? In my experience, these mailboxes go to
Why not just ditch ident, and simply ban the entire hostname, subnet, or domain of an abusive user, and let the admin sort it out once he starts receiving complaints from other, legit users? Hell, this is done all the time, anyway. When's the last time you saw a K-line for a single user@unix.box?
Requiring everyone to run ident simply because there are one or two abusive shell account users out there is downright retarded. It's like forcing backward compatibility for Netscape 1.1N users. The times, they have a-changed. Ident must die.
- A.P.
Re:Plenty of identd servers for Win32 (Score:2)
Admittedly, requiring it is silly, but requesting it and logging the response are not.
So, if I go to report an abusive user, and his ident string is "gofuckyourself@some.unix.box.somewhere", you're saying, chances are, it'll be helpful, even when 99% of ident responses are phony?
You would only look in the ident log if the admin you were reporting an abuser to requested the information, and in that case you would be assured it was valid.
Why not just ditch ident, and simply ban the entire hostname, subnet, or domain of an abusive user, and let the admin sort it out once he starts receiving complaints from other, legit users? Hell, this is done all the time, anyway. When's the last time you saw a K-line for a single user@unix.box?
What if you are dealing with a university UNIX server, and one student is abusing your network from their shell account, while at the same time some of your network ops access your network through the same system?
I've never seen a single user banned from the IRC server side, but I have seen users lose their shell access (or worse) after an IRC server admin complained and the ident log was consulted.
Re:Plenty of identd servers for Win32 (Score:1)
Re:Plenty of identd servers for Win32 (Score:2)
I'll choose the third scenario: The hundreds of experienced server and network ops are living in the last decade and have completely forgotten that the case for a giant portion of internet users is that they are on single-user machines but sharing IP addresses with other users because their network or ISP has more users than IP addresses and is using network address translation.
Thinking that identd is useful for security in this situation seems about as smart as assuming that anonymous ftp logs really do keep an accurate list of the e-mail addresses of people who have connected to the server.
Similar to reverse DNS? (Score:1)
Why identd is used (Score:5, Insightful)
Say I get on an IRC server and start abusing it. It's pretty easy to just ban my IP (or in extreme cases, up to my class B if dynamic IPs are in use and there's no better solution). So single-user machines are pretty easy to handle.
A not-unreasonable number of people still use public access machines, however. And you can't just ban their IPs without potentially screwing a lot of people -- if I ban MIT's or CMU's public access UNIX boxes, I'm going to hurt a lot of people to block one baddie. However, these machines can be trusted to run a legitimate identd, so I can say "Don't block *everyone* on these machines...just this one user".
Granted, the utility value of identd is less now that Windows machines and single-user UNIX machines are dominant, but it still does solve a nasty problem sometimes.
However, even given that identd helps, I don't see why it's *required*. You can just say "if the remote host isn't running identd, just ban the entire IP if we get a baddie on that machine".
Knock, Knock (Score:4, Funny)
Bots/Abuse (Score:3, Insightful)
Re:Bots/Abuse (Score:2)
IRC Servers do have a use (Score:3, Interesting)
Re:IRC Servers do have a use (Score:1)
Re:IRC Servers do have a use (Score:4, Interesting)
If I run mIRC, it's even easier to change my ident response. I don't even need to compile or install anything, let alone enable it in
- A.P.
Re:IRC Servers do have a use (Score:2)
In that case (Score:2)
If it's running, then it may provide useful data.
If it's not running, then almost surely if it were running it wouldn't provide trustworthy data.
In short: If the user has the option of turning it on or off, the service can't be trusted. The ident data is nice to have in the case that it might actually be true, but it's too easy to fake.
Re:IRC Servers do have a use (Score:1)
If we get abuse from a user in the trustgroup, we just:
/msg o trustgline some_shell_with_5000_vhosts ident 99y abuse
and they're gone, with all possible vhosts banned (with that ident).
Very very useful!
Re:IRC Servers do have a use (Score:2, Informative)
- A.P.
Worthless for unix accounts too. (Score:4, Insightful)
There is NO good reason for crappy old fake-able, spoof-able, deny-able ident to be a requirement anymore. Certain IRC admins just need to get their heads out of their asses.
Re:Worthless for unix accounts too. (Score:2)
Valuable information like the username?
If I have a username on your system, then I have half the information I need to login to it. Admittedly, less useful than it used to be, but better than nothing.
Re:Worthless for unix accounts too. (Score:2)
Which you might have been able to get from my email address or my www address or by guessing I use the same user name everywhere. It's not that hard to get.
Re:Worthless for unix accounts too. (Score:3, Interesting)
Almost every single ident response on IRC is faked. hell, even the stock identd daemons support .fakeid files these days. (at least FreeBSD's builtin identd does)
identd is a protocol which only works if every user is trusted. despite this, some very ignorant irc admins try to use the protocol to create trust. clearly this is a poorly thought out plan. add to that the fact that identd listens on a low port, so it needs to be a privileged process and you have ignorant admins exposing their network's users to unnecessary risk, for no gain.
Re:Worthless for unix accounts too. (Score:2, Insightful)
"No serious systems administrator."
Give me a break! SFU's system admins were some of the best UNIX-heads I've ever met!
Re:Worthless for unix accounts too. (Score:1)
Most IRC servers I know don't *require* identd if you have *one* irc session opened. They do *require* it if you want to have several sessions coming from the same IP, though. It is aimed at shell accounts boxes, those providing BitchX/BNC/eggdrop connectivity to IRC.
Pretty Simple (Score:5, Informative)
First off, ident is not insecure by itself. Some implementations had buffer overflow problems, but then which server software hasn't. It can also provide login information like the username but this depends on the setup. For correct working, IRC related, it just needs to return a string on query.
So why? IRC is well known for countless attacks against the servers and the users of it. It really seems to bring out the worst in a large group of people who, perhaps encouraged by anonymity(?), feel they can do anything to make other peoples use of the service a hassle.
So how to defend against it? Knowing who a user is is the easiest defence. You can then ban that person from entering your chatroom/network. There are a couple of pieces of information that are known when you use IRC.
So why require ident to be running? Can't it be as easily changed as the nick? Yes it can, on certain setups. However if you are using/abusing a shell account then the Ident service should be fixed by the admin. It makes therefore the misuse of a certain kinda setup harder (University accounts). Shell accounts are popular for abuse since you are using someone else's IP for your abuse.
Other posts have indicated that there are plenty of Ident servers for windows around. Saying just because windows does not support something it is obsolete is stupid. There are plenty of things on windows you need third party apps for.
Perhaps the real problem with this question is that too many people feel they have a right to use/abuse a service run by someone else. IRC is a free service run by people who out of the kindness of their hearts run one of the most attacked services on the net. If they then require you to run a tiny little program to make their life easier then so be it. Don't like the rules? Don't use the service. Think you can do better? Run your own.
Re:Pretty Simple (Score:5, Insightful)
But does it make their lives easier? Consider: Unix reserves ports up to 1024 for the superuser. The theory was always that you could trust these ports on a remote host, if you trusted the sysadmin, because no ordinary user could bind a process to them. If the sysadmin was an employee of a university or a major corporation, then it was quite reasonable to do so. Barring man-in-the-middle attacks, this system worked quite well. At the time this convention was created, it was considered highly unlikely that you could buy your own Unix host for under $500! You could trust the owners of the machine because machines were expensive, and the owners would take adequate action to ensure that only legitimate users had accounts. The convention also allowed the designers of TCP/IP to cut corners; unlike DECnet they only needed to route by port and IP address, not by the username/process name of the source and destination processes. (That's a separate rant of mine, how brain-dead the designers of TCP/IP were, and how DECnet is infinitely superior).
Nowadays, identd is useless for confirming the identity of a remote user, since you cannot trust the sysadmin of a remote host any more than you can trust an ordinary user, because in the Linux world, they are most likely one and the same.
The logical successor to identd is PKI, but no-one's quite sure how to make that work seamlessly yet.
Re:Pretty Simple (Score:2)
I do agree that PKI is the way to go though. There are organisations that know how to make it work seamlessly though. Ask Novell.
Re:Pretty Simple (Score:1)
Get it? Jesus you people, get a fuckin clue!
Re:Pretty Simple (Score:1)
1. Make sure that the user has complete control over the system and isn't just a subverted single process.
2. Ensure that there's some modicum of proficiency on the part of the user: stupid people need not apply.
3. They're forcing people on multi-user machines to have some measure of self-accountability.
Fine by me: whiners are the ones who find it inconvenient. One minute of setup, and I never have to worry about it again. Why are you people whining about it?
Re:Pretty Simple (Score:5, Insightful)
Not true. The real ident servers need to run as root (since they're running on a low port), or if you want to be fancy, they can be started by root and assume another (perhaps jailed) user's identity. Let's assume they're all running as root, since I've not seen one that doesn't do so. They need to access
I tend to treat every service I run on my machines as exploitable. To this end, I disable as many as possible, and, if I have to run a service, I make sure I keep up with it from a security standpoint. Running ident is more work for me, for no real reason.
That someone requires I run a useless service like identd in order to connect to their network has always bugged me. In this day and age, when ident responses are faked far more often than they aren't (EVERY Windows IRC client fakes ident!!), what's the point of opening up a low port and exposing my systems to even more abuse?
So why require ident to be running? Can't it be as easily changed as the nick? Yes it can, on certain setups.
On just about every setup, you mean.
However if you are using/abusing a shell account then the Ident service should be fixed by the admin. It makes therefore the misuse of a certain kinda setup harder (University accounts).
Very few people use their university shell accounts to IRC these days.
Shell accounts are popular for abuse since you are using someone else's IP for your abuse.
So are Wingate hosts, but there are other ways of dealing with that kind of abuse, as well. If someone's fucking with my server from a shell account (or from anywhere else), banning that hostname or IP range is more than enough.
Other posts have indicated that there are plenty of Ident servers for windows around. Saying just because windows does not support something it is obsolete is stupid. There are plenty of things on windows you need third party apps for.
Yes, and others have noted that "ident" is built into most Windows IRC clients. In nearly all cases, on Windows, ident is faked; I can type whatever I want into the "Username" box in mIRC.
- A.P.
Re:Pretty Simple (Score:2)
The real ident servers need to run as root (since they're running on a low port), or if you want to be fancy, they can be started by root and assume another (perhaps jailed) user's identity. Let's assume they're all running as root, since I've not seen one that doesn't do so. They need to access /etc/passwd (or the NIS equivalent) as well.
You're just scratching the surface of the problem here. It goes even deeper than that. An ident daemon needs to be able to read kernel memory. Why? Think about it. You connect from host A port a to host B port b. Host B then connects to host A port 113 and says "What is the name of the user who connected to me from port a?" A normal userspace daemon has no way to answer this question. It needs to go poking around inside kernel memory in order to learn who has bound to port a.
In addition to this, I'd like to point out another problem associated with identd: firewalls. Right now, I'm at work, behind a firewall. When I connect from my workstation to a remote service, it might wish to connect back to me for purposes of querying my ident service. But it can't -- port 113 is blocked at the router. Even if I wanted to run ident (which I don't), I wouldn't be able to respond to that query, because I never receive it. Eventually the request times out. This means that connecting to any service that blocks awaiting an ident response has a built-in delay. And if the ident response is mandatory, it means I'm completely shut out.
At home, I just run nullidentd. I return the string rfc1413 for the response. Most people don't react to that, but I've had a few people ask "Which RFC is that?", and one or two have complimented me on it.
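The callback described in the comment above, as an added example that is not part of the original thread: a Python client for the RFC 1413 query as a server operator might run it, treating a filtered port 113 as "no answer" and the returned name as untrusted text that is logged but never used to decide admission. The function names, the 5-second timeout and the 32-character log limit are assumptions of this example.

```python
import re
import socket

IDENT_PORT = 113   # well-known ident port
MAX_LINE = 1000    # RFC 1413 limits a reply line to 1000 characters
ERROR_TYPES = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}

# "<port on queried host> , <port on our host> : USERID|ERROR : <rest>"
_REPLY = re.compile(
    rb"\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:(.*)", re.DOTALL)


def build_query(their_port, our_port):
    """Ask the connecting host who owns the connection their_port -> our_port."""
    for port in (their_port, our_port):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    return f"{their_port} , {our_port}\r\n".encode("ascii")


def sanitize(userid, limit=32):
    """Make a remote-supplied user-id safe to write to a log.

    RFC 1413 counts spaces after the colon as part of the id; stripping them
    and replacing non-printable bytes is this example's choice for logging.
    """
    text = userid.strip().decode("ascii", "replace")
    return "".join(c if "!" <= c <= "~" else "?" for c in text)[:limit]


def parse_reply(raw, their_port, our_port):
    """Parse one reply line; anything unexpected is reported as malformed."""
    line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    if len(line) > MAX_LINE or b"\x00" in line:
        return {"status": "malformed"}
    m = _REPLY.match(line)
    if not m:
        return {"status": "malformed"}
    # The reply must echo the port pair we asked about, otherwise it
    # describes some other connection and cannot be attributed to this one.
    if (int(m.group(1)), int(m.group(2))) != (their_port, our_port):
        return {"status": "malformed"}
    kind, rest = m.group(3), m.group(4)
    if kind == b"ERROR":
        err = rest.strip().decode("ascii", "replace")
        return {"status": "error",
                "error": err if err in ERROR_TYPES else "UNKNOWN-ERROR"}
    # USERID replies are "<opsys>[,<charset>] : <user-id>"; the user-id may
    # itself contain colons, so split only on the first one.
    opsys, sep, userid = rest.partition(b":")
    clean = sanitize(userid)
    if not sep or not clean:
        return {"status": "malformed"}
    return {"status": "userid",
            "opsys": opsys.strip().decode("ascii", "replace"),
            "userid": clean}


def lookup(host, their_port, our_port, timeout=5.0, ident_port=IDENT_PORT):
    """Query host's ident service; a filtered or closed port is not an error."""
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            s.sendall(build_query(their_port, our_port))
            buf = b""
            while b"\n" not in buf and len(buf) <= MAX_LINE:
                chunk = s.recv(256)
                if not chunk:
                    break
                buf += chunk
    except OSError:  # covers timeouts, refused connections, unreachable hosts
        return {"status": "unreachable"}
    return parse_reply(buf, their_port, our_port)


def log_label(result):
    """Text for the connection log. The value is a claim made by whoever
    controls the remote host, so it is recorded, not used to grant access."""
    if result["status"] == "userid":
        return f"ident={result['userid']} opsys={result['opsys']}"
    return f"ident=<none:{result.get('error', result['status'])}>"


# Constructed sample replies (not captured from any real host).
SAMPLE_OK = b"6193, 6667 : USERID : UNIX : stjohns\r\n"
SAMPLE_NO_USER = b"6193, 6667 : ERROR : NO-USER\r\n"
SAMPLE_CONTROL_CHARS = b"6193, 6667 : USERID : OTHER : \x1b[31mroot\x07\r\n"
SAMPLE_WRONG_PORTS = b"1, 2 : USERID : UNIX : stjohns\r\n"
```
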
Re:Pretty Simple (Score:2)
Or use netstat (-p under linux?) or lsof.
Re:Pretty Simple (Score:1)
Let's look at what the server can find out:
Nick, =/
Hostname/IP, at home I have a modem account and each time I dial out I get a new IP/hostname
Ident, well I run oidentd on my box and that provides a ~/.oident for users to config their response (inc random), there is a /etc/oident to limit what users can do, but hey I know the root pw to my box (plus windows irc clients eg mirc have a configurable identd built in)
public/private keys, users can always generate a new key pair, and if you try to stop this by handing out keys what's to stop the user just getting more?
There's a whole load of ideas to ID users, but each one doesn't stop those who want to get round them. Because there is no system that doesn't place some trust on the client system!
In my part of the world... (Score:2)
-Derek
Re:No up upheaval of the IRC protocol (Score:2)
Check out the percentage of people using IRC. Remember 94-96? When IRC was the coolest reason to get online? Why did people stop using IRC since then? Security, and being blocked from channels you never offended/visited.
EFnet is packed due to the fast growing size of the Internet.
IRC is not dying... (Score:2)
Re:No up upheaval of the IRC protocol (Score:2)
Agreed on the security thing.
However, I think IRC is also dying because things like identd make it difficult for a lot of users, including those behind firewalls, to find a good irc server.
World Wide Conferencing Protocol (next gen irc?) (Score:1)
Years ago, Gerrit Hiddink (now doctor in Computer Science) designed the World Wide Conferencing Protocol so he could build a World Wide Conferencing Network [wwcn.org], designed for scalability, security and productivity.
It lacks 'bans' and 'kicks' but does allow for a group consented ignore.
It was far superior to IRC in 1994 and it still is, though everyone seems to stick with IRC. Then again there is something cool about being able to 'kick' someone. ;)
Re:No up upheaval of the IRC protocol (Score:1)
Myself, I'm trying to write yet another replacement, but oriented to small groups who want to talk without being bothered. It doesn't scale to the amount of people IRC accepts, or at least not yet. But even though I and probably a hundred other people are trying to write the "ultimate chat server", IRC still hasn't been defeated. Curious, isn't it?
For local use diagnostic use only (Score:2)
Identd is perfectly usable and mostly trustable when on hosts that you have control over.
Now, probably should run it in DES encrypted mode, but most sites do not.
As for why IRC does it? Who knows, doesn't seem to accomplish anything much to me.
postgresql (Score:2)
Is it still 1993 in some part of the world? (Score:2)
It's a layer 8 problem. (Score:1)
The solution to any problem with IRC is simple:
It's a layer 8 problem.
Everyone remembers the 7 layer ISO model for networks right... and what's just above layer 7 -- the human (ie: layer 8) and in my years of IRCing, I have yet to meet a sane IRC layer 8. I'm sure there must be one, or at a stretch, two sane ircadmins, but I've certainly never encountered them.
Think that netsplit is due to some massive connectivity problem on the internet -- nope, it's a netadmin doing layer 8 routing. Having trouble with a jerk and want to have a ban placed -- except *.com gets banned -- that's a layer 8 problem.
rant on These people think that identd will save them from the world... when really, the only solution is getting the hell off of IRC and getting a life rant off.
Sigh Some days, it's just not worth thinking about.
Layer 8 or 9, they're both human issues... (Score:2, Interesting)
Re:Layer 8 or 9, they're both human issues... (Score:1)
Thank you for an intelligent reply!
I've often encountered these issues and never bothered to google -- most of the people I work with are in the quoted layer 8 and 9 -- and I'd pretty much just lumped them all together with the incompetent administrators as a problem layer!
I've just been reading BOFH (Score:1)
----
"NO! Then they'll call you back when the problem recurs. Your job is to make them FEAR calling you. How can you work when people are calling? So, you make them pay for calling in the first place. What would you do?"
"Delete their files?"
"Yeah, it's a start, but then they may call back when they get new files. You want them NEVER to call back. What could you do?"
"Swear at them?"
"No. I can see we'll have to demonstrate. Have you got a metal ballpoint?"
"Yes"
"See that wallsocket over there. Take the refill out of the pen and poke it into the wallsocket."
"But it's live!"
"Would I really make you do it if it were live?"
"Oh" >fiddlefiddleBZZZZZZZEEEEERT!THUD!
Of course I would.
Identd is the least of our worries. (Score:3, Insightful)
SMTP! Mailbox filled with spam? Well, that's because we use a mail transfer protocol that makes it trivial to forge the from: address and to create thousands of messages from one!
FTP! Password in the cleartext? Carriage returns dropped? 3rd-party interceptible/forgeable downloads? That's FTP...
Identd is simple enough to fake, so it shouldn't really trouble anyone. But it's pretty hard to get by day-to-day without using SMTP.
Re:Identd is the least of our worries. (Score:2)
You insensitive clod!
In Soviet Russia, the Penis Bird Man owns YOU!
One reason to use it... (Score:2)
Re:So why require it? (Score:2)
Make it optional, so UNIX admins can run identd for the reason you mentioned.
Next Generation Protocols? (Score:1)
Encryption/PKI seems to be where it's at now, and P2P as well. P2P IRC? P2P email? How about it?
If the old toys are broken and laying in the corner, perhaps it's time to build some new ones.
Re:Next Generation Protocols? (Score:1)
Is it still 1993 in some part of the world? (Score:2)
It is really interesting to travel back in time, by just traveling to some parts of the US where they are still 50 years behind the times.
Yes. We still need it. (Score:1)
Two part question (Score:2)
A) Why do the servers require it?
Well, it's their servers. If they want to say you must kill a dog before connecting and if you don't you are banned, that is their call.
b) Ident is useful to the server admin.
If I let users use my system, and I know my own ident server is reliable, I know which user did something by remote and local logs.
If someone else claims to have ident info, I can match the exact TCP connection in their logs with mine, and thus gain exact timestamps (as most people don't sync to the same clocks) as well as if it occurred at all or not, thus whether to believe anything else they claim or not.
Granted one can do the same thing with a logging firewall, but again, it's the admin's choice on how to run a system.
Banning proxy connections (Score:2)
IRC servers prevent this in a few ways; they will actively test if the address a connection comes from has an open proxy server on the standard port and will automatically disallow the connection. This doesn't help when the proxy server is closed but is still being hijacked, though. Further, some proxy servers don't use the standard port, and it's not efficient for the IRC server to scan all possible ports, while an attacker has the leisure to find and use these servers.
By checking for ident response, only people going through proxy servers whose admins also run ident can get through. These are few and far between, and are usually closed, private proxy servers run by people who have specific need of them. Those few which are abused can be individually k-lined.
Well, two valid reasons... (Score:2, Informative)
Then, there's irc-enabled trojans/viruses. These things spread by means of email, newsgroups, outlook/IE exploits, open windows shares, and IRC itself. They come on IRC as a convenient spot for whoever wrote the virus to control them all and use for ddos attacks. They take up space, and they're generally not nice things to have lying around. However, the majority of these viruses were never coded with identd support, and they run on windows machines of users who never use IRC. Therefore, by banning users who do not have ident enabled, you are banning a huge amount of ddos attack drones.
I'm actively involved in this kind of thing.
Imitate SPEWS (Score:2)
If there's someone abusive, you want to be able to ban them, not the entire shell server.
If you ban the entire shell server, you force the legitimate users on that shell server to force the shell server's admin to force the misbehaving user not to misbehave. It works on the same principle as SPEWS banning a whole /24 or larger IPv4 address block.
Mail doesn't use identd.
Use this if you need to (Score:2, Interesting)
I agree with the poster that identd is kinda pointless but that doesn't change the fact that it's a headache trying to find an irc server (on some networks) which doesn't require you to have identd running. FakeIdentd is small and simple, you start it up and give it a text string which it will use to reply to any servers. No bells & whistles but it does the job and compiles on pretty much every UNIX-like operating system I've tried.
same reason. (Score:1)
get used to it.
Identd requirement for irc is stupid (Score:1)
1) Proxies
Proxies are scanned for and blocked on connect to most major irc networks, so that isn't a good reason.
2) Shells
Shell users are already running identd, this means that no matter what username i try to use it will be superseded by the identd response sent by the box.
3) Multiple connects
When running a legit shell on any host that doesn't have its own domain name, ie a cable or dsl user, they still block multiple connects even when you have a legit identd.
Let's face it, requiring identd is stupid and doesn't make sense.
Why we require Ident (Score:4, Informative)
A lot of people on IRC (for whatever reason) like to IRC from (bought) shell accounts. It's in these shell account owners' best interest to run Ident, otherwise the only way to ban an abusive user is to ban the entire netblock of the shell provider, basically killing off their entire customer base. If we see that there are multiple people from the same IP with different Ident and only one of them is abusing we'll ban by ident. If they change ident and come back, we ban the entire IP (or netblock).
Many servers have different "connection classes" or different levels of service to different people. You can say for instance that you will allow 5,000 people from your country to connect, 2,000 other people from around the world that are on helpful and cooperative ISPs, and 1,000 people from elsewhere. Thus, if you're outside an IRC server's catchment area, they start placing harsh rules on you, like requiring ident. eg: If your server is in the US, and it's a lot easier to track down abusers within the US than outside it, so you require people outside the US to make a "better effort" to use your server.
Kinda going back to the previous point, a lot of boxes that are used on IRC are hacked, or people aren't supposed to be IRCing from (eg company machines). Running an ident server is trivial if you (legitimately) have root on the machine, if you don't then it starts making it more obvious that the machine is hacked ("Hmm, I don't remember that machine having ident enabled...")
Re:Why we require Ident (Score:1)
If an irc network won't let me connect I'll go elsewhere.
Re:Why we require Ident (Score:2, Interesting)
I run an ident daemon, but first I audited the entire thing by hand, they're not complicated pieces of software, and are fairly trivial to audit.
I personally think that you shouldn't require ident to connect, and afaik no undernet server requires ident to connect, but I can understand the reasoning of why people would do it.
1993 (Score:2)
[Some indeterminate music is heard in the background, probably Spin Doctors]
What? 1993? Um, dude...let me check Webcrawler on that.
ident is not worthless in all cases (Score:1)
Now that's not saying ident can't be useful. If you run a large system with multiple users, running ident can help you track down the 1 or 2 abusers since you know your ident is offering the correct information. If the server is logging ident, then when problems arise you can ask them for it and make your life a hell of a lot easier.
So ident isn't something you should be using to authenticate your clients, but keeping track of it (when it is available on the client) can prove useful when working with the administration of the client's host.
I think I've rambled enough to get to the point now:
Don't REQUIRE ident, it'll just get spoofed 99.9% of the time. However, if it is available, you might as well use it to your advantage when the friendly sysadmin asks you for it so he can cut off the jerk who's abusing you.
Monitoring who's monitoring (Score:2)
I'm surprised that not a single post here mentioned this aspect of running the daemon. You guys are so friggin' busy trying to be anonymous you fail to see the obvious point of watching who's watching you. To me, that smacks of more time spent bein' a kiddie than an administrator.
Well, for one... (Score:2)
What do you mean why do we still use identd? (Score:2)
Because it is better to run perl -pi -e 's/(?<=nullidentd\s)John/Dick/' /etc/inetd.conf; killall -HUP inetd; echo "This John won't bother you again, Sir." | mail admin@complaining.to.abuse.at.your.system.com
than it is to have your IP banned.
Isn't that obvious?
Re:Question (Score:2)
All other allow only processes operating under SYSTEM or members of the administrators groups to bind to ports 1024.
Re:Question (Score:1)