Re: a BSD identd

Sun, 11 Jul 1999 13:00:57 -0700 

:> 2. Most shell services do a good job of keeping ident reliable. They need
:> to do that because most IRC networks heavily penalize clients that don't
:> return any ident. 
:
:This is changing. In the face of ${BIGNUM} Windoze boxes giving ident
:answers like "HAX0r", there is little point, except for the administrator
:of the box _giving_ the ident. If that was me, it would be _low_ on my
:list.

    ident is extremely useful when taken in the proper context.  It doesn't
    really matter what a user-owned box returns.  An IRC administrator only
    cares about two things:

        * If the irc client is connecting from an (ISP's) multi-user shell 
          machine, that the ident contain sufficient information to identify
          the user.

        * If the irc client is connecting from a single-user machine, such as
          a windoz box, the IRC administrator has the IP address and times
          involved, which is again sufficient for the user's ISP to identify
          the user.

    When a user is abusing an IRC server, the IRC administrator has two 
    choices:

        * If it is coming from an ISP who takes abuse seriously, the IRC 
          administrator need only identify the user sufficiently (IP and time,
          or ident info if coming from a shared shell box) such that the ISP
          can kick the user off the service.

        * If it is coming from an ISP who does not take abuse seriously, the
          IRC administrator locks out the entire ISP.

    At BEST ident was turned on on all machines and it returned the user's
    real user name.  It did that because it made it a whole lot easier for us
    to handle abuse issues, it cut abuse significantly, and it cut 
    abuse-related email from remote IRC admins significantly because they
    could lockout specific users based on the ident info without having to 
    contact us.

    I don't work at BEST any more, but I would love to see kernel support
    for ident lookups.  To make identd work reasonably well, I had to hack
    the server to timeout after a few seconds worth of cpu-bound searching
    through KVM, because it would sometimes get into scanning loops.

                                                        -Matt



To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message

Reply via email to