John Polstra wrote:
>
> In article <199907102150.paa33...@harmony.village.org>,
> Warner Losh <i...@village.org> wrote:
> >
> > Some ftpd and sendmail servers make the queries.  When I have my fake
> > identd in place, they go much faster... :-)
>
> Are you sure?  If you simply don't run an identd, the queries will get
> an instant connection refused error.  That's even faster than sending
> back a bogus response.

Many daemons that request ident, and almost all IRC daemons that I'm
aware of, don't take "NO" for an answer. They sit waiting for a valid
response, and time out after X seconds, where X is c. 30 seconds.
Whether this behavior is good or not begs the question; that is how it
works.

I'd also like to throw in some thoughts on ident in general, since I
have several years of experience both in IRC administration and having
been through this debate several times. :)

1. ident is useful as far as it goes. It shouldn't be trusted as
   authentication, but it can give you a good idea of where to start
   when tracking down problem users.

2. Most shell services do a good job of keeping ident reliable. They
   need to do that because most IRC networks heavily penalize clients
   that don't return any ident.

3. Having a built-in version of a "real" ident run out of inetd would
   be *very* welcome by the people that need it. pidentd is a bloated,
   buggy pig.

4. I agree with Sheldon that returning "real" responses by default
   would be a bad thing. The current ability to send fake responses is
   a good thing, but having the option to do real ident would also be
   good.

Finally, Brian might want to search the bugtraq archives before he
commits anything. There have been quite a few identd-related
discussions, and it would be points in our favor if we didn't come out
with anything that had known exploits.

HTH,

Doug
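
The querying side of the exchange discussed in this thread, as an added example that is not part of the original message or of any FreeBSD code: a daemon-side RFC 1413 lookup that treats a refused connection as an immediate "no ident", bounds the wait for a silent peer, and keeps the reply only as an untrusted hint. The function names, the 3-second timeout and the user-name character policy are assumptions made for illustration.

```python
import re
import socket

# RFC 1413 reply line: "<port>, <port> : USERID : <opsys> : <user-id>"
#                   or "<port>, <port> : ERROR : <error-type>"
_REPLY = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:(.*)$")
# Assumed local policy (stricter than the RFC): short, shell-safe names only.
_SAFE_USER = re.compile(r"^[A-Za-z0-9._-]{1,32}$")

def parse_ident_reply(line, remote_port, local_port):
    """Return the claimed user name as an untrusted hint, or None."""
    m = _REPLY.match(line.rstrip("\r\n"))
    if not m or m.group(3) != "USERID":
        return None                      # garbage or an ERROR reply
    if (int(m.group(1)), int(m.group(2))) != (remote_port, local_port):
        return None                      # answer is about some other connection
    _opsys, sep, user = m.group(4).partition(":")
    user = user.strip()
    if not sep or not _SAFE_USER.match(user):
        return None                      # never log or display raw remote bytes
    return user

def ident_lookup(host, remote_port, local_port, timeout=3.0):
    """Ask host's identd who owns remote_port -> local_port; None if unknown."""
    try:
        with socket.create_connection((host, 113), timeout=timeout) as s:
            s.sendall(f"{remote_port}, {local_port}\r\n".encode("ascii"))
            buf = b""
            while b"\n" not in buf and len(buf) < 512:   # bounded read
                chunk = s.recv(512)
                if not chunk:
                    break
                buf += chunk
    except OSError:
        # Connection refused returns here at once; a silent peer costs at
        # most `timeout` seconds per socket operation instead of ~30.
        return None
    if b"\n" not in buf:
        return None
    return parse_ident_reply(buf.split(b"\n", 1)[0].decode("ascii", "replace"),
                             remote_port, local_port)
```

The returned name is whatever the remote host chose to send, so it belongs in a log field for tracking down problem users and not in any access decision.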