> 1. ident is useful as far as it goes. It shouldn't be trusted as
> authentication, but it can give you a good idea of where to start when
> tracking down problem users.

First thing you say to yourself after a compromise is "trust nothing".
Things like idents can/will/should/are targets.

> 2. Most shell services do a good job of keeping ident reliable. They need
> to do that because most IRC networks heavily penalize clients that don't
> return any ident.

This is changing. In the face of ${BIGNUM} Windoze boxes giving ident
answers like "HAX0r", there is little point, except for the administrator
of the box _giving_ the ident. If that was me, it would be _low_ on my
list.

> 3. Having a built in version of a "real" ident run out of inetd would be
> *very* welcome by the people that need it. pidentd is a bloated, buggy pig.

Small set of people. Much larger set of dupes who would believe/trust this.

> 4. I agree with Sheldon that returning "real" responses by default would be
> a bad thing. The current ability to send fake responses is a good thing,
> but having the option to do real ident would also be good.

As long as the documentation is _clear_ that this is not a front-line
security tool, but rather a thing to marginally augment logs with
user-supplied info, then I'll buy it.

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

To Unsubscribe: send mail to majord...@freebsd.org
with "unsubscribe freebsd-hackers" in the body of the message
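The thread's conclusion is that an ident answer is user-supplied text from the remote end, usable to annotate a log but never as authentication. The following is an added example, not code from the thread or from FreeBSD, showing what consuming ident that way looks like: it parses RFC 1413 reply lines (`<server-port>, <client-port> : USERID : <opsys> : <user-id>` or `... : ERROR : <error-type>`), strips control characters so a hostile reply such as the "HAX0r" case cannot inject terminal escapes or fake fields into the log, caps the length, and tags the result as unverified. The function names, the `ident_trust=unverified` log tag, and the sample log line and replies are all constructed for the example.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional

# Hypothetical helper written for this example: it parses RFC 1413 ident replies
# and feeds the result into a log line as *unverified* user-supplied data.
# The remote identd chooses the answer, so nothing here treats it as authentication.

USERID_MAX = 64   # keep only this much of the user-id (the wire allows 512 octets)
PORT_PAIR = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


@dataclass
class IdentResult:
    server_port: int = 0
    client_port: int = 0
    status: str = "MALFORMED"     # "USERID", "ERROR" or "MALFORMED"
    opsys: Optional[str] = None
    userid: Optional[str] = None
    error: Optional[str] = None


def _sanitize(text: str) -> str:
    # Replace control and non-ASCII characters so a hostile reply cannot inject
    # terminal escapes or fake fields into the log, then cap the length.
    cleaned = "".join(ch if 0x20 <= ord(ch) < 0x7F else "?" for ch in text)
    return cleaned[:USERID_MAX]


def parse_ident_reply(line: str) -> IdentResult:
    """Parse one reply line of the form
    '<server-port>, <client-port> : USERID : <opsys> : <user-id>' or
    '<server-port>, <client-port> : ERROR : <error-type>'."""
    line = line.rstrip("\r\n")
    # The user-id field may itself contain ':', so split at most three times.
    parts = [p.strip() for p in line.split(":", 3)]
    m = PORT_PAIR.match(parts[0])
    if m is None:
        return IdentResult()
    sport, cport = int(m.group(1)), int(m.group(2))
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return IdentResult()
    if len(parts) == 4 and parts[1] == "USERID":
        return IdentResult(sport, cport, "USERID",
                           opsys=_sanitize(parts[2]), userid=_sanitize(parts[3]))
    if len(parts) == 3 and parts[1] == "ERROR":
        return IdentResult(sport, cport, "ERROR", error=_sanitize(parts[2]))
    return IdentResult()


def enrich_log_line(log_line: str, reply_line: str) -> str:
    """Append the ident answer to a log line, explicitly tagged as unverified."""
    r = parse_ident_reply(reply_line)
    if r.status == "USERID":
        tag = f"ident_user={r.userid!r} ident_trust=unverified"
    elif r.status == "ERROR":
        tag = f"ident_error={r.error}"
    else:
        tag = "ident_error=malformed-reply"
    return f"{log_line} {tag}"


def query_ident(host: str, server_port: int, client_port: int,
                timeout: float = 5.0) -> IdentResult:
    """Ask the identd on `host` (TCP 113) who owns the connection
    host:server_port <-> us:client_port. Needs network access; not used below."""
    with socket.create_connection((host, 113), timeout=timeout) as s:
        s.sendall(f"{server_port}, {client_port}\r\n".encode("ascii"))
        data = s.recv(1024)           # RFC 1413 caps replies at 512 octets
    return parse_ident_reply(data.decode("ascii", errors="replace"))


# Constructed sample data (not a real log, host or user).
SAMPLE_LOG = "Jan  5 10:01:02 shellbox ftpd[1234]: connection from 192.0.2.10 port 6193"
SAMPLE_REPLIES = [
    "6193, 21 : USERID : UNIX : stjohns\r\n",
    "6193, 21 : ERROR : NO-USER\r\n",
    "6193, 21 : USERID : OTHER : HAX0r\x1b[31m\r\n",   # hostile answer carrying a terminal escape
]

if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        print(enrich_log_line(SAMPLE_LOG, reply))
```

The `ident_trust=unverified` tag is the point of the exercise: whoever later greps the log sees the name as a lead for "where to start", not as a fact about who was logged in on the remote box.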