Subject: Re: tcp-wrappers, tcpd, and NetBSD
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: current-users
Date: 03/15/1997 20:02:26
> The best one of these alternative identd servers I ever saw was a
> small piece of C code that always identified the user as Dan
> Bernstein.

I would think "Mike St. Johns" would be a more intelligent response...



>That's fine if you care more about making a religious point than you do
>about keeping your system secure.  The security benefits accruing to a
>site running a (real) pidentd are very real, if you either (a) have any
>users who might misbehave or (b) might ever have any of your user
>logins cracked.

But it's utterly, absolutely worthless if your user community knows the
root password. If you have the root password, then you can forge the
cookies that identd would return.  At that point the IDENT cookies are
worthless for any serious security purposes: they can be plausibly
denied, or forged, and the perp can claim someone broke into their system.

Almost everyone I know has the root password on their system: you just
can't do systems work if you don't know the root password.  That's
not even starting with the explosive growth of personal Unix systems
(e.g., the Linux phenomenon).

One place pidentd is genuinely useful is sites with:

  * aggressively managed security policy (to defeat breakin as an
    excuse for denying responsibility for what identd may cause a
    third party to log),
  * a population of unprivileged users.

Assuming a campus or business environment with IDENT-enabled SMTP
daemons, identd is an effective tool for stopping undergrads on
timesharing hosts from forging e-mail; and that's about all it *does*
do.  Identd (and tcp wrappers) are basically useless for security
purposes in an unrestricted Internet environment.

I'm sure this is an FAQ, but are the authors of ircd somehow lacking
in clue?  rfc1413 clearly allows OTHER as an operating system, and
even enumerates some cases where it's the preferable thing for a
unix-like system to return.  And if this is insurmountable, what's
wrong with returning "UNIX-BSD", or for the perverse, "MULTICS" or
"X11R3"?
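As an added illustration of the two points above (that an RFC 1413 reply is just a string the remote host chooses to send, and that "OTHER" is a legitimate opsys value), here is a small RFC 1413 responder and client-side reply parser. This is example code written for this page, not code from the thread, from pidentd or from ircd. The connection table, the port numbers and the user names are constructed for the example; the fallback of echoing the unparsed port fields in an INVALID-PORT reply is this example's own choice, not something the RFC prescribes.

```python
"""Minimal RFC 1413 (Ident) responder and client-side parser.

Example code for this page (not pidentd or ircd). The connection table and
all names/ports below are constructed for the example.
"""
import re

IDENT_MAX_LINE = 512   # RFC 1413: a reply is at most 512 octets, CRLF included
ERROR_TYPES = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}


def _port(text):
    """RFC 1413 port fields are decimal integers in the range 1..65535."""
    text = text.strip()
    if not text.isdigit():
        raise ValueError("port is not a non-negative decimal integer")
    n = int(text)
    if not 1 <= n <= 65535:
        raise ValueError("port out of range")
    return n


def parse_request(line):
    """Parse '<server-port> , <client-port>' into (server_port, client_port)."""
    parts = line.rstrip("\r\n").split(",")
    if len(parts) != 2:
        raise ValueError("malformed request")
    return _port(parts[0]), _port(parts[1])


def error_reply(sport, cport, err):
    """Build an ERROR reply; RFC 1413 allows the four fixed types or X-* types."""
    if err not in ERROR_TYPES and not err.startswith("X"):
        raise ValueError("unknown error type")
    return f"{sport} , {cport} : ERROR : {err}\r\n"


def userid_reply(sport, cport, opsys, userid, charset=None):
    """Build a USERID reply; opsys is e.g. 'UNIX' or 'OTHER', charset optional."""
    opsys_field = opsys if charset is None else f"{opsys} , {charset}"
    reply = f"{sport} , {cport} : USERID : {opsys_field} : {userid}\r\n"
    if len(reply) > IDENT_MAX_LINE:
        raise ValueError("reply exceeds 512 octets")
    return reply


def serve(request_line, connection_table, forge_as=None):
    """Return the reply an identd would send for one request line.

    connection_table maps (server_port, client_port) -> username, standing in
    for the kernel's TCP connection table on an honest host.  With forge_as
    set, behave like a host whose root chooses the answer: the same request
    gets a fixed user and opsys 'OTHER', which RFC 1413 explicitly permits.
    """
    try:
        sport, cport = parse_request(request_line)
    except ValueError:
        # Echo the fields as received so the client can match the reply;
        # this fallback is the example's choice, RFC 1413 only requires
        # that bad ports yield INVALID-PORT.
        raw = [p.strip() for p in request_line.rstrip("\r\n").split(",")]
        sport, cport = (raw + ["0", "0"])[:2]
        return error_reply(sport, cport, "INVALID-PORT")
    if forge_as is not None:
        return userid_reply(sport, cport, "OTHER", forge_as)
    user = connection_table.get((sport, cport))
    if user is None:
        return error_reply(sport, cport, "NO-USER")
    return userid_reply(sport, cport, "UNIX", user)


# What a logging client (an ircd, tcpd, an SMTP daemon) does with the reply.
_REPLY = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\r?\n?$")


def parse_reply(line):
    """Parse a reply into a dict; the client has no way to verify any field."""
    m = _REPLY.match(line)
    if not m:
        raise ValueError("malformed reply")
    sport, cport, kind, rest = m.groups()
    result = {"ports": (int(sport), int(cport)), "kind": kind}
    if kind == "ERROR":
        result["error"] = rest.strip()
        return result
    # user-id may itself contain ':', so split only on the first one
    opsys_field, _, userid = rest.partition(":")
    opsys, _, charset = opsys_field.partition(",")
    result.update(opsys=opsys.strip(), charset=charset.strip() or None,
                  userid=userid.strip())
    return result


if __name__ == "__main__":
    table = {(6667, 40001): "alice"}          # constructed connection table
    honest = serve("6667 , 40001\r\n", table)
    forged = serve("6667 , 40001\r\n", table, forge_as="djb")
    print(honest.strip(), "->", parse_reply(honest)["userid"])
    print(forged.strip(), "->", parse_reply(forged)["userid"])
```

Run it and both replies parse identically on the client side; nothing in the protocol lets the ircd or tcpd distinguish the kernel-backed answer from the one root decided to send, which is the whole point made above. The example also shows that a reply with opsys "OTHER" is well-formed under the RFC, so a client that insists on "UNIX" is enforcing a convention of its own, not the standard.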