Subject: Re: OT ident thru IPnR?
To: None <charlie@rubberduck.com, port-mac68k@netbsd.org>
From: Armen Babikyan <armenb@moof.ai.mit.edu>
List: port-mac68k
Date: 07/05/2000 00:53:08
At 11:34 PM -0400 7/4/00, charlie allom wrote:
>hi,
>
>I'm having trouble getting libident (from pkgsrc) to work on my se/30.
>
>the se/30 goes thru an IPNetRouter firewall on my MacOS box. should i just
>open up port 113 on the MacOS side?
>
>i did this and started libident. i managed to get myself k-lined from most
>EFnet servers within 2 minutes. quite an achievement i thought ;)
>
>has anyone else had this setup working before, or can show me a nice
>identd or a brief description on what exactly identd does?
>
As far as I can tell, which might not be very far, identd doesn't matter
much for use with personal computers or anything non-un*x anyway. The idea
behind its use on a multi-user system is that the IRC server has a means of
knowing what username on the un*x system the irc process is running under,
so that one user can't impersonate another on the same system. It does this
by querying a daemon that is installed on the un*x box, called identd.

When an IRC connection is made to the server by bob@mybox, the IRC server
knows the source and destination port numbers on the ends of the tcp
connection IRC is making. It connects back to the machine on port 113
(identd), and asks the daemon what the username of the account is that has
that source port, which is unique on that system. The identd server (which
runs as root) responds to the IRC server, saying user 'bob' has that source
port. The IRC server is satisfied, and lets the person onto IRC.

In the personal computer world, there's no real distinction between a
program running as root or a program not running as root. ircle for MacOS,
for example, has the identd daemon built into the program. This
authentication business happens, and ircle's ident tells the irc server
whatever you put in the preferences. You can put anything there. Same goes
with Windows 95/98/NT.

When you use IP-NAT, and make a connection from an internal machine to the
IRC server, the server tries contacting your computer back at the ident
port. It connects to your gateway machine, but identd running on this port
doesn't recognize the source port number that the irc server gives it (in
netbsd, because the NAT code circumvents the resources identd looks at in
netbsd somehow), so it returns an error. This means the server gives you a
'~' preceding your username, or doesn't let you on at all (as you've
figured out).

There are a few things that can be done when this happens - write an identd
which always responds with a single, static string no matter what port
number the IRC server supplies (like 'bob'), or even become a little
creative and add some functionality which randomizes the username (like
'gTyuJek' for example), or whatever. If you are root on your own un*x
computer, you can do whatever you want in this regard. The original idea
behind identd was that most users on a system weren't root, and so they
couldn't run a program which uses a privileged port (like identd's 113;
privileged ports are < 1024, I think).

There are identds which have the aforementioned features. oidentd has this
feature, for example. oidentd is only available for un*x, meaning that
you'll want to use netbsd as your gateway machine if you use this option.

You could also use ipnat's "redir" directive (something ipnr probably has
too), and forward port 113 on your gateway system to a particular computer
on your internal lan ('mybox'). Doing this assumes that the only computer
you IRC from is mybox. If you use another computer on your internal lan,
the identd request will get sent to mybox, and it might not have an identd,
so you'll be stuck at square one again. This also means identd won't work
for clients on your gateway machine itself, because the identd requests are
forwarded somewhere else.

Someone with a lot of time could probably write a kernel module that is
able to detect outgoing IRC ports and automatically predict that an IRC
server will be contacting it back soon for identd information on a
particular user, and know what computer on the internal lan requested it,
and forward identd connections appropriately, but, err, that sounds ugly.
Also prone to race condition vulnerabilities too! :)

Ramble, ramble. I hope what I said is accurate... please correct me if I'm wrong.
good luck,
- a
>
>--
>charlie@rubberduck.com
>Melbourne, Australia
>http://rubberduck.com/ - PGP available
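The ident exchange Armen describes (the IRC server connecting back to port 113 with the port pair, a classic identd answering from its connection table, and a NAT gateway answering with an error because the connection is not in its table) is modelled below as an added Python example. It is not part of the original message and not oidentd's or any real identd's code. The wire format follows RFC 1413; the connection table, the peer addresses and the "static string" identd are constructed here for illustration, and the "~"-prefix function mirrors the convention the message mentions, not any particular ircd's code.

```python
"""Model of the RFC 1413 ident exchange described in the thread (added example)."""
import re

# RFC 1413 query: "<port-on-ident-host> , <port-on-querying-host>" followed by CRLF.
# For an IRC login this is "<user's source port> , <IRC server port>".
_QUERY_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")
_MAX_USER_ID = 512  # RFC 1413 caps the user-id field at 512 octets


def parse_query(line):
    """Return (local_port, remote_port) or None if the query is malformed."""
    m = _QUERY_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    local_port, remote_port = int(m.group(1)), int(m.group(2))
    if not (1 <= local_port <= 65535 and 1 <= remote_port <= 65535):
        return None
    return local_port, remote_port


def sanitize_user_id(user_id):
    """Strip the octets RFC 1413 forbids in user-id (NUL, CR, LF) and cap the length."""
    return "".join(ch for ch in user_id if ch not in "\0\r\n")[:_MAX_USER_ID]


def format_reply(local_port, remote_port, kind, payload, opsys="UNIX"):
    """Build a reply line: '... : USERID : <opsys> : <user>' or '... : ERROR : <type>'."""
    if kind == "USERID":
        return "%d , %d : USERID : %s : %s\r\n" % (local_port, remote_port, opsys, payload)
    return "%d , %d : ERROR : %s\r\n" % (local_port, remote_port, payload)


def classic_reply(line, conn_table, peer_addr):
    """A multi-user identd: answer only from the kernel's view of local TCP connections.

    conn_table maps (local_port, remote_addr, remote_port) -> username. Checking that
    remote_addr equals the querying peer stops a third party from asking about someone
    else's connections. On a NAT gateway the forwarded connection is not local, so the
    lookup fails and the reply is NO-USER (the error the message describes).
    """
    q = parse_query(line)
    if q is None:
        return format_reply(0, 0, "ERROR", "INVALID-PORT")
    local_port, remote_port = q
    user = conn_table.get((local_port, peer_addr, remote_port))
    if user is None:
        return format_reply(local_port, remote_port, "ERROR", "NO-USER")
    return format_reply(local_port, remote_port, "USERID", user)


def static_reply(line, fixed_user):
    """The 'always answer with one string' identd from the message: no table lookup at all."""
    q = parse_query(line)
    if q is None:
        return format_reply(0, 0, "ERROR", "INVALID-PORT")
    local_port, remote_port = q
    return format_reply(local_port, remote_port, "USERID", sanitize_user_id(fixed_user))


def server_view(reply, claimed_user):
    """How an IRC server typically uses the reply: a USERID answer is trusted as-is,
    any error leaves the client's own USER claim marked with a leading '~'."""
    fields = [f.strip() for f in reply.rstrip("\r\n").split(":")]
    if len(fields) >= 4 and fields[1] == "USERID":
        return ":".join(fields[3:])
    return "~" + claimed_user


# Constructed sample: bob on a multi-user box has a connection from local port 1234
# to the IRC server 192.0.2.10:6667 (addresses are documentation ranges, not real hosts).
IRC_SERVER = "192.0.2.10"
SAMPLE_TABLE = {(1234, IRC_SERVER, 6667): "bob"}
QUERY = "1234 , 6667\r\n"  # what the IRC server sends to port 113

if __name__ == "__main__":
    print("multi-user host :", classic_reply(QUERY, SAMPLE_TABLE, IRC_SERVER).strip())
    # The gateway never had this connection in its own table.
    print("NAT gateway     :", classic_reply(QUERY, {}, IRC_SERVER).strip())
    print("static identd   :", static_reply(QUERY, "bob").strip())
    print("server sees     :", server_view(classic_reply(QUERY, {}, IRC_SERVER), "bob"))
```

Running it shows the three outcomes side by side: the real host answers "USERID : UNIX : bob", the gateway answers "ERROR : NO-USER" (which the server turns into "~bob" or a refusal), and the static identd answers with whatever string it was configured with, which is exactly why ident proves nothing about a machine whose owner is root.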