Subject: Re: identd with NAT and IPv6 support.
To: Jim Wise <jwise@draga.com>
From: Aidan Cully <aidan@kublai.com>
List: tech-net
Date: 03/27/2002 21:22:04
On Wed, Mar 27, 2002 at 08:17:06PM -0500, Jim Wise wrote:
> On Wed, 27 Mar 2002, Aidan Cully wrote:
>
> >I take some issue with that... ident can be very useful in limited
> >situations. If you've got a multi-user shell service, and don't want
> >to ask your users for passwords when they connect over TCP to another
> >service you've got, but this service provides different things to
> >different users, ident is not a bad way to go. INN's nnrpd can
> >resolve users over ident because of just this situation.
> >
> >ident is useless once you leave a trusted area.
>
> Which is to say that you translate a problem of imitating a trusted user
> at a trusted IP to a problem of imitating just the trusted IP? If that's
> your goal, use .rhosts...
You seem to be assuming one-user-per-IP? Or that we expect people to
be able to read news from the newsserver itself?
To spoof IP you need raw access to the network, which *can* be
prevented, if you trust the admins of the hosts on that network. When
these admins are "you", it's perfectly trustworthy, unless you're
incompetent. (on single-user machines, the user is basically an admin,
and ident can't be used.)
I'm not expressing myself clearly, but I don't accept that ident is
100% useless. It can be removed from basesrc and I won't shed a tear,
but it fills its niche quite nicely.
--aidan