[SUMMARY] Ident

From: simon.millard@gemini.barclays.co.uk
Date: Tue Oct 20 1998 - 09:43:17 CDT


Sorry for the delay,

My replies were:

bern@TI.Uni-Trier.DE

Your user is slightly messing up things here: An IDENT request returns
some information CLAIMING to disclose (in some form) the user on whose
behalf a connection is made; In order to be sure, you have to check
back with a (trusted) systems administrator that the identd returning
the information is trustable. However, this is a very common
misconception. For this very reason, some identd's actually don't give
out user names or UIds but cryptographic tokens that have to be
translated into readable information by the admin of the questioned
system:

penthesilea% netstat -f inet | grep dragoni | grep telnet
tcp 0 0 penthesilea.telnet dragoni.trier.it.2301 ESTABLISHED
penthesilea% telnet dragoni ident
Connected to dragoni.
Escape character is '^]'.
2301,23
2301 , 23 : USERID : OTHER , ISO-8859-1 : [jMbAG2sNZhVHsxM2gtsjn3MFBmUlhpsG]

Dragoni# echo "[jMbAG2sNZhVHsxM2gtsjn3MFBmUlhpsG]" | /usr/local/sbin/idecrypt
Tue Oct 13 17:30:16 1998 16211 153.96.230.71 2301 136.199.55.61 23

Other issues to think about are "do I want to give out User Names or
UIds?", "do I want to allow users to have a ~/.noident ?", etc.

I've used pidentd all over the place, no horror stories so far.

Having *some* identd (just echo a fixed string if you must ;-) is
advantageous, as some FTP servers insist on an IDENT request being
served before they let you log in. By sheer numbers, the main usage is
sendmail (starting with version 8 IIRC) - watch these Received: headers
from your SUN-Managers mail:

rali@metica.com

First of all, ident (or identd) is an implementation of an
authentication protocol which is correctly called "Identification
Protocol" (But then the authors of the RFC used the name in the INTRO
section of the RFC ...)

I don't think IDENT works quite the way your user thinks it does ...

Ident is a client/server protocol but I'm going to almost reverse the
terminology (ala X).

If you (the client) make a connection to a service on a remote system
(the server), an ident capable service will then query the client on
port 113 (auth/ident well known port) and ask "what user on your
system opened a TCP socket with endpoints of: MyTCPPort,YourTCPPort?"
IF the client is running the identd server it will respond with
"YourTCPPort , MyTCPPort : USERID :<username>"

As you can see, the problems are that 1) The service must have ident
capability included (or write a wrapper that does authentication, does
logging and then calls the real service) and 2) The client must be
running the authentication service.

<> Ident is, allegedly, part of RFC1413.

Um, no. Ident +is+ RFC1413 (or more correctly, RFC 1413 documents the
entire protocol). If you want to read it yourself, retrieve:
ftp.uu.net/inet/rfc/rfc1413.Z
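The exchange in bern's transcript and rali's description of the query and reply, turned into a small parser for the querying side; this is an added example, not code from any of the posters. The names IdentReply, build_query, parse_reply, check_reply and is_opaque_token are chosen here, and the bracketed-token check assumes the [...] convention seen in the transcript rather than anything RFC 1413 specifies.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 1413 reply: "<port-on-ident-host> , <port-on-querier> : USERID : <opsys>[ , <charset>] : <user-id>"
#             or: "<port-on-ident-host> , <port-on-querier> : ERROR : <error-type>"
_REPLY_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*)$")


@dataclass
class IdentReply:
    port_on_ident_host: int   # port on the host running identd (2301 on dragoni above)
    port_on_querier: int      # port on the host that asked (23 on penthesilea above)
    error: Optional[str] = None
    opsys: Optional[str] = None
    charset: Optional[str] = None
    user_id: Optional[str] = None


def build_query(port_on_ident_host: int, port_on_querier: int) -> str:
    """The single line the querying service sends to port 113 on the ident host."""
    return f"{port_on_ident_host},{port_on_querier}\r\n"


def parse_reply(line: str) -> IdentReply:
    """Parse one reply line; raise ValueError for anything outside the RFC grammar."""
    m = _REPLY_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"malformed ident reply: {line!r}")
    p_ident, p_querier, kind, rest = m.groups()
    reply = IdentReply(int(p_ident), int(p_querier))
    if kind == "ERROR":
        reply.error = rest.strip()          # NO-USER, HIDDEN-USER, INVALID-PORT, ...
        return reply
    opsys_field, sep, user_id = rest.partition(":")
    if not sep:
        raise ValueError(f"USERID reply without a user-id field: {line!r}")
    opsys, _, charset = (s.strip() for s in opsys_field.partition(","))
    reply.opsys = opsys
    reply.charset = charset or "US-ASCII"   # RFC 1413 default when no charset is named
    reply.user_id = user_id.strip()
    return reply


def check_reply(port_on_ident_host: int, port_on_querier: int, reply: IdentReply) -> bool:
    """The echoed port pair must match what was asked, or it is not an answer to our query."""
    return (reply.port_on_ident_host, reply.port_on_querier) == (port_on_ident_host, port_on_querier)


def is_opaque_token(reply: IdentReply) -> bool:
    """Bracketed user-id as in the transcript: only the remote admin (idecrypt) can read it (assumed convention)."""
    return bool(reply.user_id) and reply.user_id.startswith("[") and reply.user_id.endswith("]")
```

Whatever parse_reply returns is still only a claim by the remote identd; as bern notes, it is worth no more than the trust placed in the administrator of the host that answered.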

sabrina@wwa.com

Ident is a protocol by which a host can verify the true source of a
connection by username.

That is, if I telnetted from machine1 to machine2, machine2 could
request ident from machine1 and log that I performed the telnet as user
"sabrina." It's a pretty useful utility to have around. sendmail and
lots of utilities use it to log extra information. It's also often used
by IRC servers -- some servers require ident to allow a client to
connect. (That's to help prevent people from abusing their servers.)

You can probably find source for pidentd pretty easily. If you need
it, I can get you a source tarfile (but it might be a year old or so,
so you probably want to do the archie thing first. :)

rik@netassest.com

Inetd implements RFC1413 and is mentioned in the Solaris2 FAQ (Part 2
Question 3). You can get the source from
ftp://ftp.lysator.liu.se/pub/ident/servers/ or several mirrors. The
most common user reason for requesting inetd is IRC.

benoit@Mathematik.Uni-Marburg.DE

The "Identification Protocol" is an Internet Standard, defined in RFC
1413. It provides information about the identity of users on a machine.

Certain network programs need this service; the most often used is
probably IRC, the Internet Relay Chat, where an IRC server requests
information about the identity of a user via the ident protocol.

Some other software may need this also ...

Read the RFC on how it works
(ftp://ftp.fu-berlin.de/pub/doc/rfc/rfc1413.gz)

There are quite a few ident-daemons available:
ftp://ftp.fu-berlin.de/pub/unix/security/ident/

franks@tradeonemktg.com

Ident is a protocol that, given a port number, returns the owner of the
process using that connection. There are free identd sources
available. Some email, web, and ftp servers do ident requests to log
more detail on who is connecting to them, and some wait for the request
to time out before moving on, so running an ident daemon may help you
in those cases.

Some think it is giving out more info than you want, since it gives a
username that someone could then try to hack, but if this is an issue
you can configure most idents to return a generic bogus name on every
request.

I would consider why they want ident running, since it is easily
spoofed (if all the machines are not controlled someone can run their
own ident and return any name they want), and if you are running a
service that requires some authentication you need something a lot more
secure than ident.

sage@3sheep.COM

You need the package "pidentd" available at
ftp.cert.dfn.de/pub/tools/audit/pidentd -- the identd server basically
verifies to the outside world who is opening a given tcp connection.

kriss@fnal.gov

The ident daemon must be running on the client side for identification
to take place. Example: Machine A has a user who wants to access a
process on Machine B. When the service on machine B gets accessed it
asks the client machine for the identity of the user of the source
port. Machine A then should respond with the user name of the source
port. If the client and server are on the same machine then it makes
sense for you to install the identd on your machine. Otherwise it is
the client machine that must install the identd daemon.

benites@cs.unca.edu

Here's the excerpt from the Berkeley sendmail 8.9.1a distribution file:

Sendmail 8 supports the IDENT protocol, as defined by RFC 1413.
No ident server is included with this distribution. I have found
copies available on:

 ftp.lysator.liu.se /pub/ident/servers
 romulus.ucs.uoknor.edu /networking/ident/servers
 ftp.cyf-kr.edu.pl /agh/uciagh/network/ident

If you want to run an IDENT server, I suggest getting a copy from one
of those sites. Versions are available for several different systems,
including Apollo, BSD, NeXT, AIX, TOPS20, and VMS.

Some time ago, I couldn't access two of the above sites. The one I
could access: ftp.lysator.liu.se, had three versions of the ident daemon
software: 2.7.4, 2.8.2, and 3.0b1. I could only get 2.8.2 to work.

Thorsten.Biel@ks.sel.alcatel.de

I admit not having read the RFC, but AFAIK, ident *is* RFC1413. It's a
service (daemon) that has to run on the client initiating a network
connection. The server accepting the connection returns an ident query
to the client, to which the ident daemon responds with its interpretation
of the initiator's userID. The server may then use this information -
if it can be trusted - for access purposes or simply for logging.

You can find an implementation of the ident daemon for almost all Unix
flavors at ftp://ftp.lysator.liu.se/pub/ident/servers. I don't know
about any non-Unix implementations, sorry.

mps@discomsys.com

Get "pidentd"; it works for me. The problem being the Sun PAM library.

I have checked my servers and both of them have the ability to run
ident but because of a typo in the /etc/inetd.conf, it was looking in
the wrong place. I have now pointed ident at the correct file and it
fires up.

Thanks for the replies.




This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:51 CDT