[lug] open port

rise rise at knavery.net
Thu Mar 28 12:53:46 MST 2002


On Thu, 28 Mar 2002, Riggs, Rob wrote:

> Personally, I think AUTH stinks. It is only valid in a trusted environment.
> It made sense when everyone logged in to a central server to read and send
> mail. When 99% of all mail is composed on individual workstations and
> relayed through a central server, it is a waste of bandwidth.

Rant warning (not directed at you, Rob; you're right about using it as
an authentication mechanism):

The Identification Protocol[0] stinks _as an authentication mechanism_
because it isn't one.  It's meant to be an identification mechanism,
in this case something that hands you an opaque token that you can
take to the server admin of the remote site and say "figure out who
this person is and LART them".  The now self-perpetuating confusion or
laziness of developers and admins who ended up handing out usernames
instead of something truly opaque has ruined it for the rest of us[1].
The RFC writer whose first example is a username probably should have
been more careful, but the standard is clear. And yes, there is "OTHER
support" and some servers do provide cryptographic tokens.

Yet another useful protocol or service gone down in flames because of
people who didn't bother to read and understand the RFCs (or the Fine
Manual) before writing conceptually broken software and actively wrong
documentation.

RFC1413
http://www.ietf.org/rfc/rfc1413.txt?number=1413
----

   The Identification Protocol (a.k.a., "ident", a.k.a., "the Ident
   Protocol") provides a means to determine the identity of a user of
   a particular TCP connection.  Given a TCP port number pair, it
   returns a character string which identifies the owner of that
   connection on the server's system.
...
   The information returned by this protocol is at most as trustworthy
   as the host providing it OR the organization operating the host.  For
   example, a PC in an open lab has few if any controls on it to prevent
   a user from having this protocol return any identifier the user
   wants.  Likewise, if the host has been compromised the information
   returned may be completely erroneous and misleading.

   The Identification Protocol is not intended as an authorization or
   access control protocol.  At best, it provides some additional
   auditing information with respect to TCP connections.  At worst, it
   can provide misleading, incorrect, or maliciously incorrect
   information.

   The use of the information returned by this protocol for other than
   auditing is strongly discouraged.  Specifically, using Identification
   Protocol information to make access control decisions - either as the
   primary method (i.e., no other checks) or as an adjunct to other
   methods may result in a weakening of normal host security.
----


[0] Yes, almost everyone calls it auth, that's part of the problem -
    it was badly named and has now been renamed (for 1993 values of
    "now"), but nobody bothers to remember or find out.

[1] I don't run an ident server anymore either, largely because I
    figure it's now a lost cause.  One day that may change (hmm, ident
    meets ipsec could be fun).

-- 
Jonathan Conway						      rise at knavery.net
history is paling & my surge protection failed, & so I FRIED
						- Concrete Blonde, "Fried"
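
An added example (not code from Jonathan's post or from RFC 1413 itself): a
minimal ident responder in Python that does what the rant asks for. Instead of
a login name it answers with an opaque HMAC-based token under the OTHER
opsys field, so the string is useful to the remote admin only as something to
bring back to the local admin ("figure out who this is"). It also includes
the client-side reply parser and the local admin's resolver. The reply
grammar and the error types (INVALID-PORT, NO-USER, HIDDEN-USER) are the
RFC's; the connection table, hidden-user set, host secret, audit log and the
"0 , 0" placeholder for an unparseable request are constructed for this
example.

```python
"""Minimal RFC 1413 (ident) responder that hands out opaque audit tokens.

Added example, not code from the original post.  The reply grammar
(port pair, USERID/ERROR, the OTHER opsys field, the error types) is
RFC 1413's; the connection table, secret, hidden-user set and audit log
are constructed here so the example runs offline.
"""
import hashlib
import hmac
import re

# Constructed: what the kernel's TCP table would tell a real responder,
# keyed by (port on this host, port on the remote host) -> local owner.
CONNECTIONS = {
    (6667, 51234): "alice",
    (22, 40001): "bob",
    (25, 33000): "carol",
}

# Constructed: users who asked not to be identified (RFC 1413 HIDDEN-USER).
HIDDEN_USERS = {"carol"}

# Assumed per-host secret; a real responder reads it from a root-only file.
HOST_SECRET = b"replace-me-with-32-random-bytes"

# Local audit log: token -> (server_port, client_port, user).  Only the
# local admin can turn a token back into a name; the remote site cannot.
AUDIT_LOG = {}

# Request line: <port-on-server> , <port-on-client>
REQUEST_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")


def make_token(server_port, client_port, user, secret=HOST_SECRET):
    """Opaque token for one connection: HMAC-SHA256 over the tuple, truncated
    to 32 hex digits.  Says nothing about `user` to anyone without the secret."""
    msg = f"{server_port},{client_port},{user}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def respond(request, connections=CONNECTIONS, hidden=HIDDEN_USERS):
    """Build one RFC 1413 reply line (without the trailing CRLF) for `request`."""
    m = REQUEST_RE.match(request.rstrip("\r\n"))
    if not m:
        # Nothing to echo back; "0 , 0" is this example's placeholder, not
        # something the RFC mandates.
        return "0 , 0 : ERROR : INVALID-PORT"
    sport, cport = int(m.group(1)), int(m.group(2))
    echo = f"{sport} , {cport}"
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return f"{echo} : ERROR : INVALID-PORT"
    user = connections.get((sport, cport))
    if user is None:
        return f"{echo} : ERROR : NO-USER"
    if user in hidden:
        return f"{echo} : ERROR : HIDDEN-USER"
    token = make_token(sport, cport, user)
    AUDIT_LOG[token] = (sport, cport, user)
    # opsys-field OTHER: the RFC's way of saying "this user-id is not a login name".
    return f"{echo} : USERID : OTHER : {token}"


def parse_reply(line):
    """Client side: split a reply into its fields.  Returns a dict with
    'ports', 'type' and either ('opsys', 'id') or 'error'."""
    ports, rtype, rest = (f.strip() for f in line.rstrip("\r\n").split(":", 2))
    sport, cport = (int(p) for p in ports.split(","))
    if rtype == "ERROR":
        return {"ports": (sport, cport), "type": "ERROR", "error": rest}
    if rtype == "USERID":
        opsys, uid = (f.strip() for f in rest.split(":", 1))
        return {"ports": (sport, cport), "type": "USERID", "opsys": opsys, "id": uid}
    raise ValueError(f"unknown reply type {rtype!r}")


def resolve_token(token, secret=HOST_SECRET):
    """Local admin's side: map a token a remote admin brought back to its
    connection record, re-checking the HMAC so a made-up token is rejected."""
    rec = AUDIT_LOG.get(token)
    if rec is None:
        return None
    sport, cport, user = rec
    if not hmac.compare_digest(make_token(sport, cport, user, secret), token):
        return None
    return rec


if __name__ == "__main__":
    for req in ("6667 , 51234", "25 , 33000", "80 , 1", "70000 , 5", "alice"):
        reply = respond(req)
        print(f"{req!r:>16} -> {reply}")
        parsed = parse_reply(reply)
        if parsed["type"] == "USERID":
            print("   resolves locally to", resolve_token(parsed["id"]))
```

The token is deterministic for a given (port pair, user), so a production
responder would also fold the connection's start time into the HMAC and the
log entry; otherwise a reused port pair yields the same token and the audit
record gets overwritten. That is still exactly what the RFC positions ident
for (auditing), and nothing here should ever be fed into an access-control
decision.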