[lug] open port

Peter Hutnick peter at fpcc.net
Thu Mar 28 13:22:50 MST 2002


On Thursday 28 March 2002 12:53 pm, rise wrote:
> On Thu, 28 Mar 2002, Riggs, Rob wrote:
> > Personally, I think AUTH stinks. It is only valid in a trusted
> > environment. It made sense when everyone logged in to a central server to
> > read and send mail. When 99% of all mail is composed on individual
> > workstations and relayed through a central server, it is a waste of
> > bandwidth.
>
> Rant warning (not directed at you, Rob, you're right about using it as
> an authentication mechanism):
>
> The Identification Protocol[0] stinks _as an authentication mechanism_
> because it isn't one.  It's meant to be an identification mechanism,
> in this case something that hands you an opaque token that you can
> take to the server admin of the remote site and say "figure out who
> this person is and LART them".  The now self-perpetuating confusion or
> laziness of developers and admins who ended up handing out usernames
> instead of something truly opaque has ruined it for the rest of us[1].
> The RFC writer whose first example is a username probably should have
> been more careful, but the standard is clear. And yes, there is "OTHER
> support" and some servers do provide cryptographic tokens.
>
> Yet another useful protocol or service gone down in flames because of
> people who didn't bother to read and understand the RFCs (or the Fine
> Manual) before writing conceptually broken software and actively wrong
> documentation.

I agree with everything you have said here.

The /other/ problem with ident is that it leaks too much info IMO.

A while back I toyed with the idea of an (probably RFC busting :-(  ) 
identalike I called shydent that issued an arbitrary string on any ident 
request and logged it locally.  That way users responsible for connections 
could be held responsible by the local admin, but it didn't, for instance, 
announce to anyone that asks that you're running such-and-such service as 
root or whatever.

This would also remove the temptation to use it for authentication.

I mentioned this to someone smarter than me at the time (about 18 months ago) 
and he explained that there was already a feature in identd that met my 
requirements but worked differently.  Unfortunately I can't remember what it 
was, and can't find it in the man page :-(  Maybe it was the -N option.  Does 
that log the port and user?  I don't think that was it because it would not 
work well on a busy server.  "Was your ident request at 15:14:18 or 
15:14:38?"  "Well, my server's clock is about 18 seconds faster than yours . . ."
Not cool.  Unless maybe it gives the local time along with a "HIDDEN-USER"
response.

-Peter
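The "shydent" idea from the message above, as an added example that is not code from the list, from any identd, or from the RFC: an RFC 1413 responder that parses the `<port-on-server>, <port-on-client>` query, answers with an opaque random token under the `OTHER` opsys field instead of a username, and records the token-to-user mapping locally so the admin can resolve a complaint by token rather than by matching timestamps. The connection table, usernames and ports are constructed sample data; `handle_ident_request` and `resolve_token` are hypothetical names.

```python
import re
import secrets
import time

# Constructed sample of what a real identd would read from the kernel's
# connection table: (port on this host, port on the peer) -> local user.
CONNECTION_TABLE = {
    (6193, 23): "alice",
    (6195, 25): "root",
}

# Local-only record, never sent to the querier:
# token -> (timestamp, username, port-on-server, port-on-client).
TOKEN_LOG = {}

# RFC 1413 request: two decimal port numbers separated by a comma.
REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


def lookup_user(server_port, client_port):
    return CONNECTION_TABLE.get((server_port, client_port))


def handle_ident_request(line, now=None):
    """Answer one ident query with an opaque token instead of a username."""
    m = REQUEST_RE.match(line)
    if not m:
        # Unparsable request: echo zeros with INVALID-PORT (our choice;
        # the RFC only fixes the error keyword, not the echoed ports).
        return "0 , 0 : ERROR : INVALID-PORT"
    server_port, client_port = int(m.group(1)), int(m.group(2))
    if not (1 <= server_port <= 65535 and 1 <= client_port <= 65535):
        return f"{server_port} , {client_port} : ERROR : INVALID-PORT"
    user = lookup_user(server_port, client_port)
    if user is None:
        return f"{server_port} , {client_port} : ERROR : NO-USER"
    # Fresh random token per query: reveals nothing about the user or the
    # service, but is unique enough to be quoted back to the local admin.
    token = secrets.token_hex(16)
    stamp = time.time() if now is None else now
    TOKEN_LOG[token] = (stamp, user, server_port, client_port)
    return f"{server_port} , {client_port} : USERID : OTHER : {token}"


def resolve_token(token):
    """Local admin lookup: map a token from a complaint back to the user."""
    return TOKEN_LOG.get(token)
```

Because the token is the lookup key, the remote admin's clock skew no longer matters when the two sides compare notes.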
