[lug] open port

rise rise at knavery.net
Thu Mar 28 16:36:40 MST 2002



On Thu, 28 Mar 2002, Peter Hutnick wrote:

> The /other/ problem with ident is that it leaks too much info IMO.

But it isn't required to...

> A while back I toyed with the idea of an (probably RFC busting :-( )
> identalike I called shydent that issued an arbitrary string on any
> ident request and logged it locally.  That way users responsible for
> connections could be held responsible by the local admin, but it
> didn't, for instance, announce to anyone that asks that you're
> running such-and-such service as root or whatever.

Doesn't bust the RFC at all:

     "OTHER" indicates the identifier is an unformatted
     character string consisting of printable characters in
     the specified character set.  "OTHER" should be
     specified if the user identifier does not meet the
     constraints of the previous paragraph.  Sending an
     encrypted audit token, or returning other non-userid
     information about a user (such as the real name and
     phone number of a user from a UNIX passwd file) are
     both examples of when "OTHER" should be used.

Explicitly allowed by the RFC sounds good enough to me...

> This would also remove the temptation to use it for authentication.

Exactly.

> I mentioned this to someone smarter than me at the time (about 18
> months ago) and he explained that there was already a feature in
> identd that met my requirements but worked differently.
> Unfortunately I can't remember what it was, and can't find it in the
> man page :-(

Perhaps you have a different identd?  This is from the identd(1) manpage
from the pidentd package (ftp://ftp.lysator.liu.se/pub/ident/servers/)
that SuSE ships:

       -E        Enables DES encryption of the returned data (see
                 below for more information).

Gives you an encrypted token with timestamp, socket pair, uid,
etc. that you can then decrypt using idecrypt.  Seems just about
perfect to me.  I may have to start running identd again.

> don't think that was it because it would not work well on a busy
> server.  "Was your ident request at 15:14:18 or 15:14:38?"  "Well,
> my server's clock is about 18 seconds faster than yours..."  Not
> cool.  Unless maybe it gives the local time along with "HIDDEN-USER"
> response.

Nope, that's just to let users opt-out from ident.

-- 
Jonathan Conway						      rise at knavery.net
history is paling & my surge protection failed, & so I FRIED
						- Concrete Blonde, "Fried"
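An added illustration of the "shydent" idea discussed above, using the RFC 1413 "OTHER" type: the remote side gets an opaque token, and only the local audit log maps it back to a uid. This is example code written for this page, not pidentd's -E implementation; the secret, the connection table and the log format are constructed assumptions.

```python
"""Opaque-token ident responder: RFC 1413 reply format with an 'OTHER' identifier."""
import hmac
import hashlib
import re

# RFC 1413 request: "<port-on-server> , <port-on-client>" with optional whitespace.
REQ_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")

# Constructed sample of the local connection table: (server_port, client_port) -> owning uid.
SAMPLE_CONNECTIONS = {(6667, 40001): 1000, (22, 40002): 0}

# Constructed demo secret; a real deployment would read it from a root-only file.
DEMO_SECRET = b"constructed-demo-secret"

def make_token(server_port, client_port, uid, timestamp, secret=DEMO_SECRET):
    """Keyed digest over (timestamp, socket pair, uid): printable, fixed length, opaque without the log."""
    msg = f"{timestamp}:{server_port}:{client_port}:{uid}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]

def respond(request_line, connections, timestamp, audit_log, secret=DEMO_SECRET):
    """Build the RFC 1413 reply for one request line; append the real mapping to the local audit log."""
    m = REQ_RE.match(request_line)
    if not m:
        # Unparseable request: no port pair to echo, so "0 , 0" is used here by choice.
        return "0 , 0 : ERROR : INVALID-PORT"
    sport, cport = int(m.group(1)), int(m.group(2))
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return f"{sport} , {cport} : ERROR : INVALID-PORT"
    uid = connections.get((sport, cport))
    if uid is None:
        return f"{sport} , {cport} : ERROR : NO-USER"
    token = make_token(sport, cport, uid, timestamp, secret)
    # Only the local log learns who owned the connection; the remote side sees only the token.
    audit_log.append(f"{timestamp} {sport},{cport} uid={uid} token={token}")
    return f"{sport} , {cport} : USERID : OTHER : {token}"

def lookup(token, audit_log):
    """Admin side: map a token quoted in an abuse report back to the logged uid, or None."""
    for line in audit_log:
        if line.endswith(f"token={token}"):
            return int(line.split("uid=")[1].split()[0])
    return None
```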

