[lug] open port
D. Stimits
stimits at idcomm.com
Fri Mar 29 15:37:22 MST 2002
"Riggs, Rob" wrote:
>
> I understand your rant. But I do disagree. IDENT is a relic of a more naive
> time. Now, when anyone on a workstation has admin rights (my Linux box, the
> Win95 box down the hall, etc.) IDENT cannot be trusted for anything.
> Furthermore, IDENT came about at a time when most people used timesharing
> systems (1984). And it *was* mean to be an authentication protocol. Heck,
> prior to 1413, it was called the Authentication Service Protocol[1][2]. And
> the original author did intend it to be used as such! This is why it is
> still labeled "auth" in /etc/services and called the AUTH protocol by many.
>
> But my point was that it's useless for even basic identification, especially
> for email, since most SMTP conversations are between daemons, and not user
> to server. It's completely unnecessary between border MTAs. The "Received"
> header is a far more useful tool for LART activation.
>
> -Rob
>
> [1] http://www.faqs.org/rfcs/rfc912.html
> [2] http://www.faqs.org/rfcs/rfc931.html
>
> -----Original Message-----
> From: rise [mailto:rise at knavery.net]
> Sent: Thursday, March 28, 2002 12:54 PM
> To: 'lug at lug.boulder.co.us'
> Subject: RE: [lug] open port
>
> On Thu, 28 Mar 2002, Riggs, Rob wrote:
>
> > Personally, I think AUTH stinks. It is only valid in a trusted
> environment.
> > It made sense when everyone logged in to a central server to read and send
> > mail. When 99% of all mail is composed on individual workstations and
> > relayed through a central server, it is a waste of bandwidth.
>
> Rant warning (not directed at you, Rob, you're right about using it as
> an authentication mechanism):
>
> The Identification Protocol[0] stinks _as an authentication mechanism_
> because it isn't one. It's meant to be an identification mechanism,
> in this case something that hands you an opaque token that you can
> take to the server admin of the remote site and say "figure out who
> this person is and LART them".
Ident isn't really authentication, it's only real purpose is
anti-spoofing. If someone demans auth, and machine A wants to talk to
machine B, machine B asks A if the ports named are a valid pair. If it
is spoofed on that port pair, or if the name of the user connecting
(done in a sanely private way) does not really exist on the remove
machine (lying about who their account name is), it fails. The ident
mechanism is still useful, it has some minor ability to stop spoofing
and man-in-middle attacks. It won't give out any information that isn't
required anyway. It's archaic and weak, but I don't think it is a risk,
it is a help.
D. Stimits, stimits at idcomm.com
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
More information about the LUG
mailing list