Slashdot Mirror


Why do we still use IDENTD?

Wakko Warner asks: "So anyway, I was on IRC the other day (as I am often wont to do), and, as I was being banned from the network for not running 'identd', I thought to myself: 'Why do we still use this???' Can anyone come up with a valid reason why, in 2002, ident is still considered by some people to be a necessary component of the Internet? Most people use Windows for everything, and Windows has no identity services. Most UNIX folks I know disable it for security reasons. So, why do people still insist we run it in order to connect to their network? Is it still 1993 in some part of the world?"

8 of 102 comments

  1. Bots/Abuse by Inominate · · Score: 3, Insightful

    Much abuse tends to come (or came) from commercial unix systems whose users would have purchased an account. Identd works well for keeping track of these people, even if it is of no use for individual users with their own machines.

  2. Worthless for unix accounts too. by AntipodesTroll · · Score: 4, Insightful

    No serious systems administrator running a public or private access unix system with user accounts allows such valuable user information out onto the net. Anyone who does (maybe the same idiots who run IRC servers that require ident?) deserves to have their user accounts 0wned. Everyone I know makes sure ident is at least faked, but usually plain dropped silently.

    There is NO good reason for crappy old fake-able, spoof-able, deny-able ident to be a requirement anymore. Certain IRC admins just need to get their heads out of their asses.

    --
    Anyone who considers arithmetical methods of producing random numbers is, of course, in a state of sin. -John von Neumann
    1. Re:Worthless for unix accounts too. by sudog · · Score: 2, Insightful

      You ever thought of untrusted users on a multi-user system such as.. say.. a University's? In a multi-user system you can't spoof your ident unless you've got access to bind to port 113. Otherwise, it's a very helpful tool for the admin of those systems: you're just a goof if you think otherwise.

      "No serious systems administrator."

      Give me a break! SFU's system admins were some of the best UNIX-heads I've ever met!

  3. Re:Pretty Simple by sql*kitten · · Score: 5, Insightful

    Perhaps the real problem with this question is that too many people feel they have a right to use/abuse a service run by someone else. IRC is a free service run by people who out of the kindness of their hearts run one of the most attacked services on the net. If they then require you to run a tiny little program to make their lives easier then so be it.

    But does it make their lives easier? Consider: Unix reserves ports up to 1024 for the superuser. The theory was always that you could trust these ports on a remote host, if you trusted the sysadmin, because no ordinary user could bind a process to them. If the sysadmin was an employee of a university or a major corporation, then it was quite reasonable to do so. Barring man-in-the-middle attacks, this system worked quite well. At the time this convention was created, it was considered highly unlikely that you could buy your own Unix host for under $500! You could trust the owners of the machine because machines were expensive, and the owners would take adequate action to ensure that only legitimate users had accounts. The convention also allowed the designers of TCP/IP to cut corners; unlike DECnet they only needed to route by port and IP address, not by the username/process name of the source and destination processes. (That's a separate rant of mine, how brain-dead the designers of TCP/IP were, and how DECnet is infinitely superior).

    Nowadays, identd is useless for confirming the identity of a remote user, since you cannot trust the sysadmin of a remote host any more than you can trust an ordinary user, because in the Linux world, they are most likely one and the same.

    The logical successor to identd is PKI, but no-one's quite sure how to make that work seamlessly yet.

  4. Re:Pretty Simple by Wakko Warner · · Score: 5, Insightful

    First off, ident is not insecure by itself. Some implementations had buffer overflow problems, but then which server software hasn't? It can also provide login information like the username but this depends on the setup. For correct working, IRC related, it just needs to return a string on query.

    Not true. The real ident servers need to run as root (since they're running on a low port), or if you want to be fancy, they can be started by root and assume another (perhaps jailed) user's identity. Let's assume they're all running as root, since I've not seen one that doesn't do so. They need to access /etc/passwd (or the NIS equivalent) as well. Some day or another, someone will figure out a way to exploit the most common version of the ident server(s). It's happened before, it'll happen again.

    I tend to treat every service I run on my machines as exploitable. To this end, I disable as many as possible, and, if I have to run a service, I make sure I keep up with it from a security standpoint. Running ident is more work for me, for no real reason.

    That someone requires I run a useless service like identd in order to connect to their network has always bugged me. In this day and age, when ident responses are faked far more often than they aren't (EVERY Windows IRC client fakes ident!!), what's the point of opening up a low port and exposing my systems to even more abuse?

    So why require ident to be running? Can't it be as easily changed as the nick? Yes it can, on certain setups.

    On just about every setup, you mean.

    However if you are using/abusing a shell account then the Ident service should be fixed by the admin. It makes therefore the misuse of a certain kinda setup harder (University accounts).

    Very few people use their university shell accounts to IRC these days.

    Shell accounts are popular for abuse since you are using someone else's IP for your abuse.

    So are Wingate hosts, but there are other ways of dealing with that kind of abuse, as well. If someone's fucking with my server from a shell account (or from anywhere else), banning that hostname or IP range is more than enough.

    Other posts have indicated that there are plenty of Ident servers for windows around. Saying just because windows does not support something it is obsolete is stupid. There are plenty of things on windows you need third party apps for.

    Yes, and others have noted that "ident" is built into most Windows IRC clients. In nearly all cases, on Windows, ident is faked; I can type whatever I want into the "Username" box in mIRC.

    - A.P.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  5. Re:Plenty of identd servers for Win32 by Anonymous Coward · · Score: 1, Insightful

    But since identd requires cooperation of the client system admin in all cases, why would an irc admin require that user systems have identd running? If the client admin is cooperative he is going to run the daemon, if just to have more information when it comes to delegating blame. If he is hostile or paranoid, he can just as easily fake identd as have it not running at all. It's not that identd can't be useful, but does requiring it make sense?

  6. Why identd is used by 0x0d0a · · Score: 5, Insightful

    The reason identd is required is pretty straightforward, actually.

    Say I get on an IRC server and start abusing it. It's pretty easy to just ban my IP (or in extreme cases, up to my class B if dynamic IPs are in use and there's no better solution). So single-user machines are pretty easy to handle.

    A not-unreasonable number of people still use public access machines, however. And you can't just ban their IPs without potentially screwing a lot of people -- if I ban MIT's or CMU's public access UNIX boxes, I'm going to hurt a lot of people to block one baddie. However, these machines can be trusted to run a legitimate identd, so I can say "Don't block *everyone* on these machines...just this one user".

    Granted, the utility value of identd is less now that Windows machines and single-user UNIX machines are dominant, but it still does solve a nasty problem sometimes.

    However, even given that identd helps, I don't see why it's *required*. You can just say "if the remote host isn't running identd, just ban the entire IP if we get a baddie on that machine".
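
The policy described in the comment above, sketched as an added example that is not part of the original thread: parse an RFC 1413 ident reply and choose the ban scope, using the claimed user id only for hosts the server operator already trusts. The host names, the trusted-host list, the sample replies and the user-id character filter are constructed assumptions.

```python
import re

# RFC 1413 reply: <port-on-server> , <port-on-client> : <resp-type> : <add-info>
_REPLY = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:(.*)$")
# Assumption: accept only user ids that are safe to place in a ban mask.
_SAFE_USER = re.compile(r"[A-Za-z0-9._-]{1,16}")

# Constructed sample: multi-user hosts whose admins are known to run a real identd.
TRUSTED_IDENT_HOSTS = {"shell.example.edu"}


def parse_ident_reply(line, sent_ports):
    """Return the claimed user id, or None if the reply is unusable.

    sent_ports is the (port-on-server, port-on-client) pair sent in the query.
    """
    m = _REPLY.match(line.rstrip("\r\n"))
    if not m:
        return None
    if (int(m.group(1)), int(m.group(2))) != tuple(sent_ports):
        return None  # reply refers to a different connection
    if m.group(3) == "ERROR":
        return None  # e.g. NO-USER, HIDDEN-USER, UNKNOWN-ERROR
    # USERID add-info is "<opsys> : <user-id>"
    _opsys, sep, user = m.group(4).partition(":")
    user = user.strip()
    if not sep or not _SAFE_USER.fullmatch(user):
        return None
    return user


def ban_mask(host, reply, sent_ports):
    """Ban one user on a trusted multi-user host, otherwise the whole host.

    The user id is self-reported by the remote machine, so it narrows a ban
    only when the operator already trusts that machine's administrator.
    """
    user = parse_ident_reply(reply, sent_ports) if reply is not None else None
    if host in TRUSTED_IDENT_HOSTS and user:
        return f"*!{user}@{host}"
    return f"*!*@{host}"
```
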

  7. Identd is the least of our worries. by Tom7 · · Score: 3, Insightful

    There are loads of obsolete, insecure protocols that we still insist on using. Identd is the least of our worries. Let's take some examples:

    SMTP! Mailbox filled with spam? Well, that's because we use a mail transfer protocol that makes it trivial to forge the from: address and to create thousands of messages from one!

    FTP! Password in the cleartext? Carriage returns dropped? 3rd-party interceptible/forgeable downloads? That's FTP...

    Identd is simple enough to fake, so it shouldn't really trouble anyone. But it's pretty hard to get by day-to-day without using SMTP.