Slashdot Mirror

← Back to Stories (view on slashdot.org)

Why do we still use IDENTD?

Posted by Cliff on from the I've-been-wondering-the-same-thing dept.

Wakko Warner asks: "So anyway, I was on IRC the other day (as I am often wont to do), and, as I was being banned from the network for not running 'identd', I thought to myself: 'Why do we still use this???' Can anyone come up with a valid reason why, in 2002, ident is still considered by some people to be a necessary component of the Internet? Most people use Windows for everything, and Windows has no identity services. Most UNIX folks I know disable it for security reasons. So, why do people still insist we run it in order to connect to their network? Is it still 1993 in some part of the world?"

19 of 102 comments (clear)

  1. Plenty of identd servers for Win32 by aderuwe · · Score: 5, Informative
    There are plenty of identd servers for Win32:

    http://identd.sourceforge.net/
    http://freeware.teledanmark.no/identd/
    http://sourceforge.net/projects/winidentd/
    http://identd.dyndns.org/identd/

    But on the other hand, here are some reasons why your question is valid...

    1. Re:Plenty of identd servers for Win32 by aderuwe · · Score: 5, Funny

      Heh, that last link even has some funny source code I didn't notice at first glance. ;)

    2. Re:Plenty of identd servers for Win32 by Anonymous Coward · · Score: 4, Interesting

      And every self-respecting irc-client has one built-in. That's not the point. The question is: Why do we want users to have identd running when the majority of users is in full control of the client machine anyway? Identd only makes sense in scenarios with multiple users per client ip and identd can't be manipulated by the users.

    3. Re:Plenty of identd servers for Win32 by ivan256 · · Score: 3, Informative

      The answer is that all systems aren't single user. On a single user system, the IP address is probably sufficient to track somebody down with, and the ident responce can be ignored. On a multi-user system it isn't. Those multi-user systems also typically have more bandwidth than hundreds of single user systems combined. If somebody on one of those systems is abusing your service, you're really going to want to inform the administrator of that system which of his/her users should be booted. Just because 99% of the data is worthless doesn't mean that the 1% that isn't doesn't make up for the rest in value.

      Now, which do you think is the more likely scenario: All the l-users here that have never run an IRC server and are taking out of their ass know best, or that hundreds of experienced server and network ops know what they're doing and require identd for a reason?

    4. Re:Plenty of identd servers for Win32 by Wakko+Warner · · Score: 5, Informative

      Now, which do you think is the more likely scenario: All the l-users here that have never run an IRC server and are taking out of their ass know best, or that hundreds of experienced server and network ops know what they're doing and require identd for a reason?

      I've run several IRC servers since 1996. I am an "experienced server and network op", and I still can't figure it out. Speaking as an admin, I can assure you that ident buys me absolutely nothing in terms of dealing with problematic users. Every single one of them has spoofed a valid ident response, either by changing their "Username" value in mIRC, or by running a randomizing ident server. The commonly-held belief among IRC admins that ident provides security and some sort of audit trail is unquestionably false.

      I turned off ident checking on my servers a few months ago, and encourage others I know to do the same.

      - A.P.

      --
      "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
    5. Re:Plenty of identd servers for Win32 by ivan256 · · Score: 3, Informative

      I've run several IRC servers since 1996. I am an "experienced server and network op", and I still can't figure it out. Speaking as an admin, I can assure you that ident buys me absolutely nothing in terms of dealing with problematic users. Every single one of them has spoofed a valid ident response, either by changing their "Username" value in mIRC, or by running a randomizing ident server.

      The reason you are so confused is because you think that identd is supposed to help you in some way. It doesn't help you as the IRC server admin. The ident information is to help the administrator of the client. You see, if your abusive user is on a shell account, and you go to report abuse to the service provider, that admin is going to ask you for the ident information. Without it he is not going to know which of his users is the abuser. If you turn it off identd checking, you will have no recourse against the abuse.

      The commonly-held belief among IRC admins that ident provides security and some sort of audit trail is unquestionably false.

      I wasn't aware that this was a commonly held belief of experienced admins. This is something a newbie operator that doesn't know how to deal with abuse would think. Ident doesn't provide security, nor is it supposed to. The only time you are going to look at your ident information is when it is requested by the administrator of the multi-user client after you report abuse for his IP address. It's not good for anything else.

    6. Re:Plenty of identd servers for Win32 by Wakko+Warner · · Score: 3, Interesting


      The reason you are so confused is because you think that identd is supposed to help you in some way. It doesn't help you as the IRC server admin.

      Then why do IRC server admins require it?

      The ident information is to help the administrator of the client. You see, if your abusive user is on a shell account, and you go to report abuse to the service provider, that admin is going to ask you for the ident information. Without it he is not going to know which of his users is the abuser. If you turn it off identd checking, you will have no recourse against the abuse.

      So, if I go to report an abusive user, and his ident string is "gofuckyourself@some.unix.box.somewhere", you're saying, chances are, it'll be helpful, even when 99% of ident responses are phony? Does anyone even read their "root@" or "abuse@" email? In my experience, these mailboxes go to /dev/null, either explicitly or through neglect.

      Why not just ditch ident, and simply ban the entire hostname, subnet, or domain of an abusive user, and let the admin sort it out once he starts receiving complaints from other, legit users? Hell, this is done all the time, anyway. When's the last time you saw a K-line for a single user@unix.box?

      Requiring everyone to run ident simply because there are one or two abusive shell account users out there is downright retarded. It's like forcing backward compatibility for Netscape 1.1N users. The times, they have a-changed. Ident must die.

      - A.P.

      - A.P.

      --
      "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  2. Knock, Knock by cramped+bowels · · Score: 4, Funny

    SNL said it best : knock, knock Belushi : who's there ? voice on the other side of the door : candygram! (Belushi opens door) Belushi : Ahhhh! Landshark! (shark head consumes John Belushi) IOW , "identd" is only as trustworthy as the one who runs it; Odama's identd is not likely to respond "BinLadin".

  3. Bots/Abuse by Inominate · · Score: 3, Insightful

    Much abuse tends to come(or came) from commercial unix systems whos users would have purchased an account. Identd works well for keeping track of these people, even if it is of no use for individual users with thier own machines.

  4. IRC Servers do have a use by Komarosu · · Score: 3, Interesting

    By enforcing identd usage on IRC, operators of channels can sucessfully ban abuse bots and users who use BNC relays or unix shells. has some sense of use in this case...

    --

    "What do you mean you have no ice? Do you expect me to drink this coffee hot?" - Random Customer, Clerks
    1. Re:IRC Servers do have a use by Wakko+Warner · · Score: 4, Interesting

      What if I run this identd server, which appears to give perfectly valid ident responses (though they're completely random strings of gibberish)? There are others in the FreeBSD ports collection and in Debian's dpkg list (and, I'm sure, elsewhere) that allow me to do the same.

      If I run mIRC, it's even easier to change my ident response. I don't even need to compile or install anything, let alone enable it in /etc/inetd.conf.

      - A.P.

      --
      "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  5. Worthless for unix accounts too. by AntipodesTroll · · Score: 4, Insightful

    No serious systems administrator running a public or private access unix system with user accounts allows such valuable user information out onto the net. Anyone who does (maybe the same idiots who run IRC servers that require ident?) deserve to have their user accounts 0wned. Everyone I know makes sure ident is at least faked, but usually plain dropped silently.

    There is NO good reason for crappy old fake-able, spoof-able, deny-able ident to be a requirement anymore. Certain IRC admins just need to get their heads out of their asses.

    --
    Anyone who considers arithmetical methods of producing random numbers is, of course, in a state of sin.-John von Neumann
    1. Re:Worthless for unix accounts too. by mosch · · Score: 3, Interesting
      Amen brother, preach on!

      Almost every single ident response on IRC is faked. hell, even the stock identd daemons support .fakeid files these days. (at least FreeBSD's builtin identd does)

      identd is a protocol which only works if every user is trusted. despite this, some very ignorant irc admins try to use the protocol to create trust. clearly this is a poorly thought out plan. add to that the fact that identd listens on a low port, so it needs to be a privileged process and you have ignorant admins exposing their network's users to unneccessary risk, for no gain.

  6. Pretty Simple by SmallFurryCreature · · Score: 5, Informative

    First of ident is not insecure by itself. Some implementations had buffer overflow problems, but then wich server software hasn't. It can also provide login information like the username but this depends on the setup. For correct working, IRC related, it just needs to return a string on query.

    So why? IRC is well known for countless attacks against the servers and the users of it. It really seems to bring out the worst in a large group of people who, perhaps encouraged by anonymity(?), feel they can do anything to make other peoples use of the service a hassle.

    So how to defend against it? Knowing who a user is is the easiest defence. You can then ban that person from entering youre chatroom/network. There are a couple of pieces of information that are known when you use IRC.

    1. Youre nick. Obviously needs to be there but can be easily randomly changed or be changed to the nicks of other people. Useless for identification therefore. Ban on nick is useless except to stop unwanted nicknames.
    2. Youre IP/hostname. Not really unique, think proxy situations and for some people extremely easy to change. Modem users and users of shell accounts. Ban on IP doesn't work since it could also affect a large group of innocent users who use the same network.
    3. Ident. This is an extra service run on port 113 it reports on query a string containing data corresponding to user information. In fact all you can be really certain of is that if it runs it will return something when you connect to it. Mine for instance always responds the same info. It can also be setup to return a random string each time. Pretty useless therefore as well.

    So why require ident to be running? Can't it be as easily changed as the nick? Yes it can, on certain setups. However if you are using/abusing a shell account then the Ident service should be fixed by the admin. It makes therefore the misuse of a certain kinda setup harder (University accounts). Shell accounts are popular for abuse since you are using someone elses IP for youre abuse.

    Other posts have indicated that there are plenty of Ident servers for windows around. Saying just because windows does not support something it is obsolete is stupid. There are plenty of things on windows you need third party apps for.

    Perhaps the real problem with this question is that to many people feel they have a right to use/abuse a service run by someone else. IRC is a free service run by people who out of their kindness of their hearts run one of the most attacked services on the net. If they then require you to run a tiny little program to make their live easier then so be it. Don't like the rules? Don't use the service. Think you can do better? Run youre own.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:Pretty Simple by sql*kitten · · Score: 5, Insightful

      Perhaps the real problem with this question is that to many people feel they have a right to use/abuse a service run by someone else. IRC is a free service run by people who out of their kindness of their hearts run one of the most attacked services on the net. If they then require you to run a tiny little program to make their live easier then so be it.

      But does it make their lives easier? Consider: Unix reserves ports up to 1024 for the superuser. The theory was always that you could trust these ports on a remote host, if you trusted the sysadmin, because no ordinary user could bind a process to them. If the sysadmin was an employee of a university or a major corporation, then it was quite reasonable to do so. Barring man-in-the-middle attacks, this system worked quite well. At the time this convention was created, it was considered highly unlikely that you could buy your own Unix host for under $500! You could trust the owners of the machine because machines were expensive, and the owners would take adequate action to ensure that only legitimate users had accounts. The convention also allowed the designers of TCP/IP to cut corners; unlike DECnet they only needed to route by port and IP address, not by the username/process name of the source and destination processes. (That's a seperate rant of mine, how brain-dead the designers of TCP/IP were, and how DECnet is infinitely superior).

      Nowadays, identd is useless for confirming the identity of a remote user, since you cannot trust the sysadmin of a remote host any more than you can trust an ordinary user, because in the Linux world, they are most likely one and the same.

      The logical successor to identd is PKI, but no-one's quite sure how to make that work seamlessly yet.

    2. Re:Pretty Simple by Wakko+Warner · · Score: 5, Insightful

      First of ident is not insecure by itself. Some implementations had buffer overflow problems, but then wich server software hasn't. It can also provide login information like the username but this depends on the setup. For correct working, IRC related, it just needs to return a string on query.

      Not true. The real ident servers need to run as root (since they're running on a low port), or if you want to be fancy, they can be started by root and assume another (perhaps jailed) user's identity. Let's assume they all running as root, since I've not seen one that doesn't do so. They need to access /etc/passwd (or the NIS equivalent) as well. Some day or another, someone will figure out a way to exploit the most common version of the ident server(s). It's happened before, it'll happen again.

      I tend to treat every service I run on my machines as exploitable. To this end, I disable as many as possible, and, if I have to run a service, I make sure I keep up with it from a security standpoint. Running ident is more work for me, for no real reason.

      That someone requires I run a useless service like identd in order to connect to their network has always bugged me. In this day and age, when ident responses are faked far more often than they aren't (EVERY Windows IRC client fakes ident!!), what's the point of opening up a low port and exposing my systems to even more abuse?

      So why require ident to be running? Can't it be as easily changed as the nick? Yes it can, on certain setups.

      On just about every setup, you mean.

      However if you are using/abusing a shell account then the Ident service should be fixed by the admin. It makes therefore the misuse of a certain kinda setup harder (University accounts).

      Very few people use their university shell accounts to IRC these days.

      Shell accounts are popular for abuse since you are using someone elses IP for youre abuse.

      So are Wingate hosts, but there are other ways of dealing with that kind of abuse, as well. If someone's fucking with my server from a shell account (or from anywhere else), banning that hostname or IP range is more than enough.

      Other posts have indicated that there are plenty of Ident servers for windows around. Saying just because windows does not support something it is obsolete is stupid. There are plenty of things on windows you need third party apps for.

      Yes, and others have noted that "ident" is built into most Windows IRC clients. In nearly all cases, on Windows, ident is faked; I can type whatever I want into the "Username" box in mIRC.

      - A.P.

      --
      "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  7. Why identd is used by 0x0d0a · · Score: 5, Insightful

    The reason identd is required is pretty straightforward, actually.

    Say I get on an IRC server and start abusing it. It's pretty easy to just ban my IP (or in extreme cases, up to my class B if dynamic IPs are in use and there's no better solution). So single-user machines are pretty easy to handle.

    A not-unreasonable people still use public access machines, however. And you can't just ban their IPs without potentially screwing a lot of people -- if I ban MITs or CMU's public access UNIX boxes, I'm going to hurt a lot of people to block one baddie. However, these machines can be trusted to run a legtimate identd, so I can say "Don't block *everyone* on these machines...just this one user".

    Granted, the utility value of identd is less now that Windows machines and single-user UNIX machines are dominant, but it still does solve a nasty problem sometimes.

    However, even given that identd helps, I don't see why it's *required*. You can just say "if the remote host isn't running identd, just ban the entire IP if we get a baddie on that machine".

    --
    May we never see th
  8. Identd is the least of our worries. by Tom7 · · Score: 3, Insightful

    There are loads of obsolete, insecure protocols that we still insist on using. Identd is the least of our worries. Let's take some examples:

    SMTP! Mailbox filled with spam? Well, that's because we use a mail transfer protocol that makes it trivial to forge the from: address and to create thousands of messages from one!

    FTP! Password in the cleartext? Carriage returns dropped? 3rd-party interceptible/forgeable downloads? That's FTP...

    Identd is simple enough to fake, so it shouldn't really trouble anyone. But it's pretty hard to get by day-to-day without using SMTP.

  9. Why we require Ident by Isomer · · Score: 4, Informative
    I'm one of the coders for Undernet (one of the larger IRC networks), and while ident is basically useless for a large portion of the userbase it does have some use.

    A lot of people on IRC (for whatever reason) like to IRC from (brought) shell accounts. It's in these shell account owners best interest to run Ident, otherwise the only way to ban an abusive user is to ban the entire netblock of the shell provider, basically killing off their entire customer base. If we see that there are multiple people from the same IP with different Ident and only one of them is abusing we'll ban by ident. If they change ident and come back, we ban the entire IP (or netblock).

    Many servers have different "connection classes" or different levels of service to different people. You can say for instance that you will allow 5,000 people from your country to connect, 2,000 other people from around the world that are on helpful and cooperative ISP's, and 1,000 people from elsewhere. Thus, if you're outside an IRC servers catchment area, they start placing harsh rules on you, like requiring ident. eg: If your server is in the US, and it's a lot easier to track down abusers within the US than outside it, so you require people outside the US to make a "better effort" to use your server.

    Kinda going back to the previous point, a lot of boxes that are used on IRC are hacked, or people aren't supposed to be IRCing from (eg company machines). Running an ident server is trivial if you (legitmately) have root on the machine, if you don't then it starts making it more obvious that the machine is hacked ("Hmm, I don't remember that machine having ident enabled...")