Re: [fw-wiz] identd, revisited



ArkanoiD wrote:
So if you
do trust host users separation (and if it is compromised at root level no
method is good enough anyways), ident info can be used as well. And it is
up to you what to do with it.

Marcus J. Ranum responded:
That's the standard argument in favor of identd. And, if you shuffle
the words around and preserve meaning it boils down to "on the
occasions that it's useful, it'll be useful." The problem is that it's
not - and never has been - useful enough to be useful.

It occurs to me that this discussion seems to be side-stepping the actual
utility of the identd service. Don't focus on the tragically flawed
projected uses (for example, a remote host being able to draw _any_
conclusion from the information passed back from identd). Instead think
of identd as a service for distributing log data from the server machine.
The ident information should be viewed as a blob that can only be assigned
meaning by the issuing server.

In the event that something odd happens (a local-to-the-identd-server
user account is compromised, and attacks are launched from that account),
the ident information can be provided back to the host that generated it,
at which point some possibly useful conclusion can be supported.

So, to restate: ident information is useful only to the server
that generated it in the first place, and any attempt at external
interpretation of this information is misguided.

Good identd servers are those that enforce this model, by giving out
encrypted / timestamped / authenticated blobs that can only be verified
and interpreted by the generating machine.

Josh
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
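
The opaque-blob model described in the message above, sketched as an added example (not part of the original post and not taken from any identd implementation): the daemon returns a token that only the issuing host can authenticate and decode. The record layout, key handling, 30-day window and the HMAC-SHA256 counter-mode keystream (a standard-library stand-in for a vetted AEAD such as AES-GCM) are assumptions.

```python
import base64
import hashlib
import hmac
import os
import struct

MAX_AGE = 30 * 24 * 3600           # assumed log-retention window, seconds
REC = struct.Struct("!QIHH")       # assumed record: timestamp, uid, local port, remote port
NONCE_LEN, TAG_LEN = 12, 16


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 as a PRF in counter mode: stdlib-only stand-in for a real AEAD.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def issue_token(enc_key, mac_key, uid, lport, rport, now):
    """Opaque string the daemon returns in place of a username."""
    nonce = os.urandom(NONCE_LEN)
    cipher = _xor(REC.pack(now, uid, lport, rport), _keystream(enc_key, nonce, REC.size))
    tag = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(nonce + cipher + tag).decode()


def open_token(enc_key, mac_key, token, now):
    """Return (timestamp, uid, lport, rport), or None if forged, damaged or too old."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:              # malformed base64
        return None
    if len(raw) != NONCE_LEN + REC.size + TAG_LEN:
        return None
    nonce, cipher, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expect = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):   # verify before decrypting
        return None
    record = REC.unpack(_xor(cipher, _keystream(enc_key, nonce, len(cipher))))
    return record if 0 <= now - record[0] <= MAX_AGE else None
```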