Re: TCP Wrappers not reporting username in syslog
- From: Unruh <unruh-spam@xxxxxxxxxxxxxx>
- Date: 7 Dec 2005 21:11:32 GMT
Menno Duursma <menno@xxxxxxxxxxx> writes:
>On Wed, 07 Dec 2005 18:14:39 +0000, Nick Maclaren wrote:
>[ Snip: tcpwrapper setup to query ident. ]
>> The original poster's mistake is to think that running identd
>> on the box that is running tcp_wrappers is relevant. What identd
>> does when run on box B is to allow tcp_wrappers run on box A to
>> log the user (on box B) that is attempting to connect to box A.
>Indeed. However such a reply may well be bogus if thier initial login
>doesn't match the account their now connecting from (say they used "su".)
Of course. It is a completely useless security feature. But the OP has it
in his head how tcpwrapper should work, and that is it.
ssh already has the ability to reject users based on identity, password,
rsa public key, etc. But he wants tcpwrapper to do it.
>Another problem maybe: provided they have privileages (on the "client"
>machine (i.e.: the one running an identd) or any hop in the route) they
>can reply whatever they want ...
>And one might not like sending valid usernames over the wire anyhow.
>What i _do_ see this feature could be usefull for is when server (the one
>checking via tcpwrapper) and clients or NAT routers (the ones running
>- a fake - identd) share knowledge of some string before continuing to
>autentication stage, or not.