Ident - Usefulness of Ident

Usefulness of Ident

Dialup hosts or shared shell servers often provide ident to enable abuse to be tracked back to specific users. In the case that abuse is handled on this host the concern about trusting the ident daemon is mostly irrelevant. Spoofing of the service and privacy concerns can be avoided by providing varying cryptographically strong tokens instead of real usernames.

If abuse is to be handled by the administrators of the service users connect to using the ident providing host, then the ident service must provide information identifying each user. Usually it is impossible for the administrators of the remote service to know whether specific users are connecting via a trustable server or from a computer they themselves control. In the latter case the ident service provides no reliable information.

The usefulness of Ident for proving of a known identity to a remote host is limited to circumstances when:

• The user connecting is not the administrator of the machine. This is only likely for hosts providing Unix shell access, shared servers using a suEXEC-like construction and the like.
• One trusts the administrators of the machine and knows their user policy. This is most likely for hosts in a common security domain such as within a single organization.
• One trusts that the machine is the machine it claims to be and knows that machine. This is only easily arranged for hosts on a local area network or virtual network where all hosts on the network are trusted and new hosts cannot easily be added due to physical protection. On remote and normal local networks false ident replies can be accomplished by ip spoofing and, if DNS is used, by all kinds of DNS trickery. The ident daemon may provide cryptographically signed replies which, if they can be confirmed, solves these last, but not the first, concerns.