Ident
- This article is about the Internet protocol. For the jargon contraction used in the broadcasting world, see station identification.
The Ident Protocol, specified in RFC 1413, is an Internet protocol that helps identify the user of a particular TCP connection. One popular daemon program for providing the ident service is identd.
When a user or program at computer A makes an ident request of computer B, it may only ask for the identity of users of connections between A and B. The ident server on B listens for connections on TCP port 113. The client at A establishes a connection, then specifies which connection it wants identification for by sending the numbers of the ports on A and B that the connection is using. The server at B determines what user is using that connection, and replies to A with a string that names that user.
Ident is useful where there are multiple users on a system and there is a need to identify which one is initiating a connection, for abuse control and/or reporting purposes. It is obviously of no help on single-user systems, or in situations where the sysadmin is the source of the abuse: the reply is produced by the very host being asked about, so it can say whatever that host's administrator wants it to say. To some extent the trustworthiness of an ident reply can be judged by checking whether the reverse DNS hostname is a typical ISP customer host (e.g. user12345.dsl.myisp.com) or a hostname more likely to belong to a multi-user server.
Filtering the ident port (silently dropping packets to TCP port 113) will often cause timeout delays when connecting to servers, because the server waits for an ident reply that never arrives. Unless you are determined to leave your system totally invisible to the Internet, it is best either to run an identd or to leave the port cleanly rejecting connections (answering with a TCP RST, so the querying server gets an immediate failure and carries on). It is possible to set up your system to filter ident connections from all systems you haven't made a connection to recently, but this is tricky to set up and few people bother.
Some consider ident dangerous, although the only real danger is people being lulled into a false sense of security by unreliable ident data. There are also possible privacy issues in revealing usernames. One solution is to return a generated identifier rather than the user's actual username; RFC 1413 also defines a HIDDEN-USER error response for users who do not wish to be identified at all.
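The exchange described above, together with the generated-identifier variant, as an added example that is not part of this article and is not the code of identd or oidentd: a client-side query builder and response parser, and a server-side responder that answers from a constructed table of open connections. The hosts, ports, usernames and the HMAC secret are assumptions for illustration; a real identd would look the connection up in the kernel's socket table rather than a dictionary.

```python
"""Minimal RFC 1413 (Ident) message handling, both sides of the exchange.

Added example, not identd/oidentd code. All sample state below is constructed:
host "A" (an IRC server / ssh server) queries host "B" (running identd) about
connections that B has opened towards A.
"""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed: TCP connections currently open on B, keyed by
# (local port on B, remote port on A) -> local username owning the socket.
CONNECTIONS: Dict[Tuple[int, int], str] = {
    (54321, 6667): "alice",   # alice's IRC client on B -> ircd on A
    (40000, 22): "bob",       # bob's ssh client on B -> sshd on A
}

# Constructed: users who have opted out of identification (RFC 1413 HIDDEN-USER).
HIDDEN_USERS = {"bob"}


def build_query(server_port: int, client_port: int) -> bytes:
    """Client side (A). RFC 1413 query: "<port-on-server> , <port-on-client>" CRLF,
    where 'server' is the host running identd (B) and 'client' is the asker (A)."""
    return f"{server_port} , {client_port}\r\n".encode("ascii")


def parse_query(line: bytes) -> Optional[Tuple[int, int]]:
    """Server side (B): parse a query line; None if it is not two valid ports."""
    try:
        text = line.decode("ascii").rstrip("\r\n")
        sp, cp = (int(p) for p in text.split(","))   # int() tolerates the spaces
    except (UnicodeDecodeError, ValueError):
        return None
    if not (0 < sp < 65536 and 0 < cp < 65536):
        return None
    return sp, cp


def opaque_id(username: str, secret: bytes) -> str:
    """Privacy variant: a stable per-user token derived from a site secret, so
    the operator can still correlate complaints about the same user (and map
    the token back) without publishing real account names."""
    return hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()[:16]


def respond(line: bytes, secret: Optional[bytes] = None) -> bytes:
    """Server side (B): the response line for one query line.
    Success: "<sp> , <cp> : USERID : <opsys> : <user-id>"
    Failure: "<sp> , <cp> : ERROR : <error-type>"."""
    ports = parse_query(line)
    if ports is None:
        # No usable port pair to echo back; 0 , 0 is a placeholder here.
        return b"0 , 0 : ERROR : INVALID-PORT\r\n"
    sp, cp = ports
    user = CONNECTIONS.get((sp, cp))
    if user is None:
        return f"{sp} , {cp} : ERROR : NO-USER\r\n".encode("ascii")
    if user in HIDDEN_USERS:
        return f"{sp} , {cp} : ERROR : HIDDEN-USER\r\n".encode("ascii")
    ident = opaque_id(user, secret) if secret else user
    return f"{sp} , {cp} : USERID : UNIX : {ident}\r\n".encode("ascii")


def parse_response(line: bytes) -> dict:
    """Client side (A): split a response into fields. maxsplit=3 keeps any
    colons inside the user-id; anything malformed is reported as not ok."""
    text = line.decode("ascii", "replace").rstrip("\r\n")
    parts = [p.strip() for p in text.split(":", 3)]
    if len(parts) < 3:
        return {"ok": False, "raw": text}
    try:
        sp, cp = (int(p) for p in parts[0].split(","))
    except ValueError:
        return {"ok": False, "raw": text}
    if parts[1] == "USERID" and len(parts) == 4:
        return {"ok": True, "ports": (sp, cp), "opsys": parts[2], "user": parts[3]}
    if parts[1] == "ERROR":
        return {"ok": False, "ports": (sp, cp), "error": parts[2]}
    return {"ok": False, "raw": text}


def exchange(server_port: int, client_port: int, secret: Optional[bytes] = None) -> dict:
    """A -> B query, B -> A response, parsed on A; both sides run in-process."""
    return parse_response(respond(build_query(server_port, client_port), secret))


if __name__ == "__main__":
    print(exchange(54321, 6667))                  # alice, real username
    print(exchange(54321, 6667, b"site-secret"))  # alice, opaque token instead
    print(exchange(40000, 22))                    # HIDDEN-USER
    print(exchange(54321, 1))                     # NO-USER: no such connection
    print(parse_response(respond(b"garbage\r\n")))  # INVALID-PORT
```

Note that nothing in the reply is authenticated: whoever controls host B controls the contents of CONNECTIONS, which is exactly why the reply is only evidence about a shared host whose administrator you have some reason to trust.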
Ident is important on IRC, as a large number of people connect to IRC servers via bouncers which either serve multiple users or are hosted on shared servers. Without ident there would be no way to ban a single user of a bouncer from a channel or network without banning the entire bouncer. It is also needed when complaining to the bouncer operator, so they can identify which user is causing trouble. When an IRC server fails to get an identd response it has to fall back on the username given by the client. IRCds usually prefix usernames obtained directly from the client software with ~ to indicate that they are not ident usernames and may be faked by the user. Some IRC servers even go as far as blocking clients without an ident response; the main reason for doing this is that it makes it much harder to connect via an open proxy, or from a system where you have compromised a single account of some form but do not have root (and so cannot run or alter the identd).
Specialised identds are used by those running large numbers of bouncers, or a single bouncer that supports multiple users, to allow bouncer usernames to be returned rather than simply the name of the system account the bouncer is running under. The best known of these is probably oidentd.
External links
- "IDENT is pointless and potentially dangerous" (http://www.clock.org/~fair/opinion/identd.html), Erik Fair
- "IDENT is not of use to servers" (http://russnelson.com/ident.html), Russell Nelson