Ident
From Wikipedia, the free encyclopedia
The five-layer TCP/IP model |
---|
5. Application layer |
DHCP · DNS · FTP · Gopher · HTTP · IMAP4 · IRC · NNTP · XMPP · POP3 · RTP · SIP · SMTP · SNMP · SSH · TELNET · RPC · RTCP · RTSP · TLS (and SSL) · SDP · SOAP · GTP · STUN · NTP · (more) |
4. Transport layer |
TCP · UDP · DCCP · SCTP · RSVP · ECN · (more) |
3. Network/internet layer |
IP (IPv4 · IPv6) · OSPF · IS-IS · BGP · IPsec · ARP · RARP · RIP · ICMP · ICMPv6 · IGMP · (more) |
2. Data link layer |
802.11 (WLAN) · 802.16 · Wi-Fi · WiMAX · ATM · DTM · Token ring · Ethernet · FDDI · Frame Relay · GPRS · EVDO · HSPA · HDLC · PPP · PPTP · L2TP · ISDN · ARCnet · LLTD · (more) |
1. Physical layer |
Ethernet physical layer · RS-232 · SONET/SDH · G.709 · Optical fiber · Coaxial cable · Twisted pair · (more) |
The Ident Protocol, specified in RFC 1413, is an Internet protocol that helps identify the user of a particular TCP connection. One popular daemon program for providing the ident service is identd.
Contents |
[edit] How Ident Works
The Ident Protocol is designed to work as a server daemon, on a user's computer, where it receives requests to a specified port, generally 113. The server will then send a specially designed response that identifies the username of the current user.
[edit] Usefulness of Ident
Ident is considered useful due to the fact that it is able to distinguish the name of the person most likely to make a connection to the requesting server, which can then be used as identification for abuse control and/or general reporting purposes. This is useful because on most operating systems more than one user can be logged in at a time. The protocol is of no help for users where the source of abuse is the computer administrator. The trustworthiness of the ident response can be determined to some extent by seeing if the reverse DNS hostname is a typical dynamic IP address assigned by an ISP or a hostname more likely to be of a server.
[edit] Security
The ident protocol is considered dangerous because it allows hackers to gain a list of usernames on a computer system which can later be used for attacks. A generally accepted solution to this is to set up a generic/generated identifier, returning node/hop IDs or Kerberos tickets, rather than usernames.
[edit] Uses
Ident is important on IRC as a large number of people connect to IRC servers via bouncers which either serve multiple users or are hosted on shared servers. Some users also use clients on Unix shells. Without ident there would be no way to ban a single user of a bouncer from a channel or network without banning the entire host running the bouncer. The bouncer operator may also need this information to identify the abusive user. When an IRC server fails to get an identd response it has to fall back on the username given by the client. Ircds usually prefix usernames obtained directly from the client software with a tilde to indicate that they are not ident usernames and may be faked by the user (although with modern single-user home computers, the ident username itself may be set to whatever the user wants and is often returned by the same IRC client as the rest of the client information). Some IRC servers even go as far as blocking clients without an ident response, the main reason being that it makes it much harder to connect via an "open proxy" or a system where you have compromised a single account of some form but do not have root.
Special identds are used by those running large numbers of bouncers or a single bouncer that supports multiple users to allow bouncer usernames to be returned rather than simply the name of the user account on the system the bouncer is running under. The best known of these is probably oidentd and Windows Ident Server.
[edit] See also
- Internet Relay Chat (IRC)
- File Transfer Protocol (FTP)
- Simple Mail Transfer Protocol (SMTP)
- Network News Transfer Protocol (NNTP)
- Secure Shell (SSH)
[edit] References
- RFC 912 - Authentication Service
- RFC 931 - Authentication Server
- Daniel J. Bernstein: TAP - INTERNET DRAFT 1992
- Daniel J. Bernstein: Why TAP? A White Paper, draft 3 920820
- RFC 1413 - Identification Protocol
- RFC 1414 - Identification MIB
- Peter Eriksson: TAPvsIDENT 3 Nov 1993
- Damien Doligez: Why encrypt ident/TAP replies? 1994.02.22