Ident
The Ident Protocol, specified in RFC 1413, is an Internet protocol that helps identify the user of a particular TCP connection. One popular daemon program for providing the ident service is identd.

How ident works

The Ident Protocol is designed to work as a server daemon, on a user's computer, where it receives requests to a specified port, generally 113. In a query, a client specifies a pair of ports (a local and a remote port). The server will then send a specially designed response that identifies the username of the user who runs the program that uses the specified pair of ports.
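The exchange described above, as an added example written for this article rather than code from the page or from any identd: a query line names the two ports, the server answers with either a `USERID` reply carrying the owner's name or an `ERROR` reply, and the querying side has to parse that answer defensively. `CONNECTION_TABLE` is constructed sample data standing in for the kernel's TCP connection table, and the `0 , 0` echoed for an unparseable query is this example's own choice.

```python
"""RFC 1413 Ident message handling: parse a query, build the server's
reply, and parse a reply on the querying side. Added example for this
article, not code from the page or from any identd implementation;
CONNECTION_TABLE is constructed sample data."""

import re

# Error types defined by RFC 1413; servers may also return "X"-prefixed extensions.
ERROR_TYPES = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}

# Constructed sample: (port on this host, port on the querying host) -> owner.
CONNECTION_TABLE = {
    (6193, 23): "josh",
    (58812, 6667): "alice",
}

# "<server-port> , <client-port>" with optional whitespace around the comma.
_REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


def parse_request(line):
    """Parse a query line; return (server_port, client_port) or None.

    server_port is the port on the host running identd, client_port the
    port on the host that sent the query (the querier's own end)."""
    m = _REQUEST_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def build_reply(line, table=CONNECTION_TABLE, opsys="UNIX"):
    """Return the identd reply (without CRLF) for one query line."""
    ports = parse_request(line)
    if ports is None:
        # Nothing sensible to echo; this example reports 0 , 0 and INVALID-PORT.
        return "0 , 0 : ERROR : INVALID-PORT"
    server_port, client_port = ports
    if not (1 <= server_port <= 65535 and 1 <= client_port <= 65535):
        return f"{server_port} , {client_port} : ERROR : INVALID-PORT"
    user = table.get((server_port, client_port))
    if user is None:
        # No connection with that port pair exists on this host.
        return f"{server_port} , {client_port} : ERROR : NO-USER"
    return f"{server_port} , {client_port} : USERID : {opsys} : {user}"


def parse_reply(line):
    """Querying side: split a reply into its fields, or None if malformed.

    Layout: "<server-port> , <client-port> : USERID : <opsys> : <user-id>"
    or      "<server-port> , <client-port> : ERROR : <error-type>"."""
    head, sep, rest = line.rstrip("\r\n").partition(":")
    ports = parse_request(head)
    if not sep or ports is None:
        return None
    kind, sep, rest = rest.partition(":")
    if not sep:
        return None
    kind = kind.strip()
    if kind == "USERID":
        # opsys may carry a charset ("UNIX,US-ASCII"); the user-id may itself contain ':'.
        opsys, sep, user = rest.partition(":")
        if not sep:
            return None
        return {"ports": ports, "type": "USERID", "opsys": opsys.strip(),
                "user": user.strip()}
    if kind == "ERROR":
        error = rest.strip()
        if error not in ERROR_TYPES and not error.startswith("X"):
            return None
        return {"ports": ports, "type": "ERROR", "error": error}
    return None
```

Feeding `"6193 , 23\r\n"` to `build_reply` yields `"6193 , 23 : USERID : UNIX : josh"`, which `parse_reply` turns back into its fields; a port pair the host has no connection for produces `ERROR : NO-USER`, and out-of-range or non-numeric ports produce `ERROR : INVALID-PORT`. Treating anything that does not parse as "no answer" is the safe default on the querying side, since the reply is unauthenticated text from the remote host.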

Usefulness of ident

Dialup hosts or shared shell servers often provide ident to enable abuse to be tracked back to specific users. If abuse is handled on this host, the concern about trusting the ident daemon is mostly irrelevant. Spoofing of the service and privacy concerns can be avoided by providing varying cryptographically strong tokens instead of real usernames.

If abuse is to be handled by the administrators of the remote service that users connect to from the ident-providing host, then the ident service must provide information identifying each user. Usually it is impossible for the administrators of the remote service to know whether specific users are connecting via a trustable server or from a computer they themselves control. In the latter case the ident service provides no reliable information.

The usefulness of Ident for proving a known identity to a remote host is limited to circumstances when:
  • The user connecting is not the administrator of the machine. This is only likely for hosts providing Unix shell access, shared servers using a suEXEC-like construction and the like.
  • One trusts the administrators of the machine and knows their user policy. This is most likely for hosts in a common security domain such as within a single organization.
  • One trusts that the machine is the machine it claims to be and knows that machine. This is only easily arranged for hosts on a local area network or virtual network where all hosts on the network are trusted and new hosts cannot easily be added due to physical protection. On remote and normal local networks false ident replies can be accomplished by IP spoofing and, if DNS is used, by all kinds of DNS trickery. The ident daemon may provide cryptographically signed replies, which, if they can be verified, addresses these last concerns but not the first.

Security

The ident protocol is considered dangerous because it allows crackers to gain a list of usernames on a computer system which can later be used for attacks. A generally accepted solution to this is to set up a generic/generated identifier, returning node information or even gibberish (from the requester's point of view) rather than usernames. This gibberish may be turned into real usernames by the ident administrator when he is contacted about possible abuse, which means the usefulness for tracking abuse is preserved.
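One way to build the generated identifier this section recommends, and the "cryptographically strong tokens" mentioned under Usefulness of ident, is to put a keyed HMAC of the username in the user-id field and let the local administrator map a token from an abuse report back to an account. This is an added example for this article, not code from the page or from any identd; `SECRET_KEY`, `LOCAL_ACCOUNTS` and the `period` tag are constructed values.

```python
"""Replacing the username in an Ident reply with a keyed, opaque token,
and resolving a reported token back to an account on the administrator's
side. Added example for this article, not from the page or any identd;
SECRET_KEY, LOCAL_ACCOUNTS and the period tag are constructed values."""

import base64
import hashlib
import hmac

# Constructed sample secret; a deployment would generate a random key and
# keep it readable only by the ident daemon and the administrator.
SECRET_KEY = b"constructed-example-key-not-for-use"

# Constructed stand-in for the host's local account database.
LOCAL_ACCOUNTS = ["alice", "bob", "josh"]


def ident_token(username, key=SECRET_KEY, period="2011-06"):
    """Derive the string placed in the user-id field for `username`.

    HMAC-SHA256 under a server-side secret: a remote querier cannot recover
    or enumerate usernames from replies, yet the same account yields the same
    token within a period, so an abuse report quoting the token still points
    at one user. Changing `period` rotates every token without a new key."""
    mac = hmac.new(key, f"{period}:{username}".encode(), hashlib.sha256).digest()
    # 10 bytes -> exactly 16 base32 characters with no padding: short, printable,
    # and free of the CR/LF and ':' characters that would break the reply line.
    return base64.b32encode(mac[:10]).decode()


def resolve_token(token, accounts=LOCAL_ACCOUNTS, key=SECRET_KEY, period="2011-06"):
    """Administrator side: which local account produced `token`?

    The token is one-way, so resolution recomputes it for each local account
    and compares in constant time. Returns the username or None."""
    for user in accounts:
        if hmac.compare_digest(ident_token(user, key, period), token):
            return user
    return None
```

The daemon would answer `6193 , 23 : USERID : UNIX : <token>` instead of naming the account; a remote party learns nothing usable for guessing logins, while `resolve_token` on the host recovers the account when a complaint arrives with that token. Rotating `period` (or the key) limits how long a token stays linkable to one person.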

Uses

Ident is important on IRC as a large number of people connect to IRC from a server shared by multiple users, often using a bouncer. Without Ident there would be no way to ban a single user without banning the entire host. The server administrator may also use this information to identify the abusive user.

On most IRC networks, when the server fails to get an Ident response it falls back to the username given by the client, but marks it as "not verified", usually by prefixing it with a tilde, e.g. ~josh. Some IRC servers even go as far as blocking clients without an ident response, the main reason being that it makes it much harder to connect via an "open proxy" or a system where you have compromised a single account of some form but do not have root (on Unix-like systems, only root can listen for network connections on ports below 1024).

However, Ident is next to ineffective when used with personal computers, on which the user often has enough privileges to make the Ident daemon reply whatever the user wants. In fact, most Ident servers for Windows don't even bother checking the owner of a connection and just reply with a preconfigured username.

Software

  • oidentd (for Unix-like systems)
  • Retina Scan Identd (for Windows; supports multiple users in a way similar to Unix identd)
  • Windows Ident Server.

See also

  • Internet Relay Chat (IRC)
  • File Transfer Protocol (FTP)
  • Simple Mail Transfer Protocol (SMTP)
  • Network News Transfer Protocol (NNTP)
  • Secure Shell (SSH)
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.