How does IDENTD daemon work?

Article ID: 165928

Products

ProxySG Software - SGOS

Issue/Introduction

IDENTD implements the TCP/IP IDENT user identification protocol. IDENTD operates by looking up specific TCP/IP connections and returning the user name of the process that owns the connection. The Ident Protocol is designed to run as a server daemon on a user's computer, where it receives requests on a specified port, generally 113. In a query, a client specifies a pair of ports (a local and a remote port). The server then sends a specially formatted response that identifies the username of the user running the program that uses the specified pair of ports.
 
The usefulness of IDENT for proving a known identity to a remote host is limited to circumstances where:
  • The user connecting is not the administrator of the machine. This is only likely for hosts providing Unix shell access, shared servers using a suEXEC-like construction, and the like.
  • The administrators of the machine are trusted and know their user policy. This is most likely for hosts in a common security domain, such as within a single organization.
  • The machine is the machine it claims to be, and the remote host knows that machine. This is only easily arranged for hosts on a local area network or virtual network where all hosts on the network are trusted and new hosts cannot easily be added because of physical protection. On remote and ordinary local networks, false IDENT replies can be produced by IP spoofing and, if DNS is used, by all kinds of DNS trickery. The IDENT daemon may provide cryptographically signed replies which, if they can be verified, address these last concerns but not the first.
Syntax
#(config) identd
 
This changes the prompt to:
#(config identd)
 
Subcommands that can be used in this mode on the proxy:
  • #(config identd) client server-query-port port
    Specifies the port to query on the client machines. The default is 113.
  • #(config identd) client timeout seconds
    Specifies the timeout in seconds for IDENTD queries. The default is 30 seconds.
  • #(config identd) trim-whitespace {enable | disable}
    Specifies whether to trim leading and trailing whitespace in the username portion of the IDENTD query response. By default this is disabled. If client IDENTD servers add insignificant whitespace to the username field, you might need to enable this option so the username is trimmed as expected.
  • #(config identd) exit
    Exits configure IDENTD mode and returns to configure mode.
  • #(config identd) server {enable | disable}
    Enables or disables IDENTD services.
  • #(config identd) view
    Displays current IDENTD settings.
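To make the query/response exchange and the trim-whitespace behaviour concrete, here is an added, constructed example (not ProxySG or SGOS code): it builds an RFC 1413 query as the proxy would send it to port 113, answers it with a simulated daemon whose connection table is made up, and parses the reply with and without whitespace trimming. The table of port pairs to usernames and the padded reply are constructed inputs.

```python
"""Ident (RFC 1413) query/response handling, from the querying proxy's side."""
import re

IDENT_PORT = 113  # default server-query-port on the client machine


def build_query(server_port: int, client_port: int) -> bytes:
    """Build the request the proxy sends to the user's identd.
    In RFC 1413 the first number is the port on the ident server's host
    (the client), the second is the port on the querying host (the proxy)."""
    return f"{server_port} , {client_port}\r\n".encode("ascii")


def simulated_identd(request: bytes, table: dict) -> bytes:
    """Constructed stand-in for the daemon on the user's machine: it looks the
    port pair up in a table of connections it owns and answers accordingly.
    Anything it says is asserted by that host, so it is only as trustworthy
    as that host is."""
    m = re.fullmatch(rb"\s*(\d+)\s*,\s*(\d+)\s*\r?\n?", request)
    if not m:
        return b"0 , 0 : ERROR : INVALID-PORT\r\n"
    sp, cp = int(m.group(1)), int(m.group(2))
    user = table.get((sp, cp))
    if user is None:
        return f"{sp} , {cp} : ERROR : NO-USER\r\n".encode("ascii")
    return f"{sp} , {cp} : USERID : UNIX : {user}\r\n".encode("ascii")


def parse_response(line: bytes, trim_whitespace: bool = False) -> dict:
    """Parse identd's reply. trim_whitespace mirrors the proxy's
    'trim-whitespace enable' setting: the RFC lets the user-id field contain
    whitespace, so a strict parser keeps any padding a daemon sends verbatim."""
    text = line.decode("latin-1").rstrip("\r\n")
    m = re.match(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:(.*)$", text)
    if not m:
        raise ValueError(f"malformed ident reply: {text!r}")
    sp, cp, kind, rest = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
    if kind == "ERROR":
        return {"ports": (sp, cp), "error": rest.strip()}
    # USERID: "<opsys>[ , charset] : <user-id>"; split on the first ':' only,
    # because the user-id itself may contain ':' characters.
    opsys, _, user = rest.partition(":")
    return {"ports": (sp, cp), "os": opsys.strip(),
            "user": user.strip() if trim_whitespace else user}


if __name__ == "__main__":
    conns = {(6193, 23): "alice"}  # constructed: one connection owned by alice
    reply = simulated_identd(build_query(6193, 23), conns)
    print(parse_response(reply), parse_response(reply, trim_whitespace=True))
```

A real client would open a TCP connection to the client host's server-query-port (113 by default) with the configured timeout before sending the query; that network step is left out so the example runs offline.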