Information about Ident
This article is about the Internet protocol. For the jargon contraction used in the broadcasting world, see station identification or Television ident. For the use of the term ident in aviation, see Transponder (aviation)#Ident.
The Ident Protocol, specified in RFC 1413, is an Internet protocol that helps identify the user of a particular TCP connection. One popular daemon program for providing the ident service is identd.
How Ident Works
The Ident Protocol is designed to work as a server daemon, on a user's computer, where it receives requests to a specified port, generally 113. The server then sends a specially designed response that identifies the username of the current user.

Usefulness of Ident
Ident is considered useful because it can distinguish the name of the person most likely to have made a connection to the requesting server, which can then be used as identification for abuse control and/or general reporting purposes. This matters because on most operating systems more than one user can be logged in at a time. The protocol is of no help where the source of abuse is the computer administrator. To some extent the trustworthiness of an ident reply can be judged by checking whether the reverse DNS hostname is a typical ISP host (e.g. user12345.dsl.myisp.com) or a hostname more likely to belong to a server.

Security
Filtering the ident port will often cause timeout delays when connecting to servers. Unless you are determined to leave your system totally invisible to the Internet, it is best either to run an ident server or to have a firewall reject ident connections outright rather than silently dropping them. It is possible to set up your system to filter ident connections from all systems you haven't made a connection to recently, but this can be tricky to set up and few people bother.

The ident protocol is considered dangerous because it allows hackers to gain a list of usernames on a computer system, which can later be used for attacks. A generally accepted solution is to return a generic/generated identifier, such as node/hop IDs or Kerberos tickets, rather than usernames.
On Unix-like systems the identd service is generally either started from a super-server or itself linked against libwrap, allowing TCP Wrapper filter rules to be set for particular hosts (or entire subnets):

/etc/hosts.allow

On denied requests the default timeout is 5 seconds. However, since it is most probably the 'protected' machine that is waiting to become a client of some other service, one usually wants to disable this timeout, using something similar to the following:

/etc/hosts.deny

    identd, authd: ALL: twist( /bin/true & )
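The exchange described under "How Ident Works", together with the generated-identifier mitigation from the Security section, as an added example in Python. This is not code from identd or from the article: the connection table, the port numbers, the token key and the three response modes are all constructed for the illustration, and the choice to echo "0 , 0" on an unparseable request is a design decision of this example, not a requirement of RFC 1413.

```python
"""Minimal RFC 1413 (ident) responder logic.

Added example (not from identd or from the article).  It walks through the
request/response exchange on port 113 and shows the mitigation the Security
section recommends: answer with a generated identifier, or refuse with
ERROR : HIDDEN-USER, instead of revealing a real login name.
"""
import hashlib
import hmac
import re

# Constructed stand-in for the kernel's table of established TCP connections
# on the queried host: (local port, remote port) -> owning login name.
# RFC 1413 puts the queried host's own port first in the request, so an
# IRC server asking about alice's session sends "54321 , 6667".
CONNECTION_TABLE = {
    (54321, 6667): "alice",   # alice's IRC session to the server's port 6667
    (41000, 22): "root",      # an outbound ssh session owned by root
}

# Constructed secret used only to derive opaque tokens in mode "token".
TOKEN_KEY = b"example-only-key-rotate-in-practice"

_REQUEST_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")


def parse_request(line):
    """Split '<port-on-server> , <port-on-client>' into two ints.

    Returns None if the line is not two comma-separated non-negative
    integers; range checking is left to the caller (INVALID-PORT)."""
    m = _REQUEST_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def opaque_token(user):
    """Stable but non-reversible identifier for a login name.

    Assumption for this example: a keyed hash truncated to 16 hex digits is
    enough to correlate abuse reports without revealing the account name."""
    return hmac.new(TOKEN_KEY, user.encode(), hashlib.sha256).hexdigest()[:16]


def handle_request(line, mode="username", table=CONNECTION_TABLE):
    """Return the CRLF-terminated ident reply for one request line.

    mode "username": classic identd behaviour, reveals the login name.
    mode "token":    generated identifier (opsys OTHER) instead of the name.
    mode "hidden":   always refuse with ERROR : HIDDEN-USER.
    """
    ports = parse_request(line)
    if ports is None:
        # Nothing parseable to echo back.  Echoing "0 , 0" is a choice made
        # here so the reply stays well-formed for the querying side's parser.
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    local_port, remote_port = ports
    prefix = f"{local_port} , {remote_port} : "
    if not (1 <= local_port <= 65535 and 1 <= remote_port <= 65535):
        return prefix + "ERROR : INVALID-PORT\r\n"
    if mode == "hidden":
        return prefix + "ERROR : HIDDEN-USER\r\n"
    user = table.get((local_port, remote_port))
    if user is None:
        return prefix + "ERROR : NO-USER\r\n"
    if mode == "token":
        # Opaque but stable: the same account always maps to the same token,
        # so an abuse report can still single out one user of this host.
        return prefix + f"USERID : OTHER : {opaque_token(user)}\r\n"
    return prefix + f"USERID : UNIX : {user}\r\n"


if __name__ == "__main__":
    for req in ("54321, 6667", "41000 , 22", "80, 1", "70000, 5", "junk"):
        for mode in ("username", "token", "hidden"):
            print(f"{req!r:14} {mode:8} -> {handle_request(req, mode).rstrip()}")
```

The "token" mode is the generic/generated identifier the text recommends: the querying server still gets a value it can ban or report on, while the local account name never leaves the host. RFC 1413's OTHER opsys value is what marks the user-id field as something other than a login name.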
Uses
Ident is important on IRC as a large number of people connect to IRC servers via bouncers which either serve multiple users or are hosted on shared servers. Some users also use clients on Unix shells. Without ident there would be no way to ban a single user of a bouncer from a channel or network without banning the entire bouncer. It is also needed when complaining to the bouncer operator so they can identify which user is causing trouble. When an IRC server fails to get an identd response it has to fall back on the username given by the client. IRC daemons (ircds) usually prefix usernames obtained directly from the client software with ~ (tilde) to indicate that they are not ident usernames and may be faked by the user (although with modern single-user home computers, the ident username itself may be set to whatever the user wants and is often returned by the same IRC client as the rest of the client information). Some IRC servers even go so far as blocking clients without an ident response, the main reason being that it makes it much harder to connect via an "open proxy" or a system where you have compromised a single account of some form but do not have root.

Special identds are used by those running large numbers of bouncers, or a single bouncer that supports multiple users, to allow bouncer usernames to be returned rather than simply the name of the user account on the system the bouncer is running under. The best known of these are probably oidentd and Windows Ident Server.
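The server-side handling just described (issue the query, validate the reply, fall back on the client-supplied username with a leading ~, optionally refuse clients without ident), as an added example in Python. It is not code from any ircd or from the article: the port numbers, usernames, the allowed ident character set and the 10-character username limit are assumptions made for the illustration.

```python
"""IRC-server side of an ident lookup.

Added example, not taken from any ircd or from the article.  It builds the
RFC 1413 query for a new client connection, validates the reply (including
that the echoed ports match the question asked), and applies the fallback
the Uses section describes: a missing or unusable ident answer makes the
server fall back on the client-supplied username prefixed with '~'.
"""
import re

_REPLY_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*)$")
# Assumed conservative character set for an ident-derived username.
_SAFE_IDENT = re.compile(r"^[A-Za-z0-9._-]+$")


def build_query(client_port, server_port):
    """Query the server sends to the client's port 113.

    RFC 1413 puts the port on the ident host (the IRC client) first and
    the querying host's own port (the IRC server) second."""
    return f"{client_port} , {server_port}\r\n"


def parse_reply(line, expected_ports):
    """Return ("USERID", opsys, user_id), ("ERROR", error_type), or None.

    None means the reply was malformed or echoed different ports than the
    query; an answer to a different question is treated as no answer."""
    m = _REPLY_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    if (int(m.group(1)), int(m.group(2))) != tuple(expected_ports):
        return None
    kind, rest = m.group(3), m.group(4)
    if kind == "ERROR":
        return ("ERROR", rest.strip())
    # USERID : <opsys> [, <charset>] : <user-id>
    opsys, sep, user_id = rest.partition(":")
    if not sep:
        return None
    return ("USERID", opsys.strip(), user_id.strip())


def resolve_ircd_username(reply, client_username, require_ident=False, max_len=10):
    """Pick the username the ircd shows for this connection.

    reply: output of parse_reply, or None when the lookup timed out, was
           refused, or was filtered by a firewall.
    Returns the ident-derived name; or '~' + the client's own claim when
    ident gave nothing usable; or None when require_ident is set and ident
    failed (the "block clients without an ident response" policy)."""
    if reply and reply[0] == "USERID":
        user_id = reply[2]
        if _SAFE_IDENT.match(user_id):   # drop spaces, control chars, '!' etc.
            return user_id[:max_len]
    if require_ident:
        return None
    # The tilde tells everyone this name is only what the client claimed.
    # Assumption: the tilde counts toward the max_len limit.
    return "~" + client_username[:max_len - 1]


if __name__ == "__main__":
    ports = (54321, 6667)
    print("query:", build_query(*ports).rstrip())
    # Constructed replies a server might receive for that query.
    for raw in ("54321 , 6667 : USERID : UNIX : alice",
                "54321 , 6667 : ERROR : HIDDEN-USER",
                "1 , 2 : USERID : UNIX : alice",      # wrong ports
                None):                                 # timeout / filtered
        reply = parse_reply(raw, ports) if raw else None
        print(f"{str(raw):40} -> {resolve_ircd_username(reply, 'mallory')}")
```

Checking that the echoed ports match the query is the one validation step worth keeping even in a toy: a reply that answers a different port pair tells the server nothing about the connection it asked about.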
See also
- Internet Relay Chat (IRC)
- File Transfer Protocol (FTP)
- Simple Mail Transfer Protocol (SMTP)
- Network News Transfer Protocol (NNTP)
- Secure Shell (SSH)
References
- RFC 912 - Authentication Service
- RFC 931 - Authentication Server
- Daniel J. Bernstein: TAP - INTERNET DRAFT 1992
- Daniel J. Bernstein: Why TAP? A White Paper, draft 3 920820
- RFC 1413 - Identification Protocol
- RFC 1414 - Identification MIB
- Peter Eriksson: TAPvsIDENT 3 Nov 1993
- Damien Doligez: Why encrypt ident/TAP replies? 1994.02.22
External links
- "IDENT is pointless and potentially dangerous", Erik Fair
- "IDENT is not of use to servers", Russell Nelson - A response to the above article.