Subject: Re: IDENT secure?
From: Brad Huntting (huntting@advtech.uswest.com)
Date: Tue, 16 Nov 1993 10:15:03 -0700

> You might want to put a generic IDENT daemon in place; it might only
> respond with "firewall," rather than a specific userid.

You mean like this?

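#include <sys/types.h>
#include <sys/uio.h>
#include <stdlib.h>
#include <unistd.h>

/* Generic IDENT responder for inetd: echoes the port pair from the
 * query and appends a fixed user id instead of a real one. */
int main(int argc, char *argv[])
{
    static char buf[64], resp[] = " : USERID : OTHER : firewall-user\r\n";
    static struct iovec iov[] = {
        { buf, sizeof(buf) },
        { resp, sizeof(resp)-1 }
    };
    ssize_t n;

    /* iov_len is unsigned, so test the read() result before storing it;
     * a query too short to hold its trailing "\r\n" is rejected. */
    if ((n = read(0, buf, sizeof(buf)-1)) < 2) exit(1);
    iov[0].iov_len = n - 2;    /* drop the trailing "\r\n" */
    if (writev(1, iov, 2) < 0) exit(1);

    exit(0);
}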

Subject: Re: IDENT secure?
From: Wes Morgan (morgan@engr.uky.edu)
Date: Tue, 16 Nov 93 09:28:00 EST

>I wouldn't run it, but I have seen some src posted in some usenet groups
>that make a fake ident that lets you have a similar ident daemon, but
>doesn't reveal any information.

This isn't really a "fake" ident. During our discussions in the Ident working group, we decided that some provision should be made for sites/users that did not necessarily want to release the information. The Ident RFC (RFC 1413) allows a site to respond with "HIDDEN-USER," rather than a userid. I believe that the pidentd code from ftp.lysator.liu.se supports this capability.

HIDDEN-USER might be a good option for a firewall ident daemon. It would be nice if the "real" information was logged on the firewall as a response to the query, just in case the need arises...

--Wes
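
A responder along the lines discussed above, as an added example that is not code from this thread or from pidentd: it answers a well-formed query with the RFC 1413 HIDDEN-USER error and logs the queried port pair on the firewall. Assumptions: it is started by inetd with the socket on stdin/stdout, the function name hidden_reply and the syslog tag are hypothetical, and looking up the real userid for the connection (OS-specific) is left out, so only the port pair is recorded.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Parse an RFC 1413 query "<server-port> , <client-port>\r\n" and build an
 * error reply that names no user. Returns the reply length, or -1 when the
 * query cannot be parsed and the caller should simply close the connection. */
int hidden_reply(const char *query, char *out, size_t outlen,
                 long *sport, long *cport)
{
    const char *err = "HIDDEN-USER";
    char tail;
    int n;

    /* %5ld caps each port at five digits; the trailing %c only converts
     * when something other than whitespace follows the port pair. */
    if (sscanf(query, " %5ld , %5ld %c", sport, cport, &tail) != 2)
        return -1;
    if (*sport < 1 || *sport > 65535 || *cport < 1 || *cport > 65535)
        err = "INVALID-PORT";

    n = snprintf(out, outlen, "%ld , %ld : ERROR : %s\r\n", *sport, *cport, err);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    char q[64], r[64];
    long sport = 0, cport = 0;
    ssize_t n = read(0, q, sizeof q - 1);  /* assumption: inetd put the socket on stdin */
    int len;

    if (n <= 0)
        return 1;
    q[n] = '\0';
    if ((len = hidden_reply(q, r, sizeof r, &sport, &cport)) < 0)
        return 1;

    /* Log the parsed numbers, never the peer's raw bytes, so the connection
     * can be traced on the firewall later without trusting remote input. */
    openlog("hidden-identd", LOG_PID, LOG_DAEMON);  /* hypothetical tag */
    syslog(LOG_INFO, "ident query %ld , %ld answered: %.*s",
           sport, cport, len - 2, r);
    return write(1, r, (size_t)len) == (ssize_t)len ? 0 : 1;
}
```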