Title: Overview of Identd

KBTAG: kben10000124
URL: http://www.securityportal.com/lskb/10000100/kben10000124.html
Date created: 06/08/2000
Date modified: 10/08/2000
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: Overview of Identd
Keywords: Network/UserInfo

Summary:

The ident service is used to map users/processes to ports in use. For example, most IRC servers attempt to find out who is connecting to them by doing an ident lookup: they ask the ident server on the client computer what information it has about a given port number. The response can range from nothing (if no one is using that particular port) to a username, group name, process ID and other interesting information. The default setting in most distributions is that identd is on (it is polite to run it; IRC servers and newer versions of sendmail check identd responses) and that it hands out only the username. The primary use of identd is to give remote systems some means of tracking down users that are connecting to their servers (IRC, telnet, mail or other); using it for authentication is not a good idea, since the response is very easy to fake. The local university here in Edmonton requires you to run identd if you want to telnet into any of the main shell servers, primarily so they can track down compromised accounts quickly.

Running identd on your machine will help other administrators when tracking down problems: they get not only the IP address and time of a problem, but can use identd to look up the user name as well. In this way it is a two-edged sword. While it gives out information useful for tracking down malicious users (definitely people you want to boot off of your servers), it can also be used to gain information about users on your system, leading to their accounts being compromised. Running identd on servers only makes sense if they host shell accounts or the like.

Identd runs on port 113 using TCP. You will typically only need it if you want to use IRC (many IRC networks require an identd response), or to be nice to systems running daemons (such as tcp-wrapped telnet or sendmail) that do identd lookups on incoming connections. If you do run it, restrict access to port 113 to the networks and hosts that actually need to query it, for example:

ipfwadm -I -a accept -P tcp -S 10.0.0.0/8 -D 0.0.0.0/0 113
ipfwadm -I -a accept -P tcp -S some.trusted.host -D 0.0.0.0/0 113
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 113

or

ipchains -A input -p tcp -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0 113
ipchains -A input -p tcp -j ACCEPT -s some.trusted.host -d 0.0.0.0/0 113
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 113

More information:

Identd supports quite a few features and can easily be set to run as a non-root user. Depending on your security policies you may not want to give out very much information, or you might want to give out as much as possible. Simply tack the options onto the in.identd entry in inetd.conf (the defaults are -l -e -o).

-p port
-a address
Specify which port and address identd binds to (useful on a machine with aliased IPs or multiple interfaces). Changing the port is generally only useful if you want internal machines to connect, since external machines will probably not be able to figure out which port you moved it to.

-u uid
-g gid
Set the user and group that identd drops its privileges to after binding to the port; this makes identd far less able to compromise system security if it is itself compromised. As for handling the amount of information it gives out:

-o
Makes identd return "UNKNOWN" instead of the operating system type; a very good option.

-n
Makes identd return the numeric user ID (UID) rather than the username. This still gives the remote administrator enough information to report the incident to you and lets you track the user down easily, without handing valuable hints to would-be attackers.

-N
Allows users to create a ~/.noident file, which forces identd to return "HIDDEN-USER" instead of user information. This gives users the option of a degree of privacy, but a malicious user will use it to evade identification.

-F format
Lets you return far more information than is standard: everything from the user name and number to the actual PID, the command name, and the command name together with the arguments it was given. I would recommend this only for internal use, as it is a lot of information that attackers would find useful.

In general I would advise running identd on servers with user shell accounts and otherwise disabling it, primarily because of the number of denial of service attacks it is susceptible to. Running identd will make life a lot easier for other administrators when tracking down attacks originating from your site, which will ultimately make your life easier.
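The replies an ident lookup can come back with (a plain USERID line, "UNKNOWN" for the OS under -o, a bare UID under -n, "HIDDEN-USER" under -N, or "NO-USER") are easy to misread if you only ever log them raw. The following is an added example, not part of the original article or of any identd implementation: a small RFC 1413 reply parser that classifies each of those cases on constructed sample replies and neutralises control characters before the user field reaches a log.

```python
"""Parse ident (RFC 1413) replies of the kinds the article describes.
Added example, not from the original article; the sample replies are
constructed. A real lookup connects to TCP port 113 on the connecting host,
sends "<server-port>, <client-port>\r\n" and reads back one line."""
import re

# RFC 1413 reply shapes:  sport , cport : USERID : <opsys> : <user-id>
#                         sport , cport : ERROR : <error-type>
_USERID = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*USERID\s*:\s*([^:]*?)\s*:\s*(.*?)\s*$")
_ERROR = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*ERROR\s*:\s*([A-Z-]+)\s*$")


def build_request(server_port: int, client_port: int) -> bytes:
    """Query line sent to the connecting host's identd."""
    return f"{server_port}, {client_port}\r\n".encode("ascii")


def _loggable(text: str) -> str:
    """Neutralise control characters so a hostile reply cannot forge log lines."""
    return "".join(c if c.isprintable() else "?" for c in text)


def parse_reply(raw: bytes) -> dict:
    """Classify one reply. The user field is whatever the remote identd chose
    to say, so treat it as a tracking hint, never as authentication."""
    # RFC 1413 caps a reply line at 512 characters; never trust more than that
    line = raw[:512].decode("ascii", errors="replace").rstrip("\r\n")
    if m := _USERID.match(line):
        sport, cport, opsys, user = m.groups()
        return {"kind": "USERID", "ports": (int(sport), int(cport)),
                "opsys": _loggable(opsys),   # "-o" yields UNKNOWN here
                "user": _loggable(user),     # "-n" yields the numeric UID
                "user_is_uid": user.isdigit()}
    if m := _ERROR.match(line):
        sport, cport, err = m.groups()       # "-N" yields HIDDEN-USER
        return {"kind": "ERROR", "ports": (int(sport), int(cport)), "error": err}
    return {"kind": "MALFORMED", "raw": _loggable(line)}


# Constructed sample replies mirroring the options the article discusses
SAMPLES = {
    "default": b"6667 , 51234 : USERID : UNIX : alice\r\n",
    "-o":      b"6667 , 51234 : USERID : UNKNOWN : alice\r\n",
    "-n":      b"6667 , 51234 : USERID : UNKNOWN : 1001\r\n",
    "-N":      b"6667 , 51234 : ERROR : HIDDEN-USER\r\n",
    "no-user": b"6667 , 51234 : ERROR : NO-USER\r\n",
}

if __name__ == "__main__":
    for opt, reply in SAMPLES.items():
        print(f"{opt:8} -> {parse_reply(reply)}")
```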

Downloads:

There are also other versions of identd available, some with security enhancements (I do not endorse these as I have yet to test them):

http://insecurity.net/ - Paul's secure identd written in Perl
http://www.tildeslash.org/nullidentd.html - null identd
http://www.ajk.tele.fi/~too/sw/ - fake identd
http://p8ur.op.het.net/midentd/ - midentd
http://www.nyct.net/~defile/programs/ident2/ - ident2
ftp://junker.org/pub/lidentd/ - lidentd