Ident protocol

The Ident Protocol (Identification Protocol, Ident), specified in RFC 1413, is an Internet protocol that helps identify the user of a particular TCP connection. One popular daemon program for providing the ident service is identd.


Function

The Ident Protocol is designed to work as a server daemon, on a user's computer, where it receives requests on a specified TCP port, generally 113. In the query, a client specifies a pair of TCP ports (a local and a remote port), encoded as ASCII decimals and separated by a comma (,). The addresses of the connection being asked about are implied: the ident server's own address and the address of the host making the query. The server then sends a response that identifies the username of the user who runs the program that uses the specified pair of TCP ports, or specifies an error.

Suppose host A wants to know the name of the user who is connecting to its TCP port 23 (Telnet) from the client's (host B) port 6191. Host A would then open a connection to the ident service on host B, and issue the following query:

6191, 23

As TCP connections generally use one unique local port (6191 in this case), host B can unambiguously identify the program that has initiated the specified connection to host A's port 23, should it exist. Host B would then issue a response, echoing the queried port pair and identifying the user ("stjohns" in this example) who owns the program that initiated this connection and the name of its local operating system:

6191, 23 : USERID : UNIX : stjohns

But if it turned out that no such connection exists on host B, it would instead issue an error response carrying one of the error tokens defined in the RFC (INVALID-PORT, NO-USER, HIDDEN-USER or UNKNOWN-ERROR):

6191, 23 : ERROR : NO-USER

All ident messages should be delimited by an end-of-line sequence consisting of the carriage return and linefeed characters (CR+LF).
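The exchange above, worked through on both sides as an added example (this is not code from the article or from any identd implementation): answer_query() is what the daemon on host B computes for one query line, and parse_response() is what host A does with the reply. The function names, the in-memory connection table standing in for host B's socket table, and the port numbers are constructed for the demo.

```python
"""RFC 1413 query/response handling, as an added example (not code from the
original article). Both sides are shown: answer_query() is what the ident
daemon on host B computes, parse_response() is what host A does with the
reply. The connection table and port numbers are constructed for the demo."""
import re

CRLF = "\r\n"
# Query: "<port-on-server> , <port-on-client>". port-on-server is the port on
# the host running identd (host B), port-on-client the port on the asking host
# (host A). Whitespace around the comma is allowed by the RFC.
_QUERY_RE = re.compile(r"^\s*(\d{1,10})\s*,\s*(\d{1,10})\s*$")
# Reply: "<ports> : USERID : <opsys>[ , <charset>] : <userid>"
#    or  "<ports> : ERROR : <error-token>"
_RESPONSE_RE = re.compile(
    r"^\s*(\d{1,10})\s*,\s*(\d{1,10})\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")


def parse_query(line):
    """Return the (port_on_server, port_on_client) pair, or None if the line
    is not two decimal integers separated by a comma."""
    m = _QUERY_RE.match(line.rstrip("\r\n"))
    return (int(m.group(1)), int(m.group(2))) if m else None


def _valid_port(p):
    return 1 <= p <= 65535


def answer_query(line, connections):
    """Host B side: build the CRLF-terminated reply for one query line.

    `connections` stands in for the kernel socket table and maps
    (local_port, remote_port) -> (opsys, userid). The reply echoes the queried
    port pair. A real daemon additionally restricts the lookup to connections
    whose remote address is the host that sent the query; this port-keyed
    table does not model addresses.
    """
    pair = parse_query(line)
    if pair is None:
        return f"0 , 0 : ERROR : INVALID-PORT{CRLF}"
    sport, cport = pair
    if not (_valid_port(sport) and _valid_port(cport)):
        return f"{sport} , {cport} : ERROR : INVALID-PORT{CRLF}"
    entry = connections.get((sport, cport))
    if entry is None:
        return f"{sport} , {cport} : ERROR : NO-USER{CRLF}"
    opsys, userid = entry
    return f"{sport} , {cport} : USERID : {opsys} : {userid}{CRLF}"


def parse_response(line):
    """Host A side: parse one reply into a dict. Raises ValueError on garbage.

    The userid is whatever host B's daemon chose to send: it is untrusted
    input and must not be used for authorization on its own.
    """
    m = _RESPONSE_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("malformed ident response")
    ports = (int(m.group(1)), int(m.group(2)))
    kind, rest = m.group(3), m.group(4)
    if kind == "ERROR":
        return {"ports": ports, "kind": kind, "error": rest}
    # opsys is a token and cannot contain ':', so the first colon ends it;
    # the userid itself may contain colons.
    opsys_field, sep, userid = rest.partition(":")
    if not sep or not userid.strip():
        raise ValueError("USERID reply without a user-id")
    opsys, _, charset = opsys_field.partition(",")
    return {"ports": ports, "kind": kind, "opsys": opsys.strip(),
            "charset": charset.strip() or "US-ASCII",  # RFC 1413 default
            "userid": userid.strip()}


def demo_exchange():
    """The article's example: host A asks host B about B:6191 -> A:23."""
    host_b_table = {(6191, 23): ("UNIX", "stjohns")}   # constructed
    query = "6191, 23" + CRLF                           # sent by host A
    reply = answer_query(query, host_b_table)           # computed on host B
    return reply, parse_response(reply)                 # consumed on host A


if __name__ == "__main__":
    reply, parsed = demo_exchange()
    print(repr(reply), parsed)
```

Querying a port pair that is not in the table yields the NO-USER error, and a pair outside 1..65535 yields INVALID-PORT with the bad numbers echoed, so a client can tell "no such connection" apart from "my query was broken".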


Usefulness of ident

Dial-up hosts or shared shell servers often provide ident to enable abuse to be tracked back to specific users. In the case that abuse is handled on this host, the concern about trusting the ident daemon is mostly irrelevant. Spoofing of the service and privacy concerns can be avoided by providing varying cryptographically strong tokens instead of real usernames. If abuse is to be handled by the administrators of the service that users connect to from the ident-providing host, then the ident service must provide information identifying each user. Usually it is impossible for the administrators of the remote service to know whether specific users are connecting via a trustworthy server or from a computer they themselves control. In the latter case the ident service provides no reliable information.

The usefulness of Ident for proving a known identity to a remote host is limited to circumstances when:

* The user connecting is not the administrator of the machine. This is only likely for hosts providing Unix shell access, shared web servers using a suEXEC-like construction, and the like.
* One trusts the administrators of the machine and knows their user policy. This is most likely for hosts in a common security domain such as within a single organization.
* One trusts that the machine is the machine it claims to be and knows that machine. This is only easily arranged for hosts on a local area network or virtual network where all hosts on the network are trusted and new hosts cannot easily be added because of physical protection. On remote and ordinary local networks false ident replies can be produced by IP spoofing and, if DNS is used, by all kinds of DNS trickery. The ident daemon may provide cryptographically signed replies which, if they can be verified, solve the last two concerns, but not the first.
* There exist no intermediate obstacles to connecting to identd such as a firewall, NAT, or proxy (for example, when using ident with Apache httpd). These are common when going between security domains (as with public HTTP or FTP servers).


Security

The ident protocol is considered dangerous because it allows attackers to enumerate usernames on a computer system, which can later be used for attacks such as password guessing. A generally accepted mitigation is to set up a generic or generated identifier, returning node information or even an opaque token (gibberish, from the requester's point of view) rather than usernames. The token can be turned back into a real username by the ident administrator when he or she is contacted about possible abuse, which means the usefulness for tracking abuse is preserved.
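One way to build the "varying cryptographically strong tokens" mentioned under Usefulness of ident and the reversible gibberish described here, as an added example (not code from the article or from any ident daemon): the daemon replies with an HMAC over the account name, the queried port pair and the UTC date, and the administrator, who alone holds the key, recomputes that HMAC for each local account when an abuse report quotes the token. The function names, the key, the user list, the ports and the dates are all constructed for the demo.

```python
"""Opaque ident tokens instead of usernames, as an added example (not code
from the article or from any ident daemon). make_token()/ident_reply() are
what the ident host sends; resolve_token() is what its administrator runs on
an abuse report that quotes the token, the port pair and the UTC date.
The secret key, user list, ports and dates used here are constructed."""
import base64
import hashlib
import hmac
from datetime import date, timedelta

TOKEN_BYTES = 12  # 96-bit tag: ample for a lookup over a few thousand accounts


def make_token(secret, username, port_on_server, port_on_client, day):
    """HMAC-SHA256 over (user, port pair, UTC day), truncated and base32'd.

    Binding the port pair and day gives a different token per connection, so
    a remote observer cannot link sessions to one account or enumerate users,
    while the key holder can recompute the token from an abuse report.
    """
    msg = "\x00".join([username, str(port_on_server), str(port_on_client), day])
    mac = hmac.new(secret, msg.encode(), hashlib.sha256).digest()[:TOKEN_BYTES]
    return base64.b32encode(mac).decode().rstrip("=").lower()


def ident_reply(secret, username, port_on_server, port_on_client, day):
    """Reply line the daemon sends. RFC 1413 reserves the opsys value OTHER
    for replies whose user-id field is not an account name."""
    token = make_token(secret, username, port_on_server, port_on_client, day)
    return f"{port_on_server} , {port_on_client} : USERID : OTHER : {token}\r\n"


def resolve_token(secret, token, local_users, port_on_server, port_on_client,
                  reported_day):
    """Map a reported token back to a local account, or None.

    Recomputes the token for every local account (the candidate set is small)
    for the reported UTC day and the day before it, so a report whose clock
    or timezone differs slightly still resolves. Comparison is constant-time.
    """
    d = date.fromisoformat(reported_day)
    days = [reported_day, (d - timedelta(days=1)).isoformat()]
    for day in days:
        for user in local_users:
            cand = make_token(secret, user, port_on_server, port_on_client, day)
            if hmac.compare_digest(cand, token):
                return user
    return None


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-on-the-ident-host-only"  # constructed
    print(ident_reply(key, "stjohns", 6191, 23, "1993-02-01"), end="")
    tok = make_token(key, "stjohns", 6191, 23, "1993-02-01")
    print(resolve_token(key, tok, ["root", "alice", "stjohns"], 6191, 23,
                        "1993-02-01"))
```

The daemon keeps no state, so nothing about past connections leaks if the host is later compromised beyond the key itself; if the key is rotated, resolve_token() must be run with the key that was current on the reported day.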


Uses

Ident is important on IRC, as a large number of people connect to IRC from a server shared by multiple users, often using a bouncer. Without Ident there would be no way to ban a single user without banning the entire host. The server administrator may also use this information to identify the abusive user. On most IRC networks, when the server fails to get an Ident response it falls back to the username given by the client, but marks it as "not verified", usually by prefixing it with a tilde (~). Some IRC servers go as far as blocking clients without an ident response, the main reason being that it makes it much harder to connect via an open proxy or from a system where the attacker has compromised a single account of some form but does not have root (on Unix-like systems, by default only root can listen for network connections on ports below 1024, and 113 is one of them). However, Ident provides no additional authentication when the user is connecting directly from their personal computer, on which they have enough privileges to control the Ident daemon as well.


Software

* oidentd (for Unix-like systems): an RFC 1413 compliant ident daemon that runs on Linux, FreeBSD, OpenBSD, NetBSD, DragonFly BSD, and some versions of Darwin and Solaris; it can handle IP-masqueraded or NAT connections.
* Retina Scan Identd (for Windows; supports multiple users in a way similar to Unix identd)


See also

* IRC
* FTP
* SMTP
* NNTP
* SSH
* SOCKS proxies


Further reading

* Authentication Service (RFC)
* Authentication Server (RFC)
* Daniel J. Bernstein, TAP Internet Draft, June 1992
* Daniel J. Bernstein, Why TAP? A White Paper, 1992-08-20
* RFC 1413 – Identification Protocol
* RFC 1414 – Identification MIB
* Peter Eriksson, TAPvsIDENT, 1993-11-03
* Damien Doligez, Why encrypt ident/TAP replies?, 1994-02-22