Ident Information & Ident Links at HealthHaven.com

The Internet Protocol Suite
Application Layer
	BGP · DHCP · DNS · FTP · GTP · HTTP · IMAP · IRC · Megaco · MGCP · NNTP · NTP · POP · RIP · RPC · RTP · RTSP · SDP · SIP · SMTP · SNMP · SOAP · SSH · Telnet · TLS/SSL · XMPP · (more)
Transport Layer
	TCP · UDP · DCCP · SCTP · RSVP · ECN · (more)
Internet Layer
	IP (IPv4, IPv6) · ICMP · ICMPv6 · IGMP · IPsec · (more)
Link Layer
	ARP/InARP · NDP · OSPF · Tunnels (L2TP) · PPP · Media Access Control (Ethernet, DSL, ISDN, FDDI) · (more)
	This box: view • talk • edit

This article is about the Internet protocol. For the jargon contraction used in the broadcasting world, see station identification. For the use of the term ident in aviation, see Transponder (aviation)#Ident.

The Ident Protocol, specified in RFC 1413, is an Internet protocol that helps identify the user of a particular TCP connection. One popular daemon program for providing the ident service is identd.

[edit] How Ident Works

The Ident Protocol is designed to work as a server daemon, on a user's computer, where it receives requests to a specified port, generally 113. The server will then send a specially designed response that identifies the username of the current user.

[edit] Usefulness of Ident

Dialup hosts or shared shell servers often provide ident to enable abuse to be tracked back to specific users. In the case that abuse is handled on this host the concern about trusting the ident daemon is mostly irrelevant. Spoofing of the service and privacy concerns can be avoided by providing varying cryptographically strong tokens instead of real usernames.

If abuse is to be handled by the administrators of the service users connect to using the ident providing host, then the ident service must provide information identifying each user. Usually it is impossible for the administrators of the remote service to know whether specific users are connecting via a trustable server or from a computer they themselves control. In the latter case the ident service provides no reliable information.

The usefulness of Ident for proving of a known identity to a remote host is limited to circumstances when:

The user connecting is not the administrator of the machine. This is only likely for hosts providing Unix shell access, shared servers using a suEXEC-like construction and the like.
One trusts the administrators of the machine and knows their user policy. This is most likely for hosts in a common security domain such as within a single organization.
One trusts that the machine is the machine it claims to be and knows that machine. This is only easily arranged for hosts on a local area network or virtual network where all hosts on the network are trusted and new hosts cannot easily be added due to physical protection. On remote and normal local networks false ident replies can be accomplished by ip spoofing and, if DNS is used, by all kinds of DNS trickery. The ident daemon may provide cryptographically signed replies, which in case they can be confirmed solves these last, but not the first, concerns.

[edit] Security

The ident protocol is considered dangerous because it allows crackers to gain a list of usernames on a computer system which can later be used for attacks. A generally accepted solution to this is to set up a generic/generated identifier, returning node information or even gibberish (from the requesters point of view) rather than usernames. This gibberish may be turned into real usernames by the ident administrator, when he is contacted about possible abuse, which means the usefulness for tracking abuse is preserved.

[edit] Uses

Ident is important on IRC as a large number of people connect to IRC servers via bouncers which either serve multiple users or are hosted on shared servers. Some users also use clients on Unix shells. Without ident there would be no way to ban a single user of a bouncer from a channel or network without banning the entire host running the bouncer. The bouncer operator may also need this information to identify the abusive user. When an IRC server fails to get an identd response it has to fall back on the username given by the client. Ircds usually prefix usernames obtained directly from the client software with a tilde to indicate that they are not ident usernames and may be faked by the user (although with modern single-user home computers, the ident username itself may be set to whatever the user wants and is often returned by the same IRC client as the rest of the client information). Some IRC servers even go as far as blocking clients without an ident response, the main reason being that it makes it much harder to connect via an "open proxy" or a system where you have compromised a single account of some form but do not have root.

Special identds are used by those running large numbers of bouncers or a single bouncer that supports multiple users to allow bouncer usernames to be returned rather than simply the name of the user account on the system the bouncer is running under. The best known of these are probably oidentd and Windows Ident Server^[1].

[edit] See also

Internet Relay Chat (IRC)
File Transfer Protocol (FTP)
Simple Mail Transfer Protocol (SMTP)
Network News Transfer Protocol (NNTP)
Secure Shell (SSH)

[edit] References

^ http://www.rndware.info/content/Windows+Ident+Server

RFC 912 - Authentication Service
RFC 931 - Authentication Server
Daniel J. Bernstein: TAP - INTERNET DRAFT 1992
Daniel J. Bernstein: Why TAP? A White Paper, draft 3 920820
RFC 1413 - Identification Protocol
RFC 1414 - Identification MIB
Peter Eriksson: TAPvsIDENT 3 Nov 1993
Damien Doligez: Why encrypt ident/TAP replies? 1994.02.22

[0] ttp://www.rndware.info/content/Windows+Ident+Server

[1]