Re several comments about an identity server not returning reliable
A BSD environment identifies one end of a TCP/IP connection as a
triple: (host, protocol, port).
Adding an identity server changes this to a quadruple:
(host, protocol, port, username).
I don't see why the "username" is being considered to be unreliable.
Unless the identity server has some bug, the username it sends must
correspond to the actual userid known to the kernel as owning the
TCP/IP end point.
So, once a specific username is returned by the identity server, we know
one of two things:
-- either the connection end-point was under control of the username returned
-- or the connection end-point was under control of somebody with
root access (or equivalent) to the machine
This is MUCH more useful information than the original BSD triple gave
us, which simply told us:
-- the connection was owned by somebody, nobody knows who
Having an identity server's output available allows us to hold a
specific userid, or the machine owner, accountable for the TCP/IP
Rahul Dhesi <dhesi @
also: dhesi @
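An added example, not part of the original post, showing the quadruple the post describes in working code: the identity server side that maps a (local port, remote port) pair to the owning username, and the querying side that parses the reply and records (host, protocol, port, username) for accountability. The query and reply formats are those of the ident protocol (RFC 1413); the endpoint-owner table, the hostnames and the usernames are constructed for illustration and stand in for what the kernel actually knows.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed table standing in for the kernel's knowledge of which userid
# owns each local TCP endpoint on the identity server's host. Keyed by
# (port on this host, port on the querying host).
ENDPOINT_OWNERS: Dict[Tuple[int, int], str] = {
    (25, 49152): "dhesi",   # constructed: local port 25, remote port 49152
    (6667, 50000): "alice", # constructed
}


def handle_ident_query(line: str, owners: Dict[Tuple[int, int], str] = ENDPOINT_OWNERS) -> str:
    """Identity server side.

    Parses a query of the form "<port-on-server> , <port-on-client>" (RFC 1413),
    where port-on-server is the port on the host running the identity server,
    and answers with either a USERID line or an ERROR line.
    """
    m = re.fullmatch(r"\s*(\d+)\s*,\s*(\d+)\s*", line.rstrip("\r\n"))
    if not m:
        # Unparseable query: RFC 1413 allows replying with INVALID-PORT.
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    local_port, remote_port = int(m.group(1)), int(m.group(2))
    if not (1 <= local_port <= 65535 and 1 <= remote_port <= 65535):
        return f"{local_port} , {remote_port} : ERROR : INVALID-PORT\r\n"
    user = owners.get((local_port, remote_port))
    if user is None:
        # No such connection owned by any user on this host.
        return f"{local_port} , {remote_port} : ERROR : NO-USER\r\n"
    return f"{local_port} , {remote_port} : USERID : UNIX : {user}\r\n"


@dataclass
class IdentResult:
    local_port: int          # port on the identity server's host
    remote_port: int         # port on the querying host
    username: Optional[str]  # None when the reply was an ERROR line
    error: Optional[str]     # NO-USER, HIDDEN-USER, INVALID-PORT, UNKNOWN-ERROR


def parse_ident_response(resp: str) -> IdentResult:
    """Querying side: parse a USERID or ERROR reply.

    The user-id field may itself contain colons, so split at most three times.
    """
    fields = [f.strip() for f in resp.rstrip("\r\n").split(":", 3)]
    ports = fields[0].split(",")
    if len(ports) != 2:
        raise ValueError("malformed ident response: bad port pair")
    local_port, remote_port = int(ports[0]), int(ports[1])
    if len(fields) == 4 and fields[1] == "USERID":
        return IdentResult(local_port, remote_port, fields[3], None)
    if len(fields) == 3 and fields[1] == "ERROR":
        return IdentResult(local_port, remote_port, None, fields[2])
    raise ValueError("malformed ident response: unknown reply type")


def connection_record(host: str, protocol: str, port: int,
                      ident_reply: str) -> Tuple[str, str, int, Optional[str]]:
    """Turn the BSD triple plus an ident reply into the quadruple from the post.

    A None username means the identity server could not (or would not) name a
    user, so only the machine owner can be held accountable for the endpoint.
    """
    result = parse_ident_response(ident_reply)
    return (host, protocol, port, result.username)


if __name__ == "__main__":
    # Simulated exchange: the querying host asks about its connection from
    # remote port 49152 to port 25 on the identity server's host.
    reply = handle_ident_query("25 , 49152")
    print("ident reply:", reply.strip())
    print("record:", connection_record("example.invalid", "tcp", 49152, reply))
    print("no such user:", handle_ident_query("25 , 1").strip())
```

The record function deliberately keeps a None username rather than dropping the entry, so a log reader can distinguish "the identity server named nobody" from "no identity server was consulted at all".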