Great Circle Associates Firewalls
(February 1993)

Subject: Re: bogus email
From: Rahul Dhesi <dhesi @ rahul . net>
Date: Wed, 10 Feb 93 12:14:11 -0800
To: firewalls @ GreatCircle . COM

Re several comments about an identity server not returning reliable
information:

A BSD environment identifies one end of a TCP/IP connection as a
triple:  (host, protocol, port).

Adding an identity server changes this to a quadruple:
(host, protocol, port, username).

I don't see why the "username" is being considered to be unreliable.
Unless the identity server has some bug, the username it sends must
correspond to the actual userid known to the kernel as owning the
TCP/IP end point.

So, once a specific username is returned by the identity server, we know
one of two things:

-- either the connection end-point was under control of the username returned
-- or the connection end-point was under control of somebody with
   root access (or equivalent) to the machine

This is MUCH more useful information than the original BSD triple gave
us, which simply told us:

-- the connection was owned by somebody, nobody knows who

Having an identity server's output available allows us to hold a
specific userid, or the machine owner, accountable for the TCP/IP
connection.

Rahul Dhesi <dhesi @ rahul . net>
also:  dhesi @ cirrus . com
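Added example, not code from the post above or from the firewalls list: the identification protocol (RFC 1413, the "identity server" of the post) is a one-line query naming the two TCP ports of a connection, answered by the remote host with either a USERID line carrying the user-id or an ERROR line. The code below builds that query, parses both reply forms (including the optional charset and a user-id that itself contains colons), and applies the post's accountability rule: a USERID reply points at that user or at someone with root on the answering host, an ERROR reply leaves only the host. The wire format is RFC 1413's; the host name, the sample replies and the `accountable_party` helper are constructed for this example.

```python
"""Ident (RFC 1413) query building, reply parsing and the "who do we
hold accountable" rule from the post.  Added example; the sample host
and replies are constructed, not captured from a real identd."""
import socket
from dataclasses import dataclass
from typing import Optional

IDENT_PORT = 113  # well-known port of the identification protocol


@dataclass
class IdentResult:
    server_port: int      # port on the host that answered (the remote end)
    client_port: int      # our port on this end of the TCP connection
    kind: str             # "USERID" or "ERROR"
    opsys: Optional[str]  # e.g. "UNIX" or "OTHER"; only for USERID
    user: Optional[str]   # user-id string; only for USERID
    error: Optional[str]  # error-type; only for ERROR


def build_query(remote_port: int, local_port: int) -> bytes:
    """RFC 1413 query: "<port-on-server> , <port-on-client>" CRLF.
    The "server" is the host being asked (the remote end), the
    "client" is us, so the remote port comes first."""
    for p in (remote_port, local_port):
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    return f"{remote_port} , {local_port}\r\n".encode("ascii")


def parse_reply(raw: bytes) -> IdentResult:
    """Parse one reply line.  Forms:
         "<sp> , <cp> : USERID : <opsys> [ , <charset> ] : <user-id>"
         "<sp> , <cp> : ERROR : <error-type>"
    The user-id may contain colons, so split on at most three ':'."""
    line = raw.decode("ascii", errors="replace").rstrip("\r\n")
    fields = [f.strip() for f in line.split(":", 3)]
    if len(fields) < 3:
        raise ValueError(f"malformed ident reply: {line!r}")
    ports = [p.strip() for p in fields[0].split(",")]
    if len(ports) != 2 or not all(p.isdigit() for p in ports):
        raise ValueError(f"malformed port pair: {fields[0]!r}")
    sp, cp = int(ports[0]), int(ports[1])
    kind = fields[1].upper()
    if kind == "USERID":
        if len(fields) != 4:
            raise ValueError(f"USERID reply needs opsys and user-id: {line!r}")
        opsys = fields[2].split(",")[0].strip()   # drop optional charset
        return IdentResult(sp, cp, "USERID", opsys, fields[3], None)
    if kind == "ERROR":
        return IdentResult(sp, cp, "ERROR", None, None, fields[2])
    raise ValueError(f"unknown reply type: {fields[1]!r}")


def accountable_party(remote_host: str, result: IdentResult,
                      remote_port: int, local_port: int) -> str:
    """The post's rule as a helper (constructed for this example).
    A USERID reply means the end-point was owned by that user, or by
    someone with root on remote_host, who controls what its identd
    answers; either way the log entry names a party to ask.  A reply
    for a different port pair, or any ERROR, leaves only the host."""
    if (result.server_port, result.client_port) != (remote_port, local_port):
        return f"unknown user on {remote_host} (reply is for another connection)"
    if result.kind == "USERID":
        return f"{result.user}@{remote_host} (or root on {remote_host})"
    return f"unknown user on {remote_host} ({result.error})"


def query_ident(remote_host: str, remote_port: int, local_port: int,
                timeout: float = 5.0) -> IdentResult:
    """Live lookup: connect to port 113 on the remote host, send the
    query and parse the single reply line.  Not exercised offline."""
    with socket.create_connection((remote_host, IDENT_PORT), timeout) as s:
        s.sendall(build_query(remote_port, local_port))
        f = s.makefile("rb")
        return parse_reply(f.readline())


def demo() -> dict:
    """Offline walk-through on constructed replies for a hypothetical
    connection from alpha.example port 6191 to our telnet port 23."""
    host, rport, lport = "alpha.example", 6191, 23
    replies = {
        "plain":   b"6191 , 23 : USERID : UNIX : alice\r\n",
        "charset": b"6191 , 23 : USERID : UNIX , US-ASCII : alice\r\n",
        "colons":  b"6191 , 23 : USERID : OTHER : x:y:z\r\n",
        "error":   b"6191 , 23 : ERROR : NO-USER\r\n",
        "wrong":   b"6191 , 25 : USERID : UNIX : alice\r\n",
    }
    return {name: accountable_party(host, parse_reply(r), rport, lport)
            for name, r in replies.items()}


if __name__ == "__main__":
    for name, who in demo().items():
        print(f"{name:8s} -> {who}")
```

The port check in `accountable_party` matters in practice: an identd may answer for the wrong connection, and a reply that does not echo the queried port pair says nothing about the connection being logged.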

