Ident protocol

From Wikipedia, the free encyclopedia
Internet protocol that helps identify the user of a particular TCP connection
Ident
Communication protocol
Purpose: Identification
Developer(s): Michael C. St. Johns at US Department of Defense
Introduction: February 1993
Based on: RFC 931
OSI layer: Application layer (Layer 7)
Port(s): TCP/113
RFC(s): RFC 1413

The Ident Protocol (Identification Protocol, Ident), specified in RFC 1413, is an Internet protocol that helps identify the user of a particular TCP connection. One popular daemon program for providing the ident service is identd.

Function


The Ident Protocol is designed to work as a server daemon, on a user's computer, where it receives requests to a specified TCP port, generally 113. In the query, a client specifies a pair of TCP ports (a local and a remote port), encoded as ASCII decimals and separated by a comma (,). The server then sends a response that identifies the username of the user who runs the program that uses the specified pair of TCP ports, or specifies an error.

Suppose host A wants to know the name of the user who is connecting to its TCP port 23 (Telnet) from the client's (host B) port 6191. Host A would then open a connection to the ident service on host B, and issue the following query:

6191, 23

As TCP connections generally use one unique local port (6191 in this case), host B can unambiguously identify the program that has initiated the specified connection to host A's port 23, should it exist. Host B would then issue a response that echoes the queried port pair and identifies the user ("stjohns" in this example) who owns the program that initiated this connection, together with the name of its local operating system:

6191, 23 : USERID : UNIX : stjohns

If no such connection exists on host B, it instead issues an error response for the same port pair:

6191, 23 : ERROR : NO-USER

All ident messages are delimited by an end-of-line sequence consisting of the carriage return and line feed characters (CR+LF).[1]
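The exchange above, as an added example that is not part of the original article or of any real identd: a parser for the query line, a responder that answers from a constructed connection table standing in for host B's kernel socket list, a client-side parser for USERID and ERROR replies, and a loopback run of the whole exchange on an ephemeral port instead of 113 (so no root is needed). The error handling follows RFC 1413's INVALID-PORT and NO-USER types; the table contents and the "0, 0" echo for an unparsable query are assumptions made for the example.

```python
"""Minimal Ident (RFC 1413) exchange: query parser, responder, reply parser,
and a loopback demo. Added example; the connection table is constructed."""
import re
import socket
import threading

CRLF = "\r\n"
OPSYS = "UNIX"

# Constructed stand-in for host B's kernel connection table:
# (local port on B, remote port on A) -> username owning the socket.
CONNECTION_TABLE = {
    (6191, 23): "stjohns",
    (6192, 22): "alice",
}

_QUERY_RE = re.compile(r"\s*(\d{1,5})\s*,\s*(\d{1,5})\s*")


def parse_query(line: str) -> tuple:
    """Parse '<port-on-server> , <port-on-client>'; ValueError if malformed."""
    m = _QUERY_RE.fullmatch(line.rstrip("\r\n"))
    if not m:
        raise ValueError("malformed ident query")
    return int(m.group(1)), int(m.group(2))


def build_response(line: str, table=CONNECTION_TABLE) -> str:
    """Server side: answer one query line with a CRLF-terminated reply.
    The reply echoes the queried port pair, then USERID or an ERROR type."""
    try:
        sport, cport = parse_query(line)
    except ValueError:
        # RFC 1413 uses INVALID-PORT for anything not recognised as a port
        # number; nothing sensible can be echoed, so this example echoes 0, 0.
        return f"0, 0 : ERROR : INVALID-PORT{CRLF}"
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return f"{sport}, {cport} : ERROR : INVALID-PORT{CRLF}"
    user = table.get((sport, cport))
    if user is None:
        return f"{sport}, {cport} : ERROR : NO-USER{CRLF}"
    return f"{sport}, {cport} : USERID : {OPSYS} : {user}{CRLF}"


def parse_response(line: str) -> dict:
    """Client side: parse a reply. The user-id field may itself contain
    colons, so split on at most three ':' separators."""
    parts = [p.strip() for p in line.rstrip("\r\n").split(":", 3)]
    ports = parse_query(parts[0])
    if len(parts) == 4 and parts[1] == "USERID":
        opsys, _, charset = parts[2].partition(",")
        return {"ports": ports, "type": "USERID", "opsys": opsys.strip(),
                "charset": charset.strip() or "US-ASCII", "user": parts[3]}
    if len(parts) == 3 and parts[1] == "ERROR":
        return {"ports": ports, "type": "ERROR", "error": parts[2]}
    raise ValueError("malformed ident response")


def _recv_line(sock: socket.socket, limit: int = 1024) -> str:
    """Read up to the first CRLF (or EOF / limit) and return it as text."""
    buf = b""
    while b"\r\n" not in buf and len(buf) < limit:
        chunk = sock.recv(limit - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf.split(b"\r\n", 1)[0].decode("ascii", "replace")


def serve_one(listener: socket.socket) -> None:
    """Accept one connection on the loopback identd and answer one query."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(build_response(_recv_line(conn)).encode("ascii"))


def ident_lookup(host: str, port: int, sport: int, cport: int) -> dict:
    """Act as host A: ask host B's identd who owns the (sport, cport) pair."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        s.sendall(f"{sport}, {cport}{CRLF}".encode("ascii"))
        return parse_response(_recv_line(s))


def demo() -> dict:
    """Run the article's two queries over loopback on an ephemeral port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    results = {}
    for pair in ((6191, 23), (6195, 23)):
        t = threading.Thread(target=serve_one, args=(listener,))
        t.start()
        results[pair] = ident_lookup("127.0.0.1", port, *pair)
        t.join()
    listener.close()
    return results


if __name__ == "__main__":
    for pair, reply in demo().items():
        print(pair, reply)
```

Running the module prints the USERID reply for (6191, 23) and the NO-USER error for (6195, 23). Note that the responder trusts nothing from the querying host: it only ever reports on sockets in its own table, which is exactly why a querier can learn nothing more than the owner of a connection that host chose to make.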

Usefulness of ident


Dialup hosts or shared shell servers often provide ident so that abuse can be traced back to specific users. When abuse is handled on that host itself, the question of whether to trust the ident daemon is mostly moot. Spoofing of the service and privacy concerns can be avoided by returning varying, cryptographically strong tokens instead of real usernames.

If abuse is to be handled by the administrators of the service that users connect to from the ident-providing host, then the ident service must return information identifying each user. Usually, the administrators of the remote service cannot know whether a given user is connecting via a trustworthy shared server or from a computer the user controls. In the latter case the ident service provides no reliable information.

The usefulness of Ident for proving a known identity to a remote host is limited to circumstances in which:

  • The user connecting is not the administrator of the machine. This is only likely for hosts providing Unix shell access, shared servers using a suEXEC-like construction, and the like.
  • One trusts the administrators of the machine and knows their user policy. This is most likely for hosts in a common security domain, such as within a single organization.
  • One trusts that the machine is the machine it claims to be and knows that machine. This is only easily arranged for hosts on a local area network or virtual network where all hosts are trusted and new hosts cannot easily be added because of physical protection. On remote networks, and on ordinary local networks, false ident replies can be produced by IP spoofing and, if DNS is used, by all kinds of DNS trickery. The ident daemon may provide cryptographically signed replies which, if they can be verified, address these last concerns but not the first.
  • There are no intermediate obstacles to connecting to identd, such as a firewall, NAT or proxy (as when using ident with Apache httpd). These are common when crossing security domains (as with public HTTP or FTP servers).

Security


The ident protocol is considered dangerous because it allows attackers to enumerate usernames on a computer system, which can later be used for attacks such as password guessing. A generally accepted solution is to return a generic or generated identifier, node information, or even gibberish (from the requester's point of view) rather than usernames. The ident administrator can turn this gibberish back into real usernames when contacted about possible abuse, so its usefulness for tracking abuse is preserved.
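The tokenised replies suggested here and in the "Usefulness of ident" section above, as an added example that is neither the article's nor any identd's code: the reply carries a per-user, per-day HMAC-SHA256 token instead of the username, and the operator who holds the key can map a token quoted in an abuse report back to the account by recomputing tokens over the reporting window. Using the "OTHER" opsys value for a non-username identifier follows RFC 1413; the daily rotation, the 64-bit truncation and the connection table are assumptions of the example.

```python
"""Ident replies with HMAC tokens instead of usernames, plus the operator-side
reverse lookup. Added example; key, table and dates are constructed."""
import hashlib
import hmac
from datetime import date, timedelta

CRLF = "\r\n"


def make_token(key: bytes, username: str, day: date) -> str:
    """Per-user, per-day HMAC-SHA256 token, truncated to 16 hex characters.
    Without `key` the token reveals nothing about the username and cannot be
    correlated across days; 64 bits (assumption) is plenty to avoid collisions
    among the accounts of one host."""
    msg = f"{day.isoformat()}|{username}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def ident_reply(key: bytes, sport: int, cport: int, table: dict,
                day: date) -> str:
    """Build the reply for (sport, cport) with a token in place of the
    username. RFC 1413 reserves the OTHER opsys value for identifiers that
    are not real user IDs, which is what this is."""
    user = table.get((sport, cport))
    if user is None:
        return f"{sport}, {cport} : ERROR : NO-USER{CRLF}"
    token = make_token(key, user, day)
    return f"{sport}, {cport} : USERID : OTHER : {token}{CRLF}"


def resolve_token(key: bytes, token: str, accounts, reported_on: date,
                  window_days: int = 1) -> list:
    """Operator side: given a token quoted in an abuse report, recompute the
    tokens of every local account for each day in the reporting window and
    return the (username, day) pairs that match. compare_digest keeps the
    comparison constant-time so the lookup itself leaks nothing."""
    matches = []
    for delta in range(window_days + 1):
        day = reported_on - timedelta(days=delta)
        for user in accounts:
            if hmac.compare_digest(make_token(key, user, day), token):
                matches.append((user, day))
    return matches


if __name__ == "__main__":
    # Constructed demo data: a 32-byte key, one known connection, two accounts.
    key = bytes(range(32))
    table = {(6191, 23): "stjohns"}
    today = date(2025, 1, 2)
    reply = ident_reply(key, 6191, 23, table, today)
    print(reply.strip())
    token = reply.strip().rsplit(" : ", 1)[1]
    print(resolve_token(key, token, ["alice", "stjohns"], today))
```

The key must stay on the ident host and be rotated on a schedule the operator can still reverse for the abuse window; a remote service that receives these tokens can ban or rate-limit a single token for a day, which is all it needs, without ever learning a local username.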

Uses


Ident is important on IRC as a large number of people connect to IRC from a server shared by multiple users, often using a bouncer. Without Ident, there would be no way to ban a single user without banning the entire host. The server administrator may also use this information to identify the abusive user.

On most IRC networks, when the server fails to get an Ident response, it falls back to the username given by the client but marks it as "not verified", usually by prefixing it with a tilde, e.g. ~josh. Some IRC servers go as far as blocking clients without an Ident response,[2] the main reason being that it makes it much harder to connect via an "open proxy" or from a system on which the attacker has compromised a single unprivileged account but does not have root (on traditional Unix-like systems only root can listen on ports below 1024, so an unprivileged user cannot run their own identd on port 113; note that modern systems can delegate this, for example through the Linux CAP_NET_BIND_SERVICE capability).

However, Ident provides no additional authentication when the user is connecting directly from their personal computer, on which they have enough privileges to control the Ident daemon as well.[1]

References

  1. St. Johns, Michael (February 1993). Identification Protocol. IETF. doi:10.17487/RFC1413. RFC 1413. Retrieved 1 April 2013.
  2. "News für IRCNet-Nutzer bei T-Online" [News for IRCnet users at T-Online]. German IRCnet opers. Retrieved 26 December 2011.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Ident_protocol&oldid=1274836359"