S/Ident

Warning

This package is obsolete. The S/Ident protocol has inherent security flaws, making it subject to man-in-the-middle attacks, which are increasingly easy to perform given the growth of wireless networks. Stanford has stopped using it. While it has some advantages for services requiring only very light authentication, the risks are not worth the benefit. No further releases of this software will be made.

Description

This is an implementation of the S/Ident protocol proposed by Robert Morgan. It is based on the RFC 1413 identification protocol, with the addition of strong authentication of the identity information using SASL. The only implemented SASL methods are Kerberos v4 and GSS-API-based Kerberos v5.

S/Ident is inherently vulnerable to an active man-in-the-middle attack because the authentication is decoupled from the network connection it vouches for: the responder identifies the owner of a connection by its endpoint addresses and ports, not by anything bound to the data flowing over it. There is, unfortunately, no way to fix this within an out-of-band authentication system. If an attacker can interpose themselves into a network connection initiated by a victim, impersonate that victim, and selectively control which of the victim's packets reach a server using S/Ident, the attacker can make use of the victim's authentication credentials. The attacker cannot initiate the session, only hijack one that the victim has already opened and authenticated.
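To make the decoupling concrete, here is a Python model of the RFC 1413 exchange the responder answers and of the hijack just described. It is an added example, not code from S/Ident, pidentd, or libident, and it leaves out the SASL layer, because the weakness lies in what the answer is bound to rather than in how it is signed. The host names, ports, user name, and the in-memory connection table that stands in for the kernel's socket table are all constructed for the demo.

```python
"""
Wire format of RFC 1413 ident (the protocol S/Ident extends) and a model
of the session hijack described above.

Added example, not code from S/Ident, pidentd, or libident.  The request
and response grammar is RFC 1413's; the S/Ident SASL exchange is omitted.
Host names, ports, the user name and the in-memory connection table are
constructed for the demo.
"""
import re

# Constructed stand-in for the kernel socket table a real responder must
# walk: (local_port, remote_host, remote_port) -> owning user.
VICTIM_CONNECTIONS = {
    (6191, "server.example.org", 23): "stjohns",
}

REQUEST_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")
RESPONSE_RE = re.compile(
    r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*)$")


def format_query(port_on_responder, port_on_querier):
    """RFC 1413 request: '<port-on-server> , <port-on-client>' CRLF, where
    'server' means the host running the responder."""
    return f"{port_on_responder} , {port_on_querier}\r\n"


def respond(line, connections, querying_host, opsys="UNIX"):
    """Answer one query line that arrived from querying_host, looking the
    port pair up in the connection table instead of the kernel."""
    m = REQUEST_RE.match(line.rstrip("\r\n"))
    if not m:
        # Unparseable request: the ports are unknown, so report zeros.
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    local_port, remote_port = int(m.group(1)), int(m.group(2))
    if not (1 <= local_port <= 65535 and 1 <= remote_port <= 65535):
        return f"{local_port} , {remote_port} : ERROR : INVALID-PORT\r\n"
    owner = connections.get((local_port, querying_host, remote_port))
    if owner is None:
        return f"{local_port} , {remote_port} : ERROR : NO-USER\r\n"
    return f"{local_port} , {remote_port} : USERID : {opsys} : {owner}\r\n"


def parse_response(line):
    """Split a response into ((port_on_responder, port_on_querier), kind,
    payload); payload is '<opsys> : <user>' for USERID or the error type."""
    m = RESPONSE_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"malformed ident response: {line!r}")
    return (int(m.group(1)), int(m.group(2))), m.group(3), m.group(4).strip()


class IdentTrustingServer:
    """A server that accepts what the responder on the peer's address says
    about a connection.  S/Ident adds SASL so that answer cannot be forged,
    but the answer still vouches for an (address, port) pair, so the
    session table is keyed the same way here."""

    def __init__(self, host, port, responders):
        self.host, self.port = host, port
        self.responders = responders   # peer host -> its connection table
        self.sessions = {}             # (peer_host, peer_port) -> user

    def accept(self, peer_host, peer_port):
        reply = respond(format_query(peer_port, self.port),
                        self.responders[peer_host], self.host)
        _, kind, payload = parse_response(reply)
        if kind == "USERID":
            self.sessions[(peer_host, peer_port)] = payload.split(":", 1)[1].strip()
        return kind

    def handle(self, peer_host, peer_port, data):
        """Attribute data on an authenticated stream to its recorded user,
        whoever actually put the bytes on the wire."""
        return self.sessions[(peer_host, peer_port)], data


def hijack_demo():
    """The attack from the text: an on-path attacker relays the victim's
    connection unchanged until the responder has vouched for it, then
    drops the victim's packets and injects its own on the same port pair."""
    server = IdentTrustingServer("server.example.org", 23,
                                 {"victim.example.org": VICTIM_CONNECTIONS})
    assert server.accept("victim.example.org", 6191) == "USERID"
    user, _ = server.handle("victim.example.org", 6191,
                            b"attacker-injected command\r\n")
    return user   # "stjohns": the victim is blamed for the attacker's bytes
```

The point the model makes is that `accept` binds the responder's answer to the (address, port) pair of the connection, and `handle` then attributes every later byte on that pair to the user named in the answer; SASL can stop an attacker from forging the answer, but it does not change what the answer is about. Turning `respond` into a real RFC 1413 daemon means replacing the dictionary lookup with the kernel walk described under Requirements.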

Because of this, while we used to use S/Ident widely at Stanford University as a way of getting single sign-on authentication even for protocols where it's difficult to do Kerberos authentication over the normal protocol, Stanford has now phased out use of it entirely. It may still be useful for situations requiring only light authentication (such as verifying community membership to return slightly more restricted directory information), but significant caveats apply.

This package is frozen; there will be no further releases.

This package contains query libraries for servers and the UNIX responder daemon. We had Windows and Mac OS responders available as well, but I don't know where the source is nor do I have the binaries. Note that the Mac and PC responders had even more serious security holes since they didn't do the verification that the Unix responder does.

The S/Ident code was originally written by Booker Bense, based on the pidentd/libident code from Peter Eriksson and the SASL code from Cyrus imapd 1.4. I added support for GSS-API-based Kerberos v5 authentication (the original code only supported Kerberos v4), worked on the build system and distribution, and did various other bug fixes and maintenance tasks.

Requirements

S/Ident requires GSS-API libraries to compile. It has primarily been tested with MIT Kerberos v5, but it should also work with the Heimdal libraries. By default, it also requires Kerberos v4 libraries to compile, but it may optionally be built without Kerberos v4 support. The Kerberos v4 support has primarily been tested with the MIT Kerberos v4 compatibility libraries, but should also work with KTH Kerberos.

The responder daemon component has to search through the kernel to find which process owns an open network file descriptor, which means that the S/Ident responder generally must be compiled separately on every revision of an operating system. The kernel modules from pidentd are used, so the system must be one of the systems that pidentd supports.

As S/Ident is written in C, it obviously requires a C compiler. Since it reads the kernel, it requires a C compiler capable of building kernel code (on Solaris, this may mean that you need either the Sun commercial compiler or a fairly recent version of GCC with 64-bit support).

See README for more requirements, testing, and portability information.

Download

The distribution:

sident 3.6 (2006-02-08): tarball and PGP signature

An archive of older releases is also available.

Debian packages were available from Debian in the Debian 3.1 (sarge) and Debian 4.0 (etch) releases, but have been removed from Debian 5.0 (lenny) and later due to their very limited audience. sidentd is the responder, libsident0 and libsident0-dev are the requester library, and libnet-sident-perl contains the Perl bindings for the library.

S/Ident is maintained using the Git version control system. To check out the current development tree, clone:

    git://git.eyrie.org/kerberos/sident.git

You can also browse the current development source.

Documentation

License

Copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006 The Board of Trustees of the Leland Stanford Junior University. This software is distributed under a BSD-style license. Please see the section LICENSE in README for the complete terms of use and redistribution.

Portions based on source from Peter Eriksson contained in the libident library, released into the public domain.

Portions based on code copyright (c) 1994-2000 Carnegie Mellon University. This product includes software developed by Computing Services at Carnegie Mellon University (http://www.cmu.edu/computing/).

Last modified and spun 2014-08-10