Identification vs. Authentication

The ident protocol was designed for identification, not authentication. Please don’t use it for access control.

The primary purpose of the ident protocol is to serve as an auditing and abuse prevention mechanism. For example, many IRC servers act as ident clients, querying and publicly displaying users’ ident replies. This allows providers of IRC bouncers, shell accounts and other services to identify users abusing their systems, and it allows channel operators and network staff to remove certain users without excluding an entire remote host or network.

Ident queries and replies are sent in cleartext with no integrity protection, so they can easily be intercepted and modified by an attacker. Compromised and malicious hosts can also spoof arbitrary ident replies, since the reply is whatever the remote host chooses to send. For these reasons, the ident protocol is not suitable for authentication or access control.
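As an added example (not code from the original article), here is a client-side parser for the RFC 1413 query/reply exchange in Python, with constructed sample messages. It checks the reply is well-formed and echoes the queried port pair, then turns it into a user@host tag suitable for logs and abuse bans only; the function names, the `?` prefix for missing replies and the sample addresses are assumptions of this example.

```python
import re
from typing import Optional

# RFC 1413 wire format, CRLF-terminated. The query carries a port pair and the
# reply echoes it. These sample messages are constructed for this example.
SAMPLE_QUERY = "6191, 23\r\n"
SAMPLE_REPLY_OK = "6191, 23 : USERID : UNIX : alice\r\n"
SAMPLE_REPLY_ERR = "6191, 23 : ERROR : HIDDEN-USER\r\n"

_REPLY_RE = re.compile(
    r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$"
)


def build_query(port_on_queried_host: int, port_on_our_host: int) -> str:
    """Client side: ask the remote ident server who owns the given connection."""
    return f"{port_on_queried_host}, {port_on_our_host}\r\n"


def parse_reply(query: str, reply: str) -> dict:
    """Parse one ident reply against the query it answers.

    Returns {"status": "USERID", "opsys": ..., "userid": ...} or
    {"status": "ERROR", "error": ...}. Raises ValueError for a malformed
    reply or one whose port pair does not match the query.
    """
    q_ports = tuple(int(p) for p in query.strip().split(","))
    m = _REPLY_RE.match(reply.rstrip("\r\n"))
    if m is None:
        raise ValueError("malformed ident reply")
    if (int(m.group(1)), int(m.group(2))) != q_ports:
        raise ValueError("ident reply port pair does not match query")
    if m.group(3) == "ERROR":
        return {"status": "ERROR", "error": m.group(4)}
    # USERID : <opsys> [, <charset>] : <user-id>; the user-id may itself
    # contain colons, so split only on the first one.
    opsys, _, userid = m.group(4).partition(":")
    opsys = opsys.split(",")[0].strip()  # drop the optional charset
    return {"status": "USERID", "opsys": opsys, "userid": userid.strip()}


def audit_tag(peer_ip: str, reply: Optional[dict]) -> str:
    """Build a user@host tag for audit logs and per-user bans.

    The user part is whatever the remote host chose to send: it tells that
    host's users apart, but proves nothing, so it must never grant access.
    A missing or ERROR reply becomes '?' (an assumed convention) so the tag
    still identifies the host."""
    if reply is not None and reply["status"] == "USERID":
        return f"{reply['userid']}@{peer_ip}"
    return f"?@{peer_ip}"
```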

In summary, you may want to use ident to:

  • help identify the user responsible for a particular connection
  • prevent certain users from using or accessing a service

However, please do not use ident to:

  • authenticate users, such as using it as a replacement for password or certificate authentication
  • control users’ access or grant permissions based on ident replies