topic Re: Identd Daemon Issue in Operating System - HP-UX

Identd Daemon Issue

shameemsoft — Wed, 16 Dec 2009 08:17:05 GMT

Dear Gents,

Identd daemon needs to be disabled in our environment.

We have metro cluster in our environment. As per my understanding, identd daemon used by service guard.

Is there any alternative solution available instead of using identd daemon?

Thanks in Advance

Re: Identd Daemon Issue

Johnson Punniyalingam — Wed, 16 Dec 2009 08:31:30 GMT

Serviceguard requires the identd daemon to be
running for authentication purposes.

Re: Identd Daemon Issue

shameemsoft — Wed, 16 Dec 2009 08:33:23 GMT

Thanks Johnson.

Is there any alternate solution available?

Re: Identd Daemon Issue

Johnson Punniyalingam — Wed, 16 Dec 2009 08:34:37 GMT

The "Securing Serviceguard" document at http://docs.hp.com/en/5874/securingserviceguard_nov2005.pdf
states this on page 7:

4.4. Is identd a security threat?
Security experts sometimes recommend that identd be disabled, because it gives out information about users on that computer. The information given out is "login name" (as recorded in /etc/passwd, or whatever local technology is replacing /etc/passwd). If two login names share the same UID, the name reported is usually, but not always the first one in /etc/passwd. Given the nature of the trust required inside the firewall, the Serviceguard development team sees no compromise to security by enabling identd to identify users who hold TCP connections to other computers.

Serviceguard does not require the external firewall to pass any identd traffic, either incoming or outgoing. For sites which do not wish to expose to the external internet the limited information which identd provides, we recommend blocking, at the external firewall, all incoming packets destined for auth on any protected node (port 113).

4.5. Stronger alternatives to identd
Stronger authentication mechanisms than identd exist, based on credentials
which must be configured and, depending on the level of security required,
themselves certified by contact with a trusted third party. Such measures
require significant administrative load at configuration and maintenance time.
Serviceguard has selected the use of identd as more appropriate for our
customers. Serviceguard is evaluating the future potential to supply an
option to use stronger security for those customers who seek to use
Serviceguard in a more hostile context.

--- end quote ---

So, the threat level is related to the safety of the network on which the cluster is placed. HP does not recommend disabling Serviceguards' dependency on identd. However the administator has the choice

Re: Identd Daemon Issue

Sameer_Nirmal — Wed, 16 Dec 2009 08:45:52 GMT

Per the guide http://docs.hp.com/en/B3936-90143/B3936-90143.pdf on page 252

Disabling identd :
Ignore this section unless you have a particular need to disable identd.
You can configure Serviceguard not to use identd.
CAUTION: This is not recommended. Disabling identd removes an important security
layer from Serviceguard. See the white paper Securing Serviceguard at
http://docs.hp.com -> High Availability -> Serviceguard -> White
Papers for more information.
If you must disable identd, you can do so by adding the -i option to the tcp
hacl-cfg and hacl-probe commands in /etc/inetd.conf.
For example:
1. Change the cmclconfd entry in /etc/inetd.conf to:
hacl-cfg stream tcp nowait root /usr/lbin/cmclconfd cmclconfd -c -i
2. Change the cmomd entry in /etc/inetd.conf to (all on one line):

hacl-probe stream tcp nowait root /opt/cmom/lbin/cmomd /opt/cmom/lbin/cmomd -i -f
/var/opt/cmom/cmomd.log -r /var/opt/cmom
3. Restart inetd:
/etc/init.d/inetd restart

Re: Identd Daemon Issue

shameemsoft — Wed, 16 Dec 2009 11:44:03 GMT

Thanks a lot for your response.