
Identd Daemon Issue

 
shameemsoft
Frequent Advisor

Identd Daemon Issue

Dear Gents,

Identd daemon needs to be disabled in our environment.

We have a metro cluster in our environment. As per my understanding, the identd daemon is used by Serviceguard.

Is there any alternative solution available instead of using identd daemon?

Thanks in Advance
Johnson Punniyalingam
Honored Contributor
Solution

Re: Identd Daemon Issue

Serviceguard requires the identd daemon to be running for authentication purposes.

Problems are common to all, but attitude makes the difference
shameemsoft
Frequent Advisor

Re: Identd Daemon Issue

Thanks Johnson.

Is there any alternate solution available?
Johnson Punniyalingam
Honored Contributor

Re: Identd Daemon Issue

The "Securing Serviceguard" document at http://docs.hp.com/en/5874/securingserviceguard_nov2005.pdf
states this on page 7:

4.4. Is identd a security threat?
Security experts sometimes recommend that identd be disabled, because it gives out information about users on that computer. The information given out is "login name" (as recorded in /etc/passwd, or whatever local technology is replacing /etc/passwd). If two login names share the same UID, the name reported is usually, but not always the first one in /etc/passwd. Given the nature of the trust required inside the firewall, the Serviceguard development team sees no compromise to security by enabling identd to identify users who hold TCP connections to other computers.

Serviceguard does not require the external firewall to pass any identd traffic, either incoming or outgoing. For sites which do not wish to expose to the external internet the limited information which identd provides, we recommend blocking, at the external firewall, all incoming packets destined for auth on any protected node (port 113).

4.5. Stronger alternatives to identd
Stronger authentication mechanisms than identd exist, based on credentials
which must be configured and, depending on the level of security required,
themselves certified by contact with a trusted third party. Such measures
require significant administrative load at configuration and maintenance time.
Serviceguard has selected the use of identd as more appropriate for our
customers. Serviceguard is evaluating the future potential to supply an
option to use stronger security for those customers who seek to use
Serviceguard in a more hostile context.

--- end quote ---

So, the threat level is related to the safety of the network on which the cluster is placed. HP does not recommend disabling Serviceguard's dependency on identd. However, the administrator has the choice.
Problems are common to all, but attitude makes the difference
Sameer_Nirmal
Honored Contributor

Re: Identd Daemon Issue

Per the guide http://docs.hp.com/en/B3936-90143/B3936-90143.pdf on page 252

Disabling identd :
Ignore this section unless you have a particular need to disable identd.
You can configure Serviceguard not to use identd.
CAUTION: This is not recommended. Disabling identd removes an important security
layer from Serviceguard. See the white paper Securing Serviceguard at
http://docs.hp.com -> High Availability -> Serviceguard -> White
Papers for more information.
If you must disable identd, you can do so by adding the -i option to the tcp
hacl-cfg and hacl-probe commands in /etc/inetd.conf.
For example:
1. Change the cmclconfd entry in /etc/inetd.conf to:
hacl-cfg stream tcp nowait root /usr/lbin/cmclconfd cmclconfd -c -i
2. Change the cmomd entry in /etc/inetd.conf to (all on one line):
hacl-probe stream tcp nowait root /opt/cmom/lbin/cmomd /opt/cmom/lbin/cmomd -i -f /var/opt/cmom/cmomd.log -r /var/opt/cmom
3. Restart inetd:
/etc/init.d/inetd restart
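
An audit check for the /etc/inetd.conf change described in the post above, as an added example that is not part of the thread or of HP's guide: it reports whether the tcp hacl-cfg and hacl-probe entries carry -i and whether an auth (identd) entry is still enabled. The function name check_sg_identd, the sample file and the identd path in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the Serviceguard entries in an inetd.conf-format file.

# check_sg_identd FILE  (hypothetical helper name)
# Prints one "<service> <state>" line each for hacl-cfg, hacl-probe and auth.
check_sg_identd() {
    awk '
        $1 ~ /^#/ || NF < 6 { next }   # commented-out or incomplete entry
        # Fields: service, socket type, protocol, wait flag, user, program,
        # then argv[0] and its options. The guide adds -i to the tcp entries.
        ($1 == "hacl-cfg" || $1 == "hacl-probe") && $2 == "stream" && $3 ~ /^tcp/ {
            state = "identd-required"
            for (i = 8; i <= NF; i++)
                if ($i == "-i") state = "identd-disabled"
            seen[$1] = state
        }
        $1 == "auth" { seen["auth"] = "enabled" }   # identd itself (port 113)
        END {
            n = split("hacl-cfg hacl-probe auth", svc, " ")
            for (k = 1; k <= n; k++)
                print svc[k], ((svc[k] in seen) ? seen[svc[k]] : "absent")
        }
    ' "$1"
}

# Constructed sample in inetd.conf layout (not copied from a real system).
# The commented-out hacl-probe line and the udp hacl-cfg line must be ignored.
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth       stream tcp6 wait   bin  /usr/lbin/identd identd
hacl-cfg   dgram  udp  wait   root /usr/lbin/cmclconfd cmclconfd -p
hacl-cfg   stream tcp  nowait root /usr/lbin/cmclconfd cmclconfd -c -i
#hacl-probe stream tcp nowait root /opt/cmom/lbin/cmomd /opt/cmom/lbin/cmomd -i -f /var/opt/cmom/cmomd.log -r /var/opt/cmom
hacl-probe stream tcp  nowait root /opt/cmom/lbin/cmomd /opt/cmom/lbin/cmomd -f /var/opt/cmom/cmomd.log -r /var/opt/cmom
EOF
check_sg_identd "$sample"
rm -f "$sample"
```

On the sample, hacl-cfg is reported as identd-disabled while hacl-probe is still identd-required, the half-applied state that results when only step 1 of the procedure was carried out.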
shameemsoft
Frequent Advisor

Re: Identd Daemon Issue

Thanks a lot for your response.