The ident protocol was designed for identification, not authentication. Please don’t use it for access control.
The primary purpose of the ident protocol is to serve as an auditing and abuse prevention mechanism. For example, many IRC servers act as ident clients, querying and publicly displaying users’ ident replies. This allows providers of IRC bouncers, shell accounts and other services to identify users abusing their systems, and channel operators and network staff to remove individual users without excluding their entire host or network.
Ident queries and replies are sent as plain text, with no encryption or authentication, and can easily be intercepted or modified by an attacker. Compromised or malicious hosts can send arbitrary ident replies. For these reasons, the ident protocol is not suitable for authentication or access control.
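As an added example (not code from the original page), here is the RFC 1413 exchange on the querying side in Python, written the way an auditing consumer such as an IRC server should treat it: the reply must echo the port pair that was asked about, control characters are stripped before the value reaches a log, and a missing reply is labelled rather than trusted. The function names are my own.

```python
import re

# Reply grammar from RFC 1413, for example:
#   "6191, 23 : USERID : UNIX : stjohns"
#   "6191, 23 : ERROR : NO-USER"
_REPLY_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*)$")

def build_ident_query(server_port: int, client_port: int) -> bytes:
    """Query line sent to TCP port 113 on the connecting host."""
    return f"{server_port}, {client_port}\r\n".encode("ascii")

def parse_ident_reply(raw: bytes, server_port: int, client_port: int) -> dict:
    """Turn one ident reply into an audit record (hypothetical helper).

    Every byte of the reply was chosen by the remote host, so the result is
    only a label for logs and abuse reports, never an authentication decision.
    """
    # Only the first line counts; anything after CRLF is ignored rather than
    # being allowed to masquerade as a second log entry.
    line = raw.decode("ascii", errors="replace").split("\n", 1)[0].rstrip("\r")
    m = _REPLY_RE.match(line)
    if not m:
        return {"status": "MALFORMED", "raw": line[:200]}
    sport, cport, kind, rest = m.groups()
    # The reply must echo the port pair we asked about; a different pair is a
    # stale or spoofed answer and is not attributed to this connection.
    if (int(sport), int(cport)) != (server_port, client_port):
        return {"status": "MISMATCH", "raw": line[:200]}
    if kind == "ERROR":
        return {"status": "ERROR", "error": rest.strip()}
    # USERID : <opsys>[ , <charset> ] : <user-id>; the user-id may itself
    # contain ':', so split only on the first one.
    opsys_field, sep, user = rest.partition(":")
    if not sep:
        return {"status": "MALFORMED", "raw": line[:200]}
    opsys, _, charset = (s.strip() for s in opsys_field.partition(","))
    # RFC 1413 forbids control characters in the user-id and caps it at 512
    # octets; enforce both so a hostile reply cannot corrupt the log.
    user = "".join(ch for ch in user.strip() if ch.isprintable())[:512]
    return {"status": "USERID", "opsys": opsys, "charset": charset, "user": user}

def ident_label(record: dict, fallback: str) -> str:
    """Log label: a '~' prefix, as many IRC servers show it, marks a connection
    with no usable ident reply so operators can tell the two apart."""
    return record["user"] if record["status"] == "USERID" else "~" + fallback
```

Even a well-formed USERID record only says what the remote host chose to answer; it identifies a connection for audit trails and abuse handling, which is exactly the use the protocol was designed for.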
You may want to use ident to:
- help identify the user responsible for a particular connection
- prevent certain users from using or accessing a service
However, please do not use ident to:
- authenticate users over the Internet, such as a replacement for password, certificate, or two-factor authentication
- control users’ access or grant permissions based on ident replies