NAME
identd - TCP/IP IDENT protocol server
SYNOPSIS
identd [options]
DESCRIPTION
identd is a server which implements the TCP/IP proposed standard IDENT user identification protocol as specified in RFC 1413.
identd operates by looking up specific TCP/IP connections and returning the user name of the process owning the connection. It can optionally return other information instead of a user name.
OPTIONS
- -h
- Display the available command line options.
- -V
- Display the version and the OS version it was compiled for, and then
exit.
- -d
- Enables extra debugging messages.
- -C<file>
- Directs identd to parse additional configuration options from the
file specified.
- -i
- May be used when starting the daemon by inetd with the
"nowait" option (see below).
- -w
- May be used when starting the daemon by inetd with the
"wait" option (see below).
- -I
- May be used when the daemon is started by init (see below).
- -b
- May be used to make the daemon run in standalone mode (see
below).
- -u<user>
- Used to specify a user number or name which the server should switch to
after binding itself to the TCP/IP port and opening the
kernel devices.
- -g<group>
- Used to specify a group number or name which the server should switch to
after binding itself to the TCP/IP port and opening the
kernel devices.
- -p<port>
- Used to specify an alternative TCP port to bind to, if running as a
standalone daemon or started by init. Can be specified by name or by
number. Defaults to the IDENT port (113).
- -t<limit>
- Used to specify the request timeout limit. This is the maximum number of
seconds a server will allow a client connection to be active before
terminating it. It defaults to 120 seconds.
- -P<pidfile>
- Specify the location of a file to store the process number of the Identd
daemon.
- -K<nthreads>
- Control the number of threads to use for kernel lookups.
- -L<facility>
- Set the syslog facility to use instead of 'daemon'.
- -o
- Directs identd to return OTHER instead of UNIX as the
"operating system".
- -E
- Enables DES encryption of the returned data (see below for more
information).
- -n
- Directs identd to always return user numbers instead of user names
(for example if you wish to keep the user names a secret).
- -N
- Directs identd to check for a file ".noident" in each
home directory for the user which the daemon is about to return the user
name for. If that file exists then the daemon will give the error
HIDDEN-USER instead of the normal USERID response.
- -e
- Enables certain non-standard protocol extensions. Currently defined
extensions include the requests VERSION to return the Ident daemon
version and QUIT to terminate a session (useful in conjunction with
the -m option).
- -m
- Enables identd to use a mode of operation that will allow multiple
requests to be processed per session. Each request is specified one per
line and the responses will be returned one per line. The connection will
not be closed until the connecting party closes its end of the line.
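The reply lines identd produces follow the RFC 1413 grammar, and the options above change what the user-id field discloses: a login name by default, a uid with -n, an opaque token with -E, or a HIDDEN-USER error with -N. The following parser is an added example written for this page, not part of identd or its tools; the regular expressions, the `exposure` classes and the sample session transcript are constructed here. It parses one reply per line, as a -m multiquery session would deliver them, and classifies how much each reply reveals about the local user, which is the check an administrator wants when verifying that a server really runs with -n or -E.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 1413 reply grammar (regexes written for this example):
#   <server-port>, <client-port> : USERID : <opsys> [, <charset>] : <user-id>
#   <server-port>, <client-port> : ERROR : <error-type>
_USERID_RE = re.compile(
    r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*USERID\s*:\s*([^:,]+?)\s*(?:,\s*([^:]+?)\s*)?:\s*(.*?)\s*$"
)
_ERROR_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*ERROR\s*:\s*(\S+)\s*$")
# Shape of an identd -E token: 32 Base64 characters (24 bytes of DES
# output) enclosed in square brackets, as described under ENCRYPTION.
_TOKEN_RE = re.compile(r"^\[([A-Za-z0-9+/]{32})\]$")

# Error types defined by RFC 1413; servers may add X-prefixed private ones.
RFC_ERRORS = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}


@dataclass
class IdentReply:
    server_port: int
    client_port: int
    kind: str                     # "USERID" or "ERROR"
    opsys: Optional[str] = None   # e.g. "UNIX", or "OTHER" with -o
    charset: Optional[str] = None
    user: Optional[str] = None
    error: Optional[str] = None


def _port(text: str) -> int:
    port = int(text)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_reply(line: str) -> IdentReply:
    """Parse one reply line (CRLF already stripped) into an IdentReply."""
    m = _USERID_RE.match(line)
    if m:
        sport, cport, opsys, charset, user = m.groups()
        return IdentReply(_port(sport), _port(cport), "USERID",
                          opsys=opsys, charset=charset, user=user)
    m = _ERROR_RE.match(line)
    if m:
        sport, cport, error = m.groups()
        if error not in RFC_ERRORS and not error.startswith("X"):
            raise ValueError(f"unknown error type: {error}")
        return IdentReply(_port(sport), _port(cport), "ERROR", error=error)
    raise ValueError(f"malformed ident reply: {line!r}")


def exposure(reply: IdentReply) -> str:
    """Classify what a reply discloses about the local user.

    'username' : a login name in the clear (default identd behaviour)
    'uid'      : only a numeric uid (-n / result:uid-only)
    'token'    : an opaque encrypted token (-E / result:encrypt)
    'hidden'   : the user opted out with ~/.noident (-N / result:noident)
    'error'    : any other ERROR reply
    """
    if reply.kind == "ERROR":
        return "hidden" if reply.error == "HIDDEN-USER" else "error"
    if _TOKEN_RE.match(reply.user):
        return "token"
    if reply.user.isdigit():
        return "uid"
    return "username"


# Constructed transcript of a -m (multiquery) session: one reply per line.
SAMPLE_SESSION = """\
6193, 23 : USERID : UNIX : stjohns
6194, 23 : USERID : OTHER, US-ASCII : 1001
6195, 23 : USERID : UNIX : [QUJDREVGR0hJSktMTU5PUFFSU1RVVldY]
6196, 23 : ERROR : HIDDEN-USER
6197, 23 : ERROR : NO-USER
"""


def summarize(transcript: str) -> dict:
    """Count exposure classes over a session transcript."""
    counts: dict = {}
    for line in transcript.splitlines():
        if line.strip():
            cls = exposure(parse_reply(line))
            counts[cls] = counts.get(cls, 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_SESSION))
```

Running it over a real capture of your own server's replies (for example from the result:syslog-level log described below) shows at a glance whether any reply still carries a plaintext login name.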
INSTALLATION
The preferred way to start identd depends on how it was built.
If it was built with support for multithreading then it should be started either from init, as a standalone daemon, or from inetd using the "wait" mode (if your inetd supports it).
If it was built without support for multithreading then it should be started from inetd using the normal "nowait" mode for "stream tcp" services. (The main reason being that it will be single-threaded, so it will only serve one client connection at a time.)
identd normally autodetects how it was invoked, so there is normally no need to use the four command line switches (-i, -w, -I, -b).
ENCRYPTION
DES encryption is only available if the daemon was built with support for it enabled.
An encryption key (1024 bytes long) should be stored in the key file (/etc/identd.key) and it should be generated using a cryptographically safe random generator in order to be really safe. It must not contain any NUL (0x00) characters, since the key is used as a string when the real binary DES key is generated from it.
This file may contain multiple 1024 byte long keys, and the server will use the last key stored in that file.
The returned token will contain the local and remote IP addresses and TCP port numbers, the local user's uid number, a timestamp, a random number, and a checksum, all encrypted using DES. The encrypted binary information is then encoded as a BASE64 string (32 characters long) and enclosed in square brackets to produce a token that is transmitted to the remote client.
The encrypted token can later be decrypted by the idecrypt command. This program will attempt to decrypt a token with all the keys stored in the key file until it succeeds (or has tried all the keys).
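Two properties of the key file follow from the description above and are worth checking mechanically: every key is exactly 1024 NUL-free bytes, and the server encrypts with the last key while idecrypt can still use all earlier ones, so rotating a key means appending a new one rather than replacing the file. The helpers below are an added example for this page, not identd's or ikeygen's code; the permission check is ordinary good practice for a secret file and is not something the manual states.

```python
import os
import secrets
import stat
from pathlib import Path

KEY_LEN = 1024  # identd reads the key file as a sequence of 1024-byte keys


def generate_key(rng=secrets.token_bytes) -> bytes:
    """Draw 1024 bytes from a CSPRNG, never emitting a NUL byte.

    identd treats the key as a string when deriving the binary DES key,
    so NUL (0x00) is not allowed anywhere in it.
    """
    out = bytearray()
    while len(out) < KEY_LEN:
        out.extend(b for b in rng(KEY_LEN - len(out)) if b != 0)
    return bytes(out)


def split_keys(data: bytes) -> list:
    """Split key-file contents into whole keys, rejecting NULs and partial keys."""
    if not data:
        raise ValueError("key file is empty")
    if len(data) % KEY_LEN:
        raise ValueError(f"length {len(data)} is not a multiple of {KEY_LEN}")
    keys = [data[i:i + KEY_LEN] for i in range(0, len(data), KEY_LEN)]
    for n, key in enumerate(keys, 1):
        if b"\x00" in key:
            raise ValueError(f"key {n} contains NUL at offset {key.index(0)}")
    return keys


def server_key(data: bytes) -> bytes:
    """The key identd encrypts with: the LAST one in the file."""
    return split_keys(data)[-1]


def rotate(data: bytes, new_key: bytes) -> bytes:
    """Append a key: the server switches to it, idecrypt still has the old ones."""
    if len(new_key) != KEY_LEN or b"\x00" in new_key:
        raise ValueError("new key must be 1024 NUL-free bytes")
    split_keys(data)  # validate the existing contents before appending
    return data + new_key


def check_key_file(path: Path) -> list:
    """Return a list of problems found with an on-disk key file."""
    problems = []
    st = path.stat()
    # Assumption (not from the manual): the file is a secret, so nobody but
    # the owner should be able to read it.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {stat.filemode(st.st_mode)} grants group/other access")
    try:
        split_keys(path.read_bytes())
    except ValueError as exc:
        problems.append(f"{path}: {exc}")
    return problems


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        keyfile = Path(tmp) / "identd.key"   # scratch copy, not /etc/identd.key
        keyfile.write_bytes(generate_key())
        os.chmod(keyfile, 0o600)
        print(check_key_file(keyfile) or "key file OK")
```

Filtering NUL bytes out of the random stream costs roughly 1/256 of the draw and keeps the rest of the bytes uniformly distributed, which is what the "cryptographically safe random generator" requirement is about.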
CONFIGURATION FILE
The configuration file contains a list of option=value pairs.
- syslog:facility = FACILITY
- Set which facility to use when sending syslog messages. See
syslog.conf(5) for more information.
- server:user = USER
- Set what user (and group, from the passwd database) the daemon should run
as after it has opened all the kernel handles. (Default: nobody)
- server:group = GROUP
- Override the group id (as set by the server:user option).
- server:port = PORT
- Set what TCP/IP port the daemon should listen to. (Default: 113)
- server:backlog = LIMIT
- Set the size of the server listen() backlog limit.
- server:pid-file = PATH
- Set the path to the file where the server will store its process id.
- server:max-request = LIMIT
- Max number of concurrent requests allowed. Default is 0 (zero) which means
"no limit".
- protocol:extensions = ON/OFF
- Enable/disable the nonstandard protocol extensions (VERSION and
QUIT currently). Default: off
- protocol:multiquery = ON/OFF
- Enable/disable the multiple queries per connection feature. Default:
off
- protocol:timeout = SECONDS
- Max number of seconds since connection or last request. If set to 0
(zero), no timeout will be used. Default: 120 seconds.
- kernel:threads = LIMIT
- Max number of threads doing kernel lookups concurrently. Default: 8
- kernel:buffers = LIMIT
- Max number of queued kernel lookup requests. Default: 32
- kernel:attempts = LIMIT
- Max number of times to retry a kernel lookup in case of failure. Default:
5
- result:uid-only = YES/NO
- Disable uid->username lookups (only return uid numbers). Default:
no
- result:noident = ON/OFF
- Enable/disable checking for the ".noident" file in users' home
directories.
- result:charset = CHARSET
- Define the character set returned in replies. Default:
"US-ASCII"
- result:opsys = OPSYS
- Define the operating system returned in replies. Default:
"UNIX"
- result:syslog-level = LEVEL
- If set to anything other than "none", all requested replies will
be sent to the syslog service with the specified severity level. See
syslog.conf(5) for more information. Default: none
- result:encrypt = YES/NO
- Enable encryption of replies. Only available if Identd was built with a
DES encryption library.
- encrypt:key-file = PATH
- Path to the file containing the encryption keys.
- include = PATH
- Include (and parse) the contents of another configuration file.
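The option list above is easy to read but easy to misconfigure, and a few settings interact (result:encrypt needs encrypt:key-file; server:user is what makes the privilege drop happen). The following parser and lint is an added example written for this page, not identd's own configuration code. It assumes "option = value" lines and treats "#" as a comment character (an assumption; the manual does not describe comments), follows include directives through an in-memory map of files so it runs offline, and reports settings that weaken the protections the options are there to provide. The weak and hardened configurations are constructed for the example.

```python
import re
from typing import Dict, List, Mapping

# Assumed line syntax: "option = value"; blank lines and "#" comments are
# skipped (comment syntax is an assumption, not taken from the manual).
_LINE_RE = re.compile(r"^\s*([A-Za-z][\w:-]*)\s*=\s*(.*?)\s*$")


def parse_config(name: str, files: Mapping[str, str], seen=None) -> Dict[str, str]:
    """Parse option=value pairs, following 'include = PATH' directives.

    `files` maps a path to its text so the example never touches disk.
    Later assignments override earlier ones; include loops are rejected.
    """
    seen = set() if seen is None else seen
    if name in seen:
        raise ValueError(f"include loop at {name}")
    seen.add(name)
    options: Dict[str, str] = {}
    for lineno, raw in enumerate(files[name].splitlines(), 1):
        line = raw.split("#", 1)[0]
        if not line.strip():
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"{name}:{lineno}: expected option = value")
        key, value = m.group(1).lower(), m.group(2)
        if key == "include":
            options.update(parse_config(value, files, seen))
        else:
            options[key] = value
    return options


def lint(opts: Mapping[str, str]) -> List[str]:
    """Flag settings that weaken the protections the manual describes.

    Defaults used here are the ones stated in the manual: server:user nobody,
    protocol:timeout 120, server:max-request 0, result:encrypt no.
    """
    findings = []
    if opts.get("server:user", "nobody").lower() in ("root", "0"):
        findings.append("server:user is root: no privileges are dropped after the kernel handles are opened")
    if opts.get("protocol:timeout", "120") == "0":
        findings.append("protocol:timeout = 0: idle client connections are never closed")
    if opts.get("server:max-request", "0") == "0":
        findings.append("server:max-request = 0 (the default): no limit on concurrent requests")
    if opts.get("result:encrypt", "no").lower() in ("yes", "on") and "encrypt:key-file" not in opts:
        findings.append("result:encrypt is on but encrypt:key-file is not set")
    return findings


# Constructed example: a weak configuration ...
WEAK = {
    "/etc/identd.conf": """\
# constructed example, not a shipped default
server:user = root
protocol:timeout = 0
result:encrypt = yes
include = /etc/identd.d/local.conf
""",
    "/etc/identd.d/local.conf": "result:noident = on\n",
}

# ... and the corrected one it should become.
HARDENED = {
    "/etc/identd.conf": """\
server:user = nobody
server:max-request = 64
protocol:timeout = 120
result:uid-only = yes
result:noident = on
result:encrypt = yes
encrypt:key-file = /etc/identd.key
""",
}


if __name__ == "__main__":
    for label, files in (("weak", WEAK), ("hardened", HARDENED)):
        for finding in lint(parse_config("/etc/identd.conf", files)) or ["OK"]:
            print(f"{label}: {finding}")
```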
NOTES
The username (or UID) returned ought to be the login name. However it (probably, for most architecture implementations) is the "real user ID" as stored with the process. Thus the UID returned may be different from the login name for setuid programs (or those running as root) which have done a setuid(3) call, and their children. For example, it may (should?) be wrong for an incoming ftpd; and we are probably interested in the running shell, not the telnetd for an incoming telnet session. (But of course identd returns info for outgoing connections, not incoming ones.)
FILES
- /etc/identd.conf
- Contains the default configuration options for identd.
- /etc/identd.key
- If compiled with DES encryption enabled, the first 1024 bytes of
this file are used to specify the secret key for encrypting replies.
- /var/run/identd/identd.pid
- Contains (if enabled) the process number of the identd daemon.
AVAILABILITY
The daemon is free software. You can redistribute it and/or modify it as you
wish - as long as you don't claim that you wrote it.
The source code for the latest version of the daemon can always be FTP'd from
one of the following addresses:
- Main site:
- ftp://ftp.lysator.liu.se/pub/ident/servers/
- Mirror:
- ftp://ftp.uu.net/networking/ident/servers/
The author can be contacted at:
- Email:
- Peter Eriksson <pen@lysator.liu.se>
SEE ALSO
idecrypt(8), ikeygen(8), inetd.conf(5),