NAME¶
oidentd.conf - The oidentd configuration file.
DESCRIPTION¶
The
oidentd configuration file is used to specify the amount of control
users have over the responses
oidentd returns upon successful lookups
for connections owned by them.
The
$HOME/.oidentd.conf file allows a user to specify what ident response
will be returned for specific connections.
/etc/oidentd.conf SYNTAX¶
- USER DIRECTIVE
- The oidentd.conf file consists of 0 or more
user directives. The user directive is used to grant
capabilities on a per-user basis.
The user directive has the following syntax:
default {
< range directive>
}
OR
user <username> {
< range directive>
}
The default directive matches all users for whom rules are not
defined. There should only be one default directive, and it should
be the first statement in the file. All entries for users defined after
the default definition will inherit the capabilities of the default user.
Capabilities can then be allowed, denied, or forced on a per-user basis by
way of the user statement followed by the username of the user to
whom the properties that follow will apply.
- RANGE DIRECTIVE
- The body of a user directive consists of 1 or more
range directives.
The range directive is used to specify a host/port range for which a
set of capabilities is binding. A range directive consists of 1 or more
statements of the following form:
default {
<capability directive>
}
OR
to <host> lport <lport> from <host> fport <fport> {
<capability directive>
}
The default directive matches all host/port pairs for which rules are
not defined. There should only be one default directive, and it
should be the first statement in the block.
Anywhere from 1 to all 4 of the to, lport, from, and
fport parameters may be specified.
The to parameter is used to specify the address to which a connection
is made.
The from parameter is used to specify the address from which a
connection originates. It may be useful to specify this address when a
system has more than 1 IP address.
The to and from parameters take either an IP address or a
hostname argument.
The lport parameter is used to specify the local port from which a
connection originates.
The fport parameter is used to specify the destination port of a
connection.
The lport and fport parameters take either a port or a port
range. Ports can be specified numerically (e.g. 113) or by giving a
service name (e.g. "auth"). Ranges of ports take the form
<starting port>:<ending port>. The ending port is optional. If
the ending port is omitted, the range is taken to be any port greater than
or equal to the starting port.
The omission of any of the to, lport, from and
fport parameters acts like a wildcard for that parameter. For
example, the statement "from localhost" matches all connections
from localhost on any port to any host on any port.
- CAPABILITY DIRECTIVE
- The body of a range directive consists of one or
more capability directives.
Capabilities are used to assign or deny privileges to specific users. Valid
capabilities inside user directives are allow, deny,
andforce.
The capability directive consists of one or more statements of the form:
allow OR deny OR force <capability>.
The capability argument must be one of the capabilities described in the
capability section below.
The force action takes a third argument when the capability is reply.
For example, force reply "randomuser".
$HOME/.oidentd.conf SYNTAX¶
A user's .oidentd.conf configuration file may contain 0 or more of the following
statements:
global {
<capability>
}
OR
<range directive> {
<capability>
}
The
global directive acts as a wildcard, matching all connections, so if
used at all, the global directive should be the first entry in the file and
should be used only once. Use is permitted anywhere in the file and infinitely
many times, however it doesn't make much sense to use it in this manner.
The range directive has the same syntax and semantics as the range directive in
the
/etc/oidentd.conf file. See above for a description.
Valid capabilities are
reply,
random,
numeric,
random_numeric, and
hide. Descriptions can be found below.
CAPABILITIES¶
- spoof
- Allow spoofed ident responses; allow the user to specify a
string of her choosing as the ident reply. The only restriction on the
spoofed response is that it must not be the username of another user. When
a user spoofs her ident reply, the login name of the user is recorded
along with the forged reply.
This capability does not apply to the force action.
- spoof_all
- Allow the usernames of other users to be used as ident
responses.
This capability does not apply to the force action.
- spoof_privport
- Allow ident replies to be spoofed on privileged ports
(ports lower than 1024).
This capability does not apply to the force action.
- reply <string> [<string1> ...
<stringN>]
- Reply to successful ident lookups with the ident response
specified in <string>. If more than one string parameter is given,
one of the strings will be selected randomly.
In a user's $HOME/.oidentd.conf file, up to 20 strings may be
specified for a reply statement.
In the /etc/oidentd.conf file, there is no limitation on the number
of strings that may be specified.
The strings must be quoted strings (e.g. "string"). Strings may
contain the following escape characters:
- \n
- new line
- \t
- tab
- \r
- carriage return
- \b
- backspace
- \v
- vertical tab
- \f
- form feed
- \a
- alert (bell)
- \e
- escape
- \\
- backslash
- \NNN
- The character with the ASCII code NNN in the octal
base system.
- \xNNN
- The character with the ASCII code NNN in the
hexadecimal base system.
This capability only applies to the
force action.
- hide
- Hide the user; report a "HIDDEN-USER" error when
an ident lookup succeeds.
- random
- Reply to successful ident lookups with a randomly generated
ident response of consisting of alphanumeric characters.
- numeric
- Reply to successful ident lookups with the UID of the user
that was looked up.
- random_numeric
- Reply to successful with a randomly generated ident
response of the form userN, where N is a random number between 0 and
100000.
EXAMPLE /etc/oidentd.conf FILE¶
default {
default {
deny spoof
deny spoof_all
deny spoof_privport
allow random_numeric
allow numeric
allow hide
}
}
Grant all users the ability to generate random numeric ident replies, the
ability to generate numeric ident replies and the ability to hide their
identities on all ident queries. Explicitly deny the ability to spoof ident
responses.
user root {
default {
force reply "UNKNOWN"
}
}
Reply with "UNKNOWN" for all successful ident queries for root.
user ryan {
default {
allow spoof
allow spoof_all
allow random
allow hide
}
from 127.0.0.1 {
allow spoof_privport
}
}
Grant the user "ryan" the capability to spoof ident replies, including
the ability to use other usernames as ident replies, generate random replies
and hide his ident for all connections, and grant the user "ryan"
the capability to spoof ident replies to privileged ports (< 1024) on
connections originating from the host 127.0.0.1.
EXAMPLE $HOME/.oidentd.conf FILE¶
global {
reply "unknown"
}
Reply with "unknown" to all successful ident lookups.
to irc.example.org {
reply "example"
}
Reply with "example" to ident lookups for connections to
irc.example.org.
AUTHOR¶
Ryan McCabe <ryan@numb.org>
http://dev.ojnk.net
SEE ALSO¶
oidentd(8) oidentd_masq.conf(5)