448 lines
11 KiB
Groff
448 lines
11 KiB
Groff
.\" $NetBSD: identd.8,v 1.16 2003/03/15 23:48:30 wiz Exp $
|
|
.\"
|
|
.\" @(#)identd.8 1.9 92/02/11 Lysator
|
|
.\" Copyright (c) 1992 Peter Eriksson, Lysator, Linkoping University.
|
|
.\" This software has been released into the public domain.
|
|
.\"
|
|
.TH IDENTD 8 "27 May 1992"
|
|
.SH NAME
|
|
identd \- TCP/IP IDENT protocol server
|
|
.SH SYNOPSIS
|
|
.B identd
|
|
.RB [ \-i | \-w | \-b ]
|
|
.RB [ \-t\*[Lt]seconds\*[Gt] ]
|
|
.RB [ \-u\*[Lt]uid\*[Gt] ]
|
|
.RB [ \-g\*[Lt]gid\*[Gt] ]
|
|
.RB [ \-p\*[Lt]port\*[Gt] ]
|
|
.RB [ \-a\*[Lt]address\*[Gt] ]
|
|
.RB [ \-c\*[Lt]charset\*[Gt] ]
|
|
.\".RB [ \-C [ \*[Lt]keyfile\*[Gt] ]]
|
|
.RB [ \-o ]
|
|
.RB [ \-e ]
|
|
.RB [ \-l ]
|
|
.RB [ \-V ]
|
|
.RB [ \-m ]
|
|
.RB [ \-N ]
|
|
.RB [ \-d ]
|
|
.RB [ \-F\*[Lt]format\*[Gt] ]
|
|
.RB [ \-L\*[Lt]user name\*[Gt] ]
|
|
.RB [ "kernelfile" [ "kmemfile" ] ]
|
|
.SH DESCRIPTION
|
|
.IX "identd daemon" "" \fLidentd\fP daemon"
|
|
.B identd
|
|
is a server which implements the ill-conceived
|
|
.SM IDENT
|
|
protocol specified in
|
|
.SM RFC\s0 1413.
|
|
.PP
|
|
.B identd
|
|
operates by looking up specific
|
|
.SM TCP/IP
|
|
connections and returning information which may or may not be
|
|
associated with the process owning the connection.
|
|
.PP
|
|
The
|
|
.B identd
|
|
server provides little other than a false sense of security; however,
|
|
some legacy services require their clients to run ident servers.
|
|
.SH ARGUMENTS
|
|
The highly-recommended
|
|
.B \-L\*[Lt]user name\*[Gt]
|
|
option instructs
|
|
.B identd
|
|
to always return a fixed user identity in response to all requests,
|
|
resulting in both improved efficiency and increased user privacy (you didn't
|
|
.I really
|
|
intend to trust my assertion about who I was anyway, right?)
|
|
.PP
|
|
This flag provides a way for a site to support services requiring the ident
|
|
protocol while providing a standard answer to all ident queries.
|
|
All queries to identd will respond with a host type
|
|
of `OTHER' and a username of
|
|
.B \*[Lt]user name\*[Gt].
|
|
.PP
|
|
The
|
|
.B \-i
|
|
flag, enabled by default, should be used when starting the daemon from
|
|
.B inetd
|
|
with the "nowait" option in the
|
|
.B /etc/inetd.conf
|
|
file.
|
|
Use of this mode will make
|
|
.B inetd
|
|
start one
|
|
.B identd
|
|
daemon for each connection request.
|
|
.PP
|
|
The
|
|
.B \-w
|
|
flag should be used when starting the daemon from
|
|
.B inetd
|
|
with the "wait" option in the
|
|
.B /etc/inetd.conf
|
|
file.
|
|
This is the preferred mode of operation since that will start a copy of
|
|
.B identd
|
|
at the first connection request and then
|
|
.B identd
|
|
will handle subsequent requests without having to do the
|
|
nlist lookup in the kernel file for every request as in the
|
|
.B \-i
|
|
mode above.
|
|
The
|
|
.B identd
|
|
daemon will run either forever, until a bug
|
|
makes it crash or a timeout, as specified by the
|
|
.B \-t
|
|
flag, occurs.
|
|
.PP
|
|
The
|
|
.B \-b
|
|
flag can be used to make the daemon run in standalone
|
|
mode without the assistance from
|
|
.BR inetd.
|
|
This mode is the least preferred mode since
|
|
a bug or any other fatal condition in the server will make it terminate
|
|
and it will then have to be restarted manually.
|
|
Other than that it has the same advantage as the
|
|
.B \-w
|
|
mode in that it parses the nlist only once.
|
|
.PP
|
|
The
|
|
.B \-t\*[Lt]seconds\*[Gt]
|
|
option is used to specify the timeout limit.
|
|
This is the number of seconds a server started with the
|
|
.B \-w
|
|
flag will wait for new connections before terminating.
|
|
The server is automatically restarted by
|
|
.B inetd
|
|
whenever a new connection is requested if it has terminated.
|
|
A suitable value for this is 120 (2 minutes), if used.
|
|
It defaults to no timeout (i.e. will wait forever, or until a
|
|
fatal condition occurs in the server).
|
|
.PP
|
|
The
|
|
.B \-u\*[Lt]uid\*[Gt]
|
|
option is used to specify a user id number which the
|
|
.BR ident
|
|
server should switch to after binding itself to the
|
|
.SM TCP/IP
|
|
port if using the
|
|
.B \-b
|
|
mode of operation.
|
|
.PP
|
|
The
|
|
.B \-g\*[Lt]gid\*[Gt]
|
|
option is used to specify a group id number which the
|
|
.BR ident
|
|
server should switch to after binding itself to the
|
|
.SM TCP/IP
|
|
port if using the
|
|
.B \-b
|
|
mode of operation.
|
|
.PP
|
|
The
|
|
.B \-p\*[Lt]port\*[Gt]
|
|
option is used to specify an alternative port number
|
|
to bind to if using the
|
|
.B \-b
|
|
mode of operation.
|
|
It can be specified by name or by number.
|
|
Defaults to the
|
|
.SM IDENT
|
|
port (113).
|
|
.PP
|
|
The
|
|
.B \-a\*[Lt]address\*[Gt]
|
|
option is used to specify the local address to bind
|
|
the socket to if using the
|
|
.B \-b
|
|
mode of operation.
|
|
Can only be specified by IP address and not by domain name.
|
|
Defaults to the
|
|
.SM INADDR_ANY
|
|
address which normally means all local addresses.
|
|
.PP
|
|
The
|
|
.B \-V
|
|
flag makes
|
|
.B identd
|
|
display the version number and then exit.
|
|
.PP
|
|
The
|
|
.B \-l
|
|
flag tells
|
|
.B identd
|
|
to use the System logging daemon
|
|
.B syslogd
|
|
for logging purposes.
|
|
.PP
|
|
The
|
|
.B \-o
|
|
flag tells
|
|
.B identd
|
|
to not reveal the operating system type it is run on and to instead
|
|
always return "OTHER".
|
|
.PP
|
|
The
|
|
.B \-e
|
|
flag tells
|
|
.B identd
|
|
to always return "UNKNOWN-ERROR" instead of the "NO-USER" or
|
|
"INVALID-PORT" errors.
|
|
.PP
|
|
The
|
|
.B \-c\*[Lt]charset\*[Gt]
|
|
flags tells
|
|
.B identd
|
|
to add the optional (according to the IDENT protocol) character set
|
|
designator to the reply generated.
|
|
.I charset
|
|
should be a valid character set as described in the MIME RFC in upper
|
|
case characters.
|
|
.\".PP
|
|
.\"The
|
|
.\".BR \-C [ \*[Lt]keyfile\*[Gt] ]
|
|
.\"option tells
|
|
.\".B identd
|
|
.\"to return encrypted tokens instead of user names.
|
|
.\"The local and remote IP
|
|
.\"addresses and TCP port numbers, the local user's uid number, a timestamp,
|
|
.\"a random number, and a checksum, are all encrypted using DES
|
|
.\"with a secret key derived from the first line of the
|
|
.\".I keyfile
|
|
.\"(using
|
|
.\".BR des_string_to_key (3)).
|
|
.\"The encrypted binary information is then encoded in a base64 string
|
|
.\"(32 characters in length) and enclosed in square brackets to produce
|
|
.\"a token that is transmitted to the remote client.
|
|
.\"The encrypted token can later be decrypted by
|
|
.\".BR idecrypt (8).
|
|
.\"There may not be a space between the
|
|
.\".B \-C
|
|
.\"and the name of the
|
|
.\".IR keyfile .
|
|
.\"If the
|
|
.\".I keyfile
|
|
.\"is not specified, it defaults to
|
|
.\".BR /etc/identd.key .
|
|
.PP
|
|
The
|
|
.B \-n
|
|
flag tells
|
|
.B identd
|
|
to always return user numbers instead of user names if you wish to
|
|
keep the user names a secret.
|
|
The
|
|
.B \-N
|
|
flag makes
|
|
.B identd
|
|
check for a file ".noident" in each home directory for a user which the
|
|
daemon is about to return the user name for.
|
|
It that file exists then the daemon will give the error
|
|
.B HIDDEN-USER
|
|
instead of the normal USERID response.
|
|
.PP
|
|
.B \-m
|
|
flag makes
|
|
.B identd
|
|
use a mode of operation that will allow multiple requests to be
|
|
processed per session.
|
|
Each request is specified one per line and
|
|
the responses will be returned one per line.
|
|
The connection will not be closed until the connecting
|
|
part closes its end of the line.
|
|
PLEASE NOTE THAT THIS MODE VIOLATES THE PROTOCOL SPECIFICATION AS
|
|
IT CURRENTLY STANDS.
|
|
.PP
|
|
The
|
|
.B \-d
|
|
flag enables some debugging code that normally should NOT
|
|
be enabled since that breaks the protocol and may reveal information
|
|
that should not be available to outsiders.
|
|
.PP
|
|
The
|
|
.B \-F\*[Lt]format\*[Gt]
|
|
option makes
|
|
.B identd
|
|
use the specified format to display info.
|
|
The allowed format specifiers are:
|
|
.in +.5i
|
|
.nf
|
|
%u print user name
|
|
%U print user number
|
|
%g print (primary) group name
|
|
%G print (primary) group number
|
|
%l print list of all groups by name
|
|
%L print list of all groups by number
|
|
%p print process ID of running process
|
|
%c print command name
|
|
%C print command and arguments
|
|
.in -.5i
|
|
.fi
|
|
The lists of groups (%l, %L) are comma-separated, and start with the primary
|
|
group which is not repeated.
|
|
The %p and the %c and %C formats are not supported on all architecture
|
|
implementations (printing 0 or empty string instead).
|
|
.br
|
|
Any other characters (preceded by %, and those not preceded by it)
|
|
are printed literally.
|
|
The "default" format is %u, and you should not use
|
|
anything else without the
|
|
.B \-o
|
|
flag.
|
|
.br
|
|
Not implemented yet, but on my wish-list are the following:
|
|
.in +.5i
|
|
.nf
|
|
%w print working (current) directory
|
|
%h print home (login, naming) directory
|
|
%e print the environment
|
|
.in -.5i
|
|
.fi
|
|
.PP
|
|
.B kernelfile
|
|
defaults to the normally running kernel file.
|
|
.PP
|
|
.B kmemfile
|
|
defaults to the memory space of the normally running kernel.
|
|
.SH UNDERDOCUMENTED FLAGS
|
|
The
|
|
.B \-v
|
|
flag enables more verbose output or messages.
|
|
(Further occurrences of the
|
|
.B -v
|
|
flag make things even more verbose.)
|
|
Currently not used: ignored.
|
|
.PP
|
|
The
|
|
.B \-f\*[Lt]config-file\*[Gt]
|
|
option causes
|
|
.B identd
|
|
to use the named config file (instead of the default /etc/identd.conf ?).
|
|
Currently not used: ignored, no config files are used.
|
|
.PP
|
|
The
|
|
.B \-r\*[Lt]indirect_host\*[Gt]
|
|
option is used in some way (for proxy queries?).
|
|
.PP
|
|
The
|
|
.B \-C\*[Lt]keyfile\*[Gt]
|
|
option is used in some way for DES encryption.
|
|
.SH INSTALLATION
|
|
.B identd
|
|
is invoked either by the internet server (see
|
|
.BR inetd (8C)
|
|
) for requests to connect to the
|
|
.SM IDENT
|
|
port as indicated by the
|
|
.B /etc/services
|
|
file (see
|
|
.BR services (5)
|
|
) when using the
|
|
.B \-w
|
|
or
|
|
.B \-i
|
|
modes of operation or started manually by using the
|
|
.B \-b
|
|
mode of operation.
|
|
.SH EXAMPLES
|
|
Assuming the server is located in
|
|
.B /usr/libexec/identd
|
|
one can put either:
|
|
.PP
|
|
ident stream tcp wait sys /usr/libexec/identd identd -w -t120
|
|
.PP
|
|
or:
|
|
.PP
|
|
ident stream tcp nowait sys /usr/libexec/identd identd -i
|
|
.PP
|
|
into the
|
|
.B /etc/inetd.conf
|
|
file.
|
|
User "sys" should have enough rights to READ the kernel
|
|
but NOT to write to it.
|
|
.PP
|
|
To start it using the
|
|
.B \-b
|
|
mode of operation one can put a line like this into the
|
|
.B /etc/rc.local
|
|
file:
|
|
.PP
|
|
/usr/libexec/identd -b -u2 -g2
|
|
.PP
|
|
This will make it run in the background as user 2, group 2
|
|
(user "sys", group "kmem" on SunOS 4.1.1).
|
|
.SH NOTES
|
|
There should be no need to ever use this;
|
|
if you think you need this, you really need protocols
|
|
which do strong host and/or user authentication such as ssh and IPsec
|
|
in conjunction with audit trails.
|
|
.Pp
|
|
The username (or UID) returned ought to be the login name.
|
|
However it (probably, for most architecture implementations)
|
|
is the "real user ID" as stored with the process;
|
|
there is no provision for returning the "effective user ID".
|
|
Thus the UID returned may be different from the login name for
|
|
setuid programs (or those running as root) which done a
|
|
.BR setuid (2)
|
|
call and their children.
|
|
For example, it may (should?) be wrong for an incoming
|
|
.B ftpd
|
|
; and we are probably interested in the running shell, not the
|
|
.B telnetd
|
|
for an incoming telnet session.
|
|
(But of course
|
|
.B identd
|
|
returns info for outgoing connections, not incoming ones.)
|
|
.PP
|
|
The group or list of groups returned (with the
|
|
.B \-F
|
|
option) are as looked up in the
|
|
.B /etc/passwd
|
|
and
|
|
.B /etc/group
|
|
files, based on the UID returned.
|
|
Thus these may not relate well to the group(s) of the running
|
|
process for setuid or setgid programs or their children.
|
|
.PP
|
|
The command names returned with formats %c and %C may be different,
|
|
use one or the other or both.
|
|
.SH FILES
|
|
.TP
|
|
.B /etc/identd.conf
|
|
This file is as yet un-used, but will eventually contain configuration
|
|
options for
|
|
.B identd
|
|
.TP
|
|
.B /etc/identd.key
|
|
If compiled with
|
|
.I \-ldes
|
|
this file can be used to specify a secret key for encrypting replies.
|
|
.SH SECURITY CONSIDERATIONS
|
|
May leak information generally considered "private" unless the
|
|
.B \-e
|
|
flag or
|
|
.\"either the
|
|
.B \-L
|
|
.\"or
|
|
.\".B \-C
|
|
flags are used.
|
|
.PP
|
|
The protocol is unprotected and is vulnerable to man-in-the-middle
|
|
attacks.
|
|
.SH "SEE ALSO"
|
|
.BR inetd.conf (5)
|
|
.SH BUGS
|
|
The
|
|
.B \-e
|
|
and
|
|
.B \-L
|
|
flags should be enabled by default.
|
|
.PP
|
|
The whole concept of this service is a bug; cryptographic
|
|
authentication should be integrated into services which think they
|
|
need this.
|
|
.PP
|
|
The handling of fatal errors could be better.
|