NetBSD/libexec/identd/identd.8

448 lines
11 KiB
Groff

.\" $NetBSD: identd.8,v 1.16 2003/03/15 23:48:30 wiz Exp $
.\"
.\" @(#)identd.8 1.9 92/02/11 Lysator
.\" Copyright (c) 1992 Peter Eriksson, Lysator, Linkoping University.
.\" This software has been released into the public domain.
.\"
.TH IDENTD 8 "27 May 1992"
.SH NAME
identd \- TCP/IP IDENT protocol server
.SH SYNOPSIS
.B identd
.RB [ \-i | \-w | \-b ]
.RB [ \-t\*[Lt]seconds\*[Gt] ]
.RB [ \-u\*[Lt]uid\*[Gt] ]
.RB [ \-g\*[Lt]gid\*[Gt] ]
.RB [ \-p\*[Lt]port\*[Gt] ]
.RB [ \-a\*[Lt]address\*[Gt] ]
.RB [ \-c\*[Lt]charset\*[Gt] ]
.\".RB [ \-C [ \*[Lt]keyfile\*[Gt] ]]
.RB [ \-o ]
.RB [ \-e ]
.RB [ \-l ]
.RB [ \-V ]
.RB [ \-m ]
.RB [ \-N ]
.RB [ \-d ]
.RB [ \-F\*[Lt]format\*[Gt] ]
.RB [ \-L\*[Lt]user name\*[Gt] ]
.RB [ "kernelfile" [ "kmemfile" ] ]
.SH DESCRIPTION
.IX "identd daemon" "" \fLidentd\fP daemon"
.B identd
is a server which implements the ill-conceived
.SM IDENT
protocol specified in
.SM RFC\s0 1413.
.PP
.B identd
operates by looking up specific
.SM TCP/IP
connections and returning information which may or may not be
associated with the process owning the connection.
.PP
The
.B identd
server provides little other than a false sense of security; however,
some legacy services require their clients to run ident servers.
.SH ARGUMENTS
The highly-recommended
.B \-L\*[Lt]user name\*[Gt]
option instructs
.B identd
to always return a fixed user identity in response to all requests,
resulting in both improved efficiency and increased user privacy (you didn't
.I really
intend to trust my assertion about who I was anyway, right?)
.PP
This flag provides a way for a site to support services requiring the ident
protocol while providing a standard answer to all ident queries.
All queries to identd will respond with a host type
of `OTHER' and a username of
.B \*[Lt]user name\*[Gt].
.PP
The
.B \-i
flag, enabled by default, should be used when starting the daemon from
.B inetd
with the "nowait" option in the
.B /etc/inetd.conf
file.
Use of this mode will make
.B inetd
start one
.B identd
daemon for each connection request.
.PP
The
.B \-w
flag should be used when starting the daemon from
.B inetd
with the "wait" option in the
.B /etc/inetd.conf
file.
This is the preferred mode of operation since that will start a copy of
.B identd
at the first connection request and then
.B identd
will handle subsequent requests without having to do the
nlist lookup in the kernel file for every request as in the
.B \-i
mode above.
The
.B identd
daemon will run either forever, until a bug
makes it crash or a timeout, as specified by the
.B \-t
flag, occurs.
.PP
The
.B \-b
flag can be used to make the daemon run in standalone
mode without the assistance from
.BR inetd.
This mode is the least preferred mode since
a bug or any other fatal condition in the server will make it terminate
and it will then have to be restarted manually.
Other than that it has the same advantage as the
.B \-w
mode in that it parses the nlist only once.
.PP
The
.B \-t\*[Lt]seconds\*[Gt]
option is used to specify the timeout limit.
This is the number of seconds a server started with the
.B \-w
flag will wait for new connections before terminating.
The server is automatically restarted by
.B inetd
whenever a new connection is requested if it has terminated.
A suitable value for this is 120 (2 minutes), if used.
It defaults to no timeout (i.e. will wait forever, or until a
fatal condition occurs in the server).
.PP
The
.B \-u\*[Lt]uid\*[Gt]
option is used to specify a user id number which the
.BR ident
server should switch to after binding itself to the
.SM TCP/IP
port if using the
.B \-b
mode of operation.
.PP
The
.B \-g\*[Lt]gid\*[Gt]
option is used to specify a group id number which the
.BR ident
server should switch to after binding itself to the
.SM TCP/IP
port if using the
.B \-b
mode of operation.
.PP
The
.B \-p\*[Lt]port\*[Gt]
option is used to specify an alternative port number
to bind to if using the
.B \-b
mode of operation.
It can be specified by name or by number.
Defaults to the
.SM IDENT
port (113).
.PP
The
.B \-a\*[Lt]address\*[Gt]
option is used to specify the local address to bind
the socket to if using the
.B \-b
mode of operation.
Can only be specified by IP address and not by domain name.
Defaults to the
.SM INADDR_ANY
address which normally means all local addresses.
.PP
The
.B \-V
flag makes
.B identd
display the version number and then exit.
.PP
The
.B \-l
flag tells
.B identd
to use the System logging daemon
.B syslogd
for logging purposes.
.PP
The
.B \-o
flag tells
.B identd
to not reveal the operating system type it is run on and to instead
always return "OTHER".
.PP
The
.B \-e
flag tells
.B identd
to always return "UNKNOWN-ERROR" instead of the "NO-USER" or
"INVALID-PORT" errors.
.PP
The
.B \-c\*[Lt]charset\*[Gt]
flags tells
.B identd
to add the optional (according to the IDENT protocol) character set
designator to the reply generated.
.I charset
should be a valid character set as described in the MIME RFC in upper
case characters.
.\".PP
.\"The
.\".BR \-C [ \*[Lt]keyfile\*[Gt] ]
.\"option tells
.\".B identd
.\"to return encrypted tokens instead of user names.
.\"The local and remote IP
.\"addresses and TCP port numbers, the local user's uid number, a timestamp,
.\"a random number, and a checksum, are all encrypted using DES
.\"with a secret key derived from the first line of the
.\".I keyfile
.\"(using
.\".BR des_string_to_key (3)).
.\"The encrypted binary information is then encoded in a base64 string
.\"(32 characters in length) and enclosed in square brackets to produce
.\"a token that is transmitted to the remote client.
.\"The encrypted token can later be decrypted by
.\".BR idecrypt (8).
.\"There may not be a space between the
.\".B \-C
.\"and the name of the
.\".IR keyfile .
.\"If the
.\".I keyfile
.\"is not specified, it defaults to
.\".BR /etc/identd.key .
.PP
The
.B \-n
flag tells
.B identd
to always return user numbers instead of user names if you wish to
keep the user names a secret.
The
.B \-N
flag makes
.B identd
check for a file ".noident" in each home directory for a user which the
daemon is about to return the user name for.
It that file exists then the daemon will give the error
.B HIDDEN-USER
instead of the normal USERID response.
.PP
.B \-m
flag makes
.B identd
use a mode of operation that will allow multiple requests to be
processed per session.
Each request is specified one per line and
the responses will be returned one per line.
The connection will not be closed until the connecting
part closes its end of the line.
PLEASE NOTE THAT THIS MODE VIOLATES THE PROTOCOL SPECIFICATION AS
IT CURRENTLY STANDS.
.PP
The
.B \-d
flag enables some debugging code that normally should NOT
be enabled since that breaks the protocol and may reveal information
that should not be available to outsiders.
.PP
The
.B \-F\*[Lt]format\*[Gt]
option makes
.B identd
use the specified format to display info.
The allowed format specifiers are:
.in +.5i
.nf
%u print user name
%U print user number
%g print (primary) group name
%G print (primary) group number
%l print list of all groups by name
%L print list of all groups by number
%p print process ID of running process
%c print command name
%C print command and arguments
.in -.5i
.fi
The lists of groups (%l, %L) are comma-separated, and start with the primary
group which is not repeated.
The %p and the %c and %C formats are not supported on all architecture
implementations (printing 0 or empty string instead).
.br
Any other characters (preceded by %, and those not preceded by it)
are printed literally.
The "default" format is %u, and you should not use
anything else without the
.B \-o
flag.
.br
Not implemented yet, but on my wish-list are the following:
.in +.5i
.nf
%w print working (current) directory
%h print home (login, naming) directory
%e print the environment
.in -.5i
.fi
.PP
.B kernelfile
defaults to the normally running kernel file.
.PP
.B kmemfile
defaults to the memory space of the normally running kernel.
.SH UNDERDOCUMENTED FLAGS
The
.B \-v
flag enables more verbose output or messages.
(Further occurrences of the
.B -v
flag make things even more verbose.)
Currently not used: ignored.
.PP
The
.B \-f\*[Lt]config-file\*[Gt]
option causes
.B identd
to use the named config file (instead of the default /etc/identd.conf ?).
Currently not used: ignored, no config files are used.
.PP
The
.B \-r\*[Lt]indirect_host\*[Gt]
option is used in some way (for proxy queries?).
.PP
The
.B \-C\*[Lt]keyfile\*[Gt]
option is used in some way for DES encryption.
.SH INSTALLATION
.B identd
is invoked either by the internet server (see
.BR inetd (8C)
) for requests to connect to the
.SM IDENT
port as indicated by the
.B /etc/services
file (see
.BR services (5)
) when using the
.B \-w
or
.B \-i
modes of operation or started manually by using the
.B \-b
mode of operation.
.SH EXAMPLES
Assuming the server is located in
.B /usr/libexec/identd
one can put either:
.PP
ident stream tcp wait sys /usr/libexec/identd identd -w -t120
.PP
or:
.PP
ident stream tcp nowait sys /usr/libexec/identd identd -i
.PP
into the
.B /etc/inetd.conf
file.
User "sys" should have enough rights to READ the kernel
but NOT to write to it.
.PP
To start it using the
.B \-b
mode of operation one can put a line like this into the
.B /etc/rc.local
file:
.PP
/usr/libexec/identd -b -u2 -g2
.PP
This will make it run in the background as user 2, group 2
(user "sys", group "kmem" on SunOS 4.1.1).
.SH NOTES
There should be no need to ever use this;
if you think you need this, you really need protocols
which do strong host and/or user authentication such as ssh and IPsec
in conjunction with audit trails.
.Pp
The username (or UID) returned ought to be the login name.
However it (probably, for most architecture implementations)
is the "real user ID" as stored with the process;
there is no provision for returning the "effective user ID".
Thus the UID returned may be different from the login name for
setuid programs (or those running as root) which done a
.BR setuid (2)
call and their children.
For example, it may (should?) be wrong for an incoming
.B ftpd
; and we are probably interested in the running shell, not the
.B telnetd
for an incoming telnet session.
(But of course
.B identd
returns info for outgoing connections, not incoming ones.)
.PP
The group or list of groups returned (with the
.B \-F
option) are as looked up in the
.B /etc/passwd
and
.B /etc/group
files, based on the UID returned.
Thus these may not relate well to the group(s) of the running
process for setuid or setgid programs or their children.
.PP
The command names returned with formats %c and %C may be different,
use one or the other or both.
.SH FILES
.TP
.B /etc/identd.conf
This file is as yet un-used, but will eventually contain configuration
options for
.B identd
.TP
.B /etc/identd.key
If compiled with
.I \-ldes
this file can be used to specify a secret key for encrypting replies.
.SH SECURITY CONSIDERATIONS
May leak information generally considered "private" unless the
.B \-e
flag or
.\"either the
.B \-L
.\"or
.\".B \-C
flags are used.
.PP
The protocol is unprotected and is vulnerable to man-in-the-middle
attacks.
.SH "SEE ALSO"
.BR inetd.conf (5)
.SH BUGS
The
.B \-e
and
.B \-L
flags should be enabled by default.
.PP
The whole concept of this service is a bug; cryptographic
authentication should be integrated into services which think they
need this.
.PP
The handling of fatal errors could be better.