411 lines
10 KiB
Groff
411 lines
10 KiB
Groff
.\" $NetBSD: identd.8,v 1.11 2002/02/08 01:30:07 ross Exp $
|
|
.\"
|
|
.\" @(#)identd.8 1.9 92/02/11 Lysator
|
|
.\" Copyright (c) 1992 Peter Eriksson, Lysator, Linkoping University.
|
|
.\" This software has been released into the public domain.
|
|
.\"
|
|
.TH IDENTD 8 "27 May 1992"
|
|
.SH NAME
|
|
identd \- TCP/IP IDENT protocol server
|
|
.SH SYNOPSIS
|
|
.B identd
|
|
.RB [ \-i | \-w | \-b ]
|
|
.RB [ \-t\*[Lt]seconds\*[Gt] ]
|
|
.RB [ \-u\*[Lt]uid\*[Gt] ]
|
|
.RB [ \-g\*[Lt]gid\*[Gt] ]
|
|
.RB [ \-p\*[Lt]port\*[Gt] ]
|
|
.RB [ \-a\*[Lt]address\*[Gt] ]
|
|
.RB [ \-c\*[Lt]charset\*[Gt] ]
|
|
.RB [ \-C [ \*[Lt]keyfile\*[Gt] ]]
|
|
.RB [ \-o ]
|
|
.RB [ \-e ]
|
|
.RB [ \-l ]
|
|
.RB [ \-V ]
|
|
.RB [ \-m ]
|
|
.RB [ \-N ]
|
|
.RB [ \-d ]
|
|
.RB [ \-F\*[Lt]format\*[Gt] ]
|
|
.RB [ \-L\*[Lt]user name\*[Gt] ]
|
|
.RB [ "kernelfile" [ "kmemfile" ] ]
|
|
.SH DESCRIPTION
|
|
.IX "identd daemon" "" \fLidentd\fP daemon"
|
|
.B identd
|
|
is a server which implements the
|
|
.SM TCP/IP
|
|
proposed standard
|
|
.SM IDENT
|
|
user identification protocol as specified in the
|
|
.SM RFC\s0 1413
|
|
document.
|
|
.PP
|
|
.B identd
|
|
operates by looking up specific
|
|
.SM TCP/IP
|
|
connections and returning the user name of the
|
|
process owning the connection. It can optionally
|
|
return other information instead of a user name.
|
|
.SH ARGUMENTS
|
|
The
|
|
.B \-i
|
|
flag, which is the default mode, should be used when starting the
|
|
daemon from
|
|
.B inetd
|
|
with the "nowait" option in the
|
|
.B /etc/inetd.conf
|
|
file. Use of this mode will make
|
|
.B inetd
|
|
start one
|
|
.B identd
|
|
daemon for each connection request.
|
|
.PP
|
|
The
|
|
.B \-w
|
|
flag should be used when starting the daemon from
|
|
.B inetd
|
|
with the "wait" option in the
|
|
.B /etc/inetd.conf
|
|
file . This is the prefered mode of
|
|
operation since that will start a copy of
|
|
.B identd
|
|
at the first connection request and then
|
|
.B identd
|
|
will handle subsequent requests
|
|
without having to do the nlist lookup in the kernel file for
|
|
every request as in the
|
|
.B \-i
|
|
mode above. The
|
|
.B identd
|
|
daemon will run either forever, until a bug
|
|
makes it crash or a timeout, as specified by the
|
|
.B \-t
|
|
flag, occurs.
|
|
.PP
|
|
The
|
|
.B \-b
|
|
flag can be used to make the daemon run in standalone mode without
|
|
the assistance from
|
|
.BR inetd.
|
|
This mode is the least prefered mode since
|
|
a bug or any other fatal condition in the server will make it terminate
|
|
and it will then have to be restarted manually. Other than that it has the
|
|
same advantage as the
|
|
.B \-w
|
|
mode in that it parses the nlist only once.
|
|
.PP
|
|
The
|
|
.B \-t\*[Lt]seconds\*[Gt]
|
|
option is used to specify the timeout limit. This is the number
|
|
of seconds a server started with the
|
|
.B \-w
|
|
flag will wait for new connections before terminating. The server is
|
|
automatically restarted by
|
|
.B inetd
|
|
whenever a new connection is requested
|
|
if it has terminated. A suitable value for this is 120 (2 minutes), if
|
|
used. It defaults to no timeout (i.e. will wait forever, or until a
|
|
fatal condition occurs in the server).
|
|
.PP
|
|
The
|
|
.B \-u\*[Lt]uid\*[Gt]
|
|
option is used to specify a user id number which the
|
|
.BR ident
|
|
server should
|
|
switch to after binding itself to the
|
|
.SM TCP/IP
|
|
port if using the
|
|
.B \-b
|
|
mode of operation.
|
|
.PP
|
|
The
|
|
.B \-g\*[Lt]gid\*[Gt]
|
|
option is used to specify a group id number which the
|
|
.BR ident
|
|
server should
|
|
switch to after binding itself to the
|
|
.SM TCP/IP
|
|
port if using the
|
|
.B \-b
|
|
mode of operation.
|
|
.PP
|
|
The
|
|
.B \-p\*[Lt]port\*[Gt]
|
|
option is used to specify an alternative port number to bind to if using
|
|
the
|
|
.B \-b
|
|
mode of operation. It can be specified by name or by number. Defaults to the
|
|
.SM IDENT
|
|
port (113).
|
|
.PP
|
|
The
|
|
.B \-a\*[Lt]address\*[Gt]
|
|
option is used to specify the local address to bind the socket to if using
|
|
the
|
|
.B \-b
|
|
mode of operation. Can only be specified by IP address and not by domain
|
|
name. Defaults to the
|
|
.SM INADDR_ANY
|
|
address which normally means all local addresses.
|
|
.PP
|
|
The
|
|
.B \-V
|
|
flag makes
|
|
.B identd
|
|
display the version number and then exit.
|
|
.PP
|
|
The
|
|
.B \-l
|
|
flag tells
|
|
.B identd
|
|
to use the System logging daemon
|
|
.B syslogd
|
|
for logging purposes.
|
|
.PP
|
|
The
|
|
.B \-o
|
|
flag tells
|
|
.B identd
|
|
to not reveal the operating system type it is run on and to instead
|
|
always return "OTHER".
|
|
.PP
|
|
The
|
|
.B \-e
|
|
flag tells
|
|
.B identd
|
|
to always return "UNKNOWN-ERROR" instead of the "NO-USER" or
|
|
"INVALID-PORT" errors.
|
|
.PP
|
|
The
|
|
.B \-c\*[Lt]charset\*[Gt]
|
|
flags tells
|
|
.B identd
|
|
to add the optional (according to the IDENT protocol) character set
|
|
designator to the reply generated.
|
|
.I charset
|
|
should be a valid character set as described in the MIME RFC in upper
|
|
case characters.
|
|
.PP
|
|
The
|
|
.BR \-C [ \*[Lt]keyfile\*[Gt] ]
|
|
option tells
|
|
.B identd
|
|
to return encrypted tokens instead of user names.
|
|
The local and remote IP
|
|
addresses and TCP port numbers, the local user's uid number, a timestamp,
|
|
a random number, and a checksum, are all encrypted using DES
|
|
with a secret key derived from the first line of the
|
|
.I keyfile
|
|
(using
|
|
.BR des_string_to_key (3)).
|
|
The encrypted binary information is then encoded in a base64 string
|
|
(32 characters in length) and enclosed in square brackets to produce
|
|
a token that is transmitted to the remote client.
|
|
The encrypted token can later be decrypted by
|
|
.BR idecrypt (8).
|
|
There may not be a space between the
|
|
.B \-C
|
|
and the name of the
|
|
.IR keyfile .
|
|
If the
|
|
.I keyfile
|
|
is not specified, it defaults to
|
|
.BR /etc/identd.key .
|
|
.PP
|
|
The
|
|
.B \-n
|
|
flag tells
|
|
.B identd
|
|
to always return user numbers instead of user names if you wish to
|
|
keep the user names a secret.
|
|
The
|
|
.B \-N
|
|
flag makes
|
|
.B identd
|
|
check for a file ".noident" in each homedirectory for a user which the
|
|
daemon is about to return the user name for. It that file exists then the
|
|
daemon will give the error
|
|
.B HIDDEN-USER
|
|
instead of the normal USERID response.
|
|
.PP
|
|
.B \-m
|
|
flag makes
|
|
.B identd
|
|
use a mode of operation that will allow multiple requests to be
|
|
processed per session. Each request is specified one per line and
|
|
the responses will be returned one per line. The connection will not
|
|
be closed until the connecting part closes it's end of the line.
|
|
PLEASE NOTE THAT THIS MODE VIOLATES THE PROTOCOL SPECIFICATION AS
|
|
IT CURRENTLY STANDS.
|
|
.PP
|
|
The
|
|
.B \-d
|
|
flag enables some debugging code that normally should NOT
|
|
be enabled since that breaks the protocol and may reveal information
|
|
that should not be available to outsiders.
|
|
.PP
|
|
The
|
|
.B \-F\*[Lt]format\*[Gt]
|
|
option makes
|
|
.B identd
|
|
use the specified format to display info. The allowed format specifiers are:
|
|
.in +.5i
|
|
.nf
|
|
%u print user name
|
|
%U print user number
|
|
%g print (primary) group name
|
|
%G print (primary) group number
|
|
%l print list of all groups by name
|
|
%L print list of all groups by number
|
|
%p print process ID of running process
|
|
%c print command name
|
|
%C print command and arguments
|
|
.in -.5i
|
|
.fi
|
|
The lists of groups (%l, %L) are comma-separated, and start with the primary
|
|
group which is not repeated. The %p and the %c and %C formats are not
|
|
supported on all architecture implementations (printing 0 or empty string
|
|
instead).
|
|
.br
|
|
Any other characters (preceded by %, and those not preceded by it) are
|
|
printed literally. The "default" format is %u, and you should not use
|
|
anything else without the
|
|
.B \-o
|
|
flag.
|
|
.br
|
|
Not implemented yet, but on my wish-list are the following:
|
|
.in +.5i
|
|
.nf
|
|
%w print working (current) directory
|
|
%h print home (login, naming) directory
|
|
%e print the environment
|
|
.in -.5i
|
|
.fi
|
|
.PP
|
|
The
|
|
.B \-L\*[Lt]user name\*[Gt]
|
|
option instructs
|
|
.B identd
|
|
to lie brazenly about the identity of the user in question. You didn't
|
|
.I really
|
|
intend to trust my assertion about who I was anyway, right?
|
|
.br
|
|
This flag provides a way for a site to support services requiring the ident
|
|
protocol while providing a standard answer to all ident queries. All queries
|
|
to identd will respond with a host type of `OTHER' and a username of \*[Lt]user name\*[Gt].
|
|
.PP
|
|
.B kernelfile
|
|
defaults to the normally running kernel file.
|
|
.PP
|
|
.B kmemfile
|
|
defaults to the memory space of the normally running kernel.
|
|
.SH UNDOCUMENTED FLAGS
|
|
The
|
|
.B \-v
|
|
flag enables more verbose output or messages. (Further occurences of the
|
|
.B -v
|
|
flag make things even more verbose.) Currently not used: ignored.
|
|
.PP
|
|
The
|
|
.B \-f\*[Lt]config-file\*[Gt]
|
|
option causes
|
|
.B identd
|
|
to use the named config file (instead of the default /etc/identd.conf ?).
|
|
Currently not used: ignored, no config files are used.
|
|
.PP
|
|
The
|
|
.B \-r\*[Lt]indirect_host\*[Gt]
|
|
option is used in some way (for proxy queries?).
|
|
.PP
|
|
The
|
|
.B \-C\*[Lt]keyfile\*[Gt]
|
|
option is used in some way for DES encryption.
|
|
.SH INSTALLATION
|
|
.B identd
|
|
is invoked either by the internet server (see
|
|
.BR inetd (8C)
|
|
) for requests to connect to the
|
|
.SM IDENT
|
|
port as indicated by the
|
|
.B /etc/services
|
|
file (see
|
|
.BR services (5)
|
|
) when using the
|
|
.B \-w
|
|
or
|
|
.B \-i
|
|
modes of operation or started manually by using the
|
|
.B \-b
|
|
mode of operation.
|
|
.SH EXAMPLES
|
|
Assuming the server is located in
|
|
.B /usr/libexec/identd
|
|
one can put either:
|
|
.PP
|
|
ident stream tcp wait sys /usr/libexec/identd identd -w -t120
|
|
.PP
|
|
or:
|
|
.PP
|
|
ident stream tcp nowait sys /usr/libexec/identd identd -i
|
|
.PP
|
|
into the
|
|
.B /etc/inetd.conf
|
|
file. User "sys" should have enough rights to READ the kernel
|
|
but NOT to write to it.
|
|
.PP
|
|
To start it using the
|
|
.B \-b
|
|
mode of operation one can put a line like this into the
|
|
.B /etc/rc.local
|
|
file:
|
|
.PP
|
|
/usr/libexec/identd -b -u2 -g2
|
|
.PP
|
|
This will make it run in the background as user 2, group 2 (user "sys",
|
|
group "kmem" on SunOS 4.1.1).
|
|
.SH NOTES
|
|
The username (or UID) returned ought to be the login name. However it
|
|
(probably, for most architecture implementations) is the "real user ID" as
|
|
stored with the process; there is no provision for returning the "effective
|
|
user ID". Thus the UID returned may be different from the login name for
|
|
setuid programs (or those running as root) which done a
|
|
.BR setuid (2)
|
|
call and their children. For example, it may (should?) be wrong for an
|
|
incoming
|
|
.B ftpd
|
|
; and we are probably interested in the running shell, not the
|
|
.B telnetd
|
|
for an incoming telnet session. (But of course
|
|
.B identd
|
|
returns info for outgoing connections, not incoming ones.)
|
|
.PP
|
|
The group or list of groups returned (with the
|
|
.B \-F
|
|
option) are as looked up in the
|
|
.B /etc/passwd
|
|
and
|
|
.B /etc/group
|
|
files, based on the UID returned. Thus these may not relate well to the
|
|
group(s) of the running process for setuid or setgid programs or their
|
|
children.
|
|
.PP
|
|
The command names returned with formats %c and %C may be different, use
|
|
one or the other or both.
|
|
.SH FILES
|
|
.TP
|
|
.B /etc/identd.conf
|
|
This file is as yet un-used, but will eventually contain configuration
|
|
options for
|
|
.B identd
|
|
.TP
|
|
.B /etc/identd.key
|
|
If compiled with
|
|
.I \-ldes
|
|
this file can be used to specify a secret key for encrypting replies.
|
|
.SH "SEE ALSO"
|
|
.\".BR authuser (3)
|
|
.\",
|
|
.BR inetd.conf (5)
|
|
.\",
|
|
.\".BR idecrypt (8)
|
|
.SH BUGS
|
|
The handling of fatal errors could be better.
|