identd



identd(1)                                                            identd(1)




NAME

       identd, in.identd - TCP/IP IDENT protocol server


SYNOPSIS

       [in.]identd [options]


DESCRIPTION

       Identd  is a server which implements the TCP/IP proposed standard IDENT
       user identification protocol as specified in the RFC 1413 document.

       identd operates by looking up specific TCP/IP connections and returning
       the  user name of the process owning the connection.  It can optionally
       return other information instead of a user name.


OPTIONS

       -h        Display the available command line options.

       -V        Display the version and the OS version it was compiled for,
                 and then exit.

       -d        Enables extra debugging messages.

       -C<file>  Directs identd to parse additional configuration options from
                 the file specified.

       -i        May be used when  starting  the  daemon  by  inetd  with  the
                 "nowait" option (see below).

       -w        May be used when starting the daemon by inetd with the "wait"
                 option (see below).

       -I        May be used when the daemon is started by init (see below).

       -b        May be used to make the daemon run in standalone mode  (see
                 below).

       -u<user>  Used to specify a user number or name to which  the  server
                 should switch after binding itself to the TCP/IP  port  and
                 opening the kernel devices.

       -g<group> Used  to  specify  a  group  number  or name which the server
                 should switch to after binding itself to the TCP/IP port  and
                 opening the kernel devices.

       -p<port>  Used to specify an alternative TCP port to bind to, if running
                 as a standalone daemon or started by init. Can be specified by
                 name or by number. Defaults to the IDENT port (113).

       -t<limit> Used to specify the request timeout limit. This is the maximum
                 number of seconds a server will allow a client connection to
                 be active before terminating it. It defaults to 120 seconds.

       -P<pidfile>
                 Specify the location of a file to store the process number of
                 the Identd daemon.

       -K<nthreads>
                 Control the number of threads to use for kernel lookups

       -L<facility>
                 Set the syslog facility to use instead of 'daemon'.

       -o        Directs identd to return OTHER instead of UNIX as the
                 "operating system".

       -E        Enables  DES  encryption  of the returned data (see below for
                 more information).

       -n        Directs identd to always return user numbers instead of  user
                 names  (for  example  if  you  wish  to keep the user names a
                 secret).

       -N        Directs identd to check for a file ".noident"  in  each  home
                 directory  for  the  user which the daemon is about to return
                 the user name for. If that file exists then the  daemon  will
                 give  the  error  HIDDEN-USER  instead  of  the normal USERID
                 response.

       -e        Enables certain non-standard protocol  extensions.  Currently
                 defined extensions include the requests VERSION to return the
                 Ident daemon version and QUIT to terminate a session  (useful
                 in conjunction with the -m option).

       -m        Enables  identd  to  use  a mode of operation that will allow
                 multiple requests to be processed per session.  Each  request
                 is  specified one per line and the responses will be returned
                 one per line. The connection will not  be  closed  until  the
                 connecting party closes its end of the line.


INSTALLATION

       The preferred way to start identd depends on how it was built.

       If  it  was  built  with  support  for multithreading then it should be
       started either from init, as a standalone daemon or from  inetd  using
       the "wait" mode (if your inetd supports it!).

       If  it  was  built without support for multithreading then it should be
       started from inetd using the normal "nowait" mode for "stream tcp"
       services. (The main reason being that it will be single-threaded, so it
       will only serve one client connection at a time.)

       identd normally will autodetect how it was invoked so there normally is
       no need to use the four command line switches (-i, -w, -I, -b).


ENCRYPTION

       DES  encryption  is only available if the daemon was built with support
       for it enabled.

       An encryption key (1024 bytes long) should be stored in  the  key  file
       (/etc/identd.key)  and  it  should be generated using a cryptographically
       secure random generator. It should not contain any NUL (0x00) characters
       since it is used as a string to generate the real binary DES key.

       This file may contain multiple 1024 byte long keys, and the server will
       use the last key stored in that file.

       The  returned  token will contain the local and remote IP addresses and
       TCP port numbers, the local user's uid number, a  timestamp,  a  random
       number,  and a checksum - all encrypted using DES. The encrypted binary
       information is then encoded in a BASE64 string (32 characters long) and
       enclosed  in  square brackets to produce a token that is transmitted to
       the remote client.

       The encrypted token can later be decrypted  by  the  idecrypt  command.
       This  program  will attempt to decrypt a token with all the keys stored
       in the key file until it succeeds (or has tried all the keys).


CONFIGURATION FILE

       The configuration file contains a list of option=value pairs.

       syslog:facility = FACILITY
                 Set which facility to use when sending syslog messages.

       server:user = USER
                 Set what user (and group, from the passwd database) the
                 daemon should run as after it has opened all the kernel
                 handles. (Default: nobody)

       server:group = GROUP
                 Override the group id (as set by the server:user option).

       server:port = PORT
                 Set what TCP/IP port the daemon should listen  to.  (Default:
                 113)

       server:backlog = LIMIT
                 Set the size of the server listen() backlog limit.

       server:pid-file = PATH
                 Set  the  path  to  the file where the server will store its
                 process id.

       server:max-request = LIMIT
                 Max number of  concurrent  requests  allowed.  Default  is  0
                 (zero) which means "no limit".

       protocol:extensions = ON/OFF
                 Enable/disable  the nonstandard protocol extensions ( VERSION
                 and QUIT currently). Default: off

       protocol:multiquery = ON/OFF
                 Enable/disable the multiple queries per  connection  feature.
                 Default: off

       protocol:timeout = SECONDS
                 Max  number  of  seconds since connection or last request. If
                 set to 0 (zero), no timeout will be used. Default: 120
                 seconds.

       kernel:threads = LIMIT
                 Max  number  of  threads  doing  kernel lookups concurrently.
                 Default: 8

       kernel:buffers = LIMIT
                 Max number of queued kernel lookup requests. Default: 32

       kernel:attempts = LIMIT
                 Max number of times to retry a kernel lookup in case of
                 failure. Default: 5

       result:uid-only = YES/NO
                 Disable  uid->username  lookups  (only  return  uid numbers).
                 Default: no

       result:noident = ON/OFF
                 Enable/disable checking for the ".noident" file  in  users'
                 home directories.

       result:charset = CHARSET
                 Define  the  character set returned in replies. Default: "US-
                 ASCII"

       result:opsys = OPSYS
                 Define the operating system  returned  in  replies.  Default:
                 "UNIX"

       result:syslog-level = LEVEL
                 If  set  to  anything  other than "none", all request replies
                 will be sent  to  the  syslog  service  with  the  specified
                 severity level.  Default: none

       result:encrypt = YES/NO
                 Enable  encryption  of  replies. Only available if Identd was
                 built with a DES encryption library.

       encrypt:key-file = PATH
                 Path to the file containing the encryption keys.

       include = PATH
                 Include (and parse) the  contents  of  another  configuration
                 file.
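       The following is an added example, not code from pidentd itself: the
       reply logic controlled by the -n, -N, -o, -e and -m switches in OPTIONS
       and by the result:* and protocol:* keys above, written as pure Python
       functions over a constructed connection table. The kernel lookup, the
       passwd table and the ~/.noident check are stand-ins passed as
       arguments, and the VERSION string is hypothetical.

```python
import re
from dataclasses import dataclass
# One RFC 1413 request line: "<port-on-server> , <port-on-client>"
REQUEST_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")

@dataclass
class Config:                      # mirrors identd's switches / config keys
    uid_only: bool = False         # -n / result:uid-only
    noident: bool = False          # -N / result:noident
    opsys: str = "UNIX"            # -o / result:opsys ("OTHER")
    charset: str = "US-ASCII"      # result:charset
    extensions: bool = False       # -e / protocol:extensions (VERSION, QUIT)
    multiquery: bool = False       # -m / protocol:multiquery

def handle_request(line: str, lookup, users: dict, hidden: set, cfg: Config) -> str:
    """One reply line; lookup((server_port, client_port)) -> owning uid or None."""
    text = line.strip()
    if cfg.extensions and text.upper() == "VERSION":
        return "VERSION : example-identd (hypothetical version string)"
    m = REQUEST_RE.match(text)
    if not m:                      # unparsable request: echo "0 , 0" (this example's choice)
        return "0 , 0 : ERROR : INVALID-PORT"
    sp, cp = int(m.group(1)), int(m.group(2))
    if not (1 <= sp <= 65535 and 1 <= cp <= 65535):
        return f"{sp} , {cp} : ERROR : INVALID-PORT"
    uid = lookup((sp, cp))
    if uid is None:
        return f"{sp} , {cp} : ERROR : NO-USER"
    if cfg.noident and uid in hidden:  # the -N / ".noident" case
        return f"{sp} , {cp} : ERROR : HIDDEN-USER"
    # RFC 1413 treats an omitted charset as US-ASCII, so only name other charsets
    opsys = cfg.opsys if cfg.charset == "US-ASCII" else f"{cfg.opsys} , {cfg.charset}"
    user = str(uid) if cfg.uid_only or uid not in users else users[uid]
    return f"{sp} , {cp} : USERID : {opsys} : {user}"

def run_session(lines, lookup, users: dict, hidden: set, cfg: Config) -> list:
    """One reply per line; stop after the first unless multiquery, or on QUIT with extensions."""
    replies = []
    for line in lines:
        if cfg.extensions and line.strip().upper() == "QUIT":
            break
        replies.append(handle_request(line, lookup, users, hidden, cfg))
        if not cfg.multiquery:
            break
    return replies

# Constructed sample data: connection owners (kernel-lookup stand-in), passwd-like table, uids with ~/.noident
CONNS = {(6667, 51234): 1000, (22, 40000): 0, (6667, 51235): 1001}
USERS = {0: "root", 1000: "alice", 1001: "bob"}
HIDDEN = {1001}
```

       With multiquery and extensions enabled, run_session(["6667, 51234",
       "6667 , 51235", "QUIT"], CONNS.get, USERS, HIDDEN, Config(noident=True,
       extensions=True, multiquery=True)) yields the USERID reply for alice
       and the HIDDEN-USER error for bob before QUIT ends the session.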


NOTES

       The  username  (or UID) returned ought to be the login name. However it
       (probably, for most architecture implementations) is the "real user ID"
       as stored with the process. Thus the UID returned may be different from
       the login name for setuid programs (or those running as root) which have
       done a setuid(3) call, and for their children. For example, it may
       (should?) be wrong for an incoming ftpd; and we are probably interested
       in the running shell, not the telnetd, for an incoming telnet session.
       (But of course identd returns info for outgoing connections, not
       incoming ones.)


FILES

       /etc/identd.conf
              Contains the default configuration options for identd.

       /etc/identd.pid
              Contains (if enabled) the process number of the identd daemon.

       /etc/identd.key
              If compiled with DES encryption enabled, the first 1024 bytes of
              this file are used to specify the secret key for encrypting
              replies.


AVAILABILITY

       The  daemon  is free software. You can redistribute it and/or modify it
       as you wish - as long as you don't claim that you wrote it.

       The source code for the latest version of  the  daemon  can  always  be
       FTP'd from one of the following addresses:

       Main site:  ftp://ftp.lysator.liu.se/pub/ident/servers/

       Mirror:     ftp://ftp.uu.net/networking/ident/servers/

       The author can be contacted at:

       Email:      Peter Eriksson <pen@lysator.liu.se>


SEE ALSO

       idecrypt(8), ikeygen(8), authuser(3), inetd.conf(5)



                                  8 Jan 1999                         identd(1)
