identd(8)
- NetBSD Manual Pages
IDENTD(8) IDENTD(8)
NAME
identd - TCP/IP IDENT protocol server
SYNOPSIS
identd [-i|-w|-b] [-t<seconds>] [-u<uid>] [-g<gid>]
[-p<port>] [-a<address>] [-c<charset>] [-o] [-e] [-l] [-V]
[-m] [-N] [-d] [-F<format>] [-L<username>] [ker-
nelfile[kmemfile]]
DESCRIPTION
identd is a server which implements the ill-conceived
IDENT protocol specified in RFC 1413.
identd operates by looking up specific TCP/IP connections
and returning information which may or may not be associ-
ated with the process owning the connection.
The identd server provides little other than a false sense
of security; however, some legacy services require their
clients to run ident servers.
ARGUMENTS
The highly-recommended -L<user name> option instructs
identd to always return a fixed user identity in response
to all requests, resulting in both improved efficiency and
increased user privacy (you didn't really intend to trust
my assertion about who I was anyway, right?)
This flag provides a way for a site to support services
requiring the ident protocol while providing a standard
answer to all ident queries. All queries to identd will
respond with a host type of `OTHER' and a username of
<user name>.
The -i flag, enabled by default, should be used when
starting the daemon from inetd with the "nowait" option in
the /etc/inetd.conf file. Use of this mode will make inetd
start one identd daemon for each connection request.
The -w flag should be used when starting the daemon from
inetd with the "wait" option in the /etc/inetd.conf file .
This is the prefered mode of operation since that will
start a copy of identd at the first connection request and
then identd will handle subsequent requests without having
to do the nlist lookup in the kernel file for every
request as in the -i mode above. The identd daemon will
run either forever, until a bug makes it crash or a time-
out, as specified by the -t flag, occurs.
The -b flag can be used to make the daemon run in stan-
dalone mode without the assistance from inetd. This mode
is the least prefered mode since a bug or any other fatal
condition in the server will make it terminate and it will
then have to be restarted manually. Other than that it has
27 May 1992 1
IDENTD(8) IDENTD(8)
the same advantage as the -w mode in that it parses the
nlist only once.
The -t<seconds> option is used to specify the timeout
limit. This is the number of seconds a server started with
the -w flag will wait for new connections before terminat-
ing. The server is automatically restarted by inetd when-
ever a new connection is requested if it has terminated. A
suitable value for this is 120 (2 minutes), if used. It
defaults to no timeout (i.e. will wait forever, or until a
fatal condition occurs in the server).
The -u<uid> option is used to specify a user id number
which the ident server should switch to after binding
itself to the TCP/IP port if using the -b mode of opera-
tion.
The -g<gid> option is used to specify a group id number
which the ident server should switch to after binding
itself to the TCP/IP port if using the -b mode of opera-
tion.
The -p<port> option is used to specify an alternative port
number to bind to if using the -b mode of operation. It
can be specified by name or by number. Defaults to the
IDENT port (113).
The -a<address> option is used to specify the local
address to bind the socket to if using the -b mode of
operation. Can only be specified by IP address and not by
domain name. Defaults to the INADDR_ANY address which nor-
mally means all local addresses.
The -V flag makes identd display the version number and
then exit.
The -l flag tells identd to use the System logging daemon
syslogd for logging purposes.
The -o flag tells identd to not reveal the operating sys-
tem type it is run on and to instead always return
"OTHER".
The -e flag tells identd to always return "UNKNOWN-ERROR"
instead of the "NO-USER" or "INVALID-PORT" errors.
The -c<charset> flags tells identd to add the optional
(according to the IDENT protocol) character set designator
to the reply generated. charset should be a valid charac-
ter set as described in the MIME RFC in upper case charac-
ters.
The -n flag tells identd to always return user numbers
instead of user names if you wish to keep the user names a
27 May 1992 2
IDENTD(8) IDENTD(8)
secret. The -N flag makes identd check for a file
".noident" in each homedirectory for a user which the dae-
mon is about to return the user name for. It that file
exists then the daemon will give the error HIDDEN-USER
instead of the normal USERID response.
-m flag makes identd use a mode of operation that will
allow multiple requests to be processed per session. Each
request is specified one per line and the responses will
be returned one per line. The connection will not be
closed until the connecting part closes it's end of the
line. PLEASE NOTE THAT THIS MODE VIOLATES THE PROTOCOL
SPECIFICATION AS IT CURRENTLY STANDS.
The -d flag enables some debugging code that normally
should NOT be enabled since that breaks the protocol and
may reveal information that should not be available to
outsiders.
The -F<format> option makes identd use the specified for-
mat to display info. The allowed format specifiers are:
%u print user name
%U print user number
%g print (primary) group name
%G print (primary) group number
%l print list of all groups by name
%L print list of all groups by number
%p print process ID of running process
%c print command name
%C print command and arguments
The lists of groups (%l, %L) are comma-separated, and
start with the primary group which is not repeated. The %p
and the %c and %C formats are not supported on all archi-
tecture implementations (printing 0 or empty string
instead).
Any other characters (preceded by %, and those not pre-
ceded by it) are printed literally. The "default" format
is %u, and you should not use anything else without the -o
flag.
Not implemented yet, but on my wish-list are the follow-
ing:
%w print working (current) directory
%h print home (login, naming) directory
%e print the environment
kernelfile defaults to the normally running kernel file.
kmemfile defaults to the memory space of the normally run-
ning kernel.
UNDERDOCUMENTED FLAGS
The -v flag enables more verbose output or messages. (Fur-
ther occurences of the -v flag make things even more ver-
bose.) Currently not used: ignored.
27 May 1992 3
IDENTD(8) IDENTD(8)
The -f<config-file> option causes identd to use the named
config file (instead of the default /etc/identd.conf ?).
Currently not used: ignored, no config files are used.
The -r<indirect_host> option is used in some way (for
proxy queries?).
The -C<keyfile> option is used in some way for DES encryp-
tion.
INSTALLATION
identd is invoked either by the internet server (see
inetd(8C) ) for requests to connect to the IDENT port as
indicated by the /etc/services file (see services(5) )
when using the -w or -i modes of operation or started man-
ually by using the -b mode of operation.
EXAMPLES
Assuming the server is located in /usr/libexec/identd one
can put either:
ident stream tcp wait sys /usr/libexec/identd identd -w
-t120
or:
ident stream tcp nowait sys /usr/libexec/identd identd -i
into the /etc/inetd.conf file. User "sys" should have
enough rights to READ the kernel but NOT to write to it.
To start it using the -b mode of operation one can put a
line like this into the /etc/rc.local file:
/usr/libexec/identd -b -u2 -g2
This will make it run in the background as user 2, group 2
(user "sys", group "kmem" on SunOS 4.1.1).
NOTES
There should be no need to ever use this; if you think you
need this, you really need protocols which do strong host
and/or user authentication such as ssh and IPsec in con-
junction with audit trails. The username (or UID)
returned ought to be the login name. However it (probably,
for most architecture implementations) is the "real user
ID" as stored with the process; there is no provision for
returning the "effective user ID". Thus the UID returned
may be different from the login name for setuid programs
(or those running as root) which done a setuid(2) call and
their children. For example, it may (should?) be wrong for
an incoming ftpd ; and we are probably interested in the
running shell, not the telnetd for an incoming telnet ses-
sion. (But of course identd returns info for outgoing
27 May 1992 4
IDENTD(8) IDENTD(8)
connections, not incoming ones.)
The group or list of groups returned (with the -F option)
are as looked up in the /etc/passwd and /etc/group files,
based on the UID returned. Thus these may not relate well
to the group(s) of the running process for setuid or set-
gid programs or their children.
The command names returned with formats %c and %C may be
different, use one or the other or both.
FILES
/etc/identd.conf
This file is as yet un-used, but will eventually
contain configuration options for identd
/etc/identd.key
If compiled with -ldes this file can be used to
specify a secret key for encrypting replies.
SECURITY CONSIDERATIONS
May leak information generally considered "private" unless
the -e flag or -L flags are used.
The protocol is unprotected and is vulnerable to man-in-
the-middle attacks.
SEE ALSO
inetd.conf(5)
BUGS
The -e and -L flags should be enabled by default.
The whole concept of this service is a bug; cryptographic
authentication should be integrated into services which
think they need this.
The handling of fatal errors could be better.
27 May 1992 5
Powered by man-cgi (2024-03-20).
Maintained for NetBSD
by Kimmo Suominen.
Based on man-cgi by Panagiotis Christias.