
identd(1)						identd(1)

NAME
       identd, in.identd - TCP/IP IDENT protocol server

SYNOPSIS
       [in.]identd [options]

DESCRIPTION
       Identd  is  a  server which implements the TCP/IP proposed
       standard IDENT user identification protocol  as	specified
       in the RFC 1413 document.

       identd operates by looking up specific TCP/IP connections
       and returning the user name of the process owning the
       connection. It can optionally return other information
       instead of a user name.

OPTIONS
       -h	 Display the available command line options.

       -V        Display the version and the OS version it was
                 compiled for, and then exit.

       -d	 Enables extra debugging messages.

       -C<file>	 Directs identd to parse additional configuration
		 options from the file specified.

       -i	 May be used when starting the	daemon	by  inetd
		 with the "nowait" option (see below).

       -w	 May  be  used	when starting the daemon by inetd
		 with the "wait" option (see below).

       -I	 May be used when the daemon is started	 by  init
		 (see below).

       -b        May be used to make the daemon run in
                 standalone mode (see below).

       -u<user>  Used to specify a user number or name to which
                 the server should switch after binding itself
                 to the TCP/IP port and opening the kernel
                 devices.

       -g<group> Used to specify a group number or name which the
		 server should switch to after binding itself  to
		 the  TCP/IP port and opening the kernel devices.

       -p<port>  Used to specify an alternative TCP port to bind
                 to, if running as a standalone daemon or started
                 by init. Can be specified by name or by number.
                 Defaults to the IDENT port (113).

       -t<limit> Used  to specify the request timeout limit. This
		 is the maximum number of seconds a  server  will
		 allow	a  client  connection to be active before
		 terminating it. It defaults to 120 seconds.

       -P<pidfile>
                 Specify the location of a file to store the
                 process number of the Identd daemon.

       -K<nthreads>
                 Control the number of threads to use for kernel
                 lookups.

       -L<facility>
                 Set the syslog facility to use instead of
                 'daemon'.

       -o	 Directs  identd  to return OTHER instead of UNIX
		 as the "operating system".

       -E	 Enables DES encryption of the returned data (see
		 below for more information).

       -n	 Directs  identd  to  always  return user numbers
		 instead of user names (for example if	you  wish
		 to keep the user names a secret).

       -N        Directs identd to check for a file ".noident" in
                 the home directory of the user whose user name
                 the daemon is about to return. If that file
                 exists then the daemon will give the error
                 HIDDEN-USER instead of the normal USERID
                 response.

       -e        Enables certain non-standard protocol
                 extensions. Currently defined extensions include
                 the requests VERSION to return the Ident daemon
                 version and QUIT to terminate a session (useful
                 in conjunction with the -m option).

       -m        Enables identd to use a mode of operation that
                 will allow multiple requests to be processed per
                 session. Each request is specified one per line
                 and the responses will be returned one per line.
                 The connection will not be closed until the
                 connecting party closes its end of the line.

INSTALLATION
       The preferred way to start identd depends on how it was
       built.

       If it was built with support for multithreading then it
       should be started either from init, as a standalone
       daemon or from inetd using the "wait" mode (if your inetd
       supports it!)

       If it was built without support for multithreading then it
       should be started from inetd  using  the	 normal	 "nowait"
       mode  for  "stream  tcp"	 services. (The main reason being
       that it will be single-threaded, so it will only serve one
       client connection at a time).

       identd  normally	 will  autodetect  how	it was invoked so
       there normally is no need to use	 the  four  command  line
       switches (-i, -w, -I, -b).

ENCRYPTION
       DES  encryption	is only available if the daemon was built
       with support for it enabled.

       An encryption key (1024 bytes long) should be stored in
       the key file (/etc/identd.key) and it should be generated
       using a cryptographically safe random generator in order
       to be really safe. It should not contain any NUL (0x00)
       characters since this is used as a string to generate the
       real binary DES key.

       This  file  may	contain multiple 1024 byte long keys, and
       the server will use the last key stored in that file.

       The returned token will contain the local and remote IP
       addresses and TCP port numbers, the local user's uid
       number, a timestamp, a random number, and a checksum - all
       encrypted using DES. The encrypted binary information is
       then encoded in a BASE64 string (32 characters long) and
       enclosed in square brackets to produce a token that is
       transmitted to the remote client.

       The encrypted token can later be decrypted by the idecrypt
       command. This program will attempt to decrypt a token with
       all the keys stored in the key file until it succeeds (or
       has tried all the keys).
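
       Added example (not part of the original man page or of the
       identd distribution): a Python classifier for the reply lines
       this server can emit, so a client or log processor can tell a
       plain user name from a uid (-n), an encrypted token (-E) or
       HIDDEN-USER (-N). The reply grammar follows RFC 1413; the
       function name, the sample lines and the use of the standard
       base64 alphabet for tokens are assumptions of this example.

```python
import re

# RFC 1413 reply line: "<server-port> , <client-port> : USERID|ERROR : <rest>"
REPLY_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:(.*)$")
# Encrypted token as described above: 32 base64 characters in square brackets.
# Assumption: the standard base64 alphabet (A-Z a-z 0-9 + /).
TOKEN_RE = re.compile(r"^\[[A-Za-z0-9+/]{32}\]$")


def parse_ident_reply(line):
    """Classify one identd reply line; return a dict, or None if malformed."""
    m = REPLY_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    out = {"server_port": int(m.group(1)), "client_port": int(m.group(2))}
    if m.group(3) == "ERROR":
        error = m.group(4).strip()
        # HIDDEN-USER is what -N / result:noident produces for opted-out users.
        out.update(kind="hidden" if error == "HIDDEN-USER" else "error", error=error)
        return out
    # USERID : <opsys>[,<charset>] : <user-id>  (the user-id may contain ':')
    opsys_field, sep, user_id = m.group(4).partition(":")
    # Simplification: strict RFC 1413 treats this whitespace as part of the id.
    user_id = user_id.strip()
    if not sep or not user_id:
        return None
    opsys, _, charset = (p.strip() for p in opsys_field.partition(","))
    if TOKEN_RE.match(user_id):
        kind = "encrypted"   # -E / result:encrypt: opaque until run through idecrypt
    elif user_id.isdigit():
        kind = "uid"         # looks like -n / result:uid-only output
    else:
        kind = "username"
    out.update(kind=kind, opsys=opsys, charset=charset or "US-ASCII", user_id=user_id)
    return out


# Constructed sample replies (not captured from a real server).
SAMPLES = [
    "6193, 23 : USERID : UNIX : alice",
    "6193, 23 : USERID : OTHER : 1001",
    "6193, 23 : USERID : OTHER : [" + "A" * 32 + "]",
    "6193, 23 : ERROR : HIDDEN-USER",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_ident_reply(sample))
```

       A 32-character base64 token decodes to 24 bytes, so a field of
       any other length in square brackets is not classified as a token.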

CONFIGURATION FILE
       The  configuration  file	 contains  a list of option=value
       pairs.

       syslog:facility = FACILITY
		 Set which facility to use  when  sending  syslog
		 messages.

       server:user = USER
		 Set  what  user  (and	group,	from  the  passwd
		 database) the daemon should run as after it  has
		 opened all the kernel handles. (Default: nobody)

       server:group = GROUP
		 Override the group id (as set by the server:user
		 option).

       server:port = PORT
		 Set  what  TCP/IP  port the daemon should listen
		 to. (Default: 113)

       server:backlog = LIMIT
		 Set the size  of  the	server	listen()  backlog
		 limit.

       server:pid-file = PATH
                 Set the path to the file where the server will
                 store its process id.

       server:max-request = LIMIT
		 Max  number  of  concurrent  requests	 allowed.
		 Default is 0 (zero) which means "no limit".

       protocol:extensions = ON/OFF
                 Enable/disable the nonstandard protocol
                 extensions (VERSION and QUIT currently).
                 Default: off

       protocol:multiquery = ON/OFF
                 Enable/disable the multiple queries per
                 connection feature. Default: off

       protocol:timeout = SECONDS
		 Max number of seconds since connection	 or  last
		 request.  If set to 0 (zero), no timeout will be
		 used. Default: 120 seconds.

       kernel:threads = LIMIT
                 Max number of threads doing kernel lookups
                 concurrently. Default: 8

       kernel:buffers = LIMIT
		 Max  number  of  queued  kernel lookup requests.
		 Default: 32

       kernel:attempts = LIMIT
		 Max number of times to retry a kernel lookup  in
		 case of failure.  Default: 5

       result:uid-only = YES/NO
		 Disable  uid->username	 lookups (only return uid
		 numbers). Default: no

       result:noident = ON/OFF
                 Enable/disable checking for the ".noident" file
                 in users' home directories.

       result:charset = CHARSET
		 Define	 the  character	 set returned in replies.
		 Default: "US-ASCII"

       result:opsys = OPSYS
		 Define the operating system returned in replies.
		 Default: "UNIX"

       result:syslog-level = LEVEL
                 If set to anything other than "none", all
                 request replies will be sent to the syslog
                 service with the specified severity level.
                 Default: none

       result:encrypt = YES/NO
		 Enable encryption of replies. Only available  if
		 Identd	 was built with a DES encryption library.

       encrypt:key-file = PATH
		 Path to the file containing the encryption keys.

       include = PATH
                 Include (and parse) the contents of another
                 configuration file.

NOTES
       The username (or UID) returned ought to be the login name.
       However it (probably, for most architecture
       implementations) is the "real user ID" as stored with the
       process. Thus the UID returned may be different from the
       login name for setuid programs (or those running as root)
       which have done a setuid(3) call, and their children. For
       example, it may (should?) be wrong for an incoming ftpd;
       and we are probably interested in the running shell, not
       the telnetd, for an incoming telnet session. (But of course
       identd returns info for outgoing connections, not incoming
       ones.)

FILES
       /etc/identd.conf
	      Contains	the  default  configuration  options  for
	      identd.

       /etc/identd.pid
	      Contains	(if  enabled)  the  process number of the
	      identd daemon.

       /etc/identd.key
              If compiled with DES encryption enabled, the first
              1024 bytes of this file are used to specify the
              secret key for encrypting replies.

AVAILABILITY
       The daemon is  free  software.  You  can	 redistribute  it
       and/or  modify it as you wish - as long as you don't claim
       that you wrote it.

       The source code for the latest version of the  daemon  can
       always be FTP'd from one of the following addresses:

       Main site:  ftp://ftp.lysator.liu.se/pub/ident/servers/

       Mirror:	   ftp://ftp.uu.net/networking/ident/servers/

       The author can be contacted at:

       Email:	   Peter Eriksson <pen@lysator.liu.se>

SEE ALSO
       idecrypt(8), ikeygen(8), authuser(3), inetd.conf(5)

			    8 Jan 1999			identd(1)