File: INSTALL

package info
oidentd 1.6.4-2
  • links: PTS
  • area: main
  • in suites: potato
  • size: 408 kB
  • ctags: 138
  • sloc: sh: 2,008; ansic: 1,728; makefile: 52
$Id: INSTALL,v 1.4 2000/01/01 02:11:33 odin Exp $


INSTALL file for oidentd version 1.6.4

-------------------
INSTALLING OIDENTD
-------------------

Issuing the commands "./configure", then "make", then "make install" will
(respectively) configure, compile and install the oidentd daemon and its
manual page.  By default, the daemon is installed to /usr/local/sbin/oidentd,
and the uncompressed manual page is installed to /usr/local/man/man8.

A number of compile-time values can be set via the configure script.
For a summary, run "./configure --help".

After oidentd has been installed, an entry for it must be added in the 
/etc/inetd.conf file, if you are running inetd.  A generic example for
Linux is:

auth     stream   tcp   nowait  nobody  /usr/local/sbin/oidentd oidentd -i

If you prefer not to use inetd, oidentd can be run as a stand-alone
daemon.  For more information and a complete description of all options,
refer to the manual page.

Oidentd does not require superuser privileges and should not be run as
root.  On OpenBSD 2.3 and earlier, and on FreeBSD, oidentd should be run
with group kmem.  An example inetd line is:

auth  stream  tcp  wait  nobody:kmem  /usr/local/sbin/oidentd oidentd -wi

----------------
IP-MASQUERADING
----------------

If you are using IP masquerading, oidentd can optionally return a
username for all masqueraded connections from other machines.  Support for
this is enabled by calling oidentd with the -m flag and by creating an
/etc/oidentd.users file.  This file must be readable by the oidentd daemon
user and has the following format:

IP-ADDRESS[/<mask>]            USER-NAME   SYSTEM-TYPE

Example:
192.168.1.1                    someone     UNIX
192.168.1.2                    noone       WINDOWS
192.168.1.1/32                 user1       UNIX
192.168.1.0/24                 user3       UNIX
192.168.0.0/16                 user4       UNIX
somehost                       user5       UNIX
10.0.0.0/8                     user6       UNIX
192.168.1.0/255.255.255.0      user7       UNIX

(You get the point)
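As an added illustration (not code from oidentd itself), the following parses entries in the /etc/oidentd.users format above and finds the entry for a masqueraded source address. It assumes first-match-wins precedence and that hostname entries are compared against a name the caller has already resolved; both are assumptions, since INSTALL does not document them.

```python
import ipaddress

# Constructed sample /etc/oidentd.users contents, mirroring the INSTALL examples.
SAMPLE_USERS = """\
192.168.1.1                    someone     UNIX
192.168.1.2                    noone       WINDOWS
192.168.1.0/24                 user3       UNIX
192.168.0.0/16                 user4       UNIX
somehost                       user5       UNIX
10.0.0.0/8                     user6       UNIX
192.168.1.0/255.255.255.0      user7       UNIX
"""

def parse_users_file(text):
    """Return (matcher, username, system_type) tuples, one per entry.

    matcher is an ipaddress.IPv4Network for bare IPs, IP/prefix and
    IP/dotted-mask forms, or a lowercase hostname string otherwise.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue                       # skip blank lines
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        target, user, systype = fields
        try:
            # strict=False accepts a dotted netmask and host bits in the address
            matcher = ipaddress.ip_network(target, strict=False)
        except ValueError:                 # not an address: treat as a hostname
            matcher = target.lower()
        entries.append((matcher, user, systype))
    return entries

def lookup(entries, addr, hostname=None):
    """First entry matching addr, or the caller-resolved hostname; else None.

    First match wins (an assumption; the daemon's own precedence is not
    documented in INSTALL), so order the file from specific to general.
    """
    ip = ipaddress.ip_address(addr)
    for matcher, user, systype in entries:
        if isinstance(matcher, str):
            if hostname is not None and matcher == hostname.lower():
                return user, systype
        elif ip in matcher:
            return user, systype
    return None
```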

As of version 1.4 (1.6.0, successfully!), oidentd can forward requests
for an IP masqueraded connection to the machine from which the connection
originates by way of the -f option.  This will only work if the host to
which the connection is forwarded is running oidentd (with -P <proxy>)
or if the host's ident daemon will return a valid reply regardless of the
input supplied by, and the address of, the host requesting the info (some
ident daemons for Windows do this; maybe others).

You cannot run oidentd with the -P option on an OpenBSD host.  As far as I
can tell, kernel modifications would be required to make it work.

---------------
IDENT SPOOFING
---------------

Oidentd can optionally return an ident other than the default (your
username or UID, depending on how oidentd is run).  To enable identd
spoofing, observe the following procedure:

1. Add -s or -S to the flags with which oidentd is called.  Consult the
   manual page for a description of these options.

2. If the file /etc/identd.spoof does not exist, create it and
   give the user as which oidentd runs read permission for it.

   - In order for local users to spoof identd replies, their usernames must
     be contained in the /etc/identd.spoof file.  If oidentd was called with
     -S instead of -s, their usernames must *not* be contained in this file
     if they are to be able to spoof identd replies; with -S all users
     except those listed in /etc/identd.spoof may spoof identd replies.

   - The format of the /etc/identd.spoof file is one entry per line.
     Lines beginning with '#' are considered comments.  An entry has the
     form user[:identd reply].  The "identd reply" part is optional.
     For example:

user
#user2
nobody:UNKNOWN

3. When ident spoofing is enabled, oidentd first checks the /etc/identd.spoof
   file to ensure the user owning the connection has permission to spoof
   identd replies.  If the username is found in the /etc/identd.spoof file
   and an identd reply is specified there, that reply is returned
   immediately.  If no reply is specified, oidentd looks for the string it
   should return in an .ispoof file, which must be located in the user's
   home directory.  This file should only contain the reply that oidentd
   will return upon a successful request for the user.  The .ispoof file
   must be owned by the user for which the request is made.  Be sure this
   file is readable by the daemon user (i.e., be sure the user as which
   oidentd runs has at least search permission for the home directory and
   read permission for .ispoof).  For example:

$ id
uid=500(user) gid=100(users)
$ echo response > ~/.ispoof && chmod o+x ~ && chmod o+r ~/.ispoof
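The following is an added example, not oidentd's own code: it models the decision in step 3 above (the -s/-S listing rule, the fixed reply from /etc/identd.spoof, then the owner and readability checks on ~/.ispoof) and exercises it against a temporary home directory. It assumes a POSIX system and that, under -S, a "user:reply" entry only excludes the user rather than supplying a reply.

```python
import os
import tempfile
from pathlib import Path

# Constructed /etc/identd.spoof contents, following the examples in INSTALL.
SAMPLE_SPOOF = "user\n#user2\nnobody:UNKNOWN\n"
def parse_spoof_file(text):
    """Map user -> fixed reply, or None when the entry has no ':reply' part."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # '#' lines are comments
            continue
        user, sep, reply = line.partition(":")
        table[user] = reply if sep else None
    return table

def spoofed_reply(table, user, home, uid, exclude_mode=False):
    """Model the spoofing decision: exclude_mode=False is -s (only listed
    users may spoof), True is -S (all but listed users may spoof).
    Returns the spoofed string, or None to fall back to the normal reply."""
    listed = user in table
    if listed == exclude_mode:            # unlisted under -s, listed under -S
        return None
    if listed and table[user] is not None:
        return table[user]                # fixed reply from identd.spoof wins
    ispoof = Path(home) / ".ispoof"
    try:
        if ispoof.stat().st_uid != uid:   # .ispoof must be owned by the user
            return None
        first = (ispoof.read_text().splitlines() or [""])[0]
    except OSError:                       # missing, or unreadable by daemon user
        return None
    return first.strip() or None

def demo():
    """Exercise the rules against a temporary home directory (constructed)."""
    table = parse_spoof_file(SAMPLE_SPOOF)
    me = os.getuid()
    with tempfile.TemporaryDirectory() as home:
        Path(home, ".ispoof").write_text("response\n")
        return {
            "nobody_fixed": spoofed_reply(table, "nobody", home, me),
            "user_ispoof": spoofed_reply(table, "user", home, me),
            "user2_commented": spoofed_reply(table, "user2", home, me),
            "wrong_owner": spoofed_reply(table, "user", home, me + 1),
            "user_under_S": spoofed_reply(table, "user", home, me, True),
            "user2_under_S": spoofed_reply(table, "user2", home, me, True),
        }
```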

------------------------------
OPTIONS (output of oidentd -h)
------------------------------

Usage: oidentd  [options]
  -a <address>  Bind to <address>. (Defaults to INADDR_ANY)
  -A            When spoofing is enabled, enable users to spoof
                ident on connections to privileged ports.
  -c <charset>  Specify an alternate charset. (Defaults to "US-ASCII")
  -d            Enable debugging.
  -e            Return "UNKNOWN-ERROR" for all errors.
  -f <port>     Forward requests for masqueraded hosts to the host on <port>
  -F            Same as -f, but always use the default port (113) by default
  -g <gid>      Run with specified gid.
  -i            Run from inetd.
  -m            Enable support for IP masquerading.
  -n            Return UIDs instead of usernames
  -N            Allow identd hiding via ".noident"
  -o            Return "OTHER" instead of the operating system.
  -p <port>     Listen for connections on specified port. (Defaults to auth)
  -q            Suppress normal logging.
  -P <host>     host acts as a proxy, forwarding connections to us.
  -r            Randomize identd replies.
                    Note: The -n and -r options are incompatible.
  -s            Allow identd spoofing.
  -S            Same as -s but allow all users but those listed in
                /etc/identd.spoof to spoof replies.
  -t <seconds>  Wait for <seconds> before closing connection. (Defaults to 15)
  -T <seconds>  oidentd will remain accepting connections when run
                with -w for <seconds>.
  -u <uid>      Run with specified uid.
  -v/-V         Display version information and exit.
  -w            Wait mode.
  -x <string>   If a query fails, pretend it succeeded, returning <string>
  -W            oidentd is wrapped. (tcp wrappers)
  -h            This help message.