S/Ident Installation Instructions
Written by Booker Bense <bbense@stanford.edu>
Currently maintained by Russ Allbery <rra@stanford.edu>
BASIC INSTALLATION
1. Run "configure":
$ ./configure
You can specify an alternate destination to override the default with
the --prefix option:
$ ./configure --prefix=/usr/local/gnu
or some path that is more appropriate for your site. The default
prefix value is /usr/local, with binaries in subdirectory sbin,
manual pages in subdirectory man, libraries in subdirectory lib, and
include files in subdirectory include.
To specify the location of the Kerberos header files and libraries,
use the --with-kerberos=DIR option. DIR should be a directory with
subdirectories include and lib, holding the Kerberos include files
and libraries respectively.
Try "./configure --help" for further information on its usage and see
the CONFIGURE INFORMATION section below.
The configure script attempts to identify your system and use the
correct source code to interrogate the kernel. If it cannot match up
a kernel file to your OS (you will see a warning message from the
configure script), look in the directory
responder/kernel
There are many more files in there than I have access to machines
to test and configure. If you find one that looks right for your
system, link it to
responder/kernel.c
If this works for you, please email me the name of the file you chose
and the config.status file generated by your system.
If you wish to only build the requester library and not the sidentd
responder, give the --disable-responder argument to configure.
2. Look at the macro SERVER_PORT in responder/identd.h.
This macro defines the set of ports on which your system provides
services to other machines. These are the ports that are
automatically rejected when you run the responder with the -C flag
(i.e. only respond to S/Ident requests that look like "client"
ports). You may wish to use this to restrict the ability of "random"
machines on the network to gain information about servers running on
your machine. The default macro rejects anything with a port number
in the reserved port range or equal to the standard X Window server
port.
To get the most complete coverage possible you should run
netstat -a -f inet
on the machine and block any tcp ports on which you run servers.
Lines like
tcp 0 0 *.6000 *.* LISTEN
signify that you are running a tcp based server on port 6000.
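As an added example (not part of the S/Ident distribution), the script below reads netstat output and lists the listening TCP ports that the default described above does not already reject, so you know which ones to add to SERVER_PORT. It assumes the reserved range means ports below 1024 and the X server port is 6000; the function names and sample lines are constructed for illustration, and it also accepts the Linux "addr:port" form in addition to the "*.6000" form shown above.

```shell
#!/bin/sh
# Added example: list listening TCP ports that the default SERVER_PORT
# behaviour (reserved range or X server port) does not cover.
# Assumptions: reserved range = ports below 1024; X server port = 6000.

# Read netstat output on stdin; print one uncovered listening port per line.
uncovered_listen_ports() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            # Port follows the last "." (BSD/Solaris) or ":" (Linux).
            n = split($4, parts, "[.:]")
            port = parts[n]
            if (port !~ /^[0-9]+$/) next           # unresolved service name
            port += 0
            if (port < 1024 || port == 6000) next  # rejected by the default
            if (!(port in seen)) { seen[port] = 1; print port }
        }
    ' | sort -n
}

# Constructed sample in the format shown above (not from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  *.6000                 *.*                    LISTEN
tcp        0      0  *.8080                 *.*                    LISTEN
tcp        0      0  127.0.0.1.5432         *.*                    LISTEN
tcp        0      0  10.0.0.5.8080          10.0.0.9.51544         ESTABLISHED
tcp6       0      0  *.8080                 *.*                    LISTEN
udp        0      0  *.514                  *.*
EOF
}

# Stand-alone run on the sample; on a real host pipe netstat in instead.
sample_netstat | uncovered_listen_ports
```

On a real machine, pipe "netstat -a -n -f inet" into uncovered_listen_ports; the -n flag keeps ports numeric, since lines showing service names are skipped.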
3. Try to build it:
$ make
This will (hopefully) make the needed S/Ident binaries within the
responder directory and the S/Ident library in the requester
directory. There are also some simple test programs in each of these
directories.
sident-test.c: A simple server to test the requester library. You
can install it in inetd.conf as
lookup stream tcp nowait root /usr/local/sbin/sident-test
where "lookup" is some service port configured in /etc/services. It
takes the srvtab and keytab paths on the command line and attempts to
do an S/Ident callback for any incoming connection.
itest.c: A simple test program in the responder source to test the
kernel reading code for your system.
If something fails for your system, and you want to submit a bug
report, you may wish to include your "config.status" file, your host
type, operating system and compiler information, make output, and
anything else you think will be helpful.
4. Install the binaries/documentation. You can do this by running:
$ make install
but you will also need to configure every system that should be
running a responder. I suggest that you read
doc/draft-morgan-ident-ext-01.txt
before installing anything. The man page for sidentd documents how
to correctly install it.
CONFIGURE INFORMATION
Here are the most commonly used options to the configure script. For a
full list of options, run ./configure --help. For more detailed
documentation about configure, please refer to the GNU Autoconf
documentation.
--prefix=DIR
The root of where to install the various pieces of S/Ident. The
default is /usr/local. You can also use --includedir, --libdir,
--mandir, and --sbindir to separately set the paths for each portion
of the install.
--with-kerberos=DIR
Specifies the location of your Kerberos installation if it's not in
the paths searched by default by your compiler. S/Ident will expect
libraries in DIR/lib and include files in DIR/include.
--disable-krb4
Disable Kerberos v4 authentication support in both the responder and
the requester library, only supporting GSSAPI authentication (and
regular ident).
--enable-static-daemon
Statically link the S/Ident responder against the Kerberos
libraries. This will allow the responder to run on systems that
don't have the Kerberos libraries installed.
--disable-responder
Only build (and install) the requester library. Don't build or
install the sidentd responder daemon.
--disable-shared
--disable-static
By default, both shared and static versions of the libsident
requester library will be built. If you want to disable one or the
other of those, use these flags.
--enable-reduced-depends
Try to minimize the shared library dependencies encoded in the
binaries. This omits from the link line all the libraries included
solely because the Kerberos libraries depend on them and instead
links the programs only against libraries whose APIs are called
directly. This will only work with shared Kerberos libraries and
will only work on platforms where shared libraries properly encode
their own dependencies (such as Linux). It is intended primarily
for building packages for Linux distributions to avoid encoding
unnecessary shared library dependencies that make shared library
migrations more difficult. If none of the above made any sense to
you, don't bother with this flag.
The following environment variables override configure's default
behaviour:
CC
The compiler to use. If not set, tries to use gcc first, then cc.
Note that the appropriate argument for 64-bit compiles will be
automatically added if you are building the responder on Solaris and
isalist indicates that you have a 64-bit kernel (-xarch=v9 for cc
and -m64 for gcc).
CFLAGS
The options to use when compiling. By default, configure tries to
use "-g -O" as options, backing down to -g alone if that doesn't
work.
KRB5_CONFIG
The path to a krb5-config program to use to determine the link flags
for Kerberos. By default, S/Ident looks for bin/krb5-config under
the path given to --with-kerberos or krb5-config on the user's path
if --with-kerberos is not given. This environment variable can be
set to a specific path to force the use of that krb5-config script.