identd man page on BSDi

IDENTD(8)						IDENTD(8)

NAME
       identd - TCP/IP IDENT protocol server

SYNOPSIS
       /usr/libexec/identd [-i|-w|-b] [-t<seconds>] [-u<uid>]
       [-g<gid>] [-p<port>] [-a<address>] [-c<charset>]
       [-C[<keyfile>]] [-o] [-e] [-l] [-V] [-m] [-N] [-d]
       [-F<format>] [kernelfile [kmemfile]]

DESCRIPTION
       identd is a server which implements the TCP/IP proposed
       standard IDENT user identification protocol as specified
       in the RFC 1413 document.

       identd operates by looking up specific TCP/IP connections
       and returning the user name of the process owning the
       connection. It can optionally return other information
       instead of a user name.

ARGUMENTS
       The -i flag, which is the default mode, should be used
       when starting the daemon from inetd with the "nowait"
       option in the /etc/inetd.conf file. Use of this mode will
       make inetd start one identd daemon for each connection
       request.

       The -w flag should be used when starting the daemon from
       inetd with the "wait" option in the /etc/inetd.conf file.
       This is the preferred mode of operation since that will
       start a copy of identd at the first connection request and
       then identd will handle subsequent requests without having
       to do the nlist lookup in the kernel file for every
       request as in the -i mode above. The identd daemon will
       then run until either a bug makes it crash or a timeout,
       as specified by the -t flag, occurs; with no timeout it
       runs forever.

       The -b flag can be used to make the daemon run in
       standalone mode without the assistance from inetd. This
       mode is the least preferred mode since a bug or any other
       fatal condition in the server will make it terminate and
       it will then have to be restarted manually. Other than
       that it has the same advantage as the -w mode in that it
       parses the nlist only once.

       The -t<seconds> option is used to specify the timeout
       limit. This is the number of seconds a server started with
       the -w flag will wait for new connections before
       terminating. The server is automatically restarted by
       inetd whenever a new connection is requested if it has
       terminated. A suitable value for this is 120 (2 minutes),
       if used. It defaults to no timeout (i.e. will wait
       forever, or until a fatal condition occurs in the server).

       The -u<uid> option is used to specify a user id number
       which the ident server should switch to after binding
       itself to the TCP/IP port if using the -b mode of
       operation.

			   27 May 1992				1

       The -g<gid> option is used to specify a group id number
       which the ident server should switch to after binding
       itself to the TCP/IP port if using the -b mode of
       operation.

       The -p<port> option is used to specify an alternative port
       number to bind to if using the -b mode of operation. It
       can be specified by name or by number. Defaults to the
       IDENT port (113).

       The -a<address> option is used to specify the local
       address to bind the socket to if using the -b mode of
       operation. Can only be specified by IP address and not by
       domain name. Defaults to the INADDR_ANY address which
       normally means all local addresses.
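       The -b start-up sequence that -u, -g, -p and -a describe,
       as an added example in Python (this is not pidentd's own
       code): bind the listening socket while still privileged,
       then switch group and user and verify that the switch
       actually took effect and cannot be undone. The function
       names are this example's own; the real daemon binds port
       113 and drops to the ids given on its command line.

```python
import os
import socket

def parse_bind_address(text):
    """-a accepts only a dotted IP address, never a domain name, so no
    resolver lookup happens while the daemon is still root.  An empty
    string stands for INADDR_ANY, the -a default."""
    if text == "":
        return "0.0.0.0"
    try:
        socket.inet_aton(text)
    except OSError:
        raise ValueError(f"-a requires an IP address, got {text!r}")
    return text

def bind_listener(address="", port=113):
    """Bind and listen first, while still privileged (port 113 is below
    1024 and needs root).  port may be a service name or a number, as
    with -p."""
    if isinstance(port, str) and not port.isdigit():
        port = socket.getservbyname(port, "tcp")
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((parse_bind_address(address), int(port)))
    sock.listen(5)
    return sock

def drop_privileges(uid, gid):
    """Switch to gid first, then uid: once the uid is unprivileged a
    later setgid() would fail.  Returns True only if the new ids are in
    effect and root cannot be regained."""
    os.setgid(gid)
    os.setuid(uid)
    if (os.getuid(), os.geteuid(), os.getgid(), os.getegid()) != (uid, uid, gid, gid):
        return False
    if uid != 0:
        try:
            os.setuid(0)          # must fail for a real, irreversible drop
        except PermissionError:
            return True
        return False              # root came back: the drop was not real
    return True

def current_ids():
    """(uid, gid) of this process, so the stand-alone run can exercise
    drop_privileges without needing root."""
    return os.getuid(), os.getgid()

if __name__ == "__main__":
    # Demonstration on the loopback address and a free port so that it
    # runs unprivileged; the daemon would use port 113 and e.g. -u2 -g2.
    listener = bind_listener("127.0.0.1", 0)
    uid, gid = current_ids()
    print("listening on", listener.getsockname(),
          "dropped:", drop_privileges(uid, gid))
    listener.close()
```

       The order matters: the socket is bound before the ids
       change, and the group is changed before the user, since an
       unprivileged uid can no longer call setgid().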

       The -V flag makes identd display the version number and
       then exit.

       The -l flag tells identd to use the System logging  daemon
       syslogd for logging purposes.

       The -o flag tells identd to not reveal the operating
       system type it is run on and to instead always return
       "OTHER".

       The  -e flag tells identd to always return "UNKNOWN-ERROR"
       instead of the "NO-USER" or "INVALID-PORT" errors.

       The -c<charset> flag tells identd to add the optional
       (according to the IDENT protocol) character set designator
       to the reply generated. charset should be a valid
       character set as described in the MIME RFC in upper case
       characters.

       The -C[<keyfile>] option tells identd to return encrypted
       tokens instead of user names. The local and remote IP
       addresses and TCP port numbers, the local user's uid
       number, a timestamp, a random number, and a checksum, are
       all encrypted using DES with a secret key derived from the
       first line of the keyfile (using des_string_to_key(3)).
       The encrypted binary information is then encoded in a
       base64 string (32 characters in length) and enclosed in
       square brackets to produce a token that is transmitted to
       the remote client. The encrypted token can later be
       decrypted by idecrypt(8). There may not be a space
       between the -C and the name of the keyfile. If the
       keyfile is not specified, it defaults to /etc/identd.key.

       The -n flag tells identd to always return user numbers
       instead of user names if you wish to keep the user names a
       secret.

       The -N flag makes identd check for a file ".noident" in
       the home directory of each user which the daemon is about
       to return the user name for. If that file exists then the
       daemon will give the error HIDDEN-USER instead of the
       normal USERID response.

       The -m flag makes identd use a mode of operation that will
       allow multiple requests to be processed per session. Each
       request is specified one per line and the responses will
       be returned one per line. The connection will not be
       closed until the connecting party closes its end of the
       line. PLEASE NOTE THAT THIS MODE VIOLATES THE PROTOCOL
       SPECIFICATION AS IT CURRENTLY STANDS.

       The -d flag enables some debugging code that normally
       should NOT be enabled since that breaks the protocol and
       may reveal information that should not be available to
       outsiders.
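       How the -o, -e, -c, -n, -N and -m options change the RFC
       1413 reply, as an added example in Python (not pidentd's
       own code). The connection table, the passwd entries and
       the set of users with a ~/.noident file are constructed
       stand-ins for what the real daemon reads from the kernel
       and the file system; the reply chosen for an unparseable
       request is this example's own choice.

```python
import re

# Constructed stand-in for the kernel's TCP connection table:
# (local port, remote port) -> uid owning the connection.
CONNECTIONS = {
    (6667, 42123): 1001,   # outgoing IRC connection owned by uid 1001
    (25, 52001): 0,        # outgoing SMTP connection owned by root
    (22, 39001): 1002,     # owned by uid 1002, who has a ~/.noident file
}
# Constructed stand-in for /etc/passwd (uid -> login name).
PASSWD = {0: "root", 1001: "alice", 1002: "bob"}
# Constructed: uids whose home directory contains a ".noident" file.
NOIDENT_USERS = {1002}

# RFC 1413 request line: "<port-on-server> , <port-on-client>"
REQUEST_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")

def ident_reply(line, *, hide_os=False, hide_errors=False, numeric=False,
                honor_noident=False, charset=None, os_name="UNIX"):
    """Build one reply line (without the trailing CRLF).
    hide_os is -o, hide_errors is -e, numeric is -n, honor_noident is -N
    and charset is -c<charset>."""
    m = REQUEST_RE.match(line)
    if not m:
        # Unparseable request: echoing "0 , 0" is this example's choice.
        pair, error = "0 , 0", "INVALID-PORT"
    else:
        local, remote = int(m.group(1)), int(m.group(2))
        pair = f"{local} , {remote}"
        if not (1 <= local <= 65535 and 1 <= remote <= 65535):
            error = "INVALID-PORT"
        else:
            uid = CONNECTIONS.get((local, remote))
            if uid is None:
                error = "NO-USER"
            elif honor_noident and uid in NOIDENT_USERS:
                # -N: HIDDEN-USER is returned even with -e, which only
                # rewrites NO-USER and INVALID-PORT.
                return f"{pair} : ERROR : HIDDEN-USER"
            else:
                opsys = "OTHER" if hide_os else os_name
                if charset:
                    opsys = f"{opsys},{charset}"
                user = str(uid) if numeric else PASSWD.get(uid, str(uid))
                return f"{pair} : USERID : {opsys} : {user}"
    if hide_errors:
        error = "UNKNOWN-ERROR"
    return f"{pair} : ERROR : {error}"

def serve_session(request_lines, multi=False, **opts):
    """Replies for the lines received on one connection: without -m the
    first request is answered and the connection closed; with -m
    (multi=True) every line is answered on the same connection."""
    replies = []
    for line in request_lines:
        replies.append(ident_reply(line, **opts))
        if not multi:
            break
    return replies

if __name__ == "__main__":
    for req in ["6667, 42123", "22, 39001", "80, 1", "garbage"]:
        print(ident_reply(req, hide_os=True, hide_errors=True,
                          honor_noident=True))
```

       With -o and -e together a remote client learns only that a
       connection is owned by some user, or that no answer is
       available, without distinguishing an invalid port from an
       unowned one or learning the operating system.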

       The -F<format> option makes identd use the specified
       format to display info. The allowed format specifiers are:
            %u   print user name
            %U   print user number
            %g   print (primary) group name
            %G   print (primary) group number
            %l   print list of all groups by name
            %L   print list of all groups by number
            %p   print process ID of running process
            %c   print command name
            %C   print command and arguments

       The lists of groups (%l, %L) are comma-separated, and
       start with the primary group which is not repeated. The %p
       and the %c and %C formats are not supported on all
       architecture implementations (printing 0 or empty string
       instead).

       Any other characters (preceded by %, and those not
       preceded by it) are printed literally. The "default" format
       is %u, and you should not use anything else without the -o
       flag.

       Not implemented yet, but on my wish-list are the
       following:
            %w   print working (current) directory
            %h   print home (login, naming) directory
            %e   print the environment
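       Expanding an -F format string against constructed
       /etc/passwd and /etc/group data, as an added example in
       Python (not part of pidentd). It follows the rules above:
       the group lists start with the primary group and do not
       repeat it, %p, %c and %C fall back to 0 or an empty string
       where the information is unavailable, and any other
       character after % is printed literally (this example reads
       that as dropping the % itself, which is an assumption).

```python
# Constructed stand-ins for /etc/passwd (uid -> login name, primary gid)
# and /etc/group (gid -> group name, member logins).
PASSWD = {1001: ("alice", 100), 1002: ("bob", 100)}
GROUPS = {
    100: ("users", ["alice"]),          # alice listed here too: not repeated
    10:  ("wheel", ["alice"]),
    200: ("staff", ["alice", "bob"]),
}
# Constructed process data for %p/%c/%C; absent for uid 1002 to mimic an
# architecture where this information is not available.
PROC = {1001: (4242, "irc", "irc -c #bsd")}

def group_list(uid):
    """Primary group first, then the supplementary groups from the
    group file, with the primary group not repeated."""
    name, primary = PASSWD[uid]
    extra = sorted(gid for gid, (_, members) in GROUPS.items()
                   if name in members and gid != primary)
    return [primary] + extra

def expand_format(fmt, uid):
    """Expand an -F format string for the given uid."""
    name, primary = PASSWD[uid]
    pid, cmd, cmdline = PROC.get(uid, (0, "", ""))   # 0 / "" when unsupported
    gids = group_list(uid)
    spec = {
        "u": name,
        "U": str(uid),
        "g": GROUPS[primary][0],
        "G": str(primary),
        "l": ",".join(GROUPS[g][0] for g in gids),
        "L": ",".join(str(g) for g in gids),
        "p": str(pid),
        "c": cmd,
        "C": cmdline,
    }
    out = []
    i = 0
    while i < len(fmt):
        if fmt[i] == "%" and i + 1 < len(fmt):
            # Known specifier: substitute.  Anything else: print the
            # following character literally (assumption: % is dropped).
            out.append(spec.get(fmt[i + 1], fmt[i + 1]))
            i += 2
        else:
            out.append(fmt[i])      # a lone trailing % is printed as-is
            i += 1
    return "".join(out)

if __name__ == "__main__":
    for fmt in ["%u", "%U", "%g/%G", "%l", "%L", "%u (%c) pid %p"]:
        print(f"{fmt:16} -> {expand_format(fmt, 1001)!r}")
```

       Note that a format such as "%u (%c) pid %p" exposes the
       command name and process id to the remote querier, which
       is why the page advises against anything but %u without
       the -o flag.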

       kernelfile defaults to the normally running kernel file.

       kmemfile defaults to the memory space of the normally run-
       ning kernel.

UNDOCUMENTED FLAGS
       The -v flag enables more verbose output or messages.
       (Further occurrences of the -v flag make things even more
       verbose.) Currently not used: ignored.

       The -f<config-file> option causes identd to use the named
       config file (instead of the default /etc/identd.conf ?).
       Currently not used: ignored, no config files are used.

       The -r<indirect_host> option is used in some way (for
       proxy queries?).

       The -C<keyfile> option is used in some way for DES
       encryption.

INSTALLATION
       identd is invoked either by the internet server (see
       inetd(8C)) for requests to connect to the IDENT port as
       indicated by the /etc/services file (see services(5))
       when using the -w or -i modes of operation, or started
       manually by using the -b mode of operation.

EXAMPLES
       Assuming the server is located in /usr/libexec/identd one
       can put either:

       ident stream tcp wait sys /usr/libexec/identd in.identd -w -t120

       or:

       ident stream tcp nowait sys /usr/libexec/identd in.identd -i

       into the /etc/inetd.conf file. User "sys" should have
       enough rights to READ the kernel but NOT to write to it.

       To start it using the -b mode of operation one can put a
       line like this into the /etc/rc.local file:

       /usr/libexec/identd -b -u2 -g2

       This will make it run in the background as user 2, group 2
       (user "sys", group "kmem" on SunOS 4.1.1).

NOTES
       The username (or UID) returned ought to be the login name.
       However it (probably, for most architecture
       implementations) is the "real user ID" as stored with the
       process; there is no provision for returning the
       "effective user ID". Thus the UID returned may be
       different from the login name for setuid programs (or
       those running as root) which have done a setuid(3) call,
       and their children. For example, it may (should?) be wrong
       for an incoming ftpd; and we are probably interested in
       the running shell, not the telnetd for an incoming telnet
       session. (But of course identd returns info for outgoing
       connections, not incoming ones.)

       The group or list of groups returned (with the -F option)
       are as looked up in the /etc/passwd and /etc/group files,
       based on the UID returned. Thus these may not relate well
       to the group(s) of the running process for setuid or
       setgid programs or their children.

       The command names returned with formats %c and %C may
       differ; use one or the other, or both.

FILES
       /etc/identd.conf
              This file is as yet un-used, but will eventually
              contain configuration options for identd.

       /etc/identd.key
              If compiled with -ldes this file can be used to
              specify a secret key for encrypting replies.

SEE ALSO
       authuser(3), inetd.conf(5), idecrypt(8)

BUGS
       The handling of fatal errors could be better.
