.\" $NetBSD: identd.8,v 1.22 2016/12/12 10:07:48 wiz Exp $
.\"
.\" This software is in the public domain.
.\" Written by Peter Postma <peter@NetBSD.org>
.\"
.Dd December 9, 2016
.Dt IDENTD 8
.Os
.Sh NAME
.Nm identd
.Nd TCP/IP Ident protocol server
.Sh SYNOPSIS
.Nm
.Op Fl 46beIilNnr
.Op Fl a Ar address
.Op Fl c Ar charset
.Op Fl F Ar format
.Op Fl f Ar username
.Op Fl g Ar gid
.Op Fl L Ar username
.Op Fl m Ar filter
.Op Fl o Ar osname
.Op Fl P Ar address
.Op Fl p Ar portno
.Op Fl t Ar seconds
.Op Fl u Ar uid
.Sh DESCRIPTION
.Nm
is a TCP/IP server which implements the user identification protocol
as specified in RFC 1413.
.Pp
.Nm
operates by looking up specific TCP/IP connections and returning
information which may or may not be associated with the process owning
the connection.
.Pp
The following options are available:
.Bl -tag -width XXusernameXX
.It Fl 4
Bind to IPv4 addresses only
(valid with flag
.Fl b ) .
.It Fl 6
Bind to IPv6 addresses only
(valid with flag
.Fl b ) .
.It Fl a Ar address
Bind to the specified
.Ar address .
This may be an IPv4 or IPv6 address or even a hostname.
If a hostname is specified then
.Nm
will resolve it to an address (or addresses) and will bind this address
(valid with flag
.Fl b ) .
.It Fl b
Run in the background (as daemon).
.It Fl c Ar charset
Specify an optional character set designator to be included in replies.
.Ar charset
should be a valid character set as described in the
.Tn MIME RFC
in upper case characters.
.It Fl e
Return
.Dq UNKNOWN-ERROR
instead of the usual
.Dq NO-USER
or
.Dq INVALID-PORT
error replies.
.It Fl F Ar format
Specify the format in which to display the information.
The allowed format specifiers are:
.Bd -literal
%u print user name
%U print user number
%g print (primary) group name
%G print (primary) group number
%l print list of all groups by name
%L print list of all groups by number
.Ed
.Pp
The lists of groups (%l, %L) are comma-separated, and start with the primary
group which is not repeated.
Any other characters (preceded by %, and those not preceded by it)
are printed literally.
.It Fl f Ar username
Specify a fallback
.Ar username .
If the lookup fails then this username will be returned.
This can be useful when running this service on a NAT host and
not using the forward/proxy functionality.
.It Fl g Ar gid
Specify the group id number or name which the server should switch to after
binding itself to the TCP/IP port.
.It Fl I
Same as
.Fl i
but without the restriction that the username in
.Pa .ident
must not match an existing user.
.It Fl i
If the
.Pa .ident
file exists in the home directory of the identified user, return the username
found in that file instead of the real username.
If the username found in
.Pa .ident
is that of an existing user, then the real username will be returned.
.It Fl L Ar username
Specify a
.Dq lie
.Ar username .
.Nm
will return this name for all valid ident requests.
.It Fl l
Use
.Xr syslogd 8
for logging purposes.
.It Fl m Ar filter
Enable forwarding of ident queries.
The
.Ar filter
argument specifies which packet filter should be used to look up the
connections; currently
.Sq ipfilter ,
.Sq npf ,
and
.Sq pf
are supported packet filters.
Note that
.Nm
changes the ident queries to use the local port on the NAT host instead of
the local port on the forwarding host.
This is needed because otherwise we can't do a lookup on the proxy host.
On the proxy host,
.Dq proxy mode
should be enabled with the
.Fl P
flag or
.Dq lying mode
with the
.Fl L
flag.
.It Fl N
Enable
.Pa .noident
files.
If this file exists in the home directory of the identified user then return
.Dq HIDDEN-USER
instead of the normal USERID response.
.It Fl n
Return numeric user IDs instead of usernames.
.It Fl o Ar osname
Return
.Ar osname
instead of the default
.Dq UNIX .
.It Fl P Ar address
Specify a proxy server from which proxied ident queries will be received.
See also the
.Fl m
flag for how this operates.
.It Fl p Ar portno
Specify an alternative port number under which the server should run.
The default is port 113
(valid with flag
.Fl b ) .
.It Fl r
Return a random name of alphanumeric characters.
If the
.Fl n
flag is also enabled then a random number will be returned.
.It Fl t Ar seconds
Specify a timeout for the service.
The default timeout is 30 seconds.
.It Fl u Ar uid
Specify the user id number or name to which the server should switch after
binding itself to the TCP/IP port.
.El
.Sh FILES
.Pa /etc/inetd.conf
.Sh EXAMPLES
.Nm
operates from
.Xr inetd 8
or as a standalone daemon.
Put the following lines into
.Xr inetd.conf 5
to enable
.Nm
as an IPv4 and IPv6 service via inetd:
.Bd -literal
ident stream tcp nowait nobody /usr/libexec/identd identd -l
ident stream tcp6 nowait nobody /usr/libexec/identd identd -l
.Ed
.Pp
To run
.Nm
as a standalone daemon, use the
.Fl b
flag.
.Sh SEE ALSO
.Xr inetd.conf 5 ,
.Xr inetd 8
.Sh AUTHORS
This implementation of
.Nm
is written by
.An Peter Postma
.Aq peter@NetBSD.org .
.Sh CAVEATS
Since
.Nm
should typically not be run as a privileged user or group,
.Pa .ident
files for use when running with the
.Fl I
or
.Fl i
flags will need to be world accessible.
The same applies for
.Pa .noident
files when running with the
.Fl N
flag.
.Pp
When forwarding is enabled with the
.Fl m
flag then
.Nm
will need access to either
.Pa /dev/ipnat
(ipfilter),
.Pa /dev/pf
(pf), or
.Pa /dev/npf
(npf).
Since it's not a good idea to run
.Nm
under root, you'll need to adjust group owner/permissions to the device(s)
and run
.Nm
under that group.
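The following is an added example, not NetBSD identd's own code: it expands a format string following the rules documented for the -F option (the %u %U %g %G %l %L specifiers, comma-separated group lists starting with the primary group which is not repeated, and everything else printed literally) against a constructed passwd/group stand-in so it runs offline. The User class, the GROUPS table, the fallback of unknown gids to their number, and the dropping of the '%' before an unrecognised specifier are assumptions.

```python
# Added example, not identd's own code: expand an identd(8) -F format string offline.
from dataclasses import dataclass, field


@dataclass
class User:
    """Constructed stand-in for a passwd entry plus its group memberships."""
    name: str
    uid: int
    gid: int                                       # primary group
    supp_gids: list = field(default_factory=list)  # supplementary, may repeat gid


# Constructed stand-in for the group database (gid -> name); unknown gids
# fall back to their number (an assumption, not documented behaviour).
GROUPS = {0: "wheel", 20: "staff", 100: "users"}


def all_gids(user):
    """Primary group first, then supplementary groups, primary not repeated."""
    gids = [user.gid]
    for g in user.supp_gids:
        if g not in gids:
            gids.append(g)
    return gids


def expand_format(fmt, user):
    """Return fmt with %u %U %g %G %l %L expanded for user; anything else
    (including a '%' followed by another character) is printed literally."""
    specs = {
        "u": lambda: user.name,
        "U": lambda: str(user.uid),
        "g": lambda: GROUPS.get(user.gid, str(user.gid)),
        "G": lambda: str(user.gid),
        "l": lambda: ",".join(GROUPS.get(g, str(g)) for g in all_gids(user)),
        "L": lambda: ",".join(str(g) for g in all_gids(user)),
    }
    out, i = [], 0
    while i < len(fmt):
        if fmt[i] == "%" and i + 1 < len(fmt):
            spec = fmt[i + 1]
            # "%x" for an unknown x prints x itself (assumed: the % is dropped)
            out.append(specs[spec]() if spec in specs else spec)
            i += 2
        else:
            out.append(fmt[i])     # plain text, or a lone trailing '%'
            i += 1
    return "".join(out)
```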