xref: /netbsd-src/libexec/identd/identd.8 (revision d8a6eb3c16706b2c641a4aaa461e8f112328c013)

.\" $NetBSD: identd.8,v 1.22 2016/12/12 10:07:48 wiz Exp $
.\"
.\" This software is in the public domain.
.\" Written by Peter Postma <peter@NetBSD.org>
.\"
.Dd December 9, 2016
.Dt IDENTD 8
.Os
.Sh NAME
.Nm identd
.Nd TCP/IP Ident protocol server
.Sh SYNOPSIS
.Nm
.Op Fl 46beIilNnr
.Op Fl a Ar address
.Op Fl c Ar charset
.Op Fl F Ar format
.Op Fl f Ar username
.Op Fl g Ar uid
.Op Fl L Ar username
.Op Fl m Ar filter
.Op Fl o Ar osname
.Op Fl P Ar address
.Op Fl p Ar portno
.Op Fl t Ar seconds
.Op Fl u Ar uid
.Sh DESCRIPTION
.Nm
is a TCP/IP server which implements the user identification protocol
as specified in RFC 1413.
.Pp
.Nm
operates by looking up specific TCP/IP connections and returning
information which may or may not be associated with the process owning
the connection.
.Pp
The following options are available:
.Bl -tag -width XXusernameXX
.It Fl 4
Bind to IPv4 addresses only
(valid with flag
.Fl b ) .
.It Fl 6
Bind to IPv6 addresses only
(valid with flag
.Fl b ) .
.It Fl a Ar address
Bind to the specified
.Ar address .
This may be an IPv4 or IPv6 address or even a hostname.
If a hostname is specified then
.Nm
will resolve it to an address (or addresses) and will bind this address
(valid with flag
.Fl b ) .
.It Fl b
Run in the background (as daemon).
.It Fl c Ar charset
Specify an optional character set designator to be included in replies.
.Ar charset
should be a valid charset set as described in the
.Tn MIME RFC
in upper case characters.
.It Fl e
Return
.Dq UNKNOWN-ERROR
instead of the usual
.Dq NO-USER
or
.Dq INVALID-PORT
error replies.
.It Fl F Ar format
Specify the format to display info.
The allowed format specifiers are:
.Bd -literal
%u	print user name
%U	print user number
%g	print (primary) group name
%G	print (primary) group number
%l	print list of all groups by name
%L	print list of all groups by number
.Ed
.Pp
The lists of groups (%l, %L) are comma-separated, and start with the primary
group which is not repeated.
Any other characters (preceded by %, and those not preceded by it)
are printed literally.
.It Fl f Ar username
Specify a fall back
.Ar username .
If the lookup fails then this username will be returned.
This can be useful for when running this service on a NAT host and
not using the forward/proxy functionality.
.It Fl g Ar gid
Specify the group id number or name which the server should switch to after
binding itself to the TCP/IP port.
.It Fl I
Same as
.Fl i
but without the restriction that the username in
.Pa .ident
must not match an existing user.
.It Fl i
If the
.Pa .ident
file exists in the home directory of the identified user, return the username
found in that file instead of the real username.
If the username found in
.Pa .ident
is that of an existing user, then the real username will be returned.
.It Fl L Ar username
Specify a
.Dq lie
.Ar username .
.Nm
will return this name for all valid ident requests.
.It Fl l
Use
.Xr syslogd 8
for logging purposes.
.It Fl m Ar filter
Enables forwarding of ident queries.
The
.Ar filter
argument specifies which packet filter should be used to lookup the
connections, currently
.Sq ipfilter ,
.Sq npf ,
and
.Sq pf
are supported packet filters.
Note that
.Nm
changes the ident queries to use the local port on the NAT host instead of
the local port on the forwarding host.
This is needed because otherwise we can't do a lookup on the proxy host.
On the proxy host,
.Dq proxy mode
should be enabled with the
.Fl P
flag or
.Dq lying mode
with the
.Fl L
flag.
.It Fl N
Enable
.Pa .noident
files.
If this file exists in the home directory of the identified user then return
.Dq HIDDEN-USER
instead of the normal USERID response.
.It Fl n
Return numeric user IDs instead of usernames.
.It Fl o Ar osname
Return
.Ar osname
instead of the default
.Dq UNIX .
.It Fl P Ar address
Specify a proxy server which will be used to receive proxied ident
queries from.
See also the
.Fl m
flag how this operates.
.It Fl p Ar portno
Specify an alternative port number under which the server should run.
The default is port 113
(valid with flag
.Fl b ) .
.It Fl r
Return a random name of alphanumeric characters.
If the
.Fl n
flag is also enabled then a random number will be returned.
.It Fl t Ar seconds
Specify a timeout for the service.
The default timeout is 30 seconds.
.It Fl u Ar uid
Specify the user id number or name to which the server should switch after
binding itself to the TCP/IP port.
.El
.Sh FILES
.Pa /etc/inetd.conf
.Sh EXAMPLES
.Nm
operates from
.Xr inetd 8
or as standalone daemon.
Put the following lines into
.Xr inetd.conf 5
to enable
.Nm
as an IPv4 and IPv6 service via inetd:
.Pp
ident stream tcp nowait nobody /usr/libexec/identd identd -l
.Pp
ident stream tcp6 nowait nobody /usr/libexec/identd identd -l
.Pp
To run
.Nm
as standalone daemon, use the
.Fl b
flag.
.Sh SEE ALSO
.Xr inetd.conf 5 ,
.Xr inetd 8
.Sh AUTHORS
This implementation of
.Nm
is written by
.An Peter Postma
.Aq peter@NetBSD.org .
.Sh CAVEATS
Since
.Nm
should typically not be run as a privileged user or group,
.Pa .ident
files for use when running with the
.Fl I
or
.Fl i
flags will need to be world accessible.
The same applies for
.Pa .noident
files when running with the
.Fl N
flag.
.Pp
When forwarding is enabled with the
.Fl m
flag then
.Nm
will need access to either
.Pa /dev/ipnat
(ipfilter),
.Pa /dev/pf
(pf), or
.Pa /dev/npf .
Since it's not a good idea to run
.Nm
under root, you'll need to adjust group owner/permissions to the device(s)
and run
.Nm
under that group.