1.\" $NetBSD: identd.8,v 1.20 2005/04/04 18:43:55 peter Exp $ 2.\" 3.\" This software is in the public domain. 4.\" Written by Peter Postma <peter@NetBSD.org> 5.\" 6.Dd April 4, 2005 7.Dt IDENTD 8 8.Os 9.Sh NAME 10.Nm identd 11.Nd TCP/IP Ident protocol server 12.Sh SYNOPSIS 13.Nm 14.Op Fl 46beIilNnr 15.Op Fl a Ar address 16.Op Fl c Ar charset 17.Op Fl F Ar format 18.Op Fl f Ar username 19.Op Fl g Ar uid 20.Op Fl L Ar username 21.Op Fl m Ar filter 22.Op Fl o Ar osname 23.Op Fl P Ar address 24.Op Fl p Ar portno 25.Op Fl t Ar seconds 26.Op Fl u Ar uid 27.Sh DESCRIPTION 28.Nm 29is a TCP/IP server which implements the user identification protocol 30as specified in RFC 1413. 31.Pp 32.Nm 33operates by looking up specific TCP/IP connections and returning 34information which may or may not be associated with the process owning 35the connection. 36.Pp 37The following options are available: 38.Bl -tag -width XXusernameXX 39.It Fl 4 40Bind to IPv4 addresses only 41(valid with flag 42.Fl b ) . 43.It Fl 6 44Bind to IPv6 addresses only 45(valid with flag 46.Fl b ) . 47.It Fl a Ar address 48Bind to the specified 49.Ar address . 50This may be an IPv4 or IPv6 address or even a hostname. 51If a hostname is specified then 52.Nm 53will resolve it to an address (or addresses) and will bind this address 54(valid with flag 55.Fl b ) . 56.It Fl b 57Run in the background (as daemon). 58.It Fl c Ar charset 59Specify an optional character set designator to be included in replies. 60.Ar charset 61should be a valid charset set as described in the 62.Tn MIME RFC 63in upper case characters. 64.It Fl e 65Return 66.Dq UNKNOWN-ERROR 67instead of the usual 68.Dq NO-USER 69or 70.Dq INVALID-PORT 71error replies. 72.It Fl F Ar format 73Specify the format to display info. 
The allowed format specifiers are:
.Bd -literal
%u	print user name
%U	print user number
%g	print (primary) group name
%G	print (primary) group number
%l	print list of all groups by name
%L	print list of all groups by number
.Ed
.Pp
The lists of groups (%l, %L) are comma-separated, and start with the primary
group, which is not repeated.
Any other characters (those preceded by %, and those not preceded by it)
are printed literally.
.It Fl f Ar username
Specify a fallback
.Ar username .
If the lookup fails then this username will be returned.
This can be useful when running this service on a NAT host and
not using the forward/proxy functionality.
.It Fl g Ar gid
Specify the group id number or name which the server should switch to after
binding itself to the TCP/IP port.
.It Fl I
Same as
.Fl i
but without the restriction that the username in
.Pa .ident
must not match an existing user.
.It Fl i
If the
.Pa .ident
file exists in the home directory of the identified user, return the username
found in that file instead of the real username.
If the username found in
.Pa .ident
is that of an existing user, then the real username will be returned.
.It Fl L Ar username
Specify a
.Dq lie
.Ar username .
.Nm
will return this name for all valid ident requests.
.It Fl l
Use
.Xr syslogd 8
for logging purposes.
.It Fl m Ar filter
Enable forwarding of ident queries.
The
.Ar filter
argument specifies which packet filter should be used to look up the
connections; currently
.Sq pf
and
.Sq ipfilter
are the supported packet filters.
Note that
.Nm
changes the ident queries to use the local port on the NAT host instead of
the local port on the forwarding host.
This is needed because otherwise the lookup cannot be done on the proxy host.
On the proxy host,
.Dq proxy mode
should be enabled with the
.Fl P
flag or
.Dq lying mode
with the
.Fl L
flag.
.It Fl N
Enable
.Pa .noident
files.
If this file exists in the home directory of the identified user then return
.Dq HIDDEN-USER
instead of the normal USERID response.
.It Fl n
Return numeric user IDs instead of usernames.
.It Fl o Ar osname
Return
.Ar osname
instead of the default
.Dq UNIX .
.It Fl P Ar address
Specify the proxy server from which proxied ident queries will be received.
See also the
.Fl m
flag for how this operates.
.It Fl p Ar portno
Specify an alternative port number on which the server should listen.
The default is port 113
(valid with flag
.Fl b ) .
.It Fl r
Return a random name of alphanumeric characters.
If the
.Fl n
flag is also enabled then a random number will be returned.
.It Fl t Ar seconds
Specify a timeout for the service.
The default timeout is 30 seconds.
.It Fl u Ar uid
Specify the user id number or name to which the server should switch after
binding itself to the TCP/IP port.
.El
.Sh FILES
.Pa /etc/inetd.conf
.Sh EXAMPLES
.Nm
operates from
.Xr inetd 8
or as a standalone daemon.
Put the following lines into
.Xr inetd.conf 5
to enable
.Nm
as an IPv4 and IPv6 service via inetd:
.Pp
ident stream tcp nowait nobody /usr/libexec/identd identd -l
.Pp
ident stream tcp6 nowait nobody /usr/libexec/identd identd -l
.Pp
To run
.Nm
as a standalone daemon, use the
.Fl b
flag.
.Sh SEE ALSO
.Xr inetd.conf 5 ,
.Xr inetd 8
.Sh AUTHORS
This implementation of
.Nm
is written by
.An Peter Postma
.Aq peter@NetBSD.org .
.Sh CAVEATS
Since
.Nm
should typically not be run as a privileged user or group,
.Pa .ident
files for use when running with the
.Fl I
or
.Fl i
flags will need to be world accessible.
The same applies for
.Pa .noident
files when running with the
.Fl N
flag.
.Pp
When forwarding is enabled with the
.Fl m
flag then
.Nm
will need access to either
.Pa /etc/pf
(pf) or
.Pa /etc/ipnat
(ipfilter).
Since it's not a good idea to run
.Nm
under root, you'll need to adjust group owner/permissions to the device(s)
and run
.Nm
under that group.
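As an added example (not part of this manual page or of NetBSD's identd source), here is a Python parser for the RFC 1413 reply lines the server emits, covering the USERID form with the optional -c charset, the numeric uid produced by -n, and the NO-USER, HIDDEN-USER and UNKNOWN-ERROR tokens described above. The sample reply lines and port numbers are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample replies in the RFC 1413 wire format that identd(8) emits.
# These lines are made up for this example; they are not from the manual page.
SAMPLE_REPLIES = [
    "6191, 23 : USERID : UNIX : stjohns",            # default -o osname, no -c
    "6191, 23 : USERID : UNIX,US-ASCII : stjohns",   # -c US-ASCII adds a charset
    "6192, 23 : USERID : UNIX : 1001",               # -n returns the numeric uid
    "6193, 23 : ERROR : NO-USER",
    "6194, 23 : ERROR : HIDDEN-USER",                # -N with a .noident file present
    "6195, 23 : ERROR : UNKNOWN-ERROR",              # -e masks NO-USER/INVALID-PORT
]

ERROR_TOKENS = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}
HEAD_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*)$")


@dataclass
class IdentReply:
    server_port: int         # port on the host being asked (identd's side)
    client_port: int         # port on the host doing the asking
    kind: str                # "USERID" or "ERROR"
    opsys: Optional[str]     # the -o value, e.g. "UNIX"; None for ERROR replies
    charset: Optional[str]   # the -c value, if the server sent one
    value: str               # username or uid for USERID, error token for ERROR


def parse_reply(line: str) -> IdentReply:
    """Parse one reply line; raise ValueError on anything off-spec."""
    m = HEAD_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("malformed ident reply: %r" % line)
    sport, cport, kind, rest = int(m[1]), int(m[2]), m[3], m[4]
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        raise ValueError("port out of range in ident reply")
    if kind == "ERROR":
        token = rest.strip()
        # RFC 1413 also permits experimental error tokens prefixed with "X-".
        if token not in ERROR_TOKENS and not token.startswith("X-"):
            raise ValueError("unknown error token: %r" % token)
        return IdentReply(sport, cport, kind, None, None, token)
    # USERID: <opsys>[,<charset>] : <user-id>; the user-id may contain ':'
    opsys_field, sep, user = rest.partition(":")
    if not sep or not user.strip():
        raise ValueError("USERID reply without a user-id field")
    opsys, _, charset = opsys_field.strip().partition(",")
    return IdentReply(sport, cport, kind, opsys.strip(), charset.strip() or None, user.strip())


def parse_all(lines: List[str]) -> List[IdentReply]:
    return [parse_reply(l) for l in lines]
```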