IDENTD(8) BSD System Manager's Manual IDENTD(8)NAMEidentd — TCP/IP Ident protocol server
SYNOPSISidentd [-46beIilNnr] [-a address] [-c charset] [-F format] [-f username]
[-g uid] [-L username] [-m filter] [-o osname] [-P address]
[-p portno] [-t seconds] [-u uid]
DESCRIPTIONidentd is a TCP/IP server which implements the user identification proto‐
col as specified in RFC 1413.
identd operates by looking up specific TCP/IP connections and returning
information which may or may not be associated with the process owning
the connection.
The following options are available:
-4 Bind to IPv4 addresses only (valid with flag -b).
-6 Bind to IPv6 addresses only (valid with flag -b).
-a address Bind to the specified address. This may be an IPv4 or IPv6
address or even a hostname. If a hostname is specified
then identd will resolve it to an address (or addresses)
and will bind this address (valid with flag -b).
-b Run in the background (as daemon).
-c charset Specify an optional character set designator to be included
in replies. charset should be a valid charset set as
described in the MIME RFC in upper case characters.
-e Return “UNKNOWN-ERROR” instead of the usual “NO-USER” or
“INVALID-PORT” error replies.
-F format Specify the format to display info. The allowed format
specifiers are:
%u print user name
%U print user number
%g print (primary) group name
%G print (primary) group number
%l print list of all groups by name
%L print list of all groups by number
The lists of groups (%l, %L) are comma-separated, and start
with the primary group which is not repeated. Any other
characters (preceded by %, and those not preceded by it)
are printed literally.
-f username Specify a fall back username. If the lookup fails then
this username will be returned. This can be useful for
when running this service on a NAT host and not using the
forward/proxy functionality.
-g gid Specify the group id number or name which the server should
switch to after binding itself to the TCP/IP port.
-I Same as -i but without the restriction that the username in
.ident must not match an existing user.
-i If the .ident file exists in the home directory of the
identified user, return the username found in that file
instead of the real username. If the username found in
.ident is that of an existing user, then the real username
will be returned.
-L username Specify a “lie” username. identd will return this name for
all valid ident requests.
-l Use syslogd(8) for logging purposes.
-m filter Enables forwarding of ident queries. The filter argument
specifies which packet filter should be used to lookup the
connections, currently ‘pf’ and ‘ipfilter’ are supported
packet filters. Note that identd changes the ident queries
to use the local port on the NAT host instead of the local
port on the forwarding host. This is needed because other‐
wise we can't do a lookup on the proxy host. On the proxy
host, “proxy mode” should be enabled with the -P flag or
“lying mode” with the -L flag.
-N Enable .noident files. If this file exists in the home
directory of the identified user then return “HIDDEN-USER”
instead of the normal USERID response.
-n Return numeric user IDs instead of usernames.
-o osname Return osname instead of the default “UNIX”.
-P address Specify a proxy server which will be used to receive prox‐
ied ident queries from. See also the -m flag how this
operates.
-p portno Specify an alternative port number under which the server
should run. The default is port 113 (valid with flag -b).
-r Return a random name of alphanumeric characters. If the -n
flag is also enabled then a random number will be returned.
-t seconds Specify a timeout for the service. The default timeout is
30 seconds.
-u uid Specify the user id number or name to which the server
should switch after binding itself to the TCP/IP port.
FILES
/etc/inetd.conf
EXAMPLESidentd operates from inetd(8) or as standalone daemon. Put the following
lines into inetd.conf(5) to enable identd as an IPv4 and IPv6 service via
inetd:
ident stream tcp nowait nobody /usr/libexec/identd identd-l
ident stream tcp6 nowait nobody /usr/libexec/identd identd-l
To run identd as standalone daemon, use the -b flag.
SEE ALSOinetd.conf(5), inetd(8)AUTHORS
This implementation of identd is written by Peter Postma
⟨peter@NetBSD.org⟩.
CAVEATS
Since identd should typically not be run as a privileged user or group,
.ident files for use when running with the -I or -i flags will need to be
world accessible. The same applies for .noident files when running with
the -N flag.
When forwarding is enabled with the -m flag then identd will need access
to either /etc/pf (pf) or /etc/ipnat (ipfilter). Since it's not a good
idea to run identd under root, you'll need to adjust group owner/permis‐
sions to the device(s) and run identd under that group.
BSD April 4, 2005 BSD
