.\"	$OpenBSD: identd.8,v 1.23 2003/06/07 19:30:07 henning Exp $
.\"
.\" Copyright (c) 1997, Jason Downs.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS
.\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
.\" DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT,
.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)identd.8	1.9 92/02/11 Lysator
.\" Copyright (c) 1992 Peter Eriksson, Lysator, Linkoping University.
.\" This software has been released into the public domain.
.\"
.Dd July 27, 1997
.Dt IDENTD 8
.Os
.Sh NAME
.Nm identd
.Nd TCP/IP IDENT protocol server
.Sh SYNOPSIS
.Nm identd
.Bk -words
.Op Fl i | w | b
.Op Fl t Ar seconds
.Op Fl u Ar uid
.Op Fl g Ar gid
.Op Fl p Ar port
.Op Fl a Ar address
.Op Fl c Ar charset
.Op Fl noelvmNUdh
.Ek
.Sh DESCRIPTION
.Nm
is a server which implements the
.Tn TCP/IP
proposed standard
.Tn IDENT
user identification protocol as specified in the
.Tn RFC 1413
document.
.Pp
.Nm
operates by looking up specific
.Tn TCP/IP
connections and returning the user name of the
process owning the connection.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl i
Tells
.Nm identd
to run as a process started from
.Xr inetd 8
with the "nowait" option in the
.Pa /etc/inetd.conf
file.
Use of this mode will make
.Xr inetd 8
start one
.Nm
daemon for each connection request.
This is the default mode of operation.
.It Fl w
Tells
.Nm identd
to run as a process started from
.Xr inetd 8
with the "wait" option in the
.Pa /etc/inetd.conf
file.
This mode of operation will start a copy of
.Nm
at the first connection request and then
.Nm
will handle subsequent requests.
Previous versions listed this as the preferred mode of
operation due to the initial overhead of parsing the kernel nlist.
This version does not use kmem or nlist parsing, so this reasoning
is no longer valid.
.It Fl b
Specify operation as a stand-alone daemon.
.It Fl h
Hide the actual information about the user by providing an opaque
token instead.
This token is entered into the local system logs
so that the administrator can later discover who the real user was.
.It Fl H
Hide information about non-existent users (e.g., connections through NAT) as
well as existing users.
Implies
.Fl h .
.It Fl t Ar seconds
Specifies an idle timeout in seconds after which a daemon running in
"wait" mode will time out and exit.
The default is no timeout.
.It Fl u Ar uid
Specify a user ID number or user name which the
.Nm identd
server should
switch to after binding itself to the
.Tn TCP/IP
port if running as a stand-alone daemon.
.Nm
runs as user
.Qq _identd
by default and falls back to
.Qq nobody
if the
.Qq _identd
user does not exist.
.It Fl g Ar gid
Specify a group ID number or group name which the
.Nm
server should
switch to after binding itself to the
.Tn TCP/IP
port if running as a stand-alone daemon.
.It Fl p Ar port
Specify an alternative port number or service name
on which to listen when running as a stand-alone daemon.
Default is "auth" (113).
.It Fl a Ar address
Specify a local IP address in dotted quad format
to bind the listen socket to if running as a stand-alone daemon.
By default the daemon listens on all local IP addresses.
.It Fl l
Use
.Xr syslogd 8
for logging purposes.
.It Fl v
Log every request to syslog if
.Fl l
above is specified.
.It Fl o
Do not reveal operating system type;
always return
.Dq OTHER
instead.
.It Fl e
Always return
.Dq UNKNOWN-ERROR
instead of the
.Dq NO-USER
or
.Dq INVALID-PORT
errors.
.It Fl c Ar charset
Specify an optional character set designator to be included in replies.
.Ar charset
should be a valid character set as described in the
.Tn MIME RFC
in upper case characters.
.It Fl n
Always return uid numbers instead of usernames.
.It Fl N
When replying with a user name or ID, first
check for a file
.Pa .noident
in the user's home directory.
If this file is accessible, return
.Dq HIDDEN-USER
instead of the normal USERID response.
.It Fl U
When replying with a user name or ID, first
check for a file
.Pa .ident
in the user's home directory.
If this file is accessible, return
the contents of the file
instead of the normal USERID response.
.It Fl m
Allow multiple requests to be processed per session.
Each request is specified one per line and the responses will be returned
one per line.
The connection will not be closed until the client closes its end of
the connection.
PLEASE NOTE THAT THIS MODE VIOLATES THE PROTOCOL SPECIFICATION AS
IT CURRENTLY STANDS.
.It Fl d
This flag enables some debugging code that normally should NOT
be enabled since that breaks the protocol and may reveal information
that should not be available to outsiders.
.El
.Sh SEE ALSO
.Xr inetd.conf 5
.Sh NOTES
.Nm
uses the
.Li LOG_DAEMON
.Xr syslogd 8
facility to log messages.
.Pp
Unlike previous versions of
.Nm identd ,
this version uses
.Xr sysctl 3
to obtain information from the kernel instead of parsing kmem.
This version does not require privilege beyond what is needed to bind
the listen port if running as a stand-alone daemon.
.Sh BUGS
Since
.Nm identd
should typically not be run as a privileged user or group,
.Pa .ident
files for use when running with the
.Fl U
flag will need to be world accessible.
The same applies for
.Pa .noident
files when running with the
.Fl N
flag.
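The following is an added worked example, not code from OpenBSD identd(8); it models in Python how the RFC 1413 request/reply exchange described above is shaped by the disclosure-limiting options (-o, -e, -n, -h, -N, -c) and by the -m multi-request mode. A constructed in-memory table stands in for the kernel connection lookup that identd performs via sysctl(3), a constructed `hidden` set stands in for the presence of a .noident file, and the opaque token is an HMAC over a constructed key (the man page does not say how identd derives its token, so that scheme is an assumption of this example).

```python
"""RFC 1413 (IDENT) reply builder modelled on identd(8) options.

Added example. CONNECTIONS is a constructed stand-in for the kernel
connection table identd(8) queries via sysctl(3); `hidden` stands in
for a user's ~/.noident file; the HMAC token scheme is an assumption.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Options:
    hide_os: bool = False          # -o: always report OTHER as the opsys field
    unknown_only: bool = False     # -e: collapse NO-USER/INVALID-PORT into UNKNOWN-ERROR
    numeric: bool = False          # -n: report uid numbers instead of user names
    opaque: bool = False           # -h: replace the user with an opaque token
    charset: Optional[str] = None  # -c: charset designator appended to opsys field
    hidden: frozenset = frozenset()  # -N: users that "have" a .noident file (constructed)


# Constructed sample: (port-on-server, port-on-client) -> (uid, user name)
CONNECTIONS = {
    (113, 50000): (1001, "alice"),
    (22, 50001): (0, "root"),
}

# Constructed key; a real deployment would keep this secret and log the mapping.
TOKEN_KEY = b"example-only-not-a-real-key"

# RFC 1413 request: "<port-on-server> , <port-on-client>", whitespace optional.
REQ_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")


def parse_request(line: str) -> Optional[Tuple[int, int]]:
    """Return (server_port, client_port), or None if the line is malformed."""
    m = REQ_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def opaque_token(uid: int, name: str) -> str:
    """Opaque, non-reversible stand-in for the user (-h); hex only, so it never
    contains the user name itself."""
    msg = f"{uid}:{name}".encode()
    return hmac.new(TOKEN_KEY, msg, hashlib.sha256).hexdigest()[:16]


def error_reply(ports: Tuple[int, int], kind: str, opts: Options) -> str:
    # -e masks only NO-USER and INVALID-PORT; HIDDEN-USER is returned as-is.
    if opts.unknown_only and kind in ("NO-USER", "INVALID-PORT"):
        kind = "UNKNOWN-ERROR"
    return f"{ports[0]},{ports[1]}:ERROR:{kind}\r\n"


def build_reply(line: str, opts: Options, table=CONNECTIONS) -> str:
    """Build one RFC 1413 reply line for one request line."""
    ports = parse_request(line)
    if ports is None:
        # Malformed request: the port pair cannot be echoed, so 0,0 is used
        # here (a simplification of this example).
        return error_reply((0, 0), "INVALID-PORT", opts)
    sport, cport = ports
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return error_reply(ports, "INVALID-PORT", opts)
    owner = table.get(ports)
    if owner is None:
        return error_reply(ports, "NO-USER", opts)
    uid, name = owner
    if name in opts.hidden:                 # -N: user opted out via .noident
        return error_reply(ports, "HIDDEN-USER", opts)
    if opts.opaque:
        ident = opaque_token(uid, name)     # -h
    elif opts.numeric:
        ident = str(uid)                    # -n
    else:
        ident = name
    opsys = "OTHER" if opts.hide_os else "UNIX"
    if opts.charset:
        opsys += "," + opts.charset         # -c, e.g. "UNIX,US-ASCII"
    return f"{sport},{cport}:USERID:{opsys}:{ident}\r\n"


def handle_session(lines, opts: Options, multi: bool = False):
    """Answer request lines from one connection. Without -m (multi=False) the
    server answers the first request only; with -m it answers every line."""
    replies = []
    for line in lines:
        replies.append(build_reply(line, opts))
        if not multi:
            break
    return replies
```

Run with `-o -e -n` style options (`Options(hide_os=True, unknown_only=True, numeric=True)`) and the only facts a remote party learns are a numeric uid for connections that exist and UNKNOWN-ERROR for everything else; with `opaque=True` even the uid is replaced by a token that only the local logs can map back to a user, which is the trade-off the -h option describes.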