honest_identd

Langue: en

Version: 304831 (debian - 07/07/09)

Section: 8 (Commandes administrateur)

NAME

honest_identd - another minimal RFC 1413 auth server

SYNOPSIS

honest_identd

DESCRIPTION

honest_identd was an offshoot of slidentd, which was itself designed as a lightweight alternative to the more conventional pidentd. honest_identd returns a cleartext username and, as such, is suitable for sites which use broken RFC 1413-based authentication schemes. It handles a single connection and terminates, doing no pre-forking and not implementing any configurable behaviour. It is designed to run without root privilege, and does not need it. However, if it has root privilege, it chroot's to /usr/share/empty, and sets its uid to an unprivileged user.

This server is designed to run from Dan Bernstein's tcpserver. It works with inetd and xinetd as well. It handles a single request and then terminates, does not fork and does not provide any "standalone" or "wait" modes, as these are believed by the author to be unneeded complexity for something as humble as an ident daemon.

To run it under tcpserver, use a command such as:

/usr/local/bin/tcpserver -Rl0 -u ident -g ident 0 auth /usr/sbin/honest_identd

To run it under xinetd, copy run/xinetd to /etc/xinetd.d/auth and restart xinetd , or copy the following:


service auth
{
       socket_type = stream

       wait = no

       nice = 10

       user = ident

       server = /usr/sbin/honest_identd

       instances = 4

}

To run under inetd, insert the following line (or something similar) into your /etc/inetd.conf:

auth stream tcp nowait.60 indent /usr/sbin/honest_identd honest_identd

These assume you will be using a user called "ident" and that user has already been added to your system.

If running under tcpserver, the server logs to stderr because it assumes you're using multilog or something similar to log messages. Otherwise, it logs (by default) to /var/log/slidentd. The location is configurable by editing slid_config.h. Please note that if you aren't running the daemon as root it may not have permissions to create the file. If that is the case, touch the file as root, and chown it to belong to the user slidentd is running as. Since version 0.0.13, slidentd has been able to be configured to use syslog, which avoids this sort of tedium.

CONFIGURATION

At present, configuration possibilities are minimal to say the least. However, what do you want to configure in an ident server? :) All configuration options are available by editing slid_config.h.

DENIAL OF SERVICE

The server is designed to be small and correct, and to have as few features as possible. A malicious user could attempt to carry out a denial of service attack by making large numbers of connections or by getting slidentd to log large and spurious requests. While some effort has been made to reduce the likelihood of this, some care should be taken in the configuration of the service using xinetd or tcpserver to rate limit connections. Unix has excellent facilities for imposing resource limits on processes, and I recommend running this daemon using resource limits.

NOTE ABOUT INSECURE NETWORK SERVICES

If you need to access broken hosts or services which authenticate based on a clear-text username, honest_identd is now provided for that purpose. It returns cleartext usernames, and is thus insecure. However, by running it, you are doing system crackers a _big_ favour. You should really be running slidentd instead

SEE ALSO


slidentd (8)
http://www.faqs.org/rfcs/rfc1413.html for the text of RFC 1413
http:/cr.yp.to/ucspi-tcp/tcpserver.html for Dan Bernstein's "tcpserver"
http://www.fefe.de for Felix von Leitner's libowfat and dietlibc

AUTHOR

slidentd is free software written by Sean Hunter <sean@uncarved.com>

It is distributed under the terms of the Gnu Lesser General Public License in the hope that it will be useful to somebody else. The author explicitly disclaims all warrantees expressed or implied, regarding this software package, or any other matter, real or imagined. In fact you didn't even read this, right?