
NAME

       oidentd.conf - The oidentd configuration file.

DESCRIPTION

       The oidentd configuration file is used to specify the amount of control
       users have over the responses oidentd returns upon  successful  lookups
       for connections owned by them.

       The  $HOME/.oidentd.conf  file  allows  a  user  to  specify what ident
       response will be returned for specific connections.

/etc/oidentd.conf SYNTAX

       USER DIRECTIVE
              The oidentd.conf file consists of 0 or more user directives. The
              user  directive  is  used  to  grant  capabilities on a per-user
              basis.

              The user directive has the following syntax:

              default {
                   <range directive>
              }

              OR

              user <username> {
                   <range directive>
              }

              The default directive matches all users for whom rules  are  not
              defined.  There  should  only  be  one default directive, and it
              should be the first statement in the file. All entries for users
              defined   after   the   default   definition  will  inherit  the
              capabilities of the  default  user.  Capabilities  can  then  be
              allowed,  denied,  or  forced  on a per-user basis by way of the
              user statement followed by the username of the user to whom  the
              properties that follow will apply.

       RANGE DIRECTIVE
              The  body  of  a  user  directive  consists  of  1 or more range
              directives.

              The range directive is used to specify  a  host/port  range  for
              which  a  set  of  capabilities  is  binding.  A range directive
              consists of 1 or more statements of the following form:

              default {
                   <capability directive>
              }

              OR

              to <host> lport <lport> from <host> fport <fport> {
                   <capability directive>
              }

              The default directive matches  all  host/port  pairs  for  which
              rules  are  not  defined.  There  should  only  be  one  default
              directive, and it should be the first statement in the block.

              Anywhere from 1 to all 4 of  the  to,  lport,  from,  and  fport
              parameters may be specified.

              The  to  parameter  is  used  to  specify the address to which a
              connection is made.

              The from parameter is used to specify the address from  which  a
              connection  originates. It may be useful to specify this address
              when a system has more than 1 IP address.

              The to and from parameters  take  either  an  IP  address  or  a
              hostname argument.

              The lport parameter is used to specify the local port from which
              a connection originates.

              The fport parameter is used to specify the destination port of a
              connection.

              The  lport  and  fport  parameters  take either a port or a port
              range. Ports can be  specified  numerically  (e.g.  113)  or  by
              giving  a  service  name (e.g. "auth"). Ranges of ports take the
              form <starting port>:<ending port>. The ending port is optional.
              If the ending port is omitted, the range is taken to be any port
              greater than or equal to the starting port.

              The omission of any of the to, lport, from and fport  parameters
              acts  like  a  wildcard  for  that  parameter.  For example, the
              statement  "from  localhost"  matches   all   connections   from
              localhost on any port to any host on any port.

       CAPABILITY DIRECTIVE
              The body of a range directive consists of one or more capability
              directives.

              Capabilities are used to assign or deny privileges  to  specific
              users.  Valid  actions  inside  user  directives are allow, deny,
              and force.

              The capability directive consists of one or more  statements  of
              the form:

              allow OR deny OR force <capability>.

              The  capability  argument  must  be  one  of  the   capabilities
              described in the CAPABILITIES section below.

              The force action takes a third argument when the  capability  is
              reply. For example, force reply "randomuser".

$HOME/.oidentd.conf SYNTAX

       A  user’s .oidentd.conf configuration file may contain 0 or more of the
       following statements:

       global {
            <capability>
       }

       OR

       <range directive> {
            <capability>
       }

       The global directive acts as a wildcard, matching all connections.  If
       used  at  all,  it  should therefore be the first entry in the file and
       should appear only once. Nothing enforces this: a global entry  is  ac-
       cepted anywhere in the file and any number of times, but since each one
       applies to every connection there is little point in doing so.

       The range directive has the same syntax  and  semantics  as  the  range
       directive in the /etc/oidentd.conf file. See above for a description.

       Valid  capabilities  are  reply,  random,  numeric, random_numeric, and
       hide. Descriptions can be found below.

CAPABILITIES

       spoof  Allow spoofed ident responses;  allow  the  user  to  specify  a
              string  of her choosing as the ident reply. The only restriction
              on the spoofed response is that it must not be the  username  of
              another user. When a user spoofs her ident reply, the login name
              of the user is recorded along with the forged reply.
              This capability does not apply to the force action.

       spoof_all
              Allow  the  usernames  of  other  users  to  be  used  as  ident
              responses.
              This capability does not apply to the force action.

       spoof_privport
              Allow  ident  replies  to  be spoofed on privileged ports (ports
              lower than 1024).
              This capability does not apply to the force action.

       reply <string> [<string1> ... <stringN>]
              Reply to  successful  ident  lookups  with  the  ident  response
              specified  in  <string>.  If  more  than one string parameter is
              given, one of the strings will be selected randomly.

              In a user’s $HOME/.oidentd.conf file, up to 20  strings  may  be
              specified for a reply statement.

              In  the  /etc/oidentd.conf  file,  there is no limitation on the
              number of strings that may be specified.

              The strings must be quoted strings (e.g. "string"). Strings  may
              contain the following escape characters:

              \n     new line
              \t     tab
              \r     carriage return
              \b     backspace
              \v     vertical tab
              \f     form feed
              \a     alert (bell)
              \e     escape
              \\     backslash
              \NNN   The  character  with the ASCII code NNN in the octal base
                     system.
              \xNNN  The character with the ASCII code NNN in the  hexadecimal
                     base system.

              This capability only applies to the force action.
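              The escape syntax above is easy to get wrong by hand, so here is
              an added Python example (not oidentd's own code) that decodes  a
              reply  string  exactly  as  the  table  describes and then checks
              whether the result can safely go into one ident  response  line.
              Assumptions  of  this example: \x takes up to two hex digits and
              \NNN up to three octal digits; an escape that is not in the table
              is left untouched; and ident_response() builds an RFC 1413  style
              USERID line purely for illustration. The security point  is  the
              check:  the  table  lets  a  reply  contain \r and \n, and a reply
              that decodes to CR or LF would turn the single-line response into
              several lines.

```python
# Added example, not oidentd's code: decode a reply string's escapes and
# refuse control characters before the string is placed in a response line.
import re

SIMPLE = {"n": "\n", "t": "\t", "r": "\r", "b": "\b", "v": "\v",
          "f": "\f", "a": "\a", "e": "\x1b", "\\": "\\"}
# \xNN (up to two hex digits, assumption), \NNN (up to three octal digits),
# or one of the single-letter escapes listed in the table.
ESCAPE_RE = re.compile(r"\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|[ntrbvfae\\])")


def unescape_reply(text):
    """Expand the escapes from the table; unknown sequences stay as-is (assumption)."""
    def expand(m):
        body = m.group(1)
        if body[0] == "x":
            return chr(int(body[1:], 16))
        if body[0] in "01234567":
            return chr(int(body, 8))
        return SIMPLE[body]
    return ESCAPE_RE.sub(expand, text)


def reply_is_safe(decoded):
    """True only for printable ASCII: an ident response is one CRLF-terminated
    line, so a reply containing CR or LF would split it into extra lines."""
    return all(0x20 <= ord(c) < 0x7F for c in decoded)


def ident_response(lport, fport, decoded):
    """RFC 1413 USERID response shape (assumed here for illustration only)."""
    if not reply_is_safe(decoded):
        raise ValueError("reply contains control characters")
    return f"{lport}, {fport} : USERID : UNIX : {decoded}\r\n"


if __name__ == "__main__":
    for raw in (r"\x41\102C", r"\e[0m", r"bad\r\n113, 6667 : USERID : UNIX : root"):
        decoded = unescape_reply(raw)
        print(repr(raw), "->", repr(decoded), "safe" if reply_is_safe(decoded) else "UNSAFE")
```

              Run it as a script to see the third sample flagged: the  decoded
              string  is  syntactically  a  valid reply under the table above,
              which is why a validator, not the grammar, has to catch it.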

       hide   Hide the user; report a "HIDDEN-USER" error when an ident lookup
              succeeds.

       random Reply to successful ident  lookups  with  a  randomly  generated
              ident response consisting of alphanumeric characters.

       numeric
              Reply  to successful ident lookups with the UID of the user that
              was looked up.

       random_numeric
              Reply to successful ident lookups with a randomly generated ident
              response of the form userN, where N is a random  number  between
              0 and 100000.

EXAMPLE /etc/oidentd.conf FILE

       default {
            default {
                 deny spoof
                 deny spoof_all
                 deny spoof_privport
                 allow random_numeric
                 allow numeric
                 allow hide
            }
       }

       Grant all users the ability to generate random numeric  ident  replies,
       the  ability  to generate numeric ident replies and the ability to hide
       their identities on all ident queries. Explicitly deny the  ability  to
       spoof ident responses.

       user root {
            default {
                 force reply "UNKNOWN"
            }
       }

       Reply with "UNKNOWN" for all successful ident queries for root.

       user ryan {
            default {
                 allow spoof
                 allow spoof_all
                 allow random
                 allow hide
            }

            from 127.0.0.1 {
                 allow spoof_privport
            }
       }

       Grant  the user "ryan" the capability to spoof ident replies, including
       the ability to use other usernames as ident  replies,  generate  random
       replies  and  hide  his  ident  for all connections, and grant the user
       "ryan" the capability to spoof ident replies  to  privileged  ports  (<
       1024) on connections originating from the host 127.0.0.1.
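
       To make the user, range and capability directives above concrete, here
       is an added Python model (not oidentd's own code) that parses  the  ex-
       ample  file  just  shown  and  answers  the question an operator really
       has: which capabilities are in force for a  given  user  on  a  given
       connection?  It  implements  the  rules  stated in this page: a default
       user block that other users inherit from, range directives  where  any
       omitted  parameter  is  a  wildcard,  lport/fport  given as a number, a
       service name, or a start:end range with an optional end, and allow/de-
       ny/force statements. Assumptions of the example: the to  and  from  ar-
       guments are compared as literal case-insensitive strings (oidentd  re-
       solves  hostnames,  this model does not); statements of later matching
       ranges override earlier ones, so a specific range beats  the  block's
       default  range  because  default  comes  first;  and  service names fall
       back to a tiny SERVICES table when getservbyname fails. CONFIG  is  the
       page's example file condensed onto fewer lines.

```python
# Added example, not oidentd's code: resolve /etc/oidentd.conf capabilities.
import re
import socket

ACTIONS = {"allow", "deny", "force"}
RANGE_KEYS = {"to", "lport", "from", "fport"}
SERVICES = {"auth": 113}  # fallback if /etc/services is absent (assumption)
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|[{}]|[^\s{}]+')


def parse_port_spec(spec):
    """'113', 'auth', '6660:7000' or '1024:' -> inclusive (lo, hi)."""
    def one(p):
        if p.isdigit():
            return int(p)
        try:
            return socket.getservbyname(p)
        except OSError:
            return SERVICES[p]
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return one(lo), (one(hi) if hi else 65535)  # no end port: open-ended
    return one(spec), one(spec)


def parse(text):
    """-> [(username or None for 'default', [(range_spec, [(action, cap, args)])])]"""
    toks, pos = TOKEN_RE.findall(text), 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take(expect=None):
        nonlocal pos
        tok, pos = toks[pos], pos + 1
        if expect is not None and tok != expect:
            raise ValueError(f"expected {expect!r}, got {tok!r}")
        return tok

    users = []
    while peek() is not None:
        kw = take()
        if kw not in ("default", "user"):
            raise ValueError(f"unknown directive {kw!r}")
        name = None if kw == "default" else take()
        take("{")
        ranges = []
        while peek() != "}":
            spec = {}
            if peek() == "default":           # wildcard range
                take()
            else:
                while peek() != "{":          # to/lport/from/fport pairs
                    key = take()
                    if key not in RANGE_KEYS:
                        raise ValueError(f"unknown range parameter {key!r}")
                    spec[key] = take()
            take("{")
            stmts = []
            while peek() != "}":
                action, cap = take(), take()
                if action not in ACTIONS:
                    raise ValueError(f"unknown action {action!r}")
                args = []
                while peek() is not None and peek().startswith('"'):
                    args.append(take()[1:-1])  # e.g. force reply "UNKNOWN"
                stmts.append((action, cap, args))
            take("}")
            ranges.append((spec, stmts))
        take("}")
        users.append((name, ranges))
    return users


def matches(spec, conn):
    """conn = {'to': remote host, 'fport': remote port, 'from': local host, 'lport': local port}"""
    for key in ("to", "from"):
        if key in spec and spec[key].lower() != conn[key].lower():
            return False
    for key in ("lport", "fport"):
        if key in spec:
            lo, hi = parse_port_spec(spec[key])
            if not lo <= conn[key] <= hi:
                return False
    return True  # omitted parameters act as wildcards


def effective(config, username, conn):
    """Default block (first in the file), then the user's block; later matching ranges win."""
    caps = {}
    for name, ranges in config:
        if name is None or name == username:
            for spec, stmts in ranges:
                if matches(spec, conn):
                    for action, cap, args in stmts:
                        caps[cap] = (action, args)
    return caps


CONFIG = """default { default { deny spoof  deny spoof_all  deny spoof_privport
                      allow random_numeric  allow numeric  allow hide } }
user root { default { force reply "UNKNOWN" } }
user ryan { default { allow spoof  allow spoof_all  allow random  allow hide }
            from 127.0.0.1 { allow spoof_privport } }
"""  # the page's example file, condensed

if __name__ == "__main__":
    irc = {"to": "irc.example.org", "fport": 6667, "from": "127.0.0.1", "lport": 54321}
    for user in ("bob", "root", "ryan"):
        print(user, effective(parse(CONFIG), user, irc))
```

       Running it shows the inheritance at work: "bob", who has no  block  of
       his  own,  gets exactly the default capabilities; "root" gets the forced
       "UNKNOWN" reply; and "ryan" keeps the denied spoof_privport  inherited
       from  default  unless  the  connection's local address is 127.0.0.1, in
       which case the later matching range allows it.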

EXAMPLE $HOME/.oidentd.conf FILE

       global {
            reply "unknown"
       }

       Reply with "unknown" to all successful ident lookups.

       to irc.example.org {
            reply "example"
       }

       Reply   with   "example"   to   ident   lookups   for   connections  to
       irc.example.org.

AUTHOR

       Ryan McCabe <ryan@numb.org>
       http://dev.ojnk.net

SEE ALSO

       oidentd(8) oidentd_masq.conf(5)