NAME
honest_identd - another minimal RFC 1413 auth server
SYNOPSIS
honest_identd
DESCRIPTION
honest_identd was an offshoot of slidentd, which was itself designed as
a lightweight alternative to the more conventional pidentd.
honest_identd returns a cleartext username and, as such, is suitable
for sites which use broken RFC 1413-based authentication schemes. It
handles a single connection and terminates, doing no pre-forking and
not implementing any configurable behaviour. It is designed to run
without root privilege, and does not need it. However, if it has root
privilege, it chroots to /usr/share/empty and sets its uid to an
unprivileged user.
This server is designed to run from Dan Bernstein’s tcpserver. It
works with inetd and xinetd as well. It handles a single request and
then terminates, does not fork and does not provide any "standalone" or
"wait" modes, as these are believed by the author to be unneeded
complexity for something as humble as an ident daemon.
To run it under tcpserver, use a command such as:
    /usr/local/bin/tcpserver -Rl0 -u ident -g ident 0 auth /usr/sbin/honest_identd
To run it under xinetd, copy run/xinetd to /etc/xinetd.d/auth and
restart xinetd, or copy the following:
    service auth
    {
        socket_type = stream
        wait        = no
        nice        = 10
        user        = ident
        server      = /usr/sbin/honest_identd
        instances   = 4
    }
To run under inetd, insert the following line (or something similar)
into your /etc/inetd.conf:
    auth stream tcp nowait.60 ident /usr/sbin/honest_identd honest_identd
These assume you will be using a user called "ident" and that user has
already been added to your system.
If running under tcpserver, the server logs to stderr because it
assumes you’re using multilog or something similar to log messages.
Otherwise, it logs (by default) to /var/log/slidentd. The location is
configurable by editing slid_config.h. Please note that if you aren’t
running the daemon as root it may not have permissions to create the
file. If that is the case, touch the file as root, and chown it to
belong to the user slidentd is running as. Since version 0.0.13,
slidentd can be configured to use syslog, which avoids this sort of
tedium.
CONFIGURATION
At present, configuration possibilities are minimal to say the least.
However, what do you want to configure in an ident server? :) All
configuration options are available by editing slid_config.h.
DENIAL OF SERVICE
The server is designed to be small and correct, and to have as few
features as possible. A malicious user could attempt to carry out a
denial of service attack by making large numbers of connections or by
getting slidentd to log large and spurious requests. While some effort
has been made to reduce the likelihood of this, some care should be
taken in the configuration of the service using xinetd or tcpserver to
rate limit connections. Unix has excellent facilities for imposing
resource limits on processes, and I recommend running this daemon using
resource limits.
NOTE ABOUT INSECURE NETWORK SERVICES
If you need to access broken hosts or services which authenticate based
on a clear-text username, honest_identd is now provided for that
purpose. It returns cleartext usernames, and is thus insecure.
However, by running it, you are doing system crackers a _big_ favour.
You should really be running slidentd instead.
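The request and reply exchange sketched in DESCRIPTION, the request-length
cap argued for in DENIAL OF SERVICE, and the cleartext-versus-hidden choice
from the note above, as an added C example. This is illustrative code
written for this page, not the source of honest_identd or slidentd. The
connection table is a constructed stand-in for the kernel socket lookup a
real identd performs; IDENT_MAX_REQ, the user name "ident" and the jail
directory passed to drop_privileges() are assumptions taken from the text;
and hide=1 answers with the RFC's own HIDDEN-USER code, which illustrates
the alternative to a cleartext username without claiming that is what
slidentd returns.

```c
#define _DEFAULT_SOURCE 1
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Upper bound on one request line (constructed value for this example):
 * a longer request is refused, so a client cannot make the server
 * buffer or log an arbitrarily large "request". */
#define IDENT_MAX_REQ 256

/* Constructed stand-in for the kernel socket table a real identd would
 * consult: local port, remote port, owning user. */
struct conn { unsigned short lport, rport; const char *user; };
static const struct conn conn_table[] = {
    { 22,   51234, "alice" },
    { 6667, 40000, "bob"   },
};

static const char *lookup_user(long lport, long rport) {
    size_t i;
    for (i = 0; i < sizeof conn_table / sizeof conn_table[0]; i++)
        if (conn_table[i].lport == lport && conn_table[i].rport == rport)
            return conn_table[i].user;
    return NULL;
}

/* Parse "<server-port> , <client-port>" (RFC 1413 request syntax).
 * Returns 0 and both numbers on success, -1 if the syntax is wrong.
 * Range checking is left to the caller so it can echo the bad pair. */
static int parse_request(const char *line, long *a, long *b) {
    const char *p = line;
    char *end;
    if (strlen(line) >= IDENT_MAX_REQ) return -1;
    *a = strtol(p, &end, 10);
    if (end == p) return -1;
    while (*end == ' ' || *end == '\t') end++;
    if (*end != ',') return -1;
    p = end + 1;
    *b = strtol(p, &end, 10);
    if (end == p) return -1;
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n') end++;
    return *end == '\0' ? 0 : -1;
}

/* Build the RFC 1413 reply for one request line into out.
 * hide == 0 is the honest_identd behaviour (cleartext username);
 * hide != 0 answers HIDDEN-USER, the RFC's own way of refusing. */
int ident_respond(const char *line, int hide, char *out, size_t outlen) {
    long a, b;
    const char *user;
    if (parse_request(line, &a, &b) != 0)
        return snprintf(out, outlen, "0 , 0 : ERROR : UNKNOWN-ERROR\r\n");
    if (a < 1 || a > 65535 || b < 1 || b > 65535)
        return snprintf(out, outlen, "%ld , %ld : ERROR : INVALID-PORT\r\n", a, b);
    user = lookup_user(a, b);
    if (user == NULL)
        return snprintf(out, outlen, "%ld , %ld : ERROR : NO-USER\r\n", a, b);
    if (hide)
        return snprintf(out, outlen, "%ld , %ld : ERROR : HIDDEN-USER\r\n", a, b);
    return snprintf(out, outlen, "%ld , %ld : USERID : UNIX : %s\r\n", a, b, user);
}

/* Convenience wrapper returning a static buffer (not thread-safe, which
 * is fine for a one-request-per-process daemon). */
const char *ident_reply(const char *line, int hide) {
    static char buf[128];
    ident_respond(line, hide, buf, sizeof buf);
    return buf;
}

/* Read one request line from fd a byte at a time, never past the cap.
 * Returns the length read, or -1 if the cap is hit before a newline. */
static int read_request(int fd, char *buf, size_t cap) {
    size_t n = 0;
    while (n + 1 < cap) {
        if (read(fd, buf + n, 1) != 1) break;
        if (buf[n++] == '\n') { buf[n] = '\0'; return (int)n; }
    }
    buf[n] = '\0';
    return (n + 1 < cap) ? (int)n : -1;
}

/* If started as root, confine the process the way the man page describes:
 * chroot into an empty directory, then become the unprivileged user. */
static int drop_privileges(const char *user, const char *jail) {
    struct passwd *pw;
    if (geteuid() != 0) return 0;        /* nothing to drop */
    pw = getpwnam(user);
    if (pw == NULL) return -1;
    if (chroot(jail) != 0 || chdir("/") != 0) return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) return -1;
    return 0;
}

/* inetd/tcpserver style: one request on stdin, one reply on stdout, exit. */
int main(void) {
    char req[IDENT_MAX_REQ], reply[128];
    int n;
    if (drop_privileges("ident", "/usr/share/empty") != 0) return 1;
    n = read_request(0, req, sizeof req);
    if (n < 0) return 1;                 /* over-long request: say nothing */
    n = ident_respond(req, 0, reply, sizeof reply);
    if (write(1, reply, (size_t)n) < 0) return 1;
    return 0;
}
```

Run it from tcpserver or inetd exactly as the daemon above is run: it
reads one request on stdin, writes one reply on stdout and exits, so
connection rate limiting stays the job of the superserver. The byte-at-a-time
read is deliberately dumb; its only purpose is to make sure the process
never holds or logs more than IDENT_MAX_REQ bytes of attacker-chosen input.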
SEE ALSO
slidentd (8)
http://www.faqs.org/rfcs/rfc.html for the text of RFC 1413
http://cr.yp.to/ucspi-tcp/tcpserver.html for Dan Bernstein’s "tcpserver"
http://www.fefe.de for Felix von Leitner’s libowfat and dietlibc
AUTHOR
slidentd is free software written by Sean Hunter <sean@uncarved.com>
It is distributed under the terms of the Gnu Lesser General Public
License in the hope that it will be useful to somebody else. The
author explicitly disclaims all warranties, expressed or implied,
regarding this software package, or any other matter, real or imagined.
In fact you didn’t even read this, right?
2001-06-07 honest_identd(8)