Man Linux: Main Page and Category List


       honest_identd - another minimal RFC 1413 auth server




       honest_identd was an offshoot of slidentd, which was itself designed as
       a  lightweight  alternative   to   the   more   conventional   pidentd.
       honest_identd  returns  a  cleartext username and, as such, is suitable
       for sites which use broken RFC 1413-based authentication  schemes.   It
       handles  a  single  connection and terminates, doing no pre-forking and
       not implementing any configurable behaviour.  It  is  designed  to  run
       without  root privilege, and does not need it.  However, if it has root
       privilege, it chroot’s to /usr/share/empty, and  sets  its  uid  to  an
       unprivileged user.

       This  server  is  designed  to  run from Dan Bernstein’s tcpserver.  It
       works with inetd and xinetd as well.  It handles a single  request  and
       then terminates, does not fork and does not provide any "standalone" or
       "wait" modes, as these are  believed  by  the  author  to  be  unneeded
       complexity for something as humble as an ident daemon.

       To run it under tcpserver, use a command such as:
               /usr/local/bin/tcpserver   -Rl0   -u  ident  -g  ident  0  auth

       To run it under  xinetd,  copy  run/xinetd  to  /etc/xinetd.d/auth  and
       restart xinetd , or copy the following:

       service auth
            socket_type         = stream
            wait                = no
            nice                = 10
            user                = ident
            server              = /usr/sbin/honest_identd
            instances           = 4

       To  run  under  inetd, insert the following line (or something similar)
       into your /etc/inetd.conf:

               auth  stream  tcp  nowait.60   indent   /usr/sbin/honest_identd

       These  assume you will be using a user called "ident" and that user has
       already been added to your system.

       If running under tcpserver,  the  server  logs  to  stderr  because  it
       assumes  you’re  using  multilog  or something similar to log messages.
       Otherwise, it logs (by default) to /var/log/slidentd.  The location  is
       configurable  by editing slid_config.h.  Please note that if you aren’t
       running the daemon as root it may not have permissions  to  create  the
       file.   If  that  is  the case, touch the file as root, and chown it to
       belong to the user slidentd  is  running  as.   Since  version  0.0.13,
       slidentd  has  been  able  to be configured to use syslog, which avoids
       this sort of tedium.


       At present, configuration possibilities are minimal to say  the  least.
       However,  what  do  you  want  to  configure in an ident server? :) All
       configuration options are available by editing slid_config.h.


       The server is designed to be small and correct,  and  to  have  as  few
       features  as  possible.   A malicious user could attempt to carry out a
       denial of service attack by making large numbers of connections  or  by
       getting slidentd to log large and spurious requests.  While some effort
       has been made to reduce the likelihood of this,  some  care  should  be
       taken  in the configuration of the service using xinetd or tcpserver to
       rate limit connections.  Unix has  excellent  facilities  for  imposing
       resource limits on processes, and I recommend running this daemon using
       resource limits.


       If you need to access broken hosts or services which authenticate based
       on  a  clear-text  username,  honest_identd  is  now  provided for that
       purpose.   It  returns  cleartext  usernames,  and  is  thus  insecure.
       However,  by  running it, you are doing system crackers a _big_ favour.
       You should really be running slidentd instead


       slidentd (8) for the text of RFC 1413
       http:/ for Dan Bernstein’s "tcpserver" for Felix von Leitner’s libowfat and dietlibc


       slidentd is free software written by Sean Hunter <>

       It  is  distributed  under  the  terms of the Gnu Lesser General Public
       License in the hope that it will  be  useful  to  somebody  else.   The
       author  explicitly  disclaims  all  warrantees  expressed  or  implied,
       regarding this software package, or any other matter, real or imagined.
       In fact you didn’t even read this, right?

                                  2001-06-07                  honest_identd(8)