IDENTD(8)                                               IDENTD(8)

NAME
       identd, in.identd - TCP/IP IDENT protocol server

SYNOPSIS
       /usr/sbin/[in.]identd [-i|-w|-b] [-t<seconds>] [-u<uid>]
       [-g<gid>] [-p<port>] [-a<address>] [-c<charset>]
       [-C[<keyfile>]] [-o] [-e] [-l] [-V] [-m] [-N] [-d] [-F<format>]

DESCRIPTION
       identd is a server which implements the TCP/IP proposed
       standard IDENT user identification protocol as specified
       in the RFC 1413 document.

       identd operates by looking up specific TCP/IP  connections
       and returning the user name of the process owning the con-
       nection.   It  can  optionally  return  other  information
       instead of a user name.

       The -i flag, which is the default mode, should be used
       when starting the daemon from inetd with the "nowait"
       option in the /etc/inetd.conf file. Use of this mode will
       make inetd start one identd daemon for each connection.

       The -w flag should be used when starting the daemon from
       inetd with the "wait" option in the /etc/inetd.conf file.
       This is the preferred mode of operation, since inetd will
       start a copy of identd at the first connection request and
       identd will then handle subsequent requests without having
       to do the nlist lookup in the kernel file for every
       request as in the -i mode above. The identd daemon will
       then run forever, until a bug makes it crash, or until a
       timeout, as specified by the -t flag, occurs.

       The -b flag can be used to make the daemon run in
       standalone mode without the assistance of inetd. This mode
       is the least preferred mode, since a bug or any other fatal
       condition in the server will make it terminate, and it will
       then have to be restarted manually. Other than that it has
       the same advantage as the -w mode in that it parses the
       nlist only once.

       The  -t<seconds>  option  is  used  to specify the timeout
       limit. This is the number of seconds a server started with
       the -w flag will wait for new connections before terminat-
       ing. The server is automatically restarted by inetd  when-
       ever a new connection is requested if it has terminated. A
       suitable value for this is 120 (2 minutes),  if  used.  It
       defaults to no timeout (i.e. will wait forever, or until a
       fatal condition occurs in the server).

       The -u<uid> option is used to specify a user id number
       which the ident server should switch to after binding
       itself to the TCP/IP port if using the -b mode of operation.

       The -g<gid> option is used to specify a group id number
       which the ident server should switch to after binding
       itself to the TCP/IP port if using the -b mode of operation.

       The -p<port> option is used to specify an alternative port
       number  to  bind  to if using the -b mode of operation. It
       can be specified by name or by  number.  Defaults  to  the
       IDENT port (113).

       The  -a<address>  option  is  used  to  specify  the local
       address to bind the socket to if  using  the  -b  mode  of
       operation.  Can only be specified by IP address and not by
       domain name. Defaults to the INADDR_ANY address which nor-
       mally means all local addresses.

       The  -V  flag  makes identd display the version number and
       then exit.

       The -l flag tells identd to use the System logging  daemon
       syslogd for logging purposes.

       The  -o flag tells identd to not reveal the operating sys-
       tem type it  is  run  on  and  to  instead  always  return

       The  -e flag tells identd to always return "UNKNOWN-ERROR"
       instead of the "NO-USER" or "INVALID-PORT" errors.

       The -c<charset> flag tells identd to add the optional
       (according to the IDENT protocol) character set designator
       to the reply generated. charset should be a valid character
       set as described in the MIME RFC, in upper case characters.

       The -C[<keyfile>] option tells identd to return  encrypted
       tokens  instead  of  user  names.  The local and remote IP
       addresses and TCP port numbers, the local user's uid  num-
       ber, a timestamp, a random number, and a checksum, are all
       encrypted using DES with a secret  key  derived  from  the
       first  line  of  the keyfile (using des_string_to_key(3)).
       The encrypted binary information  is  then  encoded  in  a
       base64  string  (32  characters in length) and enclosed in
       square brackets to produce a token that is transmitted  to
       the  remote  client.   The  encrypted  token  can later be
       decrypted by  idecrypt(8).   There  may  not  be  a  space
       between  the  -C and the name of the keyfile.  If the key-
       file is not specified, it defaults to /etc/identd.key.

       The -n flag tells identd to always return user numbers
       instead of user names, if you wish to keep the user names a
       secret. The -N flag makes identd check for a file
       ".noident" in the home directory of the user whose name the
       daemon is about to return. If that file exists, the daemon
       will give the error HIDDEN-USER instead of the normal USERID
       response.

       The -m flag makes identd use a mode of operation that will
       allow multiple requests to be processed per session. Each
       request is specified one per line and the responses will
       be returned one per line. The connection will not be
       closed until the connecting party closes its end of the
       connection.

       The -d flag enables  some  debugging  code  that  normally
       should  NOT  be enabled since that breaks the protocol and
       may reveal information that should  not  be  available  to

       The  -F<format> option makes identd use the specified for-
       mat to display info. The allowed format specifiers are:
            %u   print user name
            %U   print user number
            %g   print (primary) group name
            %G   print (primary) group number
            %l   print list of all groups by name
            %L   print list of all groups by number
            %p   print process ID of running process
            %c   print command name
            %C   print command and arguments
       The lists of groups (%l, %L) are comma-separated, and
       start with the primary group, which is not repeated. The
       %p, %c and %C formats are not supported on all architecture
       implementations (printing 0 or empty string
       Any other characters (preceded by %, and those not preceded
       by it) are printed literally. The "default" format is %u,
       and you should not use anything else without the -o
       Not implemented yet, but on my wish-list are the following:
            %w   print working (current) directory
            %h   print home (login, naming) directory
            %e   print the environment
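       As an added illustration (example code, not pidentd's own),
       the following shows how the -o, -e, -n/-F and -N options above
       shape the reply to one RFC 1413 request. The connection table
       and the ~/.noident check are constructed stand-ins for the
       kernel lookup, and the "UNIX" default OS name is an assumption.

```python
import re
from dataclasses import dataclass

# Example code, not pidentd's own: RFC 1413 reply building per the -o/-e/-F/-N options.
REQUEST_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")   # "lport , rport"

@dataclass
class Options:
    hide_os: bool = False        # -o: report "OTHER" instead of the real OS type
    unknown_error: bool = False  # -e: NO-USER / INVALID-PORT become UNKNOWN-ERROR
    fmt: str = "%u"              # -F<format>; -n behaves like -F%U
    noident: bool = False        # -N: a ~/.noident file yields HIDDEN-USER

@dataclass
class Owner:
    name: str
    uid: int
    has_noident: bool = False    # stands in for "~/.noident exists" (assumption)

# Constructed table: (local port, remote port) -> owning user (stand-in for kernel lookup).
CONN_TABLE = {(6191, 23): Owner("alice", 1001),
              (1025, 25): Owner("bob", 1002, has_noident=True)}

def expand(fmt: str, owner: Owner) -> str:
    # %u and %U from the -F table; any other character is printed literally.
    table = {"u": owner.name, "U": str(owner.uid)}
    return re.sub(r"%(.)", lambda m: table.get(m.group(1), m.group(1)), fmt)

def ident_reply(line: str, table: dict, opts: Options) -> str:
    # One request line in, one reply line out (without the trailing CRLF).
    m = REQUEST_RE.match(line.rstrip("\r\n"))
    lport, rport = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    prefix = f"{lport} , {rport}"
    def error(code):  # -e collapses the two informative errors into UNKNOWN-ERROR
        return f"{prefix} : ERROR : {'UNKNOWN-ERROR' if opts.unknown_error else code}"
    if not m or not (1 <= lport <= 65535 and 1 <= rport <= 65535):
        return error("INVALID-PORT")
    owner = table.get((lport, rport))
    if owner is None:
        return error("NO-USER")
    if opts.noident and owner.has_noident:
        return f"{prefix} : ERROR : HIDDEN-USER"   # -N: not affected by -e
    os_type = "OTHER" if opts.hide_os else "UNIX"   # "UNIX" is an assumed default
    return f"{prefix} : USERID : {os_type} : {expand(opts.fmt, owner)}"

def serve_session(lines, table, opts):
    # -m mode: several requests on one connection, one reply per request line.
    return [ident_reply(l, table, opts) for l in lines]
```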

       kernelfile defaults to the normally running kernel file.

       kmemfile defaults to the memory space of the normally run-
       ning kernel.

       The -v flag enables more verbose output or messages. (Further
       occurrences of the -v flag make things even more verbose.)
       Currently not used: ignored.

       The  -f<config-file> option causes identd to use the named
       config file (instead of the default  /etc/identd.conf  ?).
       Currently not used: ignored, no config files are used.

       The  -r<indirect_host>  option  is  used  in some way (for
       proxy queries?).

       The -C<keyfile> option is used in some way for DES encryption.

       identd is invoked either by the internet server (see
       inetd(8C)) for requests to connect to the IDENT port as
       indicated by the /etc/services file (see services(5))
       when using the -w or -i modes of operation, or started
       manually by using the -b mode of operation.

       Assuming the server is located in /usr/etc/in.identd one
       can put either:

       ident stream tcp wait sys /usr/etc/in.identd in.identd -w

       or

       ident stream tcp nowait sys /usr/etc/in.identd in.identd

       into the /etc/inetd.conf file. User "sys" should have
       enough rights to READ the kernel but NOT to write to it.

       To  start  it using the -b mode of operation one can put a
       line like this into the /etc/rc.local file:

       /usr/etc/in.identd -b -u2 -g2

       This will make it run in the background as user 2, group 2
       (user "sys", group "kmem" on SunOS 4.1.1).

       The username (or UID) returned ought to be the login name.
       However it (probably, for most architecture
       implementations) is the "real user ID" as stored with the
       process; there is no provision for returning the "effective
       user ID". Thus the UID returned may be different from the
       login name for setuid programs (or those running as root)
       which have done a setuid(3) call, and for their children.
       For example, it may (should?) be wrong for an incoming ftpd;
       and we are probably interested in the running shell, not the
       telnetd, for an incoming telnet session. (But of course
       identd returns info for outgoing connections, not incoming
       ones.)

       The group or list of groups returned (with the -F  option)
       are  as looked up in the /etc/passwd and /etc/group files,
       based on the UID returned. Thus these may not relate  well
       to  the group(s) of the running process for setuid or set-
       gid programs or their children.

       The command names returned with formats %c and %C  may  be
       different, use one or the other or both.

FILES
       /etc/identd.conf
              This file is as yet unused, but will eventually
              contain configuration options for identd.

       /etc/identd.key
              If compiled with -ldes this file can be used to
              specify a secret key for encrypting replies.

SEE ALSO
       authuser(3), inetd(5), idecrypt(8)

BUGS
       The handling of fatal errors could be better.

                            27 May 1992