oidentd.conf(5)              File Formats Manual              oidentd.conf(5)

NAME
       oidentd.conf - The oidentd configuration file.

DESCRIPTION
       The oidentd configuration file specifies how much control users have
       over the responses oidentd returns upon successful lookups for
       connections owned by them.

       The $HOME/.oidentd.conf file allows a user to specify what ident
       response will be returned for specific connections, within the
       capabilities granted to that user by the system-wide file.

SYSTEM-WIDE CONFIGURATION
   USER DIRECTIVE
       The oidentd.conf file consists of 0 or more user directives. The
       user directive is used to grant capabilities on a per-user basis.

       The user directive has the following syntax:

              default {
                      <range directive>
              }

       OR

              user <username> {
                      <range directive>
              }

       The default directive matches all users for whom no rules are
       defined. There should be only one default directive, and it should
       be the first statement in the file. Every user defined after the
       default definition inherits the capabilities of the default user;
       capabilities can then be allowed, denied, or forced on a per-user
       basis by way of a user statement followed by the username of the
       user to whom the properties that follow apply. Because every
       account not named in the file receives the default capabilities,
       the default block is where spoofing and forwarding should be
       denied, as in the examples below.

   RANGE DIRECTIVE
       The body of a user directive consists of 1 or more range
       directives.

       The range directive is used to specify a host/port range for which
       a set of capabilities is binding. A range directive consists of 1
       or more statements of the following form:

              default {
                      <capability directive>
              }

       OR

              to <host> fport <fport> from <host> lport <lport> {
                      <capability directive>
              }

       The default directive matches all host/port pairs for which no
       rules are defined. There should be only one default directive, and
       it should be the first statement in the block.

       Anywhere from 1 to all 4 of the to, fport, from, and lport
       parameters may be specified.

       The to parameter specifies the address to which a connection is
       made.

       The from parameter specifies the address from which a connection
       originates. Specifying this address is useful when a system has
       more than one IP address.

       The to and from parameters take either an IP address or a hostname
       as argument.

       The lport parameter specifies the local port from which a
       connection originates.

       The fport parameter specifies the destination port of a connection.

       The fport and lport parameters take either a port or a port range.
       Ports can be specified numerically (e.g. 113) or by giving a
       service name (e.g. "auth"). Ranges of ports take the form
       <starting port>:<ending port>. The ending port is optional. If the
       ending port is omitted, the range is taken to be any port greater
       than or equal to the starting port.

       Omitting any of the to, fport, from and lport parameters acts as a
       wildcard for that parameter. For example, the statement "from
       localhost" matches all connections from localhost on any port to
       any host on any port.

   CAPABILITY DIRECTIVE
       The body of a range directive consists of one or more capability
       directives.

       Capability directives assign or deny privileges to specific users.
       Each consists of an action, which must be one of allow, deny and
       force, followed by a capability:

              allow OR deny OR force <capability>

       The capability argument must be one of the capabilities described
       in the capability section below.

       When the capability is reply, the force action takes one further
       argument, the reply string. For example, force reply "randomuser".

       When the capability is forward, the force action takes two further
       arguments, the host and port to forward to. For example, force
       forward 127.0.0.1 1113.

USER CONFIGURATION
       A user's $HOME/.oidentd.conf configuration file may contain 0 or
       more of the following statements:

              global {
                      <capability>
              }

       OR

              <range directive> {
                      <capability>
              }

       The global directive acts as a wildcard matching all connections,
       so if it is used at all it should be the first entry in the file
       and should appear only once. The parser accepts it anywhere in the
       file and any number of times, but there is no sensible use for
       that.

       The range directive has the same syntax and semantics as the range
       directive in the /etc/oidentd.conf file. See above for a
       description.

       Valid capabilities in this file are reply, forward, random,
       numeric, random_numeric, and hide. Descriptions can be found below.
       Each takes effect only where the system-wide configuration permits
       it for the user and connection concerned; the spoof capabilities
       cannot be requested here, only granted in /etc/oidentd.conf.

CAPABILITIES
       spoof  Allow spoofed ident responses; allow the user to specify any
              string as the ident reply. The only restriction on the
              spoofed response is that it must not be the username of
              another user (see spoof_all). When a user spoofs their ident
              reply, the login name of the user is recorded along with the
              forged reply.
              This capability does not apply to the force action.

       spoof_all
              Allow the usernames of other users to be used as ident
              responses. A user holding this capability can appear as any
              local account to a remote server that trusts ident, so grant
              it deliberately.
              This capability does not apply to the force action.

       spoof_privport
              Allow ident replies to be spoofed on privileged ports (ports
              lower than 1024).
              This capability does not apply to the force action.

       reply <string> [<string1> ... <stringN>]
              Reply to successful ident lookups with the ident response
              specified in <string>. If more than one string parameter is
              given, one of the strings is selected at random.

              In a user's $HOME/.oidentd.conf file, up to 20 strings may
              be specified for a reply statement.

              In the /etc/oidentd.conf file, there is no limit on the
              number of strings that may be specified.

              The strings must be quoted strings (e.g. "string"). Strings
              may contain the following escape sequences:

              \n     new line
              \t     tab
              \r     carriage return
              \b     backspace
              \v     vertical tab
              \f     form feed
              \a     alert (bell)
              \e     escape
              \\     backslash
              \NNN   the character with ASCII code NNN, given in octal
              \xNNN  the character with ASCII code NNN, given in
                     hexadecimal

              An ident response is a single line terminated by CRLF (RFC
              1413); avoid \r and \n in a reply, since the querying host
              is likely to take the first of them as the end of the
              response.

              In the /etc/oidentd.conf file, this capability only applies
              to the force action.

       forward <host> <port>
              Forward the request to the specified host and port. If not
              forced, the response is subject to the same spoofing checks
              as reply.
              If the request fails for any reason, a "HIDDEN-USER" error
              is reported if the forward was forced or the user is allowed
              to hide. Otherwise, the failure is replaced with the real
              username.

       hide   Hide the user; report a "HIDDEN-USER" error when an ident
              lookup succeeds.

       random Reply to successful ident lookups with a randomly generated
              ident response consisting of alphanumeric characters.

       numeric
              Reply to successful ident lookups with the UID of the user
              that was looked up.

       random_numeric
              Reply to successful ident lookups with a randomly generated
              ident response of the form userN, where N is a random number
              between 0 and 100000.

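       The following Python program is an added example, not oidentd's own
       code. It implements two pieces of the capability descriptions above:
       the escape table for quoted reply strings, and the order in which the
       spoof, spoof_all and spoof_privport capabilities gate a proposed reply,
       plus the RFC 1413 error line that hide (and a failed forced forward)
       produce. The names decode_reply, spoof_check and hidden_reply are this
       example's own. It assumes the privileged-port test applies to the
       local port, because this page defines lport as the port a connection
       originates from, and it takes the set of local account names as an
       argument instead of reading the system password file.

```python
"""Reply-string escapes and the spoof permission checks from the capability
descriptions above.  Added example, not oidentd's own code.  Assumptions: the
privileged-port test is applied to the local port, since this page defines
lport as the port a connection originates from; the 'other user' test uses a
caller-supplied set of account names rather than the system password file."""
import re

SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "b": "\b", "v": "\v",
                  "f": "\f", "a": "\a", "e": "\x1b", "\\": "\\"}

def decode_reply(raw):
    """Expand the escape sequences permitted inside a quoted reply string."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] != "\\":
            out.append(raw[i])
            i += 1
            continue
        nxt = raw[i + 1:i + 2]            # "" when the backslash is the last character
        if nxt in SIMPLE_ESCAPES:
            out.append(SIMPLE_ESCAPES[nxt])
            i += 2
        elif nxt == "x":                  # \xNNN: up to three hexadecimal digits
            m = re.match(r"[0-9A-Fa-f]{1,3}", raw[i + 2:])
            if not m or int(m.group(), 16) > 0xFF:
                raise ValueError(f"bad \\x escape at offset {i}")
            out.append(chr(int(m.group(), 16)))
            i += 2 + len(m.group())
        elif nxt and nxt in "01234567":   # \NNN: up to three octal digits
            m = re.match(r"[0-7]{1,3}", raw[i + 1:])
            if int(m.group(), 8) > 0xFF:
                raise ValueError(f"bad octal escape at offset {i}")
            out.append(chr(int(m.group(), 8)))
            i += 1 + len(m.group())
        else:
            raise ValueError(f"unknown escape at offset {i}")
    return "".join(out)

def spoof_check(reply, caps, lport, own_user, local_users):
    """Return None if own_user may send `reply` on a connection from local port
    lport, else the reason it is refused.  caps: capability names allowed for
    this user and connection (granted by the system-wide file)."""
    if reply == own_user:
        return None                   # the real name is never a spoof
    if "spoof" not in caps:
        return "spoof capability not granted"
    if reply in local_users and "spoof_all" not in caps:
        return "reply is another user's name (spoof_all not granted)"
    if lport < 1024 and "spoof_privport" not in caps:   # assumption: local port
        return "privileged local port (spoof_privport not granted)"
    if "\r" in reply or "\n" in reply:
        return "reply must be a single line (RFC 1413 responses end at CRLF)"
    return None

def hidden_reply(lport, fport):
    """The RFC 1413 error line sent for hide and for a failed forced forward."""
    return f"{lport} , {fport} : ERROR : HIDDEN-USER"
```

       The checks are ordered from the broadest capability to the narrowest,
       so the reason returned names the single capability that would have to
       be granted next; the CRLF test is not an oidentd capability but the
       sanity check a practitioner would add before accepting a user-supplied
       reply.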
SYSTEM-WIDE CONFIGURATION EXAMPLES
              default {
                      default {
                              deny spoof
                              deny spoof_all
                              deny spoof_privport
                              deny forward
                              allow random_numeric
                              allow numeric
                              allow hide
                      }
              }

       Grant all users the ability to generate random numeric ident
       replies, to generate numeric ident replies and to hide their
       identities on all ident queries. Explicitly deny the ability to
       spoof ident responses or forward requests.

              user root {
                      default {
                              force reply "UNKNOWN"
                      }
              }

       Reply with "UNKNOWN" to all successful ident queries for root.

              user ryan {
                      default {
                              allow spoof
                              allow spoof_all
                              allow random
                              allow hide
                      }

                      from 127.0.0.1 {
                              allow spoof_privport
                      }
              }

       Grant the user "ryan" the capability to spoof ident replies,
       including the ability to use other usernames as ident replies, to
       generate random replies and to hide his ident for all connections,
       and additionally grant "ryan" the capability to spoof ident replies
       on privileged ports (< 1024) for connections originating from the
       address 127.0.0.1. The remaining capabilities of the default block
       (numeric and random_numeric) are inherited.

              user jester {
                      default {
                              force forward 127.0.0.1 1113
                      }
              }

       Forward ident requests for connections belonging to the user
       "jester" to the server running at 127.0.0.1:1113.

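       The following Python program is an added example, not oidentd's own
       code. It parses the user, range and capability directives described
       in the SYSTEM-WIDE CONFIGURATION section (including service names and
       <start>:<end> port ranges) and computes the capabilities in force for
       one user and one connection, then runs that over the example
       configuration above. The names parse_config, effective_caps,
       range_matches, parse_port_range and FALLBACK_SERVICES are this
       example's own. It assumes that a later matching entry overrides an
       earlier one, which is the reading under which the default entries
       must come first; it compares hostnames as lower-cased strings rather
       than resolving them; and it looks service names up in /etc/services
       with a small built-in fallback table for hosts that lack that file.

```python
"""Parser and evaluator for the /etc/oidentd.conf grammar described on this
page.  Added example, not oidentd's own code.  Assumptions: later matching
entries override earlier ones (hence 'default' first); hostnames are compared
as lower-cased strings, not resolved; service names come from /etc/services,
with a built-in fallback table."""
import re
import socket

# Token: a double-quoted string (escapes kept raw), a brace, or a bare word.
TOKEN = re.compile(r'"((?:\\.|[^"\\])*)"|([{}])|([^\s{}"]+)')
FALLBACK_SERVICES = {"auth": 113, "ident": 113, "irc": 6667}  # assumption

def port_number(name):
    """Numeric port or service name ('auth') -> integer port."""
    if name.isdigit():
        return int(name)
    try:
        return socket.getservbyname(name)
    except OSError:
        return FALLBACK_SERVICES[name]

def parse_port_range(spec):
    """'113' -> (113, 113); '6660:6669' -> (6660, 6669); '1024:' -> (1024, 65535)."""
    lo, sep, hi = spec.partition(":")
    low = port_number(lo)
    return low, port_number(hi) if hi else (65535 if sep else low)

def tokenize(text):
    return [("str", s) if s is not None else ("brace", b) if b else ("word", w)
            for s, b, w in (m.groups() for m in TOKEN.finditer(text))]

def parse_config(text):
    """-> [(username or None for 'default', [(range_dict, [(action, cap, args)])])]"""
    toks, pos = tokenize(text) + [("eof", "")], 0

    def take(want=None):   # next token's text; want='{' or '}' enforces that brace
        nonlocal pos
        kind, val = toks[pos]
        if kind == "eof" or (want and (kind, val) != ("brace", want)):
            raise SyntaxError(f"expected {want or 'a token'!r}, got {val!r}")
        pos += 1
        return val

    def parse_range():
        rng, word = {}, take()
        while word != "default":   # to/from/fport/lport pairs up to the brace
            if word not in ("to", "from", "fport", "lport"):
                raise SyntaxError(f"unknown range parameter {word!r}")
            value = take()
            rng[word] = parse_port_range(value) if word.endswith("port") else value.lower()
            if toks[pos] == ("brace", "{"):
                break
            word = take()
        take("{")
        caps = []
        while toks[pos] != ("brace", "}"):
            action, cap, args = take(), take(), ()
            if action not in ("allow", "deny", "force"):
                raise SyntaxError(f"unknown action {action!r}")
            if action == "force" and cap == "reply":      # force reply "a" ["b" ...]
                while toks[pos][0] == "str":
                    args += (take(),)
            elif action == "force" and cap == "forward":  # force forward <host> <port>
                args = (take(), port_number(take()))
            caps.append((action, cap, args))
        take("}")
        return rng, caps

    users = []
    while toks[pos][0] != "eof":
        word = take()
        if word not in ("default", "user"):
            raise SyntaxError(f"expected 'default' or 'user', got {word!r}")
        name, ranges = (take() if word == "user" else None), []
        take("{")
        while toks[pos] != ("brace", "}"):
            ranges.append(parse_range())
        take("}")
        users.append((name, ranges))
    return users

def range_matches(rng, conn):
    """conn = {'to': host, 'fport': int, 'from': host, 'lport': int}; absent keys match all."""
    return all(want[0] <= conn[k] <= want[1] if k.endswith("port") else conn[k].lower() == want
               for k, want in rng.items())

def effective_caps(config, user, conn):
    """capability -> (action, args): the default block first, then the user's own block."""
    state = {}
    for name, ranges in config:
        for rng, caps in (ranges if name in (None, user) else ()):
            if range_matches(rng, conn):
                state.update((cap, (action, args)) for action, cap, args in caps)
    return state

# Constructed from this page's system-wide examples; whitespace is free-form.
EXAMPLE_CONF = """
default { default { deny spoof deny spoof_all deny spoof_privport deny forward
                    allow random_numeric allow numeric allow hide } }
user root { default { force reply "UNKNOWN" } }
user ryan { default { allow spoof allow spoof_all allow random allow hide }
            from 127.0.0.1 { allow spoof_privport } }
user jester { default { force forward 127.0.0.1 1113 } }
"""
```

       Calling effective_caps(parse_config(EXAMPLE_CONF), "ryan", conn) with
       conn = {"to": "irc.example.org", "fport": 6667, "from": "127.0.0.1",
       "lport": 40000} yields spoof_privport allowed and numeric allowed
       (the latter inherited from the default block); the same call with
       "from" set to another address leaves spoof_privport denied, and a
       user absent from the file, such as "alice", gets only the default
       block. Because a forced reply or forward is stored with its
       arguments, the same structure also exposes what root and jester will
       answer with.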
USER CONFIGURATION EXAMPLES
              global {
                      reply "unknown"
              }

       Reply with "unknown" to all successful ident lookups.

              to irc.example.org {
                      reply "example"
              }

       Reply with "example" to ident lookups for connections to
       irc.example.org.

AUTHOR
       Janik Rabe <oidentd@janikrabe.com>
       https://oidentd.janikrabe.com

       Originally written by Ryan McCabe <ryan@numb.org>.

SEE ALSO
       oidentd(8) oidentd_masq.conf(5)

version 2.3.1                    2018-06-13                   oidentd.conf(5)