oidentd.conf(5)               File Formats Manual              oidentd.conf(5)

NAME

       oidentd.conf - The oidentd configuration file.

DESCRIPTION

       The oidentd configuration file is used to specify the amount of control
       users have over the responses oidentd returns upon successful lookups
       for connections owned by them.

       The $HOME/.oidentd.conf file allows a user to specify what ident
       response will be returned for specific connections.

/etc/oidentd.conf SYNTAX

       USER DIRECTIVE
              The oidentd.conf file consists of 0 or more user directives. The
              user directive is used to grant capabilities on a per-user
              basis.

              The user directive has the following syntax:

              default {
                   <range directive>
              }

              OR

              user <username> {
                   <range directive>
              }

              The default directive matches all users for whom rules are not
              defined. There should only be one default directive, and it
              should be the first statement in the file. All entries for users
              defined after the default definition will inherit the
              capabilities of the default user. Capabilities can then be
              allowed, denied, or forced on a per-user basis by way of the
              user statement followed by the username of the user to whom the
              properties that follow will apply.


       RANGE DIRECTIVE
              The body of a user directive consists of 1 or more range
              directives.

              The range directive is used to specify a host/port range for
              which a set of capabilities is binding. A range directive
              consists of 1 or more statements of the following form:

              default {
                   <capability directive>
              }

              OR

              to <host> fport <fport> from <host> lport <lport> {
                   <capability directive>
              }

              The default directive matches all host/port pairs for which
              rules are not defined. There should only be one default
              directive, and it should be the first statement in the block.

              Anywhere from 1 to all 4 of the to, fport, from, and lport
              parameters may be specified.

              The to parameter is used to specify the address to which a
              connection is made.

              The from parameter is used to specify the address from which a
              connection originates. It may be useful to specify this address
              when a system has more than one IP address.

              The to and from parameters take either an IP address or a
              hostname argument.

              The lport parameter is used to specify the local port from which
              a connection originates.

              The fport parameter is used to specify the destination port of a
              connection.

              The fport and lport parameters take either a port or a port
              range. Ports can be specified numerically (e.g. 113) or by
              giving a service name (e.g. "auth"). Ranges of ports take the
              form <starting port>:<ending port>. The ending port is optional.
              If the ending port is omitted, the range is taken to be any port
              greater than or equal to the starting port.

              The omission of any of the to, fport, from and lport parameters
              acts like a wildcard for that parameter. For example, the
              statement "from localhost" matches all connections from
              localhost on any port to any host on any port.


       CAPABILITY DIRECTIVE
              The body of a range directive consists of one or more capability
              directives.

              Capabilities are used to assign or deny privileges to specific
              users. Valid actions inside user directives are allow, deny,
              and force.

              The capability directive consists of one or more statements of
              the form:

              allow OR deny OR force <capability>.

              The capability argument must be one of the capabilities
              described in the capability section below.

              The force action takes a third argument when the capability is
              reply. For example, force reply "randomuser".

              The force action takes four arguments when the capability is
              forward. For example, force forward 127.0.0.1 1113.


$HOME/.oidentd.conf SYNTAX

       A user's $HOME/.oidentd.conf configuration file may contain 0 or more
       of the following statements:

       global {
            <capability>
       }

       OR

       <range directive> {
            <capability>
       }

       The global directive acts as a wildcard, matching all connections, so
       if used at all, the global directive should be the first entry in the
       file and should be used only once. Use is permitted anywhere in the
       file and any number of times; however, it doesn't make much sense to
       use it in this manner.

       The range directive has the same syntax and semantics as the range
       directive in the /etc/oidentd.conf file. See above for a description.

       Valid capabilities are reply, forward, random, numeric, random_numeric,
       and hide. Descriptions can be found below.


CAPABILITIES

       spoof  Allow spoofed ident responses; allow the user to specify any
              string as the ident reply. The only restriction on the spoofed
              response is that it must not be the username of another user.
              When a user spoofs their ident reply, the login name of the user
              is recorded along with the forged reply.
              This capability does not apply to the force action.


       spoof_all
              Allow the usernames of other users to be used as ident
              responses.
              This capability does not apply to the force action.


       spoof_privport
              Allow ident replies to be spoofed on privileged ports (ports
              lower than 1024).
              This capability does not apply to the force action.


       reply <string> [<string1> ... <stringN>]
              Reply to successful ident lookups with the ident response
              specified in <string>. If more than one string parameter is
              given, one of the strings will be selected randomly.

              In a user's $HOME/.oidentd.conf file, up to 20 strings may be
              specified for a reply statement.

              In the /etc/oidentd.conf file, there is no limitation on the
              number of strings that may be specified.

              The strings must be quoted strings (e.g. "string"). Strings may
              contain the following escape sequences:

              \n     new line
              \t     tab
              \r     carriage return
              \b     backspace
              \v     vertical tab
              \f     form feed
              \a     alert (bell)
              \e     escape
              \\     backslash
              \NNN   The character with the ASCII code NNN in octal.
              \xNNN  The character with the ASCII code NNN in hexadecimal.

              This capability only applies to the force action.

       forward <host> <port>
              Forward the request to the specified host and port. If not
              forced, the response is subject to the same spoofing checks as
              reply.
              If the request fails for any reason, reports a "HIDDEN-USER"
              error if the forward was forced or the user is allowed to hide.
              Otherwise, a failure is replaced with the real username.


       hide   Hide the user; report a "HIDDEN-USER" error when an ident lookup
              succeeds.


       random Reply to successful ident lookups with a randomly generated
              ident response consisting of alphanumeric characters.


       numeric
              Reply to successful ident lookups with the UID of the user that
              was looked up.


       random_numeric
              Reply to successful ident lookups with a randomly generated
              ident response of the form userN, where N is a random number
              between 0 and 100000.


EXAMPLE /etc/oidentd.conf FILE

       default {
            default {
                 deny spoof
                 deny spoof_all
                 deny spoof_privport
                 deny forward
                 allow random_numeric
                 allow numeric
                 allow hide
            }
       }

       Grant all users the ability to generate random numeric ident replies,
       the ability to generate numeric ident replies and the ability to hide
       their identities on all ident queries. Explicitly deny the ability to
       spoof ident responses or forward requests.

       user root {
            default {
                 force reply "UNKNOWN"
            }
       }

       Reply with "UNKNOWN" for all successful ident queries for root.

       user ryan {
            default {
                 allow spoof
                 allow spoof_all
                 allow random
                 allow hide
            }

            from 127.0.0.1 {
                 allow spoof_privport
            }
       }

       Grant the user "ryan" the capability to spoof ident replies, including
       the ability to use other usernames as ident replies, generate random
       replies and hide his ident for all connections, and grant the user
       "ryan" the capability to spoof ident replies to privileged ports (<
       1024) on connections originating from the host 127.0.0.1.

       user jester {
            default {
                 force forward 127.0.0.1 1113
            }
       }

       Forward requests for connections belonging to the user "jester" to the
       server running at 127.0.0.1:1113.

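       As an added example (not oidentd's own code), the following Python
       resolves which capabilities apply to a given connection under the
       inheritance rule from the USER DIRECTIVE section and the wildcard and
       port-range matching rules from the RANGE DIRECTIVE section, using the
       example file above in a constructed in-memory form. It assumes host
       names are compared as written (no DNS lookup) and that, of several
       matching range directives, the later one wins; the page states neither.

```python
# Added example, not oidentd's own code: resolve which capabilities apply to one
# connection under the inheritance and range-matching rules described above, using
# the page's example /etc/oidentd.conf in constructed in-memory form. Assumptions:
# hosts compare as written (no DNS); of several matching ranges the later one wins.
import socket

def parse_port_spec(spec):
    """Turn "113", "auth", "6660:6669" or "1024:" into an inclusive (low, high)."""
    def one(p):
        return int(p) if p.isdigit() else socket.getservbyname(p)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return one(lo), (one(hi) if hi else 65535)  # ending port omitted: open-ended
    return one(spec), one(spec)

def range_matches(rule, conn):
    """rule holds any of to/from/fport/lport; an absent key is a wildcard."""
    for key in ("to", "from"):
        if key in rule and rule[key].lower() != conn[key].lower():
            return False
    for key in ("fport", "lport"):
        if key in rule:
            lo, hi = parse_port_spec(rule[key])
            if not lo <= conn[key] <= hi:
                return False
    return True

def effective_caps(config, user, conn):
    """Apply the 'default' user block first, then the user's own block on top."""
    caps = {}
    for block in (config.get("default", []), config.get(user, [])):
        for rule, actions in block:
            if range_matches(rule, conn):
                for action, cap, *args in actions:
                    caps[cap] = (action, tuple(args))
    return caps

# Constructed in-memory form of the example file above:
# user -> list of (range rule, [(action, capability, extra args...)]).
CONFIG = {
    "default": [({}, [("deny", "spoof"), ("deny", "spoof_all"),
                      ("deny", "spoof_privport"), ("deny", "forward"),
                      ("allow", "random_numeric"), ("allow", "numeric"),
                      ("allow", "hide")])],
    "root": [({}, [("force", "reply", "UNKNOWN")])],
    "ryan": [({}, [("allow", "spoof"), ("allow", "spoof_all"),
                   ("allow", "random"), ("allow", "hide")]),
             ({"from": "127.0.0.1"}, [("allow", "spoof_privport")])],
    "jester": [({}, [("force", "forward", "127.0.0.1", "1113")])],
}
```

       For "ryan", spoof_privport resolves to allow only when the connection
       originates from 127.0.0.1; from any other address the inherited deny
       from the default user block applies.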

EXAMPLE $HOME/.oidentd.conf FILE

       global {
            reply "unknown"
       }

       Reply with "unknown" to all successful ident lookups.

       to irc.example.org {
            reply "example"
       }

       Reply with "example" to ident lookups for connections to
       irc.example.org.


AUTHOR

       Janik Rabe <oidentd@janikrabe.com>
       https://oidentd.janikrabe.com

       Originally written by Ryan McCabe <ryan@numb.org>.


SEE ALSO

       oidentd(8) oidentd_masq.conf(5)



version 2.3.1                     2018-06-13                   oidentd.conf(5)