OIDENTD.CONF(5)                oidentd User Manual                OIDENTD.CONF(5)

NAME
oidentd.conf - oidentd configuration files

DESCRIPTION
The oidentd configuration files are used to control the responses
oidentd sends to clients after receiving a query for a connection owned
by a particular user.

The system-wide configuration file /etc/oidentd.conf specifies the
types of responses individual users are permitted to send. By default,
users must respond with their real username.

The user configuration file ~/.config/oidentd.conf allows users to send
custom ident responses or to hide their identities, provided that they
have been granted the necessary capabilities through the system-wide
configuration file. If this file does not exist or oidentd was compiled
without XDG Base Directory support, the file ~/.oidentd.conf is used
instead.

SYSTEM-WIDE CONFIGURATION FILE
The system-wide configuration file is used to grant capabilities to
users or to force users to use a certain capability. The default
behavior is not to grant any privileges, which means that all users
must send their real usernames in response to ident queries. The
system-wide configuration file may be empty or missing, in which case
this default applies. Changes to this file take effect only after
oidentd is reloaded (which occurs when a SIGHUP signal is received) or
restarted.

The system-wide configuration file contains zero or one directive of
the following form:

    default {
        range-directives...
    }

This default directive matches all users for which no explicit rules
have been defined. Any user directives following this directive inherit
the capabilities it defines. If present, the default directive should
be the first directive in the file.

The system-wide configuration file may also contain zero or more
directives of the following form:

    user username {
        range-directives...
    }

This user directive applies only to the specified user.

USER CONFIGURATION FILE
Each user may create a user configuration file at
~/.config/oidentd.conf or ~/.oidentd.conf. This file must be readable
by the user oidentd runs as. The user configuration file is read
automatically after every successful lookup, so any changes take effect
immediately.

The user configuration file contains zero or one directive of the
following form:

    global {
        capability-statements...
    }

This global directive matches all connections owned by the user. If
present, it should be the first directive in the user configuration
file.

The user configuration file may also contain zero or more directives of
the following form:

    range-specification {
        capability-statements...
    }

This range directive applies only to connections that match the given
range specification.

RANGE DIRECTIVES
At most one range directive in any given scope may take the following
form:

    default {
        capability-directives...
    }

This default directive defines rules for all connections that do not
match any other range directive. If present, the default directive
should be the first directive in its scope.

A range directive may also take the following form:

    range-specification {
        capability-directives...
    }

This range directive applies only to connections that match the given
range specification.

RANGE SPECIFICATIONS
A range specification consists of filters that define which connections
a range directive applies to. It takes the following form:

    to fhost fport fport from lhost lport lport

This range specification matches only connections with the specified
foreign host, foreign port, local host, and local port. At least one of
these filters must be specified. Omitted filters match any value.
Filters may be specified in any order.

The fhost filter specifies the foreign host or address of a connection,
from the perspective of the machine running oidentd.

The fport filter specifies the foreign port or port range of a
connection.

The lhost filter specifies the local host or address of a connection,
from the perspective of the machine running oidentd. This may be useful
for supporting virtual hosts on systems with more than one IP address.

The lport filter specifies the local port or port range of a
connection.

Ports can be specified either numerically (e.g., 113) or using a
service name (e.g., ident). Port ranges are specified numerically as
min:max. The min port may be omitted to select all ports less than or
equal to the max port. Likewise, the max port may be omitted to select
all ports greater than or equal to the min port.
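The range-specification syntax above, as an added example that is not oidentd's own code: a small Python parser for "to/fport/from/lport" filters (including min:max ranges with an omitted side and service names) and a matcher that applies them to a connection. The 65535 upper bound for an omitted max port and the exact-string host comparison are assumptions of this example; oidentd itself resolves host names.

```python
import socket
from dataclasses import dataclass

@dataclass
class Conn:
    fhost: str   # foreign host, as seen from the machine running oidentd
    fport: int   # foreign port
    lhost: str   # local host
    lport: int   # local port

def parse_port(spec):
    """'113', 'ident' or 'min:max' -> (min, max); either side of ':' may be omitted."""
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        # assumption: an omitted max selects every port up to the highest TCP port
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    if spec.isdigit():
        return (int(spec), int(spec))
    port = socket.getservbyname(spec)   # service name, e.g. "ident" -> 113
    return (port, port)

FILTERS = ("to", "fport", "from", "lport")

def parse_range(spec):
    """Parse 'to fhost fport fport from lhost lport lport'; filters may be in any order."""
    tokens = spec.split()
    if not tokens or len(tokens) % 2:
        raise ValueError("a range specification needs one or more 'filter value' pairs")
    filters = {}
    for key, value in zip(tokens[0::2], tokens[1::2]):
        if key not in FILTERS:
            raise ValueError(f"unknown filter {key!r}")
        filters[key] = parse_port(value) if key.endswith("port") else value
    return filters

def matches(filters, conn):
    """True when every given filter accepts the connection; omitted filters match anything."""
    for key, want in filters.items():
        if key == "to" and conn.fhost != want:      # simplification: exact host match
            return False
        if key == "from" and conn.lhost != want:
            return False
        if key == "fport" and not want[0] <= conn.fport <= want[1]:
            return False
        if key == "lport" and not want[0] <= conn.lport <= want[1]:
            return False
    return True
```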

CAPABILITY DIRECTIVES
A capability directive may take one of the following forms:

    allow capability

In this form, the directive grants the user permission to use the
specified capability.

    deny capability

In this form, the directive revokes the user’s permission to use the
specified capability.

    force capability-statement

In this form, the directive forces the user to use the specified
capability statement, regardless of the user configuration file.

CAPABILITIES
The following expressions are valid capabilities:

    forward
    hide
    numeric
    random
    random_numeric

These capabilities allow users to use the corresponding capability
statements.

    spoof

The spoof capability allows users to send custom ident replies. Note
that this does not include replying with the name of another user or
spoofing replies for connections to privileged foreign ports.

    spoof_all

The spoof_all capability allows users to reply with the names of other
users. This capability should be used with care, as it allows users to
impersonate other users on the local system. The spoof_all capability
only works in conjunction with spoof, but does not imply it.

    spoof_privport

The spoof_privport capability allows users to spoof replies for
connections to privileged foreign ports (with port numbers below 1024).
The spoof_privport capability only works in conjunction with spoof, but
does not imply it.

CAPABILITY STATEMENTS
A capability statement may take one of the following forms:

    forward host port

Forward received queries to another ident server. The target server
must support forwarding (like oidentd with the --proxy option).

Additional capabilities may be required for forwarding to succeed. For
example, the spoof capability is required if the target server sends a
response other than the user’s name on the forwarding server. It may
therefore be desirable to also grant at least one of hide, spoof,
spoof_all, and spoof_privport in addition to the forward capability. If
force forward is used, no additional checks are performed and no
capabilities are required.

If forwarding fails, oidentd responds with a "HIDDEN-USER" error or
with the user’s real username, depending on whether the user has been
granted the hide capability. Replies are logged, allowing the system
administrator to identify which user sent a particular reply.

    hide

Hide ident replies from clients. When this capability is used, oidentd
reports a "HIDDEN-USER" error to ident clients instead of sending an
ident reply.

    numeric

Respond with the user ID (UID).

    random

Send randomly generated, alphanumeric ident replies. A new reply is
generated for each ident lookup. Replies are logged, allowing the
system administrator to identify which user sent a particular reply.

    random_numeric

Send randomly generated, numeric ident replies between 0 (inclusive)
and 100,000 (exclusive), prefixed with "user". A new reply is generated
for each ident lookup. Replies are logged, allowing the system
administrator to identify which user sent a particular reply.

    reply reply1 [reply2 ...]

Send an ident reply chosen at random from the given list of quoted
replies. When used in a user configuration file, at most 20 replies may
be specified. In the system-wide configuration file, up to 255 replies
may be specified. Replies are logged, allowing the system administrator
to identify which user sent a particular reply.
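The interplay between the capability statements above and the capabilities that gate them (spoof, spoof_all for another local user's name, spoof_privport for foreign ports below 1024, and force bypassing every check), as an added Python model that is not oidentd's own code. The forward statement is not modelled; the local account list, the eight-character length of random replies, and the fallback to the real username when a statement is not permitted are assumptions of this example.

```python
import secrets
import string
from dataclasses import dataclass

@dataclass
class Query:
    fport: int       # foreign port of the connection being looked up
    real_user: str   # owner of the connection
    uid: int         # owner's numeric user ID

ALL_CAPS = {"spoof", "spoof_all", "spoof_privport", "hide",
            "numeric", "random", "random_numeric"}
LOCAL_USERS = {"root", "lisa", "paul", "nobody"}   # constructed sample account list

def resolve_reply(query, statement, args, granted, forced=False):
    """Return the USERID oidentd would send, or "HIDDEN-USER" (sent as an ident error).

    statement/args model the user's capability statement, e.g. ("reply", ["me"]);
    granted is the set of capabilities the system-wide file allows for this
    connection; forced=True models a 'force' directive, which skips all checks.
    Assumption: a statement the user may not use falls back to the real username.
    """
    if forced:
        granted = ALL_CAPS
    if statement == "reply":
        chosen = secrets.choice(args)               # random pick from the reply list
        needed = {"spoof"}
        if chosen in LOCAL_USERS and chosen != query.real_user:
            needed.add("spoof_all")                 # another local user's name
        if query.fport < 1024:
            needed.add("spoof_privport")            # privileged foreign port
        return chosen if needed <= granted else query.real_user
    if statement == "hide":
        return "HIDDEN-USER" if "hide" in granted else query.real_user
    if statement == "numeric":
        return str(query.uid) if "numeric" in granted else query.real_user
    if statement == "random" and "random" in granted:
        alphabet = string.ascii_letters + string.digits
        return "".join(secrets.choice(alphabet) for _ in range(8))   # length assumed
    if statement == "random_numeric" and "random_numeric" in granted:
        return "user" + str(secrets.randbelow(100000))   # 0 <= n < 100000
    return query.real_user   # no statement, forward (not modelled), or not permitted
```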

EXAMPLES
   SYSTEM-WIDE CONFIGURATION FILE
    default {
        default {
            allow spoof
        }

        fport 6667 {
            deny spoof
            allow hide
        }
    }

Allow all users to spoof ident replies, except on connections to port
6667. On connections to port 6667, and only there, allow users to hide
their ident replies.

    user "root" {
        default {
            force hide
        }
    }

Hide all connections owned by the root user.

    user "lisa" {
        lport 1024: {
            force reply "me"
        }
    }

For connections owned by user "lisa" on local port 1024 or greater,
always reply with "me", ignoring any settings in the user configuration
file.

   USER CONFIGURATION FILE
    global {
        reply "paul"
    }

Reply with "paul" to all ident queries.

    to irc.example.net fport 6667 {
        hide
    }

Hide ident replies for connections to irc.example.net on port 6667.

QUOTING
Strings may be enclosed in double quotes. This is useful for strings
containing special characters that would otherwise be interpreted in an
unintended way.

Quoted strings may contain the following escape sequences:

    \a     alert (bell)
    \b     backspace
    \f     form feed
    \n     newline (line feed)
    \r     carriage return
    \t     horizontal tab
    \v     vertical tab
    \\     backslash
    \"     double quotation mark
    \NNN   the character with octal numerical value NNN
    \xNN   the character with hexadecimal numerical value NN

COMMENTS
After encountering a number sign ("#"), oidentd ignores any remaining
text on the same line. This allows users to add comments to the
configuration file. Comments can also be written in the following form,
which allows them to span multiple lines:

    /* comment */

AUTHOR
Janik Rabe <oidentd@janikrabe.com>
<https://oidentd.janikrabe.com>

Originally written by Ryan McCabe.

BUGS
Please report any bugs to Janik Rabe <oidentd@janikrabe.com>.

SEE ALSO
oidentd(8), oidentd_masq.conf(5)

oidentd 2.4.0                                                     OIDENTD.CONF(5)