oidentd.conf(5)               File Formats Manual              oidentd.conf(5)

NAME
       oidentd.conf - The oidentd configuration file.

DESCRIPTION
       The oidentd configuration file is used to specify the amount of control
       users have over the responses oidentd returns upon successful lookups
       for connections owned by them.

       The $HOME/.oidentd.conf file allows a user to specify what ident
       response will be returned for specific connections.

   USER DIRECTIVE
       The oidentd.conf file consists of 0 or more user directives. The user
       directive is used to grant capabilities on a per-user basis.

       The user directive has the following syntax:

           default {
               <range directive>
           }

       OR

           user <username> {
               <range directive>
           }

       The default directive matches all users for whom rules are not
       defined. There should only be one default directive, and it should be
       the first statement in the file. All entries for users defined after
       the default definition inherit the capabilities of the default user.
       Capabilities can then be allowed, denied, or forced on a per-user basis
       by way of the user statement followed by the username of the user to
       whom the properties that follow will apply.

   RANGE DIRECTIVE
       The body of a user directive consists of 1 or more range directives.

       The range directive is used to specify a host/port range for which a
       set of capabilities is binding. A range directive consists of 1 or
       more statements of the following form:

           default {
               <capability directive>
           }

       OR

           to <host> lport <lport> from <host> fport <fport> {
               <capability directive>
           }

       The default directive matches all host/port pairs for which rules are
       not defined. There should only be one default directive, and it should
       be the first statement in the block.

       Anywhere from 1 to all 4 of the to, lport, from, and fport parameters
       may be specified.

       The to parameter is used to specify the address to which a connection
       is made.

       The from parameter is used to specify the address from which a
       connection originates. It may be useful to specify this address when a
       system has more than 1 IP address.

       The to and from parameters take either an IP address or a hostname
       argument.

       The lport parameter is used to specify the local port from which a
       connection originates.

       The fport parameter is used to specify the destination port of a
       connection.

       The lport and fport parameters take either a port or a port range.
       Ports can be specified numerically (e.g. 113) or by giving a service
       name (e.g. "auth"). Ranges of ports take the form
       <starting port>:<ending port>. The ending port is optional. If the
       ending port is omitted, the range is taken to be any port greater than
       or equal to the starting port.

       The omission of any of the to, lport, from and fport parameters acts
       like a wildcard for that parameter. For example, the statement "from
       localhost" matches all connections from localhost on any port to any
       host on any port.

   CAPABILITY DIRECTIVE
       The body of a range directive consists of one or more capability
       directives.

       Capabilities are used to assign or deny privileges to specific users.
       Valid capabilities inside user directives are allow, deny, and force.

       The capability directive consists of one or more statements of the
       form:

           allow OR deny OR force <capability>

       The capability argument must be one of the capabilities described in
       the capability section below.

       The force action takes a third argument when the capability is reply.
       For example, force reply "randomuser".

       A user's .oidentd.conf configuration file may contain 0 or more of the
       following statements:

           global {
               <capability>
           }

       OR

           <range directive> {
               <capability>
           }

       The global directive acts as a wildcard, matching all connections, so
       if used at all, the global directive should be the first entry in the
       file and should be used only once. It is permitted anywhere in the
       file and any number of times, but using it in that manner makes little
       sense.

       The range directive has the same syntax and semantics as the range
       directive in the /etc/oidentd.conf file. See above for a description.

       Valid capabilities are reply, random, numeric, random_numeric, and
       hide. Descriptions can be found below.

CAPABILITIES
       spoof  Allow spoofed ident responses; allow the user to specify a
              string of her choosing as the ident reply. The only restriction
              on the spoofed response is that it must not be the username of
              another user. When a user spoofs her ident reply, the login name
              of the user is recorded along with the forged reply.
              This capability does not apply to the force action.

       spoof_all
              Allow the usernames of other users to be used as ident
              responses.
              This capability does not apply to the force action.

       spoof_privport
              Allow ident replies to be spoofed on privileged ports (ports
              lower than 1024).
              This capability does not apply to the force action.

       reply <string> [<string1> ... <stringN>]
              Reply to successful ident lookups with the ident response
              specified in <string>. If more than one string parameter is
              given, one of the strings will be selected randomly.

              In a user's $HOME/.oidentd.conf file, up to 20 strings may be
              specified for a reply statement.

              In the /etc/oidentd.conf file, there is no limitation on the
              number of strings that may be specified.

              The strings must be quoted strings (e.g. "string"). Strings may
              contain the following escape characters:

              \n     new line
              \t     tab
              \r     carriage return
              \b     backspace
              \v     vertical tab
              \f     form feed
              \a     alert (bell)
              \e     escape
              \\     backslash
              \NNN   The character with the ASCII code NNN in the octal base
                     system.
              \xNNN  The character with the ASCII code NNN in the hexadecimal
                     base system.
              This capability only applies to the force action.

       hide   Hide the user; report a "HIDDEN-USER" error when an ident lookup
              succeeds.

       random Reply to successful ident lookups with a randomly generated
              ident response consisting of alphanumeric characters.

       numeric
              Reply to successful ident lookups with the UID of the user that
              was looked up.

       random_numeric
              Reply to successful ident lookups with a randomly generated
              ident response of the form userN, where N is a random number
              between 0 and 100000.
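       To make the escape rules for reply strings concrete, the following
       Python decoder (added here; it is not oidentd's own code) expands the
       escapes listed above and reports any control characters the decoded
       reply contains, which is the check an administrator reviewing a forced
       reply would want, since an ident response is a single line. The \xNNN
       rule is read as up to three hex digits and \NNN as up to three octal
       digits; the page does not say how many digits are consumed, so that is
       an assumption, as are the function names.

```python
import re

# Single-character escapes listed for reply strings in this man page.
_SIMPLE = {"n": "\n", "t": "\t", "r": "\r", "b": "\b", "v": "\v",
           "f": "\f", "a": "\a", "e": "\x1b", "\\": "\\"}
# \xNNN (hex), \NNN (octal), or one escaped character. Digit counts of 1-3
# are an assumption; the page only shows the NNN form.
_ESCAPE = re.compile(r"\\(x[0-9A-Fa-f]{1,3}|[0-7]{1,3}|.)", re.S)


def unescape_reply(quoted):
    """Decode the escapes of a reply string as the page documents them.
    Unknown escapes are rejected rather than silently passed through."""
    def expand(match):
        esc = match.group(1)
        if esc[0] == "x" and len(esc) > 1:
            return chr(int(esc[1:], 16))
        if esc[0] in "01234567":
            return chr(int(esc, 8))
        if esc in _SIMPLE:
            return _SIMPLE[esc]
        raise ValueError("unknown escape \\%s" % esc)
    return _ESCAPE.sub(expand, quoted)


def control_chars(decoded):
    """Control characters present in a decoded reply, sorted, so a config
    reviewer can spot CR/LF or terminal escape sequences in a forced reply."""
    return sorted({c for c in decoded if ord(c) < 32 or ord(c) == 127})


if __name__ == "__main__":
    # Constructed sample reply string with mixed escape forms.
    decoded = unescape_reply(r"user\x41\101\n")
    print(repr(decoded), control_chars(decoded))
```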

EXAMPLES
       default {
           default {
               deny spoof
               deny spoof_all
               deny spoof_privport
               allow random_numeric
               allow numeric
               allow hide
           }
       }

       Grant all users the ability to generate random numeric ident replies,
       the ability to generate numeric ident replies and the ability to hide
       their identities on all ident queries. Explicitly deny the ability to
       spoof ident responses.

       user root {
           default {
               force reply "UNKNOWN"
           }
       }

       Reply with "UNKNOWN" for all successful ident queries for root.

       user ryan {
           default {
               allow spoof
               allow spoof_all
               allow random
               allow hide
           }

           from 127.0.0.1 {
               allow spoof_privport
           }
       }

       Grant the user "ryan" the capability to spoof ident replies, including
       the ability to use other usernames as ident replies, generate random
       replies and hide his ident for all connections, and grant the user
       "ryan" the capability to spoof ident replies to privileged ports (<
       1024) on connections originating from the host 127.0.0.1.
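       As an added illustration of how the user, range, and capability
       directives combine for one connection, here is a small Python model
       written for this page (it is not part of oidentd) that parses the
       three /etc/oidentd.conf examples above and computes which
       capabilities are in force for a given connection. It assumes:
       hostnames are compared as literal strings rather than resolved, the
       default user's statements are applied before the named user's (the
       inheritance described under USER DIRECTIVE), and within one user the
       later matching range overrides earlier ones, which is why the default
       range must come first. Only the syntax documented on this page is
       handled; the function names are the example's own.

```python
import re
import socket

# Constructed sample: the three /etc/oidentd.conf examples from this man
# page, concatenated into one file.
SAMPLE_CONF = """
default {
    default {
        deny spoof
        deny spoof_all
        deny spoof_privport
        allow random_numeric
        allow numeric
        allow hide
    }
}
user root {
    default {
        force reply "UNKNOWN"
    }
}
user ryan {
    default {
        allow spoof
        allow spoof_all
        allow random
        allow hide
    }
    from 127.0.0.1 {
        allow spoof_privport
    }
}
"""


def parse_port(spec):
    """A port given numerically (113) or as a service name (auth)."""
    return int(spec) if spec.isdigit() else socket.getservbyname(spec)


def parse_port_range(spec):
    """'113' -> (113, 113); '6660:6669' -> (6660, 6669); '1024:' -> (1024, 65535)."""
    start, sep, end = spec.partition(":")
    lo = parse_port(start)
    hi = parse_port(end) if end else (65535 if sep else lo)
    return lo, hi


_TOKEN = re.compile(r'"[^"]*"|[{}]|[^\s{}]+')


def parse_conf(text):
    """Return {username (None = default user): [(range, [(action, cap, args)])]}.
    A range is a dict keyed by to/from (string) and lport/fport ((lo, hi));
    the empty dict is the 'default' range and matches every connection."""
    toks, pos = _TOKEN.findall(text), 0

    def take(expected=None):
        nonlocal pos
        tok = toks[pos]
        if expected is not None and tok != expected:
            raise ValueError("expected %r, got %r" % (expected, tok))
        pos += 1
        return tok

    users = {}
    while pos < len(toks):
        kw = take()
        if kw == "user":
            name = take()
        elif kw == "default":
            name = None
        else:
            raise ValueError("unexpected %r" % kw)
        take("{")
        ranges = []
        while toks[pos] != "}":
            rng = {}
            if toks[pos] == "default":
                take()
            while toks[pos] != "{":          # to/lport/from/fport pairs
                key, val = take(), take()
                rng[key] = parse_port_range(val) if key in ("lport", "fport") else val
            take("{")
            caps = []
            while toks[pos] != "}":
                action, cap = take(), take()
                args = []
                while toks[pos].startswith('"'):   # e.g. force reply "UNKNOWN"
                    args.append(take()[1:-1])
                caps.append((action, cap, args))
            take("}")
            ranges.append((rng, caps))
        take("}")
        users[name] = ranges
    return users


def range_matches(rng, conn):
    """conn has keys to/from/lport/fport; a key absent from rng is a wildcard.
    Hosts are compared literally here (assumption; the daemon resolves names)."""
    for key, want in rng.items():
        if key in ("lport", "fport"):
            if not want[0] <= conn[key] <= want[1]:
                return False
        elif conn[key] != want:
            return False
    return True


def effective_caps(users, username, conn):
    """Capabilities in force for one connection: the default user's matching
    statements first, then the named user's, so later statements win."""
    state = {}
    for name in (None, username):
        for rng, caps in users.get(name, []):
            if range_matches(rng, conn):
                for action, cap, args in caps:
                    state[cap] = (action, args)
    return state


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    # Constructed connection: local IRC client on 127.0.0.1 to a remote server.
    conn = {"to": "irc.example.org", "from": "127.0.0.1", "lport": 45000, "fport": 6667}
    print(effective_caps(conf, "ryan", conn))
```

       Running it shows that "ryan" gets spoof_privport only when the
       connection originates from 127.0.0.1, while root's forced reply and
       the default user's denials apply regardless of range.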

       global {
           reply "unknown"
       }

       Reply with "unknown" to all successful ident lookups.

       to irc.example.org {
           reply "example"
       }

       Reply with "example" to ident lookups for connections to
       irc.example.org.

AUTHOR
       Ryan McCabe <ryan@numb.org>
       http://dev.ojnk.net

SEE ALSO
       oidentd(8) oidentd_masq.conf(5)

version 2.0.8                    13 Jul 2003                    oidentd.conf(5)