OIDENTD.CONF(5)               oidentd User Manual              OIDENTD.CONF(5)

NAME

       oidentd.conf - oidentd configuration files

DESCRIPTION

       The oidentd configuration files are used to control the responses
       oidentd sends to clients after receiving a query for a connection owned
       by a particular user.

       The system-wide configuration file /etc/oidentd.conf specifies the
       types of responses individual users are permitted to send. By default,
       users must respond with their real username.

       The user configuration files ~/.config/oidentd.conf allow users to send
       custom ident responses or to hide their identities, provided that they
       have been granted the necessary capabilities through the system-wide
       configuration file. If this file does not exist or oidentd was compiled
       without XDG Base Directory support, the file ~/.oidentd.conf is used
       instead. Note that user configuration files are read only after a
       connection is determined to belong to the user in question.

SYSTEM-WIDE CONFIGURATION FILE

       The system-wide configuration file is used to grant capabilities to
       users or force users to use a certain capability. The default behavior
       is not to grant any privileges, which means that all users must send
       their real usernames in response to ident queries. The system-wide
       configuration file may be empty or missing, in which case this default
       applies. Changes to this file take effect only after oidentd is
       reloaded (which occurs when a SIGHUP signal is received) or restarted.

       The system-wide configuration file contains zero or one directive of
       the following form:

           default {
                   range-directives...
           }

       This default directive matches all users for which no explicit rules
       have been defined. Any user directives following this directive inherit
       the capabilities it defines. If present, the default directive should
       be the first directive in the system-wide configuration file.

       The system-wide configuration file may also contain zero or more
       directives of the following form:

           user username {
                   range-directives...
           }

       This user directive applies only to the specified user.

USER CONFIGURATION FILE

       Each user may create a user configuration file at
       ~/.config/oidentd.conf or ~/.oidentd.conf. This file must be readable
       by the user oidentd runs as. The user configuration file is read
       automatically after every successful lookup, so any changes take effect
       immediately.

       The user configuration file contains zero or one directive of the
       following form:

           global {
                   capability-statements...
           }

       This global directive matches all connections owned by the user. If
       present, it should be the first directive in the user configuration
       file.

       The user configuration file may also contain zero or more directives of
       the following form:

           range-specification {
                   capability-statements...
           }

       This range directive applies only to connections that match the given
       range specification.

RANGE DIRECTIVES

       At most one range directive in any given scope may take the following
       form:

           default {
                   capability-directives...
           }

       This default directive defines rules for all connections that do not
       match any other range directive. If present, the default directive
       should be the first directive in its scope.

       A range directive may also take the following form:

           range-specification {
                   capability-directives...
           }

       This range directive applies only to connections that match the given
       range specification.

RANGE SPECIFICATIONS

       A range specification consists of filters that define which connections
       a range directive applies to. It takes the following form:

           to fhost fport fport from lhost lport lport

       Here to, fport, from, and lport are keywords; each is followed by the
       value it filters on. This range specification matches only connections
       with the specified foreign host, foreign port, local host, and local
       port. At least one of these filters must be specified. Omitted filters
       match any value. Filters may be specified in any order.

       The fhost filter (introduced by the to keyword) specifies the foreign
       host or address of a connection, from the perspective of the machine
       running oidentd.

       The fport filter specifies the foreign port or port range of a
       connection.

       The lhost filter (introduced by the from keyword) specifies the local
       host or address of a connection, from the perspective of the machine
       running oidentd. This may be useful for supporting virtual hosts on
       systems with more than one IP address.

       The lport filter specifies the local port or port range of a
       connection.

       Ports can be specified either numerically (e.g., 113) or using a
       service name (e.g., ident). Port ranges are specified numerically as
       min:max. The min port may be omitted to select all ports less than or
       equal to the max port. Likewise, the max port may be omitted to select
       all ports greater than or equal to the min port.
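       The following Python program is an added example and is not part of
       oidentd. It implements the filter semantics described above so that a
       range specification can be checked against a connection before it is
       put into a configuration file. Host filters are compared as
       case-insensitive literal strings, an assumption made for this example
       (oidentd itself resolves host names); service names are resolved with
       the standard getservbyname() lookup.

```python
"""Range-specification matcher (added example, not oidentd code).

Implements the filter semantics of RANGE SPECIFICATIONS: the keywords
to, fport, from and lport in any order, omitted filters match anything,
ports as numbers or service names, ranges as min:max with either end
omitted. Assumption: host filters are compared as case-insensitive
literal strings (oidentd itself resolves names).
"""
import socket
from dataclasses import dataclass
from typing import Dict, Tuple, Union

PortRange = Tuple[int, int]
Filters = Dict[str, Union[str, PortRange]]


@dataclass(frozen=True)
class Connection:
    fhost: str     # foreign host, as seen from the machine running oidentd
    fport: int
    lhost: str     # local host
    lport: int


def parse_port(token: str) -> int:
    """One port: numeric, or a service name looked up via getservbyname()."""
    port = int(token) if token.isdigit() else socket.getservbyname(token)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {token}")
    return port


def parse_port_range(token: str) -> PortRange:
    """'113' -> (113, 113); '1024:' -> (1024, 65535); ':1023' -> (0, 1023)."""
    if ":" not in token:
        port = parse_port(token)
        return port, port
    low, high = token.split(":", 1)
    lo = parse_port(low) if low else 0          # omitted min: from port 0
    hi = parse_port(high) if high else 65535    # omitted max: up to 65535
    if lo > hi:
        raise ValueError(f"empty port range: {token}")
    return lo, hi


def parse_range_spec(spec: str) -> Filters:
    """Parse 'to HOST fport PORT from HOST lport PORT' (any order, any subset)."""
    words = spec.split()
    if not words or len(words) % 2:
        raise ValueError(f"malformed range specification: {spec!r}")
    filters: Filters = {}
    for key, value in zip(words[::2], words[1::2]):
        if key not in ("to", "fport", "from", "lport") or key in filters:
            raise ValueError(f"bad or repeated filter {key!r} in {spec!r}")
        filters[key] = parse_port_range(value) if key.endswith("port") else value.lower()
    return filters


def matches(filters: Filters, conn: Connection) -> bool:
    """True if every filter present in the specification accepts conn."""
    checks = {
        "to": lambda v: v == conn.fhost.lower(),
        "from": lambda v: v == conn.lhost.lower(),
        "fport": lambda v: v[0] <= conn.fport <= v[1],
        "lport": lambda v: v[0] <= conn.lport <= v[1],
    }
    return all(checks[key](value) for key, value in filters.items())
```

       Note that fport selects by the port on the remote host (an IRC server's
       6667, for example), while lport selects by the port on the machine
       running oidentd; a rule meant to cover a local service must use lport.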

CAPABILITY DIRECTIVES

       A capability directive may take one of the following forms:

           allow capability

       In this form, the directive grants the user permission to use the
       specified capability.

           deny capability

       In this form, the directive revokes the user's permission to use the
       specified capability.

           force capability-statement

       In this form, the directive forces the user to use the specified
       capability statement.

CAPABILITIES

       The following expressions are valid capabilities:

           forward
           hide
           numeric
           random
           random_numeric

       These capabilities allow users to use the corresponding capability
       statements.

           spoof

       The spoof capability allows users to send custom ident replies. Note
       that this does not include replying with the name of another user or
       spoofing replies for connections to privileged foreign ports.

           spoof_all

       The spoof_all capability allows users to reply with the names of other
       users. This capability should be used with care, as it allows users to
       impersonate other users on the local system. The spoof_all capability
       only works in conjunction with spoof, but does not imply it.

           spoof_privport

       The spoof_privport capability allows users to spoof replies for
       connections to privileged foreign ports (with port numbers below 1024).
       The spoof_privport capability only works in conjunction with spoof, but
       does not imply it.

CAPABILITY STATEMENTS

       A capability statement may take one of the following forms:

           forward host port

       Forward received queries to another ident server. The target server
       must support forwarding (like oidentd with the --proxy option).

       Additional capabilities may be required for forwarding to succeed. For
       example, the spoof capability is required if the target server sends a
       response other than the user's name on the forwarding server. It may
       therefore be desirable to also grant at least one of hide, spoof,
       spoof_all, and spoof_privport in addition to the forward capability. If
       force forward is used, no additional checks are performed and no
       capabilities are required.

       If forwarding fails, oidentd responds with a "HIDDEN-USER" error or
       with the user's real username, depending on whether the user has been
       granted the hide capability. Replies are logged, allowing the system
       administrator to identify which user sent a particular reply.

           hide

       Hide ident replies from clients. When this capability is used, oidentd
       reports a "HIDDEN-USER" error to ident clients instead of sending an
       ident reply.

           numeric

       Respond with the user ID (UID).

           random

       Send randomly generated, alphanumeric ident replies. A new reply is
       generated for each ident lookup. Replies are logged, allowing the
       system administrator to identify which user sent a particular reply.

           random_numeric

       Send randomly generated, numeric ident replies between 0 (inclusive)
       and 100,000 (exclusive), prefixed with "user". A new reply is generated
       for each ident lookup. Replies are logged, allowing the system
       administrator to identify which user sent a particular reply.

           reply reply1 [reply2 ...]

       Send an ident reply chosen at random from the given list of quoted
       replies. When used in a user configuration file, at most 20 replies may
       be specified. In the system-wide configuration file, up to 255 replies
       may be specified. Replies are logged, allowing the system administrator
       to identify which user sent a particular reply.
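       The following Python program is an added example, not oidentd code. It
       models how the capabilities and capability statements described in the
       two preceding sections combine for a single lookup: allow, deny and
       force directives are folded in file order onto an inherited policy, a
       force directive bypasses all checks, and a reply statement is gated by
       spoof, by spoof_privport when the foreign port is below 1024, and by
       spoof_all when the reply would be another local user's name. The
       forward statement is left out because it needs a network peer. Where
       this manual does not say what oidentd does (what is sent when a
       statement is not permitted, how long a random reply is, whether one
       other user's name in a reply list disqualifies the whole list), the
       code makes an assumption and says so in a comment.

```python
"""Capability resolution for one ident lookup (added example, not oidentd code).

A Policy holds the capabilities in effect for the connection after the
system-wide directives have been applied, plus any forced statement.
resolve_reply() then decides what the statement taken from the user's
configuration file is allowed to produce.
"""
import random
import string
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

CAPABILITIES = {"forward", "hide", "numeric", "random", "random_numeric",
                "spoof", "spoof_all", "spoof_privport"}
PRIVPORT_MAX = 1023   # foreign ports below 1024 are privileged

# A statement is a tuple: ("hide",), ("numeric",), ("random",),
# ("random_numeric",) or ("reply", [reply1, reply2, ...]).


@dataclass(frozen=True)
class Policy:
    allowed: frozenset
    forced: Optional[Tuple] = None


@dataclass(frozen=True)
class Owner:
    name: str
    uid: int


def apply_directives(directives: Sequence[Tuple[str, object]],
                     base: Optional[Policy] = None) -> Policy:
    """Fold allow/deny/force directives, in file order, onto an inherited policy."""
    allowed = set(base.allowed) if base else set()
    forced = base.forced if base else None
    for verb, arg in directives:
        if verb == "allow" and arg in CAPABILITIES:
            allowed.add(arg)
        elif verb == "deny" and arg in CAPABILITIES:
            allowed.discard(arg)
        elif verb == "force":
            forced = arg
        else:
            raise ValueError(f"bad directive: {verb} {arg!r}")
    return Policy(frozenset(allowed), forced)


def permitted(allowed, stmt, owner, fport, local_users) -> bool:
    """Check a statement from a user configuration file against the policy."""
    kind = stmt[0]
    if kind in ("hide", "numeric", "random", "random_numeric"):
        return kind in allowed
    if kind == "reply":
        if "spoof" not in allowed:            # spoof_all/spoof_privport never stand alone
            return False
        if fport <= PRIVPORT_MAX and "spoof_privport" not in allowed:
            return False
        others = set(local_users) - {owner.name}
        # Assumption: any other local user's name in the list requires spoof_all.
        if any(r in others for r in stmt[1]) and "spoof_all" not in allowed:
            return False
        return True
    raise ValueError(f"unsupported statement: {kind}")   # forward needs a peer


def resolve_reply(policy, owner, requested, fport, local_users, rng=random):
    """Return ("USERID", name) or ("ERROR", "HIDDEN-USER") for one lookup."""
    if policy.forced is not None:
        stmt = policy.forced                  # force: no checks, user file ignored
    elif requested is None or not permitted(policy.allowed, requested,
                                            owner, fport, local_users):
        return ("USERID", owner.name)         # assumption: denied statement -> real name
    else:
        stmt = requested
    kind = stmt[0]
    if kind == "hide":
        return ("ERROR", "HIDDEN-USER")
    if kind == "numeric":
        return ("USERID", str(owner.uid))
    if kind == "random":                      # length 8 is this example's choice
        return ("USERID", "".join(rng.choices(string.ascii_letters + string.digits, k=8)))
    if kind == "random_numeric":              # 0 <= n < 100000, prefixed with "user"
        return ("USERID", "user%d" % rng.randrange(100000))
    if kind == "reply":
        return ("USERID", rng.choice(list(stmt[1])))
    raise ValueError(f"unsupported statement: {kind}")
```

       The pair returned here is the payload of an RFC 1413 response; on the
       wire oidentd frames it as "port, port : USERID : UNIX : name" or
       "port, port : ERROR : HIDDEN-USER". Running the page's own example
       through apply_directives (allow spoof in the default scope, then deny
       spoof and allow hide in an fport 6667 scope) leaves only hide in effect
       for IRC connections, which is the intended result.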

EXAMPLES

   SYSTEM-WIDE CONFIGURATION FILE
           default {
                   default {
                           allow spoof
                   }

                   fport 6667 {
                           deny spoof
                           allow hide
                   }
           }

       Allow all users to spoof ident replies, except on connections to
       foreign port 6667. Only on connections to foreign port 6667, allow
       users to hide their ident replies.

           user "root" {
                   default {
                           force hide
                   }
           }

       Hide all connections owned by the root user.

           user "lisa" {
                   lport 1024: {
                           force reply "me"
                   }
           }

       For connections owned by user "lisa" on local port 1024 or greater,
       always reply with "me", ignoring any settings in the user configuration
       file.

   USER CONFIGURATION FILE
           global {
                   reply "paul"
           }

       Reply with "paul" to all ident queries. This takes effect only if the
       system-wide configuration file grants the user the spoof capability.

           to irc.example.net fport 6667 {
                   hide
           }

       Hide ident replies for connections to irc.example.net on port 6667.
       This takes effect only if the user has been granted the hide
       capability for such connections.

STRING FORMATTING

       Strings may be enclosed in double quotes. This is useful for strings
       containing special characters that would otherwise be interpreted in an
       unintended way.

       Quoted strings may contain the following escape sequences:

           \a    alert (bell)
           \b    backspace
           \f    form feed
           \n    newline (line feed)
           \r    carriage return
           \t    horizontal tab
           \v    vertical tab
           \\    backslash
           \"    double quotation mark
           \NNN  the character with octal numerical value NNN
           \xNN  the character with hexadecimal numerical value NN

COMMENTS

       After encountering a number sign ("#"), oidentd ignores any remaining
       text on the same line. This allows users to add comments to the
       configuration file. Comments can also be written in the following form,
       which allows them to span multiple lines:

           /* comment */
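       The following Python program is an added example and is not oidentd's
       own parser (oidentd uses a yacc grammar). It tokenizes and parses the
       block syntax described in this manual, handling both comment forms and
       the quoted-string escapes listed under STRING FORMATTING, and then
       walks the result to list every scope that grants spoof_all or
       spoof_privport, which is the review an administrator wants before
       reloading the system-wide file. One assumption is built in: a statement
       such as allow spoof ends at the end of its line. The sample
       configuration is constructed for the example and is not a real
       deployment.

```python
"""Tokenizer and block parser for the oidentd.conf syntax.

Added example, not oidentd's own (yacc-based) parser. Assumption: a
statement such as 'allow spoof' ends at the end of its line.
"""
import re

ESCAPES = {"a": "\a", "b": "\b", "f": "\f", "n": "\n", "r": "\r",
           "t": "\t", "v": "\v", "\\": "\\", '"': '"'}
RISKY = {"spoof_all", "spoof_privport"}   # grants worth a second look


def read_quoted(text, i):
    """Decode a double-quoted string; i points just past the opening quote."""
    out = []
    while i < len(text):
        c, e = text[i], text[i + 1:i + 2]
        if c == '"':
            return "".join(out), i + 1
        if c != "\\":
            out.append(c)
            i += 1
        elif e in ESCAPES:                      # \a \b \f \n \r \t \v \\ \"
            out.append(ESCAPES[e])
            i += 2
        elif e == "x" and (m := re.match(r"[0-9A-Fa-f]{1,2}", text[i + 2:i + 4])):
            out.append(chr(int(m[0], 16)))      # \xNN
            i += 2 + len(m[0])
        elif m := re.match(r"[0-7]{1,3}", text[i + 1:i + 4]):
            out.append(chr(int(m[0], 8)))       # \NNN
            i += 1 + len(m[0])
        else:
            raise SyntaxError(f"bad escape at offset {i}")
    raise SyntaxError("unterminated string")


def tokenize(text):
    """Yield ('word', value), ('{', None), ('}', None) or ('\\n', None)."""
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\n" or c in "{}":
            yield (c, None)
            i += 1
        elif c.isspace():
            i += 1
        elif c == "#":                          # comment to end of line
            nl = text.find("\n", i)
            i = len(text) if nl < 0 else nl
        elif text.startswith("/*", i):          # may span several lines
            end = text.find("*/", i + 2)
            if end < 0:
                raise SyntaxError("unterminated /* comment")
            i = end + 2
        elif c == '"':
            value, i = read_quoted(text, i + 1)
            yield ("word", value)
        else:
            word = re.match(r'[^\s{}"#]+', text[i:])[0]
            yield ("word", word)
            i += len(word)


def parse(text):
    """Return a list of ('stmt', words) and ('block', header_words, items)."""
    tokens = list(tokenize(text))
    pos = 0

    def block(depth):
        nonlocal pos
        items, words = [], []
        while pos < len(tokens):
            kind, value = tokens[pos]
            pos += 1
            if kind == "word":
                words.append(value)
            elif kind == "{":
                if not words:
                    raise SyntaxError("block without a header")
                items.append(("block", words, block(depth + 1)))
                words = []
            elif kind == "}":
                if depth == 0:
                    raise SyntaxError("unbalanced '}'")
                if words:
                    items.append(("stmt", words))
                return items
            elif words:                         # newline ends a statement
                items.append(("stmt", words))
                words = []
        if depth:
            raise SyntaxError("missing '}'")
        if words:
            items.append(("stmt", words))
        return items

    return block(0)


def risky_grants(items, scope=()):
    """List (scope path, capability) for every 'allow' of a risky capability."""
    found = []
    for item in items:
        if item[0] == "block":
            found += risky_grants(item[2], scope + (" ".join(item[1]),))
        elif len(item[1]) == 2 and item[1][0] == "allow" and item[1][1] in RISKY:
            found.append((" / ".join(scope), item[1][1]))
    return found


# Constructed sample for this example, not a real deployment.
SAMPLE = r'''
default {
        default { allow spoof }
        fport 6667 {        /* IRC: no spoofing,
                               hiding is fine */
                deny spoof
                allow hide
        }
}
user "lisa" { lport 1024: { force reply "me" } }
user "ops" {
        default { allow spoof
                  allow spoof_all }   # can impersonate other local users
}
user "esc" { default { force reply "a\tb\x41\101" } }
'''
```

       Calling risky_grants(parse(SAMPLE)) reports the one scope in the
       sample that grants spoof_all ("user ops / default"); pointing parse()
       at the real /etc/oidentd.conf gives the same review for a live system.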

AUTHOR

       Janik Rabe <oidentd@janikrabe.com>
           https://oidentd.janikrabe.com

       Originally written by Ryan McCabe.

BUGS

       Please report any bugs to Janik Rabe <oidentd@janikrabe.com>.

SEE ALSO

       oidentd(8) oidentd_masq.conf(5)



oidentd 2.5.0                                                  OIDENTD.CONF(5)