1OIDENTD.CONF(5) oidentd User Manual OIDENTD.CONF(5)
2
6 oidentd.conf - oidentd configuration files
7
9 The oidentd configuration files are used to control the responses
10 oidentd sends to clients after receiving a query for a connection owned
11 by a particular user.
12 The system-wide configuration file /etc/oidentd.conf specifies the
14 types of responses individual users are permitted to send. By default,
15 users must respond with their real username.
16 The user configuration files ~/.config/oidentd.conf allow users to send
18 custom ident responses or to hide their identities, provided that they
19 have been granted the necessary capabilities through the system-wide
20 configuration file. If this file does not exist or oidentd was compiled
21 without XDG Base Directory support, the file ~/.oidentd.conf is used
22 instead. Note that user configuration files are read only after a
23 connection is determined to belong to the user in question.
24
26 The system-wide configuration file is used to grant capabilities to
27 users or force users to use a certain capability. The default behavior
28 is not to grant any privileges, which means that all users must send
29 their real usernames in response to ident queries. The system-wide
30 configuration file may be empty or missing, in which case this default
31 applies. Changes to this file take effect only after oidentd is
32 reloaded (which occurs when a SIGHUP signal is received) or restarted.
33 The system-wide configuration file contains zero or one directive of
35 the following form:
36 default {
38 range-directives...
39 }
40 This default directive matches all users for which no explicit rules
42 have been defined. Any user directives following this directive inherit
43 the capabilities it defines. If present, the default directive should
44 be the first directive in the user configuration file.
45 The system-wide configuration file may also contain zero or more
47 directives of the following form:
48 user username {
50 range-directives...
51 }
52 This user directive applies only to the specified user.
54
56 Each user may create a user configuration file at
57 ~/.config/oidentd.conf or ~/.oidentd.conf. This file must be readable
58 by the user oidentd runs as. The user configuration file is read
59 automatically after every successful lookup, so any changes take effect
60 immediately.
61 The user configuration file contains zero or one directive of the
63 following form:
64 global {
66 capability-statements...
67 }
68 This global directive matches all connections owned by the user. If
70 present, it should be the first directive in the user configuration
71 file.
72 The user configuration file may also contain zero or more directives of
74 the following form:
75 range-specification {
77 capability-statements...
78 }
79 This range directive applies only to connections that match the given
81 range specification.
82
84 At most one range directive in any given scope may take the following
85 form:
86 default {
88 capability-directives...
89 }
90 This default directive defines rules for all connections that do not
92 match any other range directive. If present, the default directive
93 should be the first directive in its scope.
94 A range directive may also take the following form:
96 range-specification {
98 capability-directives...
99 }
100 This range directive applies only to connections that match the given
102 range specification.
103
105 A range specification consists of filters that define which connections
106 a range directive applies to. It takes the following form:
107 to fhost fport fport from lhost lport lport
109 This range specification matches only connections with the specified
111 foreign host, foreign port, local host, and local port. At least one of
112 these filters must be specified. Omitted filters match any value.
113 Filters may be specified in any order.
114 The fhost filter specifies the foreign host or address of a connection,
116 from the perspective of the machine running oidentd.
117 The fport filter specifies the foreign port or port range of a
119 connection.
120 The lhost filter specifies the local host or address of a connection,
122 from the perspective of the machine running oidentd. This may be useful
123 for supporting virtual hosts on systems with more than one IP address.
124 The lport filter specifies the local port or port range of a
126 connection.
127 Ports can be specified either numerically (e.g., 113) or using a
129 service name (e.g., ident). Port ranges are specified numerically as
130 min:max. The min port may be omitted to select all ports less than or
131 equal to the max port. Likewise, the max port may be omitted to select
132 all ports greater than or equal to the min port.
133
135 A capability directive may take one of the following forms:
136 allow capability
138 In this form, the directive grants the user permission to use the
140 specified capability.
141 deny capability
143 In this form, the directive revokes the user’s permission to use the
145 specified capability.
146 force capability-statement
148 In this form, the directive forces the user to use the specified
150 capability.
151
153 The following expressions are valid capabilities:
154 forward
156 hide
157 numeric
158 random
159 random_numeric
160 These capabilities allow users to use the corresponding capability
162 statements.
163 spoof
165 The spoof capability allows users to send custom ident replies. Note
167 that this does not include replying with the name of another user or
168 spoofing replies for connections to privileged foreign ports.
169 spoof_all
171 The spoof_all capability allows users to reply with the names of other
173 users. This capability should be used with care, as it allows users to
174 impersonate other users on the local system. The spoof_all capability
175 only works in conjunction with spoof, but does not imply it.
176 spoof_privport
178 The spoof_privport capability allows users to spoof replies for
180 connections to privileged foreign ports (with port numbers below 1024).
181 The spoof_privport capability only works in conjunction with spoof, but
182 does not imply it.
183
185 A capability statement may take one of the following forms:
186 forward host port
188 Forward received queries to another ident server. The target server
190 must support forwarding (like oidentd with the --proxy option).
191 Additional capabilities may be required for forwarding to succeed. For
193 example, the spoof capability is required if the target server sends a
194 response other than the user’s name on the forwarding server. It may
195 therefore be desirable to also grant at least one of hide, spoof,
196 spoof_all, and spoof_privport in addition to the forward capability. If
197 force forward is used, no additional checks are performed and no
198 capabilities are required.
199 If forwarding fails, oidentd responds with a "HIDDEN-USER" error or
201 with the user’s real username, depending on whether the user has been
202 granted the hide capability. Replies are logged, allowing the system
203 administrator to identify which user sent a particular reply.
204 hide
206 Hide ident replies from clients. When this capability is used, oidentd
208 reports a "HIDDEN-USER" error to ident clients instead of sending an
209 ident reply.
210 numeric
212 Respond with the user ID (UID).
214 random
216 Send randomly generated, alphanumeric ident replies. A new reply is
218 generated for each ident lookup. Replies are logged, allowing the
219 system administrator to identify which user sent a particular reply.
220 random_numeric
222 Send randomly generated, numeric ident replies between 0 (inclusive)
224 and 100,000 (exclusive), prefixed with "user". A new reply is generated
225 for each ident lookup. Replies are logged, allowing the system
226 administrator to identify which user sent a particular reply.
227 reply reply1 [reply2 ...]
229 Send an ident reply chosen at random from the given list of quoted
231 replies. When used in a user configuration file, at most 20 replies may
232 be specified. In the system-wide configuration file, up to 255 replies
233 may be specified. Replies are logged, allowing the system administrator
234 to identify which user sent a particular reply.
235
237 SYSTEM-WIDE CONFIGURATION FILE
238 default {
239 default {
240 allow spoof
241 }
242 fport 6667 {
244 deny spoof
245 allow hide
246 }
247 }
248 Allow all users to spoof ident replies, except on connections to port
250 6667. Only on connections to port 6667, allow users to hide their ident
251 replies.
252 user "root" {
254 default {
255 force hide
256 }
257 }
258 Hide all connections owned by the root user.
260 user "lisa" {
262 lport 1024: {
263 force reply "me"
264 }
265 }
266 For connections owned by user "lisa" on local port 1024 or greater,
268 always reply with "me", ignoring any settings in the user configuration
269 file.
270 USER CONFIGURATION FILE
272 global {
273 reply "paul"
274 }
275 Reply with "paul" to all ident queries.
277 to irc.example.net fport 6667 {
279 hide
280 }
281 Hide ident replies for connections to irc.example.net on port 6667.
283
285 Strings may be enclosed in double quotes. This is useful for strings
286 containing special characters that would otherwise be interpreted in an
287 unintended way.
288 Quoted strings may contain the following escape sequences:
290 \a alert (bell)
292 \b backspace
293 \f form feed
294 \n newline (line feed)
295 \r carriage return
296 \t horizontal tab
297 \v vertical tab
298 \\ backslash
299 \" double quotation mark
300 \NNN the character with octal numerical value NNN
301 \xNN the character with hexadecimal numerical value NN
302
304 After encountering a number sign ("#"), oidentd ignores any remaining
305 text on the same line. This allows users to add comments to the
306 configuration file. Comments can also be written in the following form,
307 which allows them to span multiple lines:
308 /* comment */
310
312 Janik Rabe <oidentd@janikrabe.com>
313 https://oidentd.janikrabe.com
314 Originally written by Ryan McCabe.
316
318 Please report any bugs to Janik Rabe <oidentd@janikrabe.com>.
319
321 oidentd(8) oidentd_masq.conf(5)
322oidentd 2.5.0 OIDENTD.CONF(5)