man ffingerd (System administration) - secure and lightweight finger daemon

NAME

ffingerd - secure and lightweight finger daemon

DESCRIPTION

The ffingerd program is a drop-in replacement for the standard fingerd that comes with most systems today. Most finger daemons in use today support several features that are not acceptable to security-conscious system administrators, so many chose to disable the finger service completely. This version of the finger daemon is invoked by inetd, but it is not meant to be run as root. In fact, it should run as nobody. Ffingerd does not allow global finger queries (finger @host) or indirect finger queries (finger foo@host.a@host.b), and it does not give away valuable information like the shell, login directory and time of last login. Users can put a ".nofinger" file in their home directories, and ffingerd will then respond with "That user does not want to be fingered".

LOGGING

Requests that may indicate attacks are logged by ffingerd through the syslog(3) facility. The default facility is LOG_INFO; you can change that by editing config.h after running configure.

These requests are logged:

empty finger attempts
	finger @victim.com	# find out who's logged in

indirect finger attempts
	finger root@victim.com@innocuous.edu
	# to victim.com this finger query comes from
	# innocuous.edu

unwanted finger attempts
	Users can put .nofinger files in their home, and then attempts to finger them will yield
	That user does not want to be fingered
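
The following is an added example, not ffingerd's own code: one way a daemon can sort the request line it reads from the socket into the categories listed above. The function and enum names, the REQ_MALFORMED class and the permitted user-name characters are assumptions of this example; the request syntax (optional "/W", user name, "@host" suffixes, CRLF) follows RFC 1288.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Request classes; the first three mirror the categories in the man page. */
enum finger_req { REQ_USER, REQ_EMPTY, REQ_INDIRECT, REQ_MALFORMED };

/* Classify one request line as the daemon receives it. On REQ_USER the
 * bare user name is copied into `user` (hypothetical interface). */
enum finger_req classify_request(const char *line, char *user, size_t ulen)
{
    const char *p = line + strspn(line, " \t");
    size_t n;

    if (ulen > 0) user[0] = '\0';
    /* Skip the "/W" verbose switch when it is a token of its own. */
    if (p[0] == '/' && (p[1] == 'W' || p[1] == 'w') && strchr(" \t\r\n", p[2]))
        p += 2 + strspn(p + 2, " \t");
    n = strcspn(p, "\r\n");              /* request ends at CR, LF or NUL */
    while (n > 0 && (p[n - 1] == ' ' || p[n - 1] == '\t'))
        n--;

    if (n == 0) return REQ_EMPTY;               /* client ran: finger @host */
    if (memchr(p, '@', n)) return REQ_INDIRECT; /* asks us to forward the query */
    if (n >= ulen) return REQ_MALFORMED;        /* would not fit caller's buffer */
    for (size_t i = 0; i < n; i++)              /* assumed user-name alphabet */
        if (!isalnum((unsigned char)p[i]) && !strchr("._-", p[i]))
            return REQ_MALFORMED;
    memcpy(user, p, n);
    user[n] = '\0';
    return REQ_USER;
}

int main(void)
{
    /* Constructed request lines, not captured traffic. */
    const char *samples[] = { "\r\n", "/W\r\n", "root@victim.com\r\n",
                              "/W alice\r\n", "a;b\r\n" };
    const char *names[] = { "user", "empty", "indirect", "malformed" };
    char user[32];

    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        enum finger_req r = classify_request(samples[i], user, sizeof user);
        printf("%-10s user=\"%s\"\n", names[r], user);
    }
    return 0;
}
```

Only REQ_USER would proceed to the .nofinger check; the other classes are the ones to refuse and log.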

FILES

~/.nofinger, ~/.plan, ~/.project, ~/.pubkey

BUGS

When ffingerd is running as nobody and a user does not have world execute permission set for his home directory, ffingerd cannot check whether that user has a .nofinger file there and assumes it's not there.

SEE ALSO

http://www.fefe.de/ffingerd/

AUTHOR

Felix von Leitner (felix@fefe.de),