man honest_identd (Administration système) - another minimal RFC 1413 auth server
NAME
honest_identd - another minimal RFC 1413 auth server
SYNOPSIS
honest_identd
DESCRIPTION
honest_identd was an offshoot of slidentd, which was itself designed as a lightweight alternative to the more conventional pidentd. honest_identd returns a cleartext username and, as such, is suitable for sites which use broken RFC 1413-based authentication schemes. It handles a single connection and terminates, doing no pre-forking and not implementing any configurable behaviour. It is designed to run without root privilege, and does not need it. However, if it has root privilege, it chroot's to /usr/share/empty, and sets its uid to an unprivileged user.
This server is designed to run from Dan Bernstein's tcpserver. It works with inetd and xinetd as well. It handles a single request and then terminates, does not fork and does not provide any "standalone" or "wait" modes, as these are believed by the author to be unneeded complexity for something as humble as an ident daemon.
To run it under tcpserver, use a command such as: /usr/local/bin/tcpserver -Rl0 -u ident -g ident 0 auth /usr/sbin/honest_identd
To run it under xinetd, copy run/xinetd to /etc/xinetd.d/auth and restart xinetd , or copy the following:
service auth
{
socket_type = stream
wait = no
nice = 10
user = ident
server = /usr/sbin/honest_identd
instances = 4
}
To run under inetd, insert the following line (or something similar) into your /etc/inetd.conf:
auth stream tcp nowait.60 indent /usr/sbin/honest_identd honest_identd
These assume you will be using a user called "ident" and that user has already been added to your system.
If running under tcpserver, the server logs to stderr because it assumes you're using multilog or something similar to log messages. Otherwise, it logs (by default) to /var/log/slidentd. The location is configurable by editing slid_config.h. Please note that if you aren't running the daemon as root it may not have permissions to create the file. If that is the case, touch the file as root, and chown it to belong to the user slidentd is running as. Since version 0.0.13, slidentd has been able to be configured to use syslog, which avoids this sort of tedium.
CONFIGURATION
At present, configuration possibilities are minimal to say the least. However, what do you want to configure in an ident server? :) All configuration options are available by editing slid_config.h.
DENIAL OF SERVICE
The server is designed to be small and correct, and to have as few features as possible. A malicious user could attempt to carry out a denial of service attack by making large numbers of connections or by getting slidentd to log large and spurious requests. While some effort has been made to reduce the likelihood of this, some care should be taken in the configuration of the service using xinetd or tcpserver to rate limit connections. Unix has excellent facilities for imposing resource limits on processes, and I recommend running this daemon using resource limits.
NOTE ABOUT INSECURE NETWORK SERVICES
If you need to access broken hosts or services which authenticate based on a clear-text username, honest_identd is now provided for that purpose. It returns cleartext usernames, and is thus insecure. However, by running it, you are doing system crackers a _big_ favour. You should really be running slidentd instead
SEE ALSO
slidentd (8)
http://www.faqs.org/rfcs/rfc1413.html for the text of RFC 1413
http:/cr.yp.to/ucspi-tcp/tcpserver.html for Dan Bernstein's "tcpserver"
http://www.fefe.de for Felix von Leitner's libowfat and dietlibc
AUTHOR
slidentd is free software written by Sean Hunter <sean@uncarved.com>
It is distributed under the terms of the Gnu Lesser General Public License in the hope that it will be useful to somebody else. The author explicitly disclaims all warrantees expressed or implied, regarding this software package, or any other matter, real or imagined. In fact you didn't even read this, right?