'\" t
.\" Title: oidentd.conf
.\" Author: [see the "AUTHOR(S)" section]
.\" Generator: Asciidoctor 2.0.16
.\" Manual: oidentd User Manual
.\" Source: oidentd 3.0.0
.\" Language: English
.\"
.TH "OIDENTD.CONF" "5" "" "oidentd 3.0.0" "oidentd User Manual"
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.ss \n[.ss] 0
.nh
.ad l
.de URL
\fI\\$2\fP <\\$1>\\$3
..
.als MTO URL
.if \n[.g] \{\
.  mso www.tmac
.  am URL
.    ad l
.  .
.  am MTO
.    ad l
.  .
.  LINKSTYLE blue R < >
.\}
.SH "NAME"
oidentd.conf \- oidentd configuration files
.SH "DESCRIPTION"
.sp
The \fBoidentd\fP configuration files are used to control the responses \fBoidentd\fP sends to clients after receiving a query for a connection owned by a particular user.
.sp
The system\-wide configuration file \fB/usr/local/etc/oidentd.conf\fP specifies the types of responses individual users are permitted to send. By default, users must respond with their real username.
.sp
The user configuration file \fB~/.config/oidentd.conf\fP allows users to send custom ident responses or to hide their identities, provided that they have been granted the necessary capabilities through the system\-wide configuration file. If this file does not exist or \fBoidentd\fP was compiled without XDG Base Directory support, the file \fB~/.oidentd.conf\fP is used instead. Note that user configuration files are read only after a connection is determined to belong to the user in question.
.SH "SYSTEM\-WIDE CONFIGURATION FILE"
.sp
The system\-wide configuration file is used to grant capabilities to users or to force users to use a certain capability. The default behavior is not to grant any privileges, which means that all users must send their real usernames in response to ident queries. The system\-wide configuration file may be empty or missing, in which case this default applies. Changes to this file take effect only after \fBoidentd\fP is reloaded (which occurs when a SIGHUP signal is received) or restarted.
.sp
The system\-wide configuration file contains zero or one directive of the following form:
.sp
.if n .RS 4
.nf
.fam C
\fBdefault\fP {
    \fIrange\-directives...\fP
}
.fam
.fi
.if n .RE
.sp
This default directive matches all users for which no explicit rules have been defined. Any user directives following this directive inherit the capabilities it defines. If present, the default directive should be the first directive in the configuration file.
.sp
The system\-wide configuration file may also contain zero or more directives of the following form:
.sp
.if n .RS 4
.nf
.fam C
\fBuser\fP \fIusername\fP {
    \fIrange\-directives...\fP
}
.fam
.fi
.if n .RE
.sp
This user directive applies only to the specified user.
.SH "USER CONFIGURATION FILE"
.sp
Each user may create a user configuration file at \fB~/.config/oidentd.conf\fP or \fB~/.oidentd.conf\fP. This file must be readable by the user \fBoidentd\fP runs as. The user configuration file is read automatically after every successful lookup, so any changes take effect immediately.
.sp
The user configuration file contains zero or one directive of the following form:
.sp
.if n .RS 4
.nf
.fam C
\fBglobal\fP {
    \fIcapability\-statements...\fP
}
.fam
.fi
.if n .RE
.sp
This global directive matches all connections owned by the user. If present, it should be the first directive in the user configuration file.
.sp
The user configuration file may also contain zero or more directives of the following form:
.sp
.if n .RS 4
.nf
.fam C
\fIrange\-specification\fP {
    \fIcapability\-statements...\fP
}
.fam
.fi
.if n .RE
.sp
This range directive applies only to connections that match the given range specification.
.SH "RANGE DIRECTIVES"
.sp
At most one range directive in any given scope may take the following form:
.sp
.if n .RS 4
.nf
.fam C
\fBdefault\fP {
    \fIcapability\-directives...\fP
}
.fam
.fi
.if n .RE
.sp
This default directive defines rules for all connections that do not match any other range directive.
If present, the default directive should be the first directive in its scope.
.sp
A range directive may also take the following form:
.sp
.if n .RS 4
.nf
.fam C
\fIrange\-specification\fP {
    \fIcapability\-directives...\fP
}
.fam
.fi
.if n .RE
.sp
This range directive applies only to connections that match the given range specification.
.SH "RANGE SPECIFICATIONS"
.sp
A range specification consists of filters that define which connections a range directive applies to. It takes the following form:
.sp
.if n .RS 4
.nf
.fam C
\fBto\fP \fIfhost\fP \fBfport\fP \fIfport\fP \fBfrom\fP \fIlhost\fP \fBlport\fP \fIlport\fP
.fam
.fi
.if n .RE
.sp
This range specification matches only connections with the specified foreign host, foreign port, local host, and local port. At least one of these filters must be specified. Omitted filters match any value. Filters may be specified in any order.
.sp
The \fIfhost\fP filter specifies the foreign host or address of a connection, from the perspective of the machine running \fBoidentd\fP.
.sp
The \fIfport\fP filter specifies the foreign port or port range of a connection.
.sp
The \fIlhost\fP filter specifies the local host or address of a connection, from the perspective of the machine running \fBoidentd\fP. This may be useful for supporting virtual hosts on systems with more than one IP address.
.sp
The \fIlport\fP filter specifies the local port or port range of a connection.
.sp
Ports can be specified either numerically (e.g., 113) or using a service name (e.g., ident). Port ranges are specified numerically as \fImin\fP:\fImax\fP. The \fImin\fP port may be omitted to select all ports less than or equal to the \fImax\fP port. Likewise, the \fImax\fP port may be omitted to select all ports greater than or equal to the \fImin\fP port.
.SH "CAPABILITY DIRECTIVES"
.sp
A capability directive may take one of the following forms:
.sp
.if n .RS 4
.nf
.fam C
\fBallow\fP \fIcapability\fP
.fam
.fi
.if n .RE
.sp
In this form, the directive grants the user permission to use the specified capability.
.sp
.if n .RS 4
.nf
.fam C
\fBdeny\fP \fIcapability\fP
.fam
.fi
.if n .RE
.sp
In this form, the directive revokes the user\(cqs permission to use the specified capability.
.sp
.if n .RS 4
.nf
.fam C
\fBforce\fP \fIcapability\-statement\fP
.fam
.fi
.if n .RE
.sp
In this form, the directive forces the user to use the specified capability.
.SH "CAPABILITIES"
.sp
The following expressions are valid capabilities:
.sp
.if n .RS 4
.nf
.fam C
\fBforward\fP
\fBhide\fP
\fBnumeric\fP
\fBrandom\fP
\fBrandom_numeric\fP
.fam
.fi
.if n .RE
.sp
These capabilities allow users to use the corresponding capability statements.
.sp
.if n .RS 4
.nf
.fam C
\fBspoof\fP
.fam
.fi
.if n .RE
.sp
The \fBspoof\fP capability allows users to send custom ident replies. Note that this does not include replying with the name of another user or spoofing replies for connections to privileged foreign ports.
.sp
.if n .RS 4
.nf
.fam C
\fBspoof_all\fP
.fam
.fi
.if n .RE
.sp
The \fBspoof_all\fP capability allows users to reply with the names of other users. This capability should be used with care, as it allows users to impersonate other users on the local system. The \fBspoof_all\fP capability only works in conjunction with \fBspoof\fP, but does not imply it.
.sp
.if n .RS 4
.nf
.fam C
\fBspoof_privport\fP
.fam
.fi
.if n .RE
.sp
The \fBspoof_privport\fP capability allows users to spoof replies for connections to privileged foreign ports (with port numbers below 1024). The \fBspoof_privport\fP capability only works in conjunction with \fBspoof\fP, but does not imply it.
.SH "CAPABILITY STATEMENTS"
.sp
A capability statement may take one of the following forms:
.sp
.if n .RS 4
.nf
.fam C
\fBforward\fP \fIhost\fP \fIport\fP
.fam
.fi
.if n .RE
.sp
Forward received queries to another ident server. The target server must support forwarding (like \fBoidentd\fP with the \fB\-\-proxy\fP option).
.sp
Additional capabilities may be required for forwarding to succeed. For example, the \fBspoof\fP capability is required if the target server sends a response other than the user\(cqs name on the forwarding server. It may therefore be desirable to also grant at least one of \fBhide\fP, \fBspoof\fP, \fBspoof_all\fP, and \fBspoof_privport\fP in addition to the \fBforward\fP capability. If \fBforce forward\fP is used, no additional checks are performed and no capabilities are required.
.sp
If forwarding fails, \fBoidentd\fP responds with a "HIDDEN\-USER" error or with the user\(cqs real username, depending on whether the user has been granted the \fBhide\fP capability. Replies are logged, allowing the system administrator to identify which user sent a particular reply.
.sp
.if n .RS 4
.nf
.fam C
\fBhide\fP
.fam
.fi
.if n .RE
.sp
Hide ident replies from clients. When this capability is used, \fBoidentd\fP reports a "HIDDEN\-USER" error to ident clients instead of sending an ident reply.
.sp
.if n .RS 4
.nf
.fam C
\fBnumeric\fP
.fam
.fi
.if n .RE
.sp
Respond with the user ID (UID).
.sp
.if n .RS 4
.nf
.fam C
\fBrandom\fP
.fam
.fi
.if n .RE
.sp
Send randomly generated, alphanumeric ident replies. A new reply is generated for each ident lookup. Replies are logged, allowing the system administrator to identify which user sent a particular reply.
.sp
.if n .RS 4
.nf
.fam C
\fBrandom_numeric\fP
.fam
.fi
.if n .RE
.sp
Send randomly generated, numeric ident replies between 0 (inclusive) and 100,000 (exclusive), prefixed with "user". A new reply is generated for each ident lookup.
Replies are logged, allowing the system administrator to identify which user sent a particular reply.
.sp
.if n .RS 4
.nf
.fam C
\fBreply\fP \fIreply1\fP [\fIreply2\fP ...]
.fam
.fi
.if n .RE
.sp
Send an ident reply chosen at random from the given list of quoted replies. When used in a user configuration file, at most 20 replies may be specified. In the system\-wide configuration file, up to 255 replies may be specified. Replies are logged, allowing the system administrator to identify which user sent a particular reply.
.SH "EXAMPLES"
.SS "SYSTEM\-WIDE CONFIGURATION FILE"
.sp
.if n .RS 4
.nf
.fam C
\fBdefault\fP {
    \fBdefault\fP {
        \fBallow\fP \fBspoof\fP
    }
    \fBfport\fP 6667 {
        \fBdeny\fP \fBspoof\fP
        \fBallow\fP \fBhide\fP
    }
}
.fam
.fi
.if n .RE
.sp
Allow all users to spoof ident replies, except on connections to port 6667. Only on connections to port 6667, allow users to hide their ident replies.
.sp
.if n .RS 4
.nf
.fam C
\fBuser\fP "root" {
    \fBdefault\fP {
        \fBforce\fP \fBhide\fP
    }
}
.fam
.fi
.if n .RE
.sp
Hide all connections owned by the root user.
.sp
.if n .RS 4
.nf
.fam C
\fBuser\fP "lisa" {
    \fBlport\fP 1024: {
        \fBforce\fP \fBreply\fP "me"
    }
}
.fam
.fi
.if n .RE
.sp
For connections owned by user "lisa" on local port 1024 or greater, always reply with "me", ignoring any settings in the user configuration file.
.SS "USER CONFIGURATION FILE"
.sp
.if n .RS 4
.nf
.fam C
\fBglobal\fP {
    \fBreply\fP "paul"
}
.fam
.fi
.if n .RE
.sp
Reply with "paul" to all ident queries.
.sp
.if n .RS 4
.nf
.fam C
\fBto\fP irc.example.net \fBfport\fP 6667 {
    \fBhide\fP
}
.fam
.fi
.if n .RE
.sp
Hide ident replies for connections to irc.example.net on port 6667.
.SH "STRING FORMATTING"
.sp
Strings may be enclosed in double quotes. This is useful for strings containing special characters that would otherwise be interpreted in an unintended way.
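.sp
The system\-wide example above, worked through in Python as an added illustration (this is not oidentd code): it parses the port\-range syntax from RANGE SPECIFICATIONS and applies allow, deny and force directives to a connection, first from the system\-wide default block and then from the matching user block that inherits from it. First\-match ordering of range directives and literal host comparison are assumptions of this example, not documented behaviour.

```python
import socket
from dataclasses import dataclass, field

def parse_port(spec):
    """Port filter: a number, a service name, or numeric min:max where an omitted
    min means '<= max' and an omitted max means '>= min'."""
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    port = int(spec) if spec.isdigit() else socket.getservbyname(spec)  # "ident" -> 113
    return (port, port)

@dataclass
class Range:
    """One range directive: filters (None matches any value) plus its capability
    directives as (action, statement) tuples in file order."""
    fhost: str = None
    fport: str = None
    lhost: str = None
    lport: str = None
    rules: list = field(default_factory=list)

    def matches(self, conn):
        if self.fhost not in (None, conn["fhost"]) or self.lhost not in (None, conn["lhost"]):
            return False  # hosts are compared literally here (a simplification)
        for spec, port in ((self.fport, conn["fport"]), (self.lport, conn["lport"])):
            if spec is not None and not parse_port(spec)[0] <= port <= parse_port(spec)[1]:
                return False
        return True

def resolve(scopes, conn):
    """Apply scopes in order (system-wide 'default', then the 'user' block that
    inherits from it); per scope use the first matching range directive, else its
    'default'. Returns (capabilities, forced statement). First-match is our assumption."""
    caps, forced = set(), None
    for scope in scopes:
        chosen = next((r for r in scope["ranges"] if r.matches(conn)), scope["default"])
        for action, stmt in (chosen.rules if chosen else []):
            if action == "allow":
                caps.add(stmt)
            elif action == "deny":
                caps.discard(stmt)
            elif action == "force":
                forced = stmt
    return caps, forced

# The page's system-wide example, transcribed into the structures above.
SYSTEM = {"default": Range(rules=[("allow", "spoof")]),
          "ranges": [Range(fport="6667", rules=[("deny", "spoof"), ("allow", "hide")])]}
USERS = {"root": {"default": Range(rules=[("force", "hide")]), "ranges": []},
         "lisa": {"default": None, "ranges": [Range(lport="1024:", rules=[("force", 'reply "me"')])]}}
```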
.sp
Quoted strings may contain the following escape sequences:
.sp
.if n .RS 4
.nf
.fam C
\(rsa          alert (bell)
\(rsb          backspace
\(rsf          form feed
\(rsn          newline (line feed)
\(rsr          carriage return
\(rst          horizontal tab
\(rsv          vertical tab
\(rs\(rs       backslash
\(rs"          double quotation mark
\(rs\fINNN\fP      the character with octal numerical value \fINNN\fP
\(rsx\fINN\fP      the character with hexadecimal numerical value \fINN\fP
.fam
.fi
.if n .RE
.SH "COMMENTS"
.sp
After encountering a number sign ("#"), \fBoidentd\fP ignores any remaining text on the same line. This allows users to add comments to the configuration file. Comments can also be written in the following form, which allows them to span multiple lines:
.sp
.if n .RS 4
.nf
.fam C
/* \fIcomment\fP */
.fam
.fi
.if n .RE
.SH "AUTHOR"
.sp
.MTO "info\(atjanikrabe.com" "Janik Rabe" ""
.RS 4
.URL "https://janikrabe.com/projects/oidentd/" "" ""
.RE
.sp
Originally written by Ryan McCabe.
.SH "BUGS"
.sp
Please report any bugs to \c
.MTO "info\(atjanikrabe.com" "Janik Rabe" "."
.SH "SEE ALSO"
.sp
\fBoidentd\fP(8)
\fBoidentd_masq.conf\fP(5)