Provided by: oidentd_2.0.8-4_amd64 bug

NAME

       oidentd.conf - The oidentd configuration file.

DESCRIPTION

       The  oidentd  configuration  file is used to specify the amount of control users have over
       the responses oidentd returns upon successful lookups for connections owned by them.

       The $HOME/.oidentd.conf file allows a user to specify what ident response will be returned
       for specific connections.

/etc/oidentd.conf SYNTAX

       USER DIRECTIVE
              The  oidentd.conf file consists of 0 or more user directives. The user directive is
              used to grant capabilities on a per-user basis.

              The user directive has the following syntax:

              default {
                   <range directive>
              }

              OR

              user <username> {
                   <range directive>
              }

              The default directive matches all users for  whom  rules  are  not  defined.  There
              should  only  be one default directive, and it should be the first statement in the
              file. All entries for users defined after the default definition will  inherit  the
              capabilities  of  the  default  user.  Capabilities can then be allowed, denied, or
              forced on a per-user basis by way of the user statement followed by the username of
              the user to whom the properties that follow will apply.

       RANGE DIRECTIVE
              The body of a user directive consists of 1 or more range directives.

              The  range  directive  is  used  to  specify  a  host/port range for which a set of
              capabilities is binding. A range directive consists of 1 or more statements of  the
              following form:

              default {
                   <capability directive>
              }

              OR

              to <host> lport <lport> from <host> fport <fport> {
                   <capability directive>
              }

              The  default directive matches all host/port pairs for which rules are not defined.
              There should only be one default directive, and it should be the first statement in
              the block.

              Anywhere  from  1  to  all  4  of  the to, lport, from, and fport parameters may be
              specified.

              The to parameter is used to specify the address to which a connection is made.

              The from parameter  is  used  to  specify  the  address  from  which  a  connection
              originates.  It may be useful to specify this address when a system has more than 1
              IP address.

              The to and from parameters take either an IP address or a hostname argument.

              The lport parameter is used to specify the  local  port  from  which  a  connection
              originates.

              The fport parameter is used to specify the destination port of a connection.

              The  lport  and  fport  parameters take either a port or a port range. Ports can be
              specified numerically (e.g. 113) or by giving a service name (e.g. "auth").  Ranges
              of  ports take the form <starting port>:<ending port>. The ending port is optional.
              If the ending port is omitted, the range is taken to be any port  greater  than  or
              equal to the starting port.

              The  omission  of  any  of  the  to,  lport,  from and fport parameters acts like a
              wildcard for that parameter. For example, the statement  "from  localhost"  matches
              all connections from localhost on any port to any host on any port.

       CAPABILITY DIRECTIVE
              The body of a range directive consists of one or more capability directives.

              Capabilities  are  used  to  assign  or  deny  privileges  to specific users. Valid
              capabilities inside user directives are allow, deny, andforce.

              The capability directive consists of one or more statements of the form:

              allow OR deny OR force <capability>.

              The capability argument must be one of the capabilities described in the capability
              section below.

              The  force action takes a third argument when the capability is reply. For example,
              force reply "randomuser".

$HOME/.oidentd.conf SYNTAX

       A user's .oidentd.conf  configuration  file  may  contain  0  or  more  of  the  following
       statements:

       global {
            <capability>
       }

       OR

       <range directive> {
            <capability>
       }

       The  global directive acts as a wildcard, matching all connections, so if used at all, the
       global directive should be the first entry in the file and should be used only  once.  Use
       is  permitted anywhere in the file and infinitely many times, however it doesn't make much
       sense to use it in this manner.

       The range directive has the same syntax and  semantics  as  the  range  directive  in  the
       /etc/oidentd.conf file. See above for a description.

       Valid  capabilities are reply, random, numeric, random_numeric, and hide. Descriptions can
       be found below.

CAPABILITIES

       spoof  Allow spoofed ident responses; allow the user to specify a string of  her  choosing
              as  the  ident  reply. The only restriction on the spoofed response is that it must
              not be the username of another user. When a user spoofs her ident reply, the  login
              name of the user is recorded along with the forged reply.
              This capability does not apply to the force action.

       spoof_all
              Allow the usernames of other users to be used as ident responses.
              This capability does not apply to the force action.

       spoof_privport
              Allow ident replies to be spoofed on privileged ports (ports lower than 1024).
              This capability does not apply to the force action.

       reply <string> [<string1> ... <stringN>]
              Reply to successful ident lookups with the ident response specified in <string>. If
              more than one string parameter is given,  one  of  the  strings  will  be  selected
              randomly.

              In a user's $HOME/.oidentd.conf file, up to 20 strings may be specified for a reply
              statement.

              In the /etc/oidentd.conf file, there is no limitation on the number of strings that
              may be specified.

              The  strings  must  be  quoted  strings  (e.g.  "string").  Strings may contain the
              following escape characters:

              \n     new line
              \t     tab
              \r     carriage return
              \b     backspace
              \v     vertical tab
              \f     form feed
              \a     alert (bell)
              \e     escape
              \\     backslash
              \NNN   The character with the ASCII code NNN in the octal base system.
              \xNNN  The character with the ASCII code NNN in the hexadecimal base system.
              This capability only applies to the force action.

       hide   Hide the user; report a "HIDDEN-USER" error when an ident lookup succeeds.

       random Reply to successful ident lookups with  a  randomly  generated  ident  response  of
              consisting of alphanumeric characters.

       numeric
              Reply to successful ident lookups with the UID of the user that was looked up.

       random_numeric
              Reply  to  successful  with  a randomly generated ident response of the form userN,
              where N is a random number between 0 and 100000.

EXAMPLE /etc/oidentd.conf FILE

       default {
            default {
                 deny spoof
                 deny spoof_all
                 deny spoof_privport
                 allow random_numeric
                 allow numeric
                 allow hide
            }
       }

       Grant all users the ability to generate random  numeric  ident  replies,  the  ability  to
       generate  numeric  ident  replies  and  the  ability to hide their identities on all ident
       queries. Explicitly deny the ability to spoof ident responses.

       user root {
            default {
                 force reply "UNKNOWN"
            }
       }

       Reply with "UNKNOWN" for all successful ident queries for root.

       user ryan {
            default {
                 allow spoof
                 allow spoof_all
                 allow random
                 allow hide
            }

            from 127.0.0.1 {
                 allow spoof_privport
            }
       }

       Grant the user "ryan" the capability to spoof ident replies, including the ability to  use
       other  usernames  as  ident  replies,  generate  random replies and hide his ident for all
       connections, and grant the user "ryan" the capability to spoof ident replies to privileged
       ports (< 1024) on connections originating from the host 127.0.0.1.

EXAMPLE $HOME/.oidentd.conf FILE

       global {
            reply "unknown"
       }

       Reply with "unknown" to all successful ident lookups.

       to irc.example.org {
            reply "example"
       }

       Reply with "example" to ident lookups for connections to irc.example.org.

AUTHOR

       Ryan McCabe <ryan@numb.org>
       http://dev.ojnk.net

SEE ALSO

       oidentd(8) oidentd_masq.conf(5)