bionic (5) oidentd.conf.5.gz

Provided by: oidentd_2.0.8-10_amd64

NAME

       oidentd.conf - The oidentd configuration file.

DESCRIPTION

       The  oidentd  configuration  file  is used to specify the amount of control users have over the responses
       oidentd returns upon successful lookups for connections owned by them.

       The $HOME/.oidentd.conf file allows a user to specify what ident response will be returned  for  specific
       connections.

/etc/oidentd.conf SYNTAX

       USER DIRECTIVE
              The  oidentd.conf  file consists of 0 or more user directives. The user directive is used to grant
              capabilities on a per-user basis.

              The user directive has the following syntax:

              default {
                   <range directive>
              }

              OR

              user <username> {
                   <range directive>
              }

              The default directive matches all users for whom rules are not defined. There should only  be  one
              default directive, and it should be the first statement in the file. All entries for users defined
              after the default definition will inherit the capabilities of the default user.  Capabilities  can
              then  be  allowed,  denied, or forced on a per-user basis by way of the user statement followed by
              the username of the user to whom the properties that follow will apply.

       RANGE DIRECTIVE
              The body of a user directive consists of 1 or more range directives.

              The range directive is used to specify a host/port range  for  which  a  set  of  capabilities  is
              binding. A range directive consists of 1 or more statements of the following form:

              default {
                   <capability directive>
              }

              OR

              to <host> lport <lport> from <host> fport <fport> {
                   <capability directive>
              }

              The  default  directive  matches all host/port pairs for which rules are not defined. There should
              only be one default directive, and it should be the first statement in the block.

              Anywhere from 1 to all 4 of the to, lport, from, and fport parameters may be specified.

              The to parameter is used to specify the address to which a connection is made.

              The from parameter is used to specify the address from which a connection originates.  It  may  be
              useful to specify this address when a system has more than 1 IP address.

              The to and from parameters take either an IP address or a hostname argument.

              The lport parameter is used to specify the local port from which a connection originates.

              The fport parameter is used to specify the destination port of a connection.

              The  lport  and  fport  parameters  take  either  a  port  or a port range. Ports can be specified
              numerically (e.g. 113) or by giving a service name (e.g. "auth"). Ranges of ports  take  the  form
              <starting  port>:<ending  port>.  The  ending port is optional. If the ending port is omitted, the
              range is taken to be any port greater than or equal to the starting port.

              The omission of any of the to, lport, from and fport parameters acts  like  a  wildcard  for  that
              parameter.  For  example, the statement "from localhost" matches all connections from localhost on
              any port to any host on any port.

       CAPABILITY DIRECTIVE
              The body of a range directive consists of one or more capability directives.

               Capabilities are used to assign or deny privileges to specific users.  Valid  actions  inside
               user directives are allow, deny, and force.

              The capability directive consists of one or more statements of the form:

              allow OR deny OR force <capability>.

              The capability argument must be one of the capabilities described in the capability section below.

              The  force  action  takes  a third argument when the capability is reply. For example, force reply
              "randomuser".
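
       The grammar above is small enough to parse and evaluate directly. The following Python is an  added
       example,  not  oidentd's  own  parser:  it  reads the default/user, range and capability directives,
       matches a connection against range directives (omitted parameters are wildcards, port  ranges  are
       inclusive, "N:" is open-ended) and resolves the effective capability set, applying the default user's
       rules first and the named user's matching ranges afterwards, later matches overriding earlier  ones.
       It  handles  literal  IP  addresses  and numeric ports only; hostnames and service names like "auth"
       would need resolution that is left out, and the precedence order is this example's reading  of  the
       text  rather  than a statement about oidentd's implementation. The embedded EXAMPLE_CONF is constructed:
       it is the page's example /etc/oidentd.conf compressed onto fewer lines, plus a "bob" block that  exercises
       port ranges.

```python
# Added example, not oidentd's own parser: literal IPs and numeric ports only
# (no hostname/service-name resolution); precedence is this example's reading.
import shlex

ACTIONS = ("allow", "deny", "force")
CAPS = {"spoof", "spoof_all", "spoof_privport", "reply",
        "hide", "random", "numeric", "random_numeric"}


def port_range(spec):
    """'113' -> (113, 113); '1024:2047' -> (1024, 2047); '1024:' -> (1024, 65535)."""
    lo, sep, hi = spec.partition(":")
    if not sep:
        return int(lo), int(lo)
    return int(lo), int(hi) if hi else 65535


def matches(r, conn):
    """Range parameters left as None are wildcards; ports match inclusive ranges."""
    for key in ("to", "from"):
        if r[key] is not None and conn[key] != r[key]:
            return False
    for key in ("lport", "fport"):
        if r[key] is not None and not r[key][0] <= conn[key] <= r[key][1]:
            return False
    return True


def parse_range(toks):
    r = {"to": None, "from": None, "lport": None, "fport": None, "rules": []}
    if toks[-1] == "default":
        toks.pop()
    while toks[-1] != "{":  # 1 to 4 of to/lport/from/fport
        key, val = toks.pop(), toks.pop()
        if key in ("to", "from"):
            r[key] = val
        elif key in ("lport", "fport"):
            r[key] = port_range(val)
        else:
            raise SyntaxError("unknown range parameter %r" % key)
    toks.pop()
    while toks[-1] != "}":
        action, cap = toks.pop(), toks.pop()
        if action not in ACTIONS or cap not in CAPS:
            raise SyntaxError("bad capability statement %r %r" % (action, cap))
        args = []
        while toks[-1] not in ACTIONS and toks[-1] != "}":
            args.append(toks.pop())  # e.g. force reply "a" "b"
        r["rules"].append((action, cap, args))
    toks.pop()
    return r


def parse(text):
    """Return {username: [range, ...]}; the key None holds the default user."""
    toks = shlex.split(text, comments=True)[::-1]  # reversed so pop() yields tokens in order
    users = {}
    while toks:
        kw = toks.pop()
        if kw == "default":
            name = None
        elif kw == "user":
            name = toks.pop()
        else:
            raise SyntaxError("expected 'user' or 'default', got %r" % kw)
        if toks.pop() != "{":
            raise SyntaxError("expected '{' after user directive")
        ranges = []
        while toks[-1] != "}":
            ranges.append(parse_range(toks))
        toks.pop()
        users[name] = ranges
    return users


def resolve(users, username, conn):
    """(allowed, forced): default user's matching ranges first, then the user's own."""
    allowed, forced = set(), {}
    for r in users.get(None, []) + users.get(username, []):
        if not matches(r, conn):
            continue
        for action, cap, args in r["rules"]:
            if action == "allow":
                allowed.add(cap)
            elif action == "deny":
                allowed.discard(cap)
                forced.pop(cap, None)
            else:
                forced[cap] = args
    return allowed, forced


# Constructed input: the page's example file plus a 'bob' block to exercise port ranges.
EXAMPLE_CONF = """
default { default { deny spoof  deny spoof_all  deny spoof_privport
                    allow random_numeric  allow numeric  allow hide } }
user root { default { force reply "UNKNOWN" } }
user ryan { default { allow spoof  allow spoof_all  allow random  allow hide }
            from 127.0.0.1 { allow spoof_privport } }
user bob { lport 1024: fport 6667:7000 { allow spoof } }
"""
```

       resolve(parse(EXAMPLE_CONF), "ryan", {"to": "198.51.100.7", "lport": 6667, "from": "127.0.0.1",
       "fport": 113}) returns the seven capabilities ryan holds for a connection sourced from the loopback
       address; the same call with "from": "10.0.0.5" drops spoof_privport, and any user without a  block
       of  his  own  gets  exactly  the  default  set. A deny in a later matching range also clears a reply
       forced by an earlier one, which is the order-dependence the "default first" advice above is about.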

$HOME/.oidentd.conf SYNTAX

       A user's .oidentd.conf configuration file may contain 0 or more of the following statements:

       global {
            <capability>
       }

       OR

       <range directive> {
            <capability>
       }

       The global directive acts as a wildcard, matching all connections, so if it is used at all it should
       be the first entry in the file and appear only once. The parser accepts it anywhere in the file  and
       any number of times, but there is little point in using it that way.

       The range directive has the same syntax and semantics as the range  directive  in  the  /etc/oidentd.conf
       file. See above for a description.

       Valid capabilities are reply, random, numeric, random_numeric, and hide. Descriptions can be found below.

CAPABILITIES

       spoof  Allow  spoofed  ident  responses;  allow the user to specify a string of her choosing as the ident
              reply. The only restriction on the spoofed response is that it must not be the username of another
              user.  When  a  user spoofs her ident reply, the login name of the user is recorded along with the
              forged reply.
              This capability does not apply to the force action.

       spoof_all
              Allow the usernames of other users to be used as ident responses.
              This capability does not apply to the force action.

       spoof_privport
              Allow ident replies to be spoofed on privileged ports (ports lower than 1024).
              This capability does not apply to the force action.

       reply <string> [<string1> ... <stringN>]
              Reply to successful ident lookups with the ident response specified in <string>. If more than  one
              string parameter is given, one of the strings will be selected randomly.

              In a user's $HOME/.oidentd.conf file, up to 20 strings may be specified for a reply statement.

              In  the  /etc/oidentd.conf  file,  there  is  no  limitation  on the number of strings that may be
              specified.

              The strings must be quoted strings (e.g. "string").  Strings  may  contain  the  following  escape
              characters:

              \n     new line
              \t     tab
              \r     carriage return
              \b     backspace
              \v     vertical tab
              \f     form feed
              \a     alert (bell)
              \e     escape
              \\     backslash
              \NNN   The character with the ASCII code NNN in the octal base system.
              \xNNN  The character with the ASCII code NNN in the hexadecimal base system.
               In /etc/oidentd.conf this capability only applies to the force action.

       hide   Hide the user; report a "HIDDEN-USER" error when an ident lookup succeeds.

       random Reply to successful ident lookups with a randomly  generated  ident  response  consisting  of
              alphanumeric characters.

       numeric
              Reply to successful ident lookups with the UID of the user that was looked up.

       random_numeric
               Reply to successful ident lookups with a randomly generated ident response of the form userN,
               where N is a random number between 0 and 100000.
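
       The  capability  rules  above  decide  what the daemon may say; the reply itself has a fixed shape on
       the wire, since RFC 1413 answers a query with "<lport> , <fport> : USERID : UNIX : <id>" or  "<lport>
       ,  <fport>  :  ERROR : HIDDEN-USER". The Python below is an added example, not oidentd's own code.
       Given the allowed and forced capabilities derived from /etc/oidentd.conf  and  the  request  from  a
       user's  ~/.oidentd.conf,  it  builds  that  line  while enforcing the constraints this section states:
       a forced reply wins, spoof is needed for any custom string,  spoof_all  for  another  account's  name,
       spoof_privport  when  the  local  port  is  below 1024, at most 20 reply strings are taken from a user's
       file, a forged reply is recorded alongside the real login name, and the escape  table  is  applied  to
       reply  strings.  Assumptions: the PASSWD table stands in for the system account database, the 8-character
       length of a random reply is arbitrary, and falling back to the real username when a request is not
       permitted is this example's choice, not documented oidentd behaviour.

```python
# Added example, not oidentd's own code. Reply formats are RFC 1413's; the
# permission rules follow the CAPABILITIES text; falling back to the real
# username when a request is not permitted is this example's own choice.
import random
import string

PASSWD = {"root": 0, "ryan": 1000, "alice": 1001}  # constructed stand-in for the passwd database
AUDIT = []  # (real user, forged reply) records, as the spoof capability requires

ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "b": "\b", "v": "\v",
           "f": "\f", "a": "\a", "e": "\x1b", "\\": "\\"}


def unescape(s):
    """Expand the escapes a quoted reply string may contain (table above)."""
    out, i = [], 0
    while i < len(s):
        if s[i] != "\\" or i + 1 == len(s):
            out.append(s[i])
            i += 1
            continue
        n = s[i + 1]
        if n in ESCAPES:
            out.append(ESCAPES[n])
            i += 2
        elif n == "x":  # \xNNN: up to three hex digits
            j = i + 2
            while j < len(s) and j < i + 5 and s[j] in string.hexdigits:
                j += 1
            out.append(chr(int(s[i + 2:j], 16)) if j > i + 2 else "x")
            i = j
        elif n in "01234567":  # \NNN: up to three octal digits
            j = i + 2
            while j < len(s) and j < i + 4 and s[j] in "01234567":
                j += 1
            out.append(chr(int(s[i + 1:j], 8)))
            i = j
        else:  # unknown escape: keep the character literally
            out.append(n)
            i += 2
    return "".join(out)


def spoof_permitted(owner, strings, lport, allowed):
    """The checks the spoof / spoof_all / spoof_privport capabilities impose."""
    if "spoof" not in allowed:
        return False
    if lport < 1024 and "spoof_privport" not in allowed:
        return False
    if "spoof_all" not in allowed and any(s in PASSWD and s != owner for s in strings):
        return False
    return True


def ident_reply(lport, fport, owner, allowed, forced, request=None, rng=random):
    """RFC 1413 reply line for a connection owned by 'owner'.

    allowed/forced come from /etc/oidentd.conf; request is what the user's
    ~/.oidentd.conf asks for: ("reply", [strings]) or (cap, None) for hide,
    numeric, random or random_numeric."""
    prefix = "%d , %d : " % (lport, fport)
    userid = prefix + "USERID : UNIX : "
    if "reply" in forced:  # a force action overrides anything the user asks for
        return userid + unescape(rng.choice(forced["reply"]))
    kind, args = request if request else (None, None)
    if kind == "hide" and "hide" in allowed:
        return prefix + "ERROR : HIDDEN-USER"
    if kind == "numeric" and "numeric" in allowed:
        return userid + str(PASSWD[owner])
    if kind == "random_numeric" and "random_numeric" in allowed:
        return userid + "user%d" % rng.randint(0, 100000)
    if kind == "random" and "random" in allowed:
        alnum = string.ascii_letters + string.digits  # 8 characters is this example's choice
        return userid + "".join(rng.choice(alnum) for _ in range(8))
    if kind == "reply" and spoof_permitted(owner, args[:20], lport, allowed):
        chosen = rng.choice(args[:20])  # at most 20 strings from a user's file
        AUDIT.append((owner, chosen))
        return userid + unescape(chosen)
    return userid + owner  # nothing permitted: the real login name
```

       The  two  checks  worth  noticing  are  the  ones that protect other accounts: a user with spoof but
       without spoof_all cannot answer as "alice" even though any  other  string  is  fine,  and  the  same
       request  on  a  local  port  below  1024  is  refused  without  spoof_privport,  because  a  service
       listening there is normally one the administrator runs, not the user.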

EXAMPLE /etc/oidentd.conf FILE

       default {
            default {
                 deny spoof
                 deny spoof_all
                 deny spoof_privport
                 allow random_numeric
                 allow numeric
                 allow hide
            }
       }

       Grant  all  users  the  ability to generate random numeric ident replies, the ability to generate numeric
       ident replies and the ability to hide their identities on all ident queries. Explicitly deny the  ability
       to spoof ident responses.

       user root {
            default {
                 force reply "UNKNOWN"
            }
       }

       Reply with "UNKNOWN" for all successful ident queries for root.

       user ryan {
            default {
                 allow spoof
                 allow spoof_all
                 allow random
                 allow hide
            }

            from 127.0.0.1 {
                 allow spoof_privport
            }
       }

       Grant the user "ryan" the capability to spoof ident replies, including the ability to use other usernames
       as ident replies, generate random replies and hide his ident for all  connections,  and  grant  the  user
       "ryan" the capability to spoof ident replies to privileged ports (< 1024) on connections originating from
       the host 127.0.0.1.

EXAMPLE $HOME/.oidentd.conf FILE

       global {
            reply "unknown"
       }

       Reply with "unknown" to all successful ident lookups.

       to irc.example.org {
            reply "example"
       }

       Reply with "example" to ident lookups for connections to irc.example.org.

AUTHOR

       Ryan McCabe <ryan@numb.org>
       http://dev.ojnk.net

SEE ALSO

       oidentd(8) oidentd_masq.conf(5)