-----------------------------
identd extension for fli4l
-----------------------------

tested with fli4l 2.0.x

This package integrates oidentd 1.7.1 into fli4l.
It starts a masquerading ident daemon that maps a user
to an IP address in the LAN and thus makes, for example,
chatting on IRC easier.

Configuration:
IDENT_HOSTS_N='2' specifies the number of entries

IDENT_HOST_1='192.168.0.2	user1	UNIX'
specifies            <IP>       <USER>  <SYSTEM>

IDENT_SPOOF='SPOOFED' specifies which ident is returned instead of "root"
for a service running as root on the fli4l.

More on oidentd below.


(this is not part of the opt but merely a supplement!)
--------------------------------------------------------------------------
oidentd v1.7.1 by Ryan McCabe <odin@numb.org>

Oidentd is an ident (rfc1413 compliant) daemon which runs on GNU/Linux,
FreeBSD and OpenBSD.  Oidentd supports most features of pidentd as well as
a number of features absent in pidentd.  Most notably, oidentd allows
users, given the proper permission, to specify the identd response that
the server will output when a successful lookup is completed.  Oidentd
also allows for pseudo-random strings (either a prefix, such as "user,"
followed by a number between 0 and 99999, or 10 pseudo-random characters
of the set 0-9A-Za-z) to be returned upon the completion of a successful
lookup instead of a username or a UID.  Oidentd supports IP masqueraded
connections and supports forwarding ident requests for IP masqueraded
connections to the machines from which the connections originate.  For
information on how to set up support for masqueraded connections, see the
"INSTALL" file. NOTE: Currently, only Linux and OpenBSD support IP
masquerading.

For a more complete list of features, consult the manual page or run
oidentd -h.

NOTE: Some requests may be interpreted as having failed (by the client
      side and with ident in general, not just with this particular
      daemon) when "OTHER" is returned instead of the name of the
      operating system on which identd is running. (the -o option)

I have tested oidentd with both libc5 (x86) and glibc (x86 and alpha) on
GNU/Linux 2.[02].x, on FreeBSD 3.[0-4] (x86) and on OpenBSD 2.[245] (x86). 

NOTE: GNU make is required to compile this package. On some BSD systems, it
      may be installed as "gmake."  GNU make can be obtained from
      ftp.gnu.org, or any GNU mirror, in the directory /pub/gnu/make.
      Please don't mail me saying that make fails with "Need an operator."

The most recent version of oidentd will always be available at
http://ojnk.sourceforge.net

Please mail any suggestions, questions, comments, bug reports, et cetera to
odin@numb.org


$Id: README,v 1.7 2000/10/22 18:56:26 odin Exp $


$Id: INSTALL,v 1.8 2000/10/22 18:56:26 odin Exp $

-------------------
INSTALLING OIDENTD
-------------------

Issuing the commands "./configure", then "make", then "make install" will
(respectively) configure, compile and install the oidentd daemon and its
manual page.  By default, the daemon is installed in /usr/local/sbin/oidentd,
and the uncompressed manual page is installed in /usr/local/man/man8.

A number of compile time values can be manipulated via the configure
script.  For a summary, run "./configure --help".

After oidentd has been installed, an entry for it must be added in the 
/etc/inetd.conf file, if you are running inetd.  A generic example for
Linux is:

auth     stream   tcp   nowait  nobody  /usr/local/sbin/oidentd oidentd -i

If you prefer not to use inetd, oidentd can be run as a stand-alone
daemon.  For more information and a complete description of all options,
refer to the manual page.

NOTE: According to Matthias Andree <ma@dt.e-technik.uni-dortmund.de>:

      If oidentd is run from xinetd, the INTERCEPT flag must not be set
      on the identd service in xinetd.conf.  If it is set, oidentd sees
      all connections as coming from localhost which will make all
      userid/login name lookups fail.

Oidentd does not require superuser privileges and should not be run as
root.  On OpenBSD and on FreeBSD, oidentd should be run
with group kmem.  An example inetd line is:

auth  stream  tcp  wait  nobody:kmem  /usr/local/sbin/oidentd oidentd -wi

----------------
IP-MASQUERADING
----------------

If you are using IP masquerading, oidentd can optionally return a
username for all masqueraded connections from other machines.  Support for
this is specified by calling oidentd with the -m flag and by creating an
/etc/oidentd.users file.  This file must be readable by the oidentd daemon
user and has the following format:

IP-ADDRESS[/<mask>]            USER-NAME   SYSTEM-TYPE

Example:
192.168.1.1                    someone     UNIX
192.168.1.2                    noone       WINDOWS
192.168.1.1/32                 user1       UNIX
192.168.1.0/24                 user3       UNIX
192.168.0.0/16                 user4       UNIX
somehost                       user5       UNIX
10.0.0.0/8                     user6       UNIX
192.168.1.0/255.255.255.0      user7       UNIX

(You get the point)
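An added example (not oidentd's own code) that parses the /etc/oidentd.users format shown above, the same three fields the fli4l IDENT_HOST_x entries carry, and resolves a masqueraded client address to the configured USER-NAME/SYSTEM-TYPE. Matching the first entry in file order is an assumption made here, not something the INSTALL text states; hostname entries are matched against a caller-supplied name so the code runs offline.

```python
"""Parse /etc/oidentd.users entries and look up a masqueraded client.
Added example; first-match-in-file-order is an assumption."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample file, mirroring the example in the INSTALL text.
SAMPLE_USERS_FILE = """\
192.168.1.1                    someone     UNIX
192.168.1.2                    noone       WINDOWS
192.168.1.1/32                 user1       UNIX
192.168.1.0/24                 user3       UNIX
192.168.0.0/16                 user4       UNIX
somehost                       user5       UNIX
10.0.0.0/8                     user6       UNIX
192.168.1.0/255.255.255.0      user7       UNIX
"""

# (network-or-hostname, user, system)
Entry = Tuple[object, str, str]


def parse_users_file(text: str) -> List[Entry]:
    """Parse lines of the form IP-ADDRESS[/<mask>]  USER-NAME  SYSTEM-TYPE.
    <mask> may be a prefix length (/24) or a dotted quad (/255.255.255.0);
    a bare address means a single host.  Anything that is not an address
    is treated as a hostname entry."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue  # skip blank lines
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        target, user, system = fields
        try:
            # strict=False accepts host bits set below the mask
            key: object = ipaddress.ip_network(target, strict=False)
        except ValueError:
            key = target.lower()  # hostname entry, compared by name
        entries.append((key, user, system))
    return entries


def lookup(entries: List[Entry], addr: str,
           hostname: Optional[str] = None) -> Optional[Tuple[str, str]]:
    """Return (USER-NAME, SYSTEM-TYPE) for the client, or None if no
    entry matches.  The first matching entry wins (assumption)."""
    ip = ipaddress.ip_address(addr)
    for key, user, system in entries:
        if isinstance(key, str):
            if hostname is not None and key == hostname.lower():
                return user, system
        elif ip in key:
            return user, system
    return None
```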

As of version 1.4 (1.6.0, successfully!), oidentd can forward requests
for an IP masqueraded connection to the machine from which the connection
originates by way of the -f option.  This will only work if the host to
which the connection is forwarded is running oidentd (with -P <proxy>)
or if the host's ident daemon will return a valid reply regardless of the
input supplied by, and the address of, the host requesting the info (some
ident daemons for Windows do this, maybe others).

---------------
IDENT SPOOFING
---------------

Oidentd can optionally return an ident other than the default (your
username or UID, depending on how oidentd is run).  To enable identd
spoofing, observe the following procedure:

1. Add -s or -S to the flags with which oidentd is called.  Consult the
   manual page for a description of these options.

2. If the file /etc/identd.spoof does not exist, create it and
   give the user as which oidentd runs read permission for it.

  - In order for local users to spoof identd replies, their usernames must
    be contained in the /etc/identd.spoof file.  If oidentd was called with
    -S instead of -s, their usernames must *not* be contained in this file
    if they are to be able to spoof identd replies; with -S all users
    except those users listed in /etc/identd.spoof may spoof identd
    replies.

    - The format of the /etc/identd.spoof file is one
      entry per line.  Lines beginning with '#' are considered
      comments.  An entry has the form user[:identd reply].  The
      "identd reply" parameter is optional.  For example:

user
#user2
nobody:UNKNOWN

3. When ident spoofing is enabled, oidentd first checks the /etc/identd.spoof
   file to ensure the user owning the connection has permission to spoof
   identd replies.  If the username is found in the /etc/identd.spoof file,
   if an identd reply is specified in that file, this reply is returned
   immediately.  If no reply is specified, oidentd looks for the string it
   should return in an .ispoof file, which must be located in the home
   directory of users.  This file should only contain the reply that oidentd
   will return upon a successful request for the user.  The .ispoof file
   must be owned by the user for which the request is made.  Be sure this
   file is readable by the daemon user (ie, be sure the user as which oidentd
   runs has at least search permission for the home directory and read
   permission for .ispoof).  For example:

$ id
uid=500(user) gid=100(users)
$ echo response > ~/.ispoof && chmod o+x ~ && chmod o+r ~/.ispoof
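An added example (not oidentd's own code) that models the spoofing decision described in steps 1 to 3: parsing /etc/identd.spoof, the difference between -s (only listed users may spoof) and -S (all users except listed ones may spoof), the fixed reply from the spoof file, and the fall-back to the user's .ispoof file. The .ispoof lookup is passed in as a callable backed by a constructed table so it runs without real home directories; returning None when no usable .ispoof exists, so that the real identity is reported, is an assumption.

```python
"""Model of oidentd's documented ident-spoofing logic (added example)."""
from typing import Callable, Dict, Optional

# Constructed /etc/identd.spoof with the same shape as the example above.
SPOOF_FILE = """\
user
#user2
nobody:UNKNOWN
"""

# Constructed stand-in for ~user/.ispoof contents; a real implementation
# would also check that the file is owned by the user and readable by
# the daemon user, and return None if either check fails.
ISPOOF_FILES: Dict[str, str] = {"user": "response\n", "alice": "anon42\n"}


def parse_spoof_file(text: str) -> Dict[str, Optional[str]]:
    """One entry per line, '#' lines are comments, entries are
    user[:identd reply]; a missing reply is stored as None."""
    table: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, reply = line.partition(":")
        table[user] = reply if sep else None
    return table


def spoofed_reply(user: str, table: Dict[str, Optional[str]], invert: bool,
                  read_ispoof: Callable[[str], Optional[str]]) -> Optional[str]:
    """Return the spoofed ident for `user`, or None if the real
    username/UID should be reported.
    invert=False models -s: only users listed in identd.spoof may spoof.
    invert=True  models -S: every user except those listed may spoof."""
    listed = user in table
    if invert:
        if listed:
            return None           # -S: listed users are excluded
        fixed_reply = None        # nothing fixed for unlisted users
    else:
        if not listed:
            return None           # -s: unlisted users may not spoof
        fixed_reply = table[user]
    if fixed_reply is not None:
        return fixed_reply        # reply from identd.spoof wins
    content = read_ispoof(user)   # otherwise consult ~user/.ispoof
    if content is None:
        return None               # no usable .ispoof (assumption)
    return content.strip() or None
```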

------------------------------
OPTIONS (output of oidentd -h)
------------------------------

Usage: oidentd  [options]
  -a <address>  Bind to <address>. (Defaults to INADDR_ANY)
  -A            When spoofing is enabled, enable users to spoof
                ident on connections to privileged ports.
  -c <charset>  Specify an alternate charset. (Defaults to "US-ASCII")
  -d            Enable debugging.
  -e            Return "UNKNOWN-ERROR" for all errors.
  -f <port>     Forward requests for masqueraded hosts to the host on <port>
  -F            Same as -f, but always use the default port (113) by default
  -g <gid>      Run with specified gid.
  -i            Run from inetd.
  -m            Enable support for IP masquerading.
  -n            Return UIDs instead of usernames
  -N            Allow identd hiding via ".noident"
  -o            Return "OTHER" instead of the operating system.
  -p <port>     Listen for connections on specified port. (Defaults to auth)
  -q            Suppress normal logging.
  -P <host>     host acts as a proxy, forwarding connections to us.
  -r            Randomize identd replies.
                    Note: The -n and -r options are incompatible.
  -s            Allow identd spoofing.
  -S            Same as -s but allow all users but those listed in
                /etc/identd.spoof to spoof replies.
  -t <seconds>  Wait for <seconds> before closing connection. (Defaults to 15)
  -T <seconds>  oidentd will remain accepting connections when run
                with -w for <seconds>.
  -u <uid>      Run with specified uid.
  -v/-V         Display version information and exit.
  -w            Wait mode.
  -x <string>   If a query fails, pretend it succeeded, returning <string>
  -W            oidentd is wrapped. (tcp wrappers)
  -h            This help message.
