<html>
<head>
<meta name="generator" content=
"HTML Tidy for Linux/x86 (vers 1st June 2002), see www.w3.org">
<title>README for authd</title>
</head>
<body>
<h1>authd: an RFC 1413 ident protocol daemon</h1>
<h2>FEATURES</h2>
<ul>
<li>written in C; small and fast</li>
<li>two operation modes:
<ul>
<li>server via inetd/xinetd</li>
<li>script/interactive via command line arguments</li>
</ul>
</li>
<li>supports IPv6 and IPv4</li>
<li>pidentd option compatibility</li>
<li>easy-to-use, OpenSSL-compatible strong symmetric encryption</li>
<li>many privacy and anonymizing options</li>
<li>works well even with broken clients</li>
<li>internationalized log and help messages</li>
<li>free software licensed under the GPL. This program is released under the
GPL with the additional exemption that compiling, linking, and/or using
OpenSSL is allowed.</li>
</ul>
<h2>REQUIREMENTS &amp; SETUP</h2>

<h3>Building</h3>
<p>Although authd was built and tested on Red Hat Linux 9, Red Hat Enterprise
Linux and Fedora Core 1 &amp; 2, it will probably compile on any recent
2003/2004-era GNU/Linux distro with OpenSSL and recent versions of the GNU tool
chain (compiler + make) and GNU C library.</p>
<p>authd does not require autoconf. If needed, change any defaults by editing
the <samp>config.h</samp> file. To build, simply run "make".</p>

<h3>Installing</h3>
<p>"make install" will install "<samp>in.authd</samp>" and any translations in
"<samp>/usr/local/sbin</samp>" and "<samp>/usr/local/locale</samp>"
respectively, so you'll need to set the make variable <var>prefix</var> if you
want the files to go somewhere other than "<samp>/usr/local</samp>". It is
installed under the filename "<samp>in.authd</samp>" to reflect that it is
intended to run as an inetd/xinetd-hosted server; in other words, server
input/output is connected to stdin and stdout.</p>
<p>If you're using encryption, put a one-line pass phrase in the file
"<samp>/etc/ident.key</samp>" (or another place if you change the default
location via a server option), making sure the file is readable by the authd
process and NOT readable/writable by others ("chmod o-rw"). If the permissions
are not set correctly, authd will refuse to encrypt.</p>
<h3>Running</h3>
<p>authd should be able to read <samp>/proc/net/tcp</samp> and/or
<samp>/proc/net/tcp6</samp> to actually match users to ports, although it will
run without these files.</p>
<p>A sample xinetd configuration file has been provided; copying
<samp>xinetd.conf.auth</samp> to <samp>/etc/xinetd.d</samp> should work for
Red Hat distributions. Make any changes needed to the default values and path,
then restart/reload the xinetd daemon to use it.</p>
<p>All of the options available can be seen with the "-h" option. Some notes on
some of the less obvious options and parameters:</p>
<dl>
<dt>--abrupt</dt>
<dd>If an error occurs after the client has sent the port pair, just drop the
connection rather than tell the client (allowed by RFC 1413). authd may do this
anyway for certain errors that prevent it from sending a reply (I/O error or an
out-of-memory situation). "--abrupt" overrides "-e" and "--xerror".</dd>
<dt>-E[<var>cipher</var>]</dt>
<dd>Any symmetric block/stream encryption method supported by the installed
OpenSSL can be used as a parameter. To see a list of available ciphers, use
"openssl enc -h".</dd>
<dt>-l[<var>mask</var>]</dt>
<dd>An optional base 10, base 8 (prefix with "0"), or base 16 (prefix with
"0x") bit mask of system log priority levels that you wish to log. For example,
a mask of 17<small><sub>8</sub></small> ("-l017") only logs messages of
priority error or higher.</dd>
<dt>--fn[=<var>uint</var>]</dt>
<dd>Sends the full-name/"finger" info rather than the username. Some systems
contain additional fields of information after the full name of a person, such
as the office, office phone number and home phone, separated by commas. To
display only the first field, specify "1". To display up to two fields, specify
"2", and so on.
<p>If the "-n" option is also specified, then the numeric user id will be
followed by the 2nd through the <var>uint</var>-th fields, provided that
<var>uint</var> is greater than two.</p></dd>
<dt>--hybrid</dt>
<dd>Only applies to IPv6 addresses activated with the "--verbose" option. When
used, the bottom 32 bits of the address will be displayed in the traditional
IPv4 format of four dot-separated base 10 numbers rather than the IPv6 style of
eight colon-separated 16-bit hex fields.</dd>
<dt>--mapped=<var>ipv6</var></dt>
<dd>Allows IPv6 addresses whose first 96 bits (in other words, everything
except for the last 32 bits) are <var>ipv6</var> to match IPv4 addresses which
are identical to the bottom 32 bits of the IPv6 address. Useful for IPv6/IPv4
multi-interface environments where IPv4 addresses on different interfaces are
mapped to IPv6 addresses. It does not match IPv4 "<samp>localhost</samp>"
(<samp>127.0.0.1</samp>) with IPv6's equivalent (<samp>::1</samp>).</dd>
<dt>--os[=rfc1340]</dt>
<dd>Without an argument, it will display the same value returned by the
"uname" command as the operating system, rather than "UNIX". You may wish to do
this if the username returned (perhaps from PAM talking to a Windows server)
does not make sense within a traditional UNIX or Linux system.</dd>
<dt>--resolve</dt>
<dd>Only applies to addresses and ports activated with the "--verbose" option.
Causes <samp>in.authd</samp> to resolve addresses using nameservers, and to
replace service port numbers with their names, when available. Resolving
addresses slows the server down.</dd>
<dt>--username[=<var>login</var>]</dt>
<dd>Causes authd to report the username <var>login</var> for all valid
established TCP connections, regardless of the actual user. <var>login</var>
must point to a valid entry in the password database. If used in conjunction
with "-n", the uid of <var>login</var> will be returned. It will not change the
uid number provided with the "--verbose" option. "--username" is useful for
providing the actual user on single-user workstations or servers that have
changed their original associated uids to effective ones. It is also useful for
masking the true username for privacy purposes (in this case authd is running
as a dummy placebo server).</dd>
<dt>--verbose</dt>
<dd>Adds the following information after the username or full name (depending
on the option selected), separated by commas:
<dl>
<dt>true userid number</dt>
<dd>Different from "-n", which is affected by "--username".</dd>
<dt>time stamp</dt>
<dd>Date and time is provided in ASCII ISO 8601 UTC/Zulu (aka Greenwich Mean
Time, or GMT). The day of week and time in authd's local timezone, using the
locale's format and encoding, are also provided in parentheses.</dd>
<dt>local address and port</dt>
<dd>Port is separated from the address by a vertical bar; "local" is from the
perspective of the authd server.</dd>
<dt>remote address and port</dt>
<dd>Port is separated from the address by a vertical bar; "remote" is from the
perspective of the authd server.</dd>
</dl>
</dd>
</dl>
<p>The authd daemon will not read any input from stdin if port pairs are
specified as parameters. Also, only the first port pair will be processed
unless the "-m" option is specified.</p>
<h3>Testing</h3>
<ol>
<li>Run "netstat -A inet -n" and find an established TCP connection.</li>
<li>Input the two ports (the numbers following the colons in the netstat
output) as a single command line argument (no whitespace unless the entire pair
is enclosed in quotes for the command line parser), in the same order,
separated by a comma. Example:
<p><samp>$ /usr/sbin/in.authd 33201,6667</samp></p></li>
<li>Execute "telnet localhost auth" and type the two ports separated by a
comma. The two ports selected must have a foreign address of
<samp>localhost</samp>, or <samp>127.0.0.1</samp>, as well as a matching local
address. If they do not, a <samp>NO-USER</samp> error will be returned.</li>
</ol>
<h2>DIFFERENCES FROM PIDENTD 3.0.18</h2>
<dl>
<dt>no config file</dt>
<dd>There is no "<samp>/etc/ident.conf</samp>", as all the options you need
for a simple inet super daemon based server can be easily passed from the
command line.</dd>
<dt>no special crypto tools</dt>
<dd>Key generation requires no special tools; a plain text pass phrase in a
file is all that's required to encrypt. To decrypt, the openssl enc tool is
used.</dd>
<dt>no standalone server mode</dt>
<dd>For a simple server, launching via the ubiquitous inetd/xinetd is all
that's needed. The super server provides most of the options present in
pidentd.</dd>
<dt>no protocol extensions</dt>
<dd>The VERSION and QUIT commands are unnecessary, a security risk in the case
of VERSION, and a violation of the RFC 1413 protocol. As they are not used by
any client, they have been intentionally omitted. The "-e" option is instead
used to mask error messages.</dd>
<dt>no automatic verbose encryption</dt>
<dd>Encrypting replies does not automatically include port and time
information, which makes the reply excessively long. This information may be
included with the "--verbose" option.</dd>
</dl>
<h2>HOW TO INCREASE PRIVACY</h2>
<p>You can allow users to either opt out of or opt in to exposing their userid
by creating a file in their home directory (defaults are
"<samp>~/.noident</samp>" and "<samp>~/.ident</samp>" respectively) and by
setting the appropriate server option ("-N" or "--ident"). If both options are
set and both files are present, "<samp>~/.noident</samp>" cancels out
"<samp>~/.ident</samp>". If a file is present (or not present) which indicates
that the user does not wish their information to be revealed, a
<samp>HIDDEN-USER</samp> error message is returned.</p>
<p>If you just want an ident server to speed up broken servers that insist on
some form of ident but you don't want to reveal any usernames, you can make
authd "lie" to clients and tell them that the ports are owned by an arbitrary
user with the "--username" option. When set to its default, the authd daemon
will reply with either <samp>NO-USER</samp> errors or "<samp>nobody</samp>" as
the port owner. Note that the argument supplied to "--username" must be a valid
username. As some daemons do run as "<samp>nobody</samp>", you may wish to
create a special username just for authd, such as "<samp>somebody</samp>",
using the command:</p>
<p><samp>$ /usr/sbin/useradd -s /sbin/nologin -r somebody</samp></p>
<p>Encryption allows the system administrator owning the authd server to be
aware of any ident information that is sent to them from remote sites while not
unnecessarily exposing the usernames to any anonymous system.</p>
<p>The "-e" option can be used to return <samp>UNKNOWN-ERROR</samp> instead of
<samp>INVALID-PORT</samp>, <samp>NO-USER</samp>, and
<samp>HIDDEN-USER</samp>.</p>
<h2>HOW TO USE ENCRYPTION</h2>
<ol>
<li>Put a plain text password or pass phrase that is terminated by a newline in
the file "<samp>/etc/ident.key</samp>". Any additional data after the newline
is ignored. If the pass phrase is in a different file and/or location, use the
"--passwd" option to tell authd where it is.</li>
<li>Make sure the owner/group and permissions are set so that the daemon (which
usually runs as "<samp>nobody</samp>" if you use the default xinetd
configuration file) can read it. Make sure that others can't read or write it
by using:
<p><samp>$ chmod o-rw /etc/ident.key</samp></p>
authd will refuse to encrypt if this is not done.</li>
<li>To decrypt the string, the "openssl" tool (using the "enc" sub-tool) is
needed. If the base64 encrypted string is longer than 64 characters, it will
need to be broken into multiple lines of 64 characters or less (why? because
openssl enc -base64 doesn't like it any other way, even though base64 only
needs line breaks for e-mail). Feed the short base64 string into the command:
<p><samp>$ /usr/bin/openssl enc -d -base64 -aes-128-cbc -pass
file:/etc/ident.key</samp></p>
(Change the cipher to what's appropriate if you did not use the default for the
"-E" authd option or the default was changed in <samp>config.h</samp>. Use
enc's -in option if the base64 encryption is stored in a file rather than being
piped into stdin.)</li>
</ol>
<p>Do understand the security ramifications of storing a password/pass phrase
in unencrypted form on a file system. A system is secure if the cost of
breaking the system is greater than the value of the data. Thus, do not
increase the value of the authd password by using it anywhere else; it should
only be used to encrypt usernames &amp; userids and the address/port info
returned by "--verbose" (relatively low value information already readable by
any local user).</p>
<h2>INTERNATIONALIZATION</h2>
<p>Sometimes, the username and/or gecos field returned by the system may not be
in ASCII. An example would be a system that authenticates against accounts
stored on Windows. Windows permits non-ASCII in its usernames and Name/Comment
descriptions. In these cases, use the "--codeset" option to specify the
character encoding/charset used. This will not convert any messages; it will
simply inform the client as to the character encoding. The character encoding
will not be sent to the client if the response appears to be all ASCII (all
printable characters; no control characters), even if the option is
specified.</p>
<p>In the rare case that the string to be sent is not ASCII, a --codeset has
been specified without the optional parameter, and the program is unable to
determine the codeset used by the operating system, "<samp>X-UNKNOWN</samp>"
will be returned as the codeset.</p>
<p>You may want error messages (also local timestamps with the --verbose
option) to be sent in a different locale from the current locale (inetd/xinetd
often is configured to launch daemons in the "C" locale). The locale to use can
be configured with the "--lang" option. By default, the daemon starts in the
locale of the parent (usually xinetd/inetd) that launched it. If --codeset is
also specified, it overrides the character encoding of the specified
locale.</p>
<p>Be aware that many system log daemons are not capable of handling non-ASCII
yet, so combining this with the "-l" option may not produce readable syslog
messages.</p>
<h2>EXTENDED ERROR MESSAGES</h2>
<p>These only appear when authd is launched with the "--xerror" option, because
some server administrators do not believe in giving outsiders any useful
information regarding the state of their servers. However, --xerror is useful
for diagnostics and troubleshooting.</p>
<dl>
<dt><samp>X-PROC</samp></dt>
<dd>Either <samp>/proc/net/tcp</samp> or <samp>/proc/net/tcp6</samp> was not
in the format that authd expected it to be in. This may be because:
<ul>
<li>the files are not part of a true Linux <samp>/proc</samp> filesystem</li>
<li>you are running a modified or experimental kernel</li>
<li>you are running a kernel much newer than this program's last update and
the file format has changed</li>
<li>the proc file macros in <samp>config.h</samp> have been changed to point
to something else</li>
</ul>
</dd>
<dt><samp>X-NAME</samp></dt>
<dd>A username was specified as an argument, but the username couldn't be found
in the password database (<samp>/etc/passwd</samp>, NIS, or whatever the
system uses).</dd>
<dt><samp>X-UID</samp></dt>
<dd>The UID taken from <samp>/proc/net/tcp6</samp> or
<samp>/proc/net/tcp</samp> couldn't be found in the password database.</dd>
<dt><samp>X-FILE</samp></dt>
<dd>The pathname for the <samp>.ident</samp> or <samp>.noident</samp> file
(home directory path + filename) was excessively long or bogus.</dd>
<dt><samp>X-CRYPTO</samp></dt>
<dd>Suffixed by zero or more sequences of dashes and eight-digit hexadecimal
numbers. Either the pass phrase file couldn't be opened (wrong filename,
doesn't exist, wrong permissions: it must be readable by authd and NOT
readable/writable by "others"), the pass phrase was too short for the given
encryption, the crypto algorithm was inappropriate for the type of data (for
example, not symmetric or does not permit non-fixed lengths), or some other
internal (usually memory resource related) condition occurred.</dd>
<dt><samp>X-ERRNO</samp></dt>
<dd>Suffixed with a dash and a decimal number corresponding to what was
returned by errno. Usually will occur due to an I/O error or an out-of-memory
condition. On Linux, <samp>2</samp> is "file not found" and <samp>12</samp> is
an out-of-memory condition. Note that some out-of-memory conditions will cause
the server to exit before printing a message.</dd>
<dt><samp>X-RFC1413</samp></dt>
<dd>The userid reply was longer than 512 characters and/or contained CRLF.
While this shouldn't happen with sane data, it could occur with an
exceptionally long or strange gecos field combined with "--verbose" and
"--fn".</dd>
</dl>
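<p>Added example (not part of authd): a Python parser for the RFC 1413 reply
lines described in the Testing, Encryption and Extended Error sections above.
It handles the optional charset field, the standard and X- error types with
their suffixes, the X-RFC1413 length/CRLF limits, and the 64-column base64
folding that "openssl enc -d -base64" requires before decryption. All reply
lines are constructed samples; <samp>parse_reply</samp>,
<samp>fold_base64</samp> and <samp>decrypt_userid</samp> are names chosen
here.</p>

```python
"""Added example (not authd's own code): parse RFC 1413 reply lines as in.authd
emits them, flag X-RFC1413 conditions, and prepare an encrypted user-id for
'openssl enc -d -base64', which needs the base64 folded at 64 columns."""
import subprocess
from dataclasses import dataclass
from typing import List, Optional

STANDARD_ERRORS = ("INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR")
# Extended error types (sent only with --xerror); X-CRYPTO and X-ERRNO carry a
# dash-separated suffix, e.g. X-ERRNO-12 for an out-of-memory errno on Linux.
EXTENDED_ERRORS = ("X-PROC", "X-NAME", "X-UID", "X-FILE", "X-CRYPTO", "X-ERRNO", "X-RFC1413")
MAX_USERID = 512  # longer user-ids, or any CR/LF inside one, violate RFC 1413

@dataclass
class IdentReply:
    server_port: int
    client_port: int
    kind: str                # "USERID" or "ERROR"
    opsys: str = ""
    charset: str = ""
    user_id: str = ""
    error: str = ""
    suffix: str = ""         # e.g. "12" for X-ERRNO-12

def parse_reply(line: str) -> IdentReply:
    # Split on the first three colons only: a --verbose user-id may itself
    # contain colons (IPv6 addresses, the ISO 8601 time stamp).
    parts = [p.strip() for p in line.rstrip("\r\n").split(":", 3)]
    if len(parts) < 3:
        raise ValueError("not an RFC 1413 reply: %r" % line)
    sport, cport = (int(p) for p in parts[0].split(","))
    kind = parts[1]
    if kind == "USERID":
        if len(parts) != 4:
            raise ValueError("USERID reply without a user-id field")
        opsys, _, charset = (x.strip() for x in parts[2].partition(","))
        # RFC 1413 implies US-ASCII when no charset is sent; authd omits the
        # charset whenever the user-id is printable ASCII.
        return IdentReply(sport, cport, kind, opsys, charset or "US-ASCII", parts[3])
    if kind == "ERROR":
        err = parts[2]
        for name in EXTENDED_ERRORS:
            if err == name or err.startswith(name + "-"):
                return IdentReply(sport, cport, kind, error=name,
                                  suffix=err[len(name) + 1:])
        if err not in STANDARD_ERRORS:
            raise ValueError("unknown error type %r" % err)
        return IdentReply(sport, cport, kind, error=err)
    raise ValueError("unknown reply type %r" % kind)

def rfc1413_violation(user_id: str) -> Optional[str]:
    """Return "X-RFC1413" when a user-id could not legally be sent (the case
    authd reports under --xerror), otherwise None."""
    if len(user_id) > MAX_USERID or "\r" in user_id or "\n" in user_id:
        return "X-RFC1413"
    return None

def fold_base64(b64: str, width: int = 64) -> str:
    """openssl enc -d -base64 only accepts input lines of at most 64 chars."""
    return "".join(b64[i:i + width] + "\n" for i in range(0, len(b64), width))

def openssl_decrypt_argv(key_file: str = "/etc/ident.key", cipher: str = "aes-128-cbc",
                         infile: Optional[str] = None) -> List[str]:
    """The README's command; cipher must match the daemon's -E setting."""
    argv = ["openssl", "enc", "-d", "-base64", "-" + cipher, "-pass", "file:" + key_file]
    if infile:
        argv += ["-in", infile]
    return argv

def decrypt_userid(line: str, key_file: str = "/etc/ident.key",
                   cipher: str = "aes-128-cbc") -> str:
    """Decrypt the user-id of an encrypted in.authd reply (needs openssl installed)."""
    reply = parse_reply(line)
    if reply.kind != "USERID":
        raise ValueError("reply carries no user-id: " + reply.error)
    out = subprocess.run(openssl_decrypt_argv(key_file, cipher),
                         input=fold_base64(reply.user_id).encode(),
                         capture_output=True, check=True)
    return out.stdout.decode("utf-8", "replace")
```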
</body>
</html>