REQUIREMENTS & SETUP
Building
Although authd was built and tested on Red Hat Linux 9, Red Hat Enterprise Linux and Fedora Core 1 & 2, it will probably compile on any recent 2003/2004-era GNU/Linux distro with openssl and recent versions of the GNU tool chain (compiler + make) and GNU C library.
authd does not require autoconf. If needed, change any defaults by editing the <samp>config.h</samp> file. To build, simply run "make".
Installing
"make install" will install "<samp>in.authd</samp>" and any translations in "<samp>/usr/local/sbin</samp>" and "<samp>/usr/local/locale</samp>" respectively, so you'll need to set the make variable prefix if you want the files to go somewhere other than "<samp>/usr/local</samp>". It installs under the filename "<samp>in.authd</samp>" to reflect that it is intended to run as an inetd/xinetd hosted server; in other words, server input/output is connected to stdin and stdout.
If you're using encryption, put a one line pass phrase in the file "<samp>/etc/ident.key</samp>" (or another place if you change the default location via a server option), making sure the file is readable by the authd process and NOT readable/writable by others ("chmod o-rw"). If the permissions are not set correctly, authd will refuse to encrypt.
Running
authd should be able to read <samp>/proc/net/tcp</samp> and/or <samp>/proc/net/tcp6</samp> to actually match users to ports, although it will run without these files.
A sample xinetd configuration file has been provided; copying xinetd.conf.auth to /etc/xinetd.d should work for Red Hat distributions. Make any changes needed to the default values and path, then restart/reload the xinetd daemon to use it.
All of the options available can be seen with the "-h" option. Some notes on some of the less obvious options and parameters:
-l[mask]
An optional base 10, base 8 (prefix with "0"), or base 16 (prefix with "0x") bit mask of system log priority levels that you wish to log. For example, a mask of 17<small><sub>8</sub></small> ("-l017") only logs messages of priority error or higher.
--fn[=uint]
Sends the full-name/"finger" info rather than the username. Some systems contain additional fields of information after the full name of a person, such as the office, office phone number and home phone, separated by commas. To display only the first field, specify "1". To specify up to two fields, specify "2"... and so on.
If the "-n" option is also specified, then the numeric user id will be followed by fields 2 up to uint, provided that uint is greater than two.
--hybrid
Only applies to IPv6 addresses activated with the "--verbose" option. When used, the bottom 32 bits of the address will be displayed in the traditional IPv4 format of four dot separated base 10 numbers rather than the IPv6 style of eight colon separated 16-bit hex groups.
--verbose
Adds the following information after the username or full name (depending on the option selected), separated by commas:
<samp>$ /usr/sbin/in.inetd 33201,6667</samp>
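Helpers for composing and reading the "-l[mask]" value described above. This is an added example, not part of authd; it assumes, as the "-l017 = error or higher" example implies, that bit i of the mask selects syslog priority i (emerg=0 through debug=7, the numbering in &lt;syslog.h&gt;).

```sh
#!/bin/sh
# Added example (not authd code): build and decode the authd -l[mask] value.
# Assumption: bit i of the mask selects syslog priority i (emerg=0 ... debug=7).

# Priority number for a syslog level name.
syslog_prio() {
  case $1 in
    emerg) echo 0;; alert) echo 1;; crit) echo 2;; err) echo 3;;
    warning) echo 4;; notice) echo 5;; info) echo 6;; debug) echo 7;;
    *) echo "unknown priority: $1" >&2; return 1;;
  esac
}

# authd_log_mask NAME...: octal mask (with the leading 0 authd expects)
# selecting exactly the named priorities, e.g. "emerg alert crit err" -> 017.
authd_log_mask() {
  mask=0
  for name in "$@"; do
    p=$(syslog_prio "$name") || return 1
    mask=$(( mask | (1 << p) ))
  done
  printf '0%o\n' "$mask"
}

# authd_log_mask_upto NAME: mask for NAME and every more severe level; this is
# the same value as LOG_UPTO(NAME) from <syslog.h>.
authd_log_mask_upto() {
  p=$(syslog_prio "$1") || return 1
  printf '0%o\n' $(( (1 << (p + 1)) - 1 ))
}

# decode_authd_log_mask MASK: list the priorities a mask selects. Accepts the
# same base-8 (0...), base-16 (0x...) and base-10 spellings as authd.
decode_authd_log_mask() {
  mask=$(( $1 ))
  out=
  for name in emerg alert crit err warning notice info debug; do
    p=$(syslog_prio "$name")
    if [ $(( (mask >> p) & 1 )) -eq 1 ]; then out="$out $name"; fi
  done
  echo "${out# }"
}
```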
If you just want an ident server to speed up broken servers that insist on some form of ident but you don't want to reveal any usernames, you can make authd "lie" to clients and tell them that the ports are owned by any arbitrary user with the "--username" option. When set to its default, the authd daemon will reply with either <samp>NO-USER</samp> errors or "<samp>nobody</samp>" as the port owner. Note that the argument supplied to "--username" must be a valid username. As some daemons do run as "<samp>nobody</samp>", you may wish to create a special username just for authd, such as "<samp>somebody</samp>", using the command:
<samp>$ /usr/sbin/useradd -s /sbin/nologin -r somebody</samp>
Encryption allows the system administrator owning the authd server to be aware of any ident information that is sent to him from remote sites while not unnecessarily exposing the usernames to any anonymous system.
HOW TO USE ENCRYPTION
Make sure the owner/group and permissions of the key file are set so that the daemon (which usually runs as "<samp>nobody</samp>" if you use the default xinetd configuration file) can read it. Make sure that others can't read or write it by using:
<samp>$ chmod o-rw /etc/ident.key</samp>
authd will refuse to encrypt if this is not done.
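A pre-flight check for the key file requirements stated here and in the installation notes above. This is an added example, not part of authd; it uses GNU stat(1) and assumes the default key path /etc/ident.key when none is given.

```sh
#!/bin/sh
# Added example (not authd code): verify the authd pass-phrase file before
# starting the daemon. authd refuses to encrypt if "others" can read or
# write the file, so that is what fails the check.
# Usage: check_ident_key [KEYFILE]   (default /etc/ident.key)
check_ident_key() {
  key=${1:-/etc/ident.key}
  [ -f "$key" ] || { echo "$key: not a regular file" >&2; return 1; }
  [ -s "$key" ] || { echo "$key: empty; put a one-line pass phrase in it" >&2; return 1; }

  # Octal mode such as 640; the last digit is the "other" class (r=4, w=2, x=1).
  perms=$(stat -c '%a' "$key") || return 1
  other=${perms#"${perms%?}"}
  if [ $(( other & 6 )) -ne 0 ]; then
    echo "$key: others can read or write it (mode $perms); fix with: chmod o-rw $key" >&2
    return 1
  fi

  # openssl's -pass file: reads only the first line, so extra lines are
  # silently ignored; warn but do not fail.
  lines=$(wc -l < "$key")
  if [ "$lines" -gt 1 ]; then
    echo "$key: has $lines lines; only the first is used as the pass phrase" >&2
  fi
  return 0
}
```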
To decrypt the string, the "openssl" tool (using the "enc" sub-tool) is needed. If the base64 encrypted string is longer than 64 characters, it will need to be broken into multiple lines of 64 characters or less (why? because openssl enc -base64 doesn't like it any other way-- even though base64 only needs line breaks for e-mail). Feed the short base64 string into the command:
<samp>$ /usr/bin/openssl enc -d -base64 -aes-128-cbc -pass file:/etc/ident.key</samp>
(Change the cipher to what's appropriate if you did not use the default for the "-E" authd option or the default was changed in <samp>config.h</samp>. Use enc's -in option if the base64 encryption is stored in a file rather than being piped into stdin.)
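The decryption procedure above, wrapped so that the 64-character line folding openssl insists on is done for you. This is an added example, not part of authd; it assumes the default aes-128-cbc cipher and key path, and the encrypt direction exists only to produce a token for a local round-trip (on a real system authd produces the token).

```sh
#!/bin/sh
# Added example (not authd code): decrypt an authd "--verbose"/encrypted reply
# with openssl enc. openssl's -base64 decoder needs input in lines of at most
# 64 characters, so the single-line token is re-wrapped with fold(1) first.
# Assumptions: default cipher aes-128-cbc and key file /etc/ident.key.

# decrypt_ident_token TOKEN [KEYFILE] [CIPHER]
decrypt_ident_token() {
  token=$1
  keyfile=${2:-/etc/ident.key}
  cipher=${3:-aes-128-cbc}
  printf '%s\n' "$token" | fold -w 64 |
    openssl enc -d -base64 "-$cipher" -pass "file:$keyfile"
}

# encrypt_ident_token TEXT [KEYFILE] [CIPHER]: reverse direction, used here
# only to build a test token. -A emits the base64 as one line, which is the
# shape the page describes for authd's output.
encrypt_ident_token() {
  text=$1
  keyfile=${2:-/etc/ident.key}
  cipher=${3:-aes-128-cbc}
  printf '%s' "$text" | openssl enc -base64 -A "-$cipher" -pass "file:$keyfile"
}
```

openssl enc's default key derivation digest changed from MD5 to SHA-256 in OpenSSL 1.1.0, so a token produced by a build linked against an older OpenSSL may need "-md md5" added to the decrypt command.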
Do understand the security ramifications of storing a password/pass phrase in unencrypted form on a file system. A system is secure if the cost of breaking the system is greater than the value of the data. Thus, do not increase the value of the authd password by using it anywhere else; it should only be used to encrypt usernames & userids and the address/port info returned by "--verbose" (relatively low value information already readable by any local user).
INTERNATIONALIZATION
* Sometimes, the username and/or gecos field returned by the system may not be in ASCII. An example would be a system that authenticates against accounts stored on Windows. Windows permits non-ASCII in usernames and Name/Comment descriptions. In these cases, use the "--codeset" option to specify the character encoding/charset used. This will not convert any messages; it will simply inform the client as to the character encoding. The character encoding will not be sent to the client if the response appears to be all ASCII (all printable characters; no control characters), even if the option is specified. In the rare case that the string to be sent is not ASCII, "--codeset" has been specified without the optional parameter, and the program is unable to determine the codeset used by the operating system, "<samp>X-UNKNOWN</samp>" will be returned as the codeset.
* You may want error messages (also local timestamps with the --verbose option) to be sent in a different locale from the current locale (inetd/xinetd is often configured to launch daemons in the "C" locale). The locale to use can be configured with the "--lang" option. By default, the daemon starts in the locale of the parent (usually xinetd/inetd) that launched it. If --codeset is also specified, it overrides the character encoding of the specified locale.
Be aware that many system log daemons are not capable of handling non-ASCII yet, so combining this with the "-l" option may not produce readable syslog messages.
EXTENDED ERROR MESSAGES
These only appear when authd is launched with the "--xerror" option, because some server administrators do not believe in giving outsiders any useful information regarding the state of their servers. However, --xerror is useful for diagnostics and troubleshooting.
<samp>X-ERRNO</samp>
Suffixed with a dash and a decimal number corresponding to what was returned by errno. This usually occurs due to an I/O error or an out-of-memory condition. On Linux, <samp>2</samp> is "file not found" and <samp>12</samp> is an out of memory condition. Note that some out of memory conditions will cause the server to exit before printing a message.
<samp>X-RFC1413</samp>
The userid reply was longer than 512 characters and/or contained CRLF. While this shouldn't happen with sane data, it could possibly occur with an exceptionally long/strange gecos field combined with "--verbose" and "--fn".