FreeBSD Manual Pages


IDECRYPT(8)		    System Manager's Manual		   IDECRYPT(8)

NAME
       idecrypt - Decrypt tokens obtained from identd


DESCRIPTION
       idecrypt is a utility for decrypting the encrypted tokens that
       identd(8) provides instead of usernames when it is run in encrypted-
       token mode (that is, with the -C flag).

       idecrypt reads up to 1024 lines from the /usr/local/etc/identd.key
       file, converting each line to a DES key using des_string_to_key(3).  It
       then reads standard input, searching for encrypted tokens in the format
       produced by identd(8), decrypts the tokens if possible, and copies all
       unrecognised text from standard input to standard output without
       modification.

       If more than one key appears in the key file, then identd(8) will use
       the first key for encryption, and idecrypt will attempt to use all the
       keys for decryption.  This allows new keys to be used by identd(8)
       without losing the ability for idecrypt to decrypt old tokens (until
       there are more than 1024 keys in the key file).

       Each encrypted token consists of 32 base64 characters, enclosed in
       square brackets.  To make it easier to process logs generated by
       versions of tcpd(8) that convert the square brackets to underlines,
       idecrypt permits underline characters instead of square brackets in its
       input.
       idecrypt's output from decrypting each token is a human readable string
       containing the timestamp (displayed as a local time in ctime(3)
       format), the numeric uid, the local IP address, the local port number,
       the remote IP address and the remote port number.
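       The token scanning and multi-key decryption described above, as an
       added example in Go; this is not pidentd's own code.  The page gives
       only the outer token format (32 base64 characters in brackets or
       underlines), the key-file handling and the fields idecrypt prints, so
       everything else here is an assumption: the 24-byte plaintext layout,
       the checkWord constant used to recognise a correct key, zero-IV
       DES-CBC from Go's crypto/des, and a SHA-256 stand-in for
       des_string_to_key(3), which Go does not ship.  The key-file lines,
       addresses and log line are constructed.

```go
package main

import (
	"bufio"
	"crypto/cipher"
	"crypto/des"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"net"
	"regexp"
	"strings"
	"time"
)

// Hypothetical plaintext layout (an assumption, not pidentd's): 24 bytes =
// three DES blocks, the only size that base64-encodes to exactly 32 chars:
// check(4) | unix time(4) | uid(4) | local IP(4) | remote IP(4) | lport(2) | rport(2)
const checkWord = 0x49444e54 // lets Decrypt tell a correct key from a wrong one

// KeyFromLine stands in for des_string_to_key(3), which Go does not ship:
// hash the key-file line and keep the first 8 bytes as the DES key.
func KeyFromLine(line string) []byte {
	sum := sha256.Sum256([]byte(line))
	return sum[:8]
}

// LoadKeys mirrors idecrypt's key-file handling: one key per line, at most 1024.
func LoadKeys(keyFile string) [][]byte {
	var keys [][]byte
	sc := bufio.NewScanner(strings.NewReader(keyFile))
	for sc.Scan() && len(keys) < 1024 {
		keys = append(keys, KeyFromLine(sc.Text()))
	}
	return keys
}

// Encrypt is the identd -C side, which uses only the FIRST key in the file.
func Encrypt(key []byte, when time.Time, uid uint32, lip, rip net.IP, lport, rport uint16) string {
	pt := make([]byte, 24)
	binary.BigEndian.PutUint32(pt[0:], checkWord)
	binary.BigEndian.PutUint32(pt[4:], uint32(when.Unix()))
	binary.BigEndian.PutUint32(pt[8:], uid)
	copy(pt[12:], lip.To4()) // this layout holds IPv4 addresses only
	copy(pt[16:], rip.To4())
	binary.BigEndian.PutUint16(pt[20:], lport)
	binary.BigEndian.PutUint16(pt[22:], rport)
	block, _ := des.NewCipher(key) // cannot fail: KeyFromLine always yields 8 bytes
	ct := make([]byte, 24)
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(ct, pt)
	return "[" + base64.StdEncoding.EncodeToString(ct) + "]"
}

// Decrypt tries every key in key-file order, as idecrypt does (so tokens made
// under an older key still decrypt), and on success returns the line the page
// describes: ctime-style local time, uid, local and remote address and port.
func Decrypt(keys [][]byte, b64 string) (string, bool) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(ct) != 24 {
		return "", false
	}
	pt := make([]byte, 24)
	for _, key := range keys {
		block, _ := des.NewCipher(key)
		cipher.NewCBCDecrypter(block, make([]byte, des.BlockSize)).CryptBlocks(pt, ct)
		if binary.BigEndian.Uint32(pt[0:]) != checkWord {
			continue // wrong key: try the next one
		}
		when := time.Unix(int64(binary.BigEndian.Uint32(pt[4:])), 0).Local()
		return fmt.Sprintf("%s %d %s %d %s %d", when.Format(time.ANSIC),
			binary.BigEndian.Uint32(pt[8:]), net.IP(pt[12:16]), binary.BigEndian.Uint16(pt[20:]),
			net.IP(pt[16:20]), binary.BigEndian.Uint16(pt[22:])), true
	}
	return "", false
}

// 32 base64 characters in square brackets, or in the underlines tcpd(8) leaves behind.
var tokenRE = regexp.MustCompile(`\[[A-Za-z0-9+/]{32}\]|_[A-Za-z0-9+/]{32}_`)

// Filter is the idecrypt loop: decrypt what it can, copy everything else unchanged.
func Filter(keys [][]byte, input string) string {
	return tokenRE.ReplaceAllStringFunc(input, func(m string) string {
		if line, ok := Decrypt(keys, m[1:len(m)-1]); ok {
			return line
		}
		return m
	})
}

func main() {
	// Constructed data: the new key file puts a fresh key first and keeps the old one.
	oldKeys, newKeys := LoadKeys("first secret\n"), LoadKeys("second secret\nfirst secret\n")
	tok := Encrypt(oldKeys[0], time.Date(1996, 5, 19, 0, 25, 23, 0, time.UTC), 501,
		net.ParseIP("192.0.2.1"), net.ParseIP("198.51.100.7"), 2304, 23)
	logLine := "telnetd: connect from " + tok + "\n" // constructed remote-host log line
	fmt.Print(Filter(newKeys, logLine))
	fmt.Print(Filter(newKeys, strings.NewReplacer("[", "_", "]", "_").Replace(logLine))) // tcpd underlines
	fmt.Print(Filter(LoadKeys("unrelated\n"), logLine)) // key gone: token copied unchanged
}
```

       Two points the page leaves implicit are made explicit here.  First,
       when several keys are in the file the decryptor needs some way to tell
       a correct key from a wrong one; the example uses a constant check word
       for that, which is its own choice and not something the page states
       about identd(8).  Second, 24 bytes is the only payload length that
       base64-encodes to exactly 32 characters with no padding, which is why
       the scanner can demand exactly 32 base64 characters and why '_' (not a
       base64 character) is a safe substitute delimiter.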

EXAMPLES
       Suppose that the local host has IP address, the local
       /usr/local/etc/identd.key file contains


       and the local host is running the identd(8) server in encrypted-token
       mode.
       Now, if a local user with uid 501 telnets to a remote host with IP
       address, the remote host may choose to make an ident query back to the
       local host, in order to obtain some information to be logged for
       possible use later.  The local identd(8) might send the following
       encrypted token to the remote host instead of sending a username:

       If the administrator of the remote host later provides the
       administrator of the local host with a copy of the encrypted token, and
       if the secret key has not been removed from the local
       /usr/local/etc/identd.key file, then the administrator of the local
       host can run idecrypt and provide the encrypted token on standard
       input:

       idecrypt will then print the following decrypted information:

       Sun May 19 00:25:23 1996	501 2304 23

       This represents the time the encrypted token was created, the local
       user id, the local IP address and port number, and the remote IP
       address and port number.

SEE ALSO
       identd(8), tcpd(8)

BUGS
       The handling of fatal errors could be better.

				  19 May 1996			   IDECRYPT(8)

