
FreeBSD Manual Pages


IDECRYPT(8)                 System Manager's Manual                IDECRYPT(8)

NAME
       idecrypt - Decrypt tokens obtained from identd


DESCRIPTION
       idecrypt is a utility for decrypting the encrypted tokens that
       identd(8) provided instead of usernames when it is run in encrypted-
       token mode (that is, with the -C flag).

       idecrypt reads up to 1024 lines from the /usr/local/etc/identd.key
       file, converting each line to a DES key using des_string_to_key(3).  It
       then reads standard input, searching for encrypted tokens in the format
       produced by identd(8), decrypts the tokens if possible, and copies all
       unrecognised text from standard input to standard output without
       modification.

       If more than one key appears in the key file, then identd(8) will use
       the first key for encryption, and idecrypt will attempt to use all the
       keys for decryption.  This allows new keys to be used by identd(8)
       without losing the ability for idecrypt to decrypt old tokens (until
       there are more than 1024 keys in the key file).

       Each encrypted token consists of 32 base64 characters, enclosed in
       square brackets.  To make it easier to process logs generated by
       versions of tcpd(8) that convert the square brackets to underlines,
       idecrypt permits underline characters instead of square brackets in its
       input.

       idecrypt's output from decrypting each token is a human readable string
       containing the timestamp (displayed as a local time in ctime(3)
       format), the numeric uid, the local IP address, the local port number,
       the remote IP address and the remote port number.
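       The following is an added example, not part of the idecrypt manual
       page or of the pidentd sources, showing the processing described
       above: keys are read one per line (at most 1024), the encrypting side
       always uses the first key, the decrypting side tries every key in
       order, and a filter scans free text for 32-character base64 tokens in
       either bracket or underline form, replacing the ones it can decrypt
       and passing everything else through unchanged.  Because the Python
       standard library has no DES, the DES/des_string_to_key(3) step is
       replaced by a hash-derived keystream, and the 24-byte token layout
       (a 20-byte packed record plus a CRC32 check) is an assumption made for
       the example, not pidentd's real token format.  The key file text, IP
       addresses, ports and timestamp are constructed sample values.

```python
import base64
import hashlib
import re
import struct
import sys
import time
import zlib
from typing import List, Optional, Tuple

TOKEN_LEN = 24          # 32 base64 characters decode to 24 bytes
MAX_KEYS = 1024         # idecrypt reads at most 1024 key lines
# Assumed record layout (not pidentd's): time, uid, local ip, local port,
# remote ip, remote port, followed by a CRC32 of the record (4 bytes).
PAYLOAD_FMT = "!IIIHIH"
TOKEN_RE = re.compile(r"[\[_]([A-Za-z0-9+/]{32})[\]_]")

Record = Tuple[int, int, str, int, str, int]


def string_to_key(line: str) -> bytes:
    # Stand-in for des_string_to_key(3): derive an 8-byte key from one line.
    return hashlib.sha256(line.encode()).digest()[:8]


def load_keys(text: str) -> List[bytes]:
    # One key per line, blank lines ignored, only the first MAX_KEYS used.
    lines = [ln for ln in text.splitlines() if ln.strip()][:MAX_KEYS]
    return [string_to_key(ln) for ln in lines]


def _xor_stream(data: bytes, key: bytes) -> bytes:
    # Hash-derived keystream standing in for the DES step (symmetric).
    ks = b""
    counter = 0
    while len(ks) < len(data):
        ks += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, ks))


def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def make_token(keys: List[bytes], ts: int, uid: int, lip: str, lport: int,
               rip: str, rport: int) -> str:
    # identd side: the FIRST key in the file is always the one used.
    payload = struct.pack(PAYLOAD_FMT, ts, uid, ip_to_int(lip), lport,
                          ip_to_int(rip), rport)
    blob = payload + struct.pack("!I", zlib.crc32(payload))
    assert len(blob) == TOKEN_LEN
    return "[" + base64.b64encode(_xor_stream(blob, keys[0])).decode() + "]"


def decrypt_token(keys: List[bytes], b64: str) -> Optional[Record]:
    # idecrypt side: try every key in order; accept the first whose check
    # value verifies, so tokens made under an older key still decrypt.
    blob = base64.b64decode(b64)
    for key in keys:
        plain = _xor_stream(blob, key)
        payload, (crc,) = plain[:20], struct.unpack("!I", plain[20:])
        if zlib.crc32(payload) == crc:
            ts, uid, lip, lport, rip, rport = struct.unpack(PAYLOAD_FMT, payload)
            return ts, uid, int_to_ip(lip), lport, int_to_ip(rip), rport
    return None


def format_record(rec: Record) -> str:
    # Same field order as idecrypt's output: local ctime, uid, local ip/port,
    # remote ip/port.
    ts, uid, lip, lport, rip, rport = rec
    return f"{time.ctime(ts)} {uid} {lip} {lport} {rip} {rport}"


def filter_text(keys: List[bytes], text: str) -> str:
    # Replace each decryptable token (bracketed or underlined, as tcpd may
    # rewrite it); leave unrecognised text and undecryptable tokens as-is.
    def repl(m: "re.Match[str]") -> str:
        rec = decrypt_token(keys, m.group(1))
        return format_record(rec) if rec else m.group(0)
    return TOKEN_RE.sub(repl, text)


if __name__ == "__main__":
    # Usage: python idecrypt_demo.py /path/to/identd.key < logfile
    with open(sys.argv[1]) as fh:
        file_keys = load_keys(fh.read())
    sys.stdout.write(filter_text(file_keys, sys.stdin.read()))
```

       The filter never fails on a token it cannot decrypt; like idecrypt, it
       copies such text through unchanged, which is what makes it safe to
       run over an entire log rather than over hand-picked lines.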

EXAMPLES
       Suppose that the local host has IP address, the local
       /usr/local/etc/identd.key file contains


       and the local host is running the identd(8) server in encrypted-token
       mode.

       Now, if a local user with uid 501 telnets to a remote host with IP
       address, the remote host may choose to make an ident query back
       to the local host, in order to obtain some information to be logged for
       possible use later.  The local identd(8) might send the following
       encrypted token to the remote host instead of sending a username:


       If the administrator of the remote host later provides the
       administrator of the local host with a copy of the encrypted token, and
       if the secret key has not been removed from the local
       /usr/local/etc/identd.key file, then the administrator of the local
       host can run idecrypt and can provide the encrypted token in standard
       input.

       idecrypt will then print the following decrypted information:

       Sun May 19 00:25:23 1996 501 2304 23

       This represents the time the encrypted token was created, the local
       user id, the local IP address and port number, and the remote IP
       address and port number.

SEE ALSO
       identd(8) tcpd(8)

BUGS
       The handling of fatal errors could be better.

                                 19 May 1996                       IDECRYPT(8)

