
FreeBSD Manual Pages


identd(1)                                                            identd(1)

NAME
       identd, in.identd - TCP/IP IDENT protocol server

SYNOPSIS
       [in.]identd [options]

DESCRIPTION
       Identd is a server which implements the TCP/IP proposed standard IDENT
       user identification protocol as specified in the RFC 1413 document.

       identd operates by looking up specific TCP/IP connections and returning
       the user name of the process owning the connection.  It can optionally
       return other information instead of a user name.

OPTIONS
       -h        Display the available command line options.

       -V        Display the version and the OS version it was compiled for,
                 then exit.

       -d        Enable extra debugging messages.

       -C<file>  Directs identd to parse additional configuration options from
                 the file specified.

       -i        May be used when starting the daemon by inetd with the
                 "nowait" option (see below).

       -w        May be used when starting the daemon by inetd with the "wait"
                 option (see below).

       -I        May be used when the daemon is started by init (see below).

       -b        May be used to make the daemon run in standalone mode (see
                 below).

       -u<user>  Used to specify a user number or name to which the server
                 should switch after binding itself to the TCP/IP port and
                 opening the kernel devices.

       -g<group> Used to specify a group number or name to which the server
                 should switch after binding itself to the TCP/IP port and
                 opening the kernel devices.

       -p<port>  Used to specify an alternative TCP port to bind to, if
                 running as a standalone daemon or started by init.  Can be
                 specified by name or by number.  Defaults to the IDENT port
                 (113).

       -t<limit> Used to specify the request timeout limit.  This is the
                 maximum number of seconds a server will allow a client
                 connection to be active before terminating it.  It defaults
                 to 120 seconds.

                 Specify the location of a file to store the process number of
                 the identd daemon.

                 Control the number of threads to use for kernel lookups.

                 Set the syslog facility to use instead of 'daemon'.

       -o        Directs identd to return OTHER instead of UNIX as the
                 "operating system".

       -E        Enables DES encryption of the returned data (see below for
                 more information).

       -n        Directs identd to always return user numbers instead of user
                 names (for example if you wish to keep the user names a

       -N        Directs identd to check for a file ".noident" in each home
                 directory for the user which the daemon is about to return
                 the user name for.  If that file exists then the daemon will
                 give the error HIDDEN-USER instead of the normal USERID

       -e        Enables certain non-standard protocol extensions.  Currently
                 defined extensions include the requests VERSION to return the
                 Ident daemon version and QUIT to terminate a session (useful
                 in conjunction with the -m option).

       -m        Enables identd to use a mode of operation that will allow
                 multiple requests to be processed per session.  Each request
                 is specified one per line and the responses will be returned
                 one per line.  The connection will not be closed until the
                 connecting party closes its end of the line.
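       To make the reply rules behind the -o, -n, -N, -e and -m switches
       concrete, the following Python model of an identd session is added
       here as an example; it is not code from pidentd.  The connection
       table, passwd entries and the set of users with a ".noident" file are
       constructed sample data standing in for the kernel and the passwd
       database.  The request and reply line formats (USERID, ERROR with
       INVALID-PORT, NO-USER and HIDDEN-USER, ports 1-65535) follow RFC 1413;
       the reply format for the VERSION extension and the "0 , 0" ports
       echoed for an unparseable request are assumptions.

```python
import re

# Constructed sample data standing in for the kernel connection table and the
# passwd database; a real identd obtains both from the running system.
CONNECTIONS = {          # (local_port, remote_port) -> owning uid
    (6667, 50001): 1001,
    (22, 50002): 0,
}
PASSWD = {0: "root", 1001: "alice"}   # uid -> login name
NOIDENT_USERS = {1001}                # users whose home directory holds ".noident"

# RFC 1413 request line: "<port-on-server> , <port-on-client>"
REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


class Responder:
    """Reply policy for one session, mirroring the -o, -n, -N, -e and -m switches."""

    def __init__(self, opsys="UNIX", charset="US-ASCII", uid_only=False,
                 noident=False, extensions=False, multiquery=False,
                 version="identd-example"):
        self.opsys = opsys            # -o / result:opsys (OTHER instead of UNIX)
        self.charset = charset        # result:charset; None omits the field
        self.uid_only = uid_only      # -n / result:uid-only
        self.noident = noident        # -N / result:noident
        self.extensions = extensions  # -e / protocol:extensions (VERSION, QUIT)
        self.multiquery = multiquery  # -m / protocol:multiquery
        self.version = version

    def opsys_field(self):
        # RFC 1413 opsys-field: the opsys name, optionally followed by ",charset"
        return f"{self.opsys} , {self.charset}" if self.charset else self.opsys

    def lookup_uid(self, lport, rport):
        return CONNECTIONS.get((lport, rport))

    def reply(self, line):
        """Answer one request line; None means 'close the connection'."""
        text = line.strip()
        if self.extensions:
            if text.upper() == "VERSION":
                # Reply format for the VERSION extension is an assumption.
                return f"0 , 0 : X-VERSION : {self.version}"
            if text.upper() == "QUIT":
                return None
        m = REQUEST_RE.match(text)
        if m is None:
            # Unparseable request: echo zero ports (assumed) with INVALID-PORT.
            return "0 , 0 : ERROR : INVALID-PORT"
        lport, rport = int(m.group(1)), int(m.group(2))
        prefix = f"{lport} , {rport}"
        if not (1 <= lport <= 65535 and 1 <= rport <= 65535):
            return f"{prefix} : ERROR : INVALID-PORT"
        uid = self.lookup_uid(lport, rport)
        if uid is None:
            return f"{prefix} : ERROR : NO-USER"
        if self.noident and uid in NOIDENT_USERS:
            return f"{prefix} : ERROR : HIDDEN-USER"
        if self.uid_only or uid not in PASSWD:
            ident = str(uid)
        else:
            ident = PASSWD[uid]
        return f"{prefix} : USERID : {self.opsys_field()} : {ident}"

    def session(self, lines):
        """Run a whole session: one request by default, many with multiquery."""
        replies = []
        for line in lines:
            r = self.reply(line)
            if r is None:          # QUIT extension closes the session
                break
            replies.append(r)
            if not self.multiquery:
                break
        return replies


if __name__ == "__main__":
    r = Responder(multiquery=True, extensions=True)
    for out in r.session(["6667 , 50001", "1 , 2", "VERSION", "QUIT"]):
        print(out)
```

       Running the block prints one USERID reply, one NO-USER error and the
       VERSION reply, then stops at QUIT; with multiquery off the same
       session would end after the first reply.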

STARTING
       The preferred way to start identd depends on how it was built.

       If it was built with support for multithreading then it should be
       started either from init, as a standalone daemon, or from inetd using
       the "wait" mode (if your inetd supports it!).

       If it was built without support for multithreading then it should be
       started from inetd using the normal "nowait" mode for "stream tcp"
       services.  (The main reason being that it will be single-threaded, so
       it will only serve one client connection at a time.)

       identd normally will autodetect how it was invoked, so there normally
       is no need to use the four command line switches (-i, -w, -I, -b).

ENCRYPTION
       DES encryption is only available if the daemon was built with support
       for it enabled.

       An encryption key (1024 bytes long) should be stored in the key file
       (/usr/local/etc/identd.key) and it should be generated using a
       cryptographically safe random generator in order to be really safe.
       It should not contain any NUL (0x00) characters since it is used as a
       string to generate the real binary DES key.

       This file may contain multiple 1024 byte long keys, and the server will
       use the last key stored in that file.

       The returned token will contain the local and remote IP addresses and
       TCP port numbers, the local user's uid number, a timestamp, a random
       number, and a checksum - all encrypted using DES.  The encrypted binary
       information is then encoded in a BASE64 string (32 characters long) and
       enclosed in square brackets to produce a token that is transmitted to
       the remote client.

       The encrypted token can later be decrypted by the idecrypt command.
       This program will attempt to decrypt a token with all the keys stored
       in the key file until it succeeds (or has tried all the keys).
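       The key-file rules and the token structure described above are shown
       end to end in the following Python example, added here; it is not
       code from pidentd or idecrypt.  The key file is generated from the OS
       CSPRNG with NUL bytes removed, split into whole 1024-byte keys, and
       the last key is used to produce a 24-byte token that encodes to the 32
       BASE64 characters the text mentions; decryption tries every key until
       the checksum verifies, as idecrypt does.  The 24-byte field layout,
       the CRC-based checksum and the use of a SHA-256 keystream in place of
       DES are assumptions made for this example; the real daemon derives a
       DES key from the key string and encrypts with DES.

```python
import base64
import hashlib
import ipaddress
import os
import struct
import time
import zlib

KEY_LEN = 1024     # key length given in the manual
TOKEN_LEN = 24     # 24 raw bytes encode to the 32 base64 characters the manual describes


def generate_key():
    """Draw 1024 bytes from the OS CSPRNG, discarding NUL bytes as the manual requires."""
    out = bytearray()
    while len(out) < KEY_LEN:
        out += os.urandom(KEY_LEN - len(out)).replace(b"\x00", b"")
    return bytes(out)


def parse_key_file(data):
    """Split a key file into whole 1024-byte keys; the server uses keys[-1]."""
    if not data or len(data) % KEY_LEN:
        raise ValueError("key file must consist of whole 1024-byte keys")
    keys = [data[i:i + KEY_LEN] for i in range(0, len(data), KEY_LEN)]
    if any(b"\x00" in k for k in keys):
        raise ValueError("key contains a NUL byte")
    return keys


def transform(key, data):
    """Keyed stand-in for DES (assumption): XOR with a SHA-256 counter keystream.
    Symmetric, so the same call encrypts and decrypts.  A real DES call would
    go here; the surrounding key-file and checksum logic does not change."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Assumed 24-byte layout: local IP(4) remote IP(4) lport(2) rport(2)
# uid(4) timestamp(4) random(2) checksum(2).  The manual lists these fields
# but not their widths or order.
LAYOUT = "!4s4sHHIIH"


def make_token(key, laddr, raddr, lport, rport, uid, ts=None, rnd=None):
    """Pack the fields, append a checksum, encrypt, base64-encode and bracket."""
    ts = int(time.time()) if ts is None else ts
    rnd = int.from_bytes(os.urandom(2), "big") if rnd is None else rnd
    body = struct.pack(LAYOUT, ipaddress.IPv4Address(laddr).packed,
                       ipaddress.IPv4Address(raddr).packed, lport, rport, uid, ts, rnd)
    body += struct.pack("!H", zlib.crc32(body) & 0xFFFF)
    assert len(body) == TOKEN_LEN
    return "[" + base64.b64encode(transform(key, body)).decode("ascii") + "]"


def decrypt_token(keys, token):
    """idecrypt-style recovery: try each key until the checksum verifies."""
    if not (token.startswith("[") and token.endswith("]")) or len(token) != 34:
        return None
    raw = base64.b64decode(token[1:-1])
    for key in keys:
        plain = transform(key, raw)
        body, (chk,) = plain[:-2], struct.unpack("!H", plain[-2:])
        if zlib.crc32(body) & 0xFFFF != chk:
            continue            # wrong key: checksum does not verify
        la, ra, lp, rp, uid, ts, rnd = struct.unpack(LAYOUT, body)
        return {"local": f"{ipaddress.IPv4Address(la)}:{lp}",
                "remote": f"{ipaddress.IPv4Address(ra)}:{rp}",
                "uid": uid, "timestamp": ts, "random": rnd}
    return None


if __name__ == "__main__":
    key_file = generate_key() + generate_key()     # two keys; the server uses the last
    keys = parse_key_file(key_file)
    token = make_token(keys[-1], "10.0.0.1", "192.0.2.7", 6667, 50001, 1001)
    print(token, decrypt_token(keys, token))
```

       With a 16-bit checksum a wrong key passes the trial decryption about
       once in 65536 attempts, which is a property of the assumed layout; the
       daemon's real field widths, and DES in place of the stand-in
       keystream, are what a deployment relies on.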

CONFIGURATION FILE
       The configuration file contains a list of option=value pairs.

       syslog:facility = FACILITY
                 Set which facility to use when sending syslog messages.

       server:user = USER
                 Set what user (and group, from the passwd database) the
                 daemon should run as after it has opened all the kernel
                 handles.  (Default: nobody)

       server:group = GROUP
                 Override the group id (as set by the server:user option).

       server:port = PORT
                 Set what TCP/IP port the daemon should listen to.  (Default:

       server:backlog = LIMIT
                 Set the size of the server listen() backlog limit.

       server:pid-file = PATH
                 Set the path to the file where the server will store its
                 process id.

       server:max-request = LIMIT
                 Max number of concurrent requests allowed.  Default is 0
                 (zero) which means "no limit".

       protocol:extensions = ON/OFF
                 Enable/disable the nonstandard protocol extensions (VERSION
                 and QUIT currently).  Default: off

       protocol:multiquery = ON/OFF
                 Enable/disable the multiple queries per connection feature.
                 Default: off

       protocol:timeout = SECONDS
                 Max number of seconds since connection or last request.  If
                 set to 0 (zero), no timeout will be used.  Default: 120
                 seconds.

       kernel:threads = LIMIT
                 Max number of threads doing kernel lookups concurrently.
                 Default: 8

       kernel:buffers = LIMIT
                 Max number of queued kernel lookup requests.  Default: 32

       kernel:attempts = LIMIT
                 Max number of times to retry a kernel lookup in case of
                 failure.  Default: 5

       result:uid-only = YES/NO
                 Disable uid->username lookups (only return uid numbers).
                 Default: no

       result:noident = ON/OFF
                 Enable/disable checking for the ".noident" file in users'
                 home directories.

       result:charset = CHARSET
                 Define the character set returned in replies.  Default: "US-

       result:opsys = OPSYS
                 Define the operating system returned in replies.  Default:

       result:syslog-level = LEVEL
                 If set to anything other than "none", all request replies
                 will be sent to the syslog service with the specified
                 severity level.  Default: none

       result:encrypt = YES/NO
                 Enable encryption of replies.  Only available if Identd was
                 built with a DES encryption library.

       encrypt:key-file = PATH
                 Path to the file containing the encryption keys.

       include = PATH
                 Include (and parse) the contents of another configuration
                 file.
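       The option list above is enough to write a parser for this file, and
       the following Python example, added here and not part of pidentd, does
       that and then reviews the parsed settings for the ones that widen
       exposure (no idle timeout, no concurrent-request limit, running as
       root, clear-text login names, encryption without a key file).  The
       option table and defaults are taken from the list above; where the
       page states no default, None is used, and result:noident is assumed
       to default to off.  Treating '#' as a comment marker, applying an
       included file's settings in place, and the audit's choice of findings
       are assumptions made for this example.

```python
import re

# Option table from the manual's option list: name -> (type, default).
# Defaults the manual does not state are None; result:noident assumed off.
OPTIONS = {
    "syslog:facility":     ("str",  "daemon"),
    "server:user":         ("str",  "nobody"),
    "server:group":        ("str",  None),
    "server:port":         ("int",  113),
    "server:backlog":      ("int",  None),
    "server:pid-file":     ("str",  None),
    "server:max-request":  ("int",  0),
    "protocol:extensions": ("bool", False),
    "protocol:multiquery": ("bool", False),
    "protocol:timeout":    ("int",  120),
    "kernel:threads":      ("int",  8),
    "kernel:buffers":      ("int",  32),
    "kernel:attempts":     ("int",  5),
    "result:uid-only":     ("bool", False),
    "result:noident":      ("bool", False),
    "result:charset":      ("str",  None),
    "result:opsys":        ("str",  None),
    "result:syslog-level": ("str",  "none"),
    "result:encrypt":      ("bool", False),
    "encrypt:key-file":    ("str",  None),
}
BOOL_WORDS = {"on": True, "yes": True, "true": True,
              "off": False, "no": False, "false": False}
LINE_RE = re.compile(r"^\s*([a-z:-]+)\s*=\s*(.*?)\s*$")


def _parse_lines(text, files, seen, settings, source):
    """Collect explicit settings from one file; `files` maps include paths to text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # '#' comments are an assumption
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"{source}:{lineno}: expected option = value")
        name, value = m.group(1).lower(), m.group(2)
        if name == "include":
            if value in seen:
                raise ValueError(f"{source}:{lineno}: include loop via {value}")
            if value not in files:
                raise ValueError(f"{source}:{lineno}: cannot read {value}")
            seen.add(value)
            _parse_lines(files[value], files, seen, settings, value)
            continue
        if name not in OPTIONS:
            raise ValueError(f"{source}:{lineno}: unknown option {name}")
        kind = OPTIONS[name][0]
        if kind == "int":
            if not value.isdigit():
                raise ValueError(f"{source}:{lineno}: {name} needs a number")
            settings[name] = int(value)
        elif kind == "bool":
            if value.lower() not in BOOL_WORDS:
                raise ValueError(f"{source}:{lineno}: {name} needs ON/OFF or YES/NO")
            settings[name] = BOOL_WORDS[value.lower()]
        else:
            settings[name] = value


def parse_config(text, files=None, source="identd.conf"):
    """Return the full option dict: manual defaults overridden by explicit settings."""
    settings = {}
    _parse_lines(text, files or {}, set(), settings, source)
    cfg = {name: default for name, (_, default) in OPTIONS.items()}
    cfg.update(settings)
    return cfg


def audit(cfg):
    """Flag settings that widen exposure; returns (option, reason) pairs."""
    findings = []
    if cfg["protocol:timeout"] == 0:
        findings.append(("protocol:timeout",
                         "0 disables the idle timeout; a client can hold a connection open indefinitely"))
    if cfg["server:max-request"] == 0:
        findings.append(("server:max-request", "0 means no limit on concurrent requests"))
    if cfg["server:user"] in ("root", "0"):
        findings.append(("server:user", "daemon keeps root after binding the port and opening kernel devices"))
    if not (cfg["result:uid-only"] or cfg["result:encrypt"]):
        findings.append(("result:uid-only", "login names are returned in clear text to any remote peer"))
    if cfg["result:encrypt"] and not cfg["encrypt:key-file"]:
        findings.append(("encrypt:key-file", "encryption enabled but no key file configured"))
    return findings


if __name__ == "__main__":
    # Constructed sample configuration with the weaker settings present.
    sample = "protocol:timeout = 0\nserver:max-request = 0\nprotocol:multiquery = ON\n"
    for option, reason in audit(parse_config(sample)):
        print(f"{option}: {reason}")
```

       The same audit run on a file with protocol:timeout, server:max-request
       and result:uid-only set to non-default values reports nothing, which
       is the quick way to confirm a hardened identd.conf before deployment.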

NOTES
       The username (or UID) returned ought to be the login name.  However it
       (probably, for most architecture implementations) is the "real user ID"
       as stored with the process.  Thus the UID returned may be different
       from the login name for setuid programs (or those running as root)
       which have done a setuid(3) call, and their children.  For example, it
       may (should?) be wrong for an incoming ftpd; and we are probably
       interested in the running shell, not the telnetd, for an incoming
       telnet session.  (But of course identd returns info for outgoing
       connections, not incoming
FILES
              Contains the default configuration options for identd.

              Contains (if enabled) the process number of the identd daemon.

              If compiled with DES encryption enabled, the first 1024 bytes of
              this file are used to specify the secret key for encrypting

COPYRIGHT
       The daemon is free software.  You can redistribute it and/or modify it
       as you wish - as long as you don't claim that you wrote it.

AVAILABILITY
       The source code for the latest version of the daemon can always be
       FTP'd from one of the following addresses:

       Main site:


AUTHOR
       The author can be contacted at:

       Email:     Peter Eriksson <>

SEE ALSO
       idecrypt(8), ikeygen(8), authuser(3), inetd.conf(5),

                                  8 Jan 1999                         identd(1)

