OIDENTD(8)		      oidentd User Manual		    OIDENTD(8)

       oidentd - flexible, RFC 1413 compliant ident daemon with	NAT support

       oidentd [OPTIONS]

       oidentd implements the Identification Protocol as described in RFC
       1413. By	default, oidentd replies with the username of the owner	of
       connections. This behavior can be altered in oidentd.conf(5) and	by
       using the options specified in this document.

       -a, --address=ADDRESS
	   Bind	to the specified address. This option causes oidentd to	listen
	   for incoming	connections only on the	specified address or addresses
	   instead of on all interfaces. This option may be specified more
	   than	once to	configure multiple addresses.

       -c, --charset=CHARSET
	   Inform clients that ident replies use the specified character set
	   as defined in RFC 1340 or its successors. The default is not	to
	   send	a character set	to clients.

       -C, --config=FILE
	   Use the specified system-wide configuration file. If	this option is
	   not given, oidentd defaults to /usr/local/etc/oidentd.conf. The
	   format of the system-wide configuration file	is described in

       -d, --debug
	   Show	debug messages,	including detailed lookup information that may
	   be useful for diagnosing issues with	failed lookups.	This option is
	   only	available if oidentd was compiled with debugging support.

       -e, --error
	   Hide	error messages,	returning UNKNOWN-ERROR	for all	errors.	This
	   includes the	NO-USER, HIDDEN-USER and INVALID-PORT errors. This
	   option may be used to conceal the fact that oidentd is hiding ident
	   responses for a user.

       -f, --forward=[PORT]
	   Forward requests for	hosts masquerading through the server oidentd
	   is running on to the	host that established the corresponding
	   connection. The target host must be running oidentd with the
	   --proxy option, or some ident server	returning static responses
	   regardless of the query. If no port is specified, the default ident
	   port	(113) is used. If forwarding fails, oidentd falls back to the
	   response specified in oidentd_masq.conf(5). This option implies
	   --masquerade. The --masquerade-first	option can be used to forward
	   queries only	if no response was specified in	oidentd_masq.conf(5).

       -g, --group=GROUP|GID
	   Run as the specified	group or GID. If this option is	not given,
	   oidentd falls back to running as "oidentd", "nobody", "nogroup" or
	   GID 65534, in this order. On	systems	that require oidentd to	run as
	   the superuser, a warning is shown and the group is not changed

       -h, --help
	   Print a summary of options and exit.

       -i, --foreground
	   Do not fork to background. This option may be useful	for debugging,
	   or for running oidentd from a service manager like systemd(1) with

       -I, --stdio
	   Read	a single ident query from standard input, write	the response
	   to standard output, then exit. This option may be useful for
	   debugging, or when running oidentd from a listener daemon such as

       -l, --limit=MAX
	   Limit the maximum number of concurrent connections to the specified
	   value. Further connections beyond this limit	will be	closed
	   immediately without spawning	a new process. If this option is not
	   specified, no limit is enforced.

       -m, --masquerade
	   Enable support for NAT connections, allowing	Ident lookups intended
	   for hosts masquerading through the server running oidentd. Ident
	   responses for NAT connections can be	configured in the
	   oidentd_masq.conf(5)	configuration file.

       -M, --masquerade-first
	   If an entry matching	the target host	exists in the
	   oidentd_masq.conf(5)	configuration file, return the configured
	   Ident response instead of forwarding	the query. With	this option,
	   queries are forwarded only if no static response has	been
	   configured. If this option is not specified,	the default behavior
	   of --forward	is to forward queries before checking the
	   oidentd_masq.conf(5)	file. This option implies --forward and

       -o, --other=[OS]
	   Set an alternative operating	system string to send alongside	ident
	   responses. Note that	some clients may interpret queries as having
	   failed when an unknown operating system is returned.	If this	option
	   is not specified, the value UNIX is used. If	this option is
	   specified without an	argument, OTHER	is returned.

       -p, --port=PORT
	   Listen on the specified port	instead	of port	113.

       -P, --proxy=ORIGIN
	   Allow the specified host to forward queries to this instance	using
	   the --forward option. If --reply is not specified, this option must
	   be enabled for oidentd to correctly handle forwarded	connections.

       -q, --quiet
	   Suppress normal logging, showing only critical messages.

       -r, --reply=REPLY
	   When	a lookup fails,	send the specified ident response as if	it had

       -R, --reply-all=REPLY
	   Send	the specified reply in response	to all well-formed queries.
	   When	this option is used, the configuration files are not read and
	   connection lookups are never	performed. Privileged initialization
	   is not performed on systems that would otherwise require it,	so
	   unprivileged	users can run oidentd with this	option as long as they
	   have	permission to bind the requested port.

       -S, --nosyslog
	   Log messages	to the standard	error stream, even if it is not	a
	   terminal. If	standard error is a terminal, messages are written to
	   it by default.

       -t, --timeout=SECONDS
	   Close connections if	no ident query is received within the
	   specified number of seconds.	By default, connections	are closed
	   after 30 seconds.

       -u, --user=USER|UID
	   Run as the specified	user or	UID. If	this option is not given,
	   oidentd falls back to running as "oidentd", "nobody"	or UID 65534,
	   in this order. On systems that require oidentd to run as the
	   superuser, a	warning	is shown and the user is not changed

       -U, --udb
	   Look	up connection owners using libudb. Lookup results that do not
	   match any local user	are returned verbatim. If a UDB	lookup fails,
	   the operating system	is queried directly. This option also applies
	   to NAT connections if the --masquerade option is specified.

       -v, --version
	   Print version and build information and exit.
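
       The following is an added example, not part of the oidentd manual or
       source. It parses RFC 1413 reply lines so that the effect of --charset,
       --other and --error on the response can be checked; the function names
       and the sample replies are constructed for illustration.

```python
import re

PORTS = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")
# Error tokens named on this page; -e/--error replaces them with UNKNOWN-ERROR.
SPECIFIC_ERRORS = {"NO-USER", "HIDDEN-USER", "INVALID-PORT"}


def parse_ident_reply(line):
    """Parse one RFC 1413 reply line; raise ValueError if it is malformed."""
    # The user-id field may contain ':' itself, so split at most three times.
    parts = line.rstrip("\r\n").split(":", 3)
    m = PORTS.match(parts[0])
    if len(parts) < 3 or not m:
        raise ValueError("malformed reply: %r" % line)
    reply = {"ports": (int(m.group(1)), int(m.group(2))),
             "type": parts[1].strip()}
    if reply["type"] == "ERROR" and len(parts) == 3:
        reply["error"] = parts[2].strip()
    elif reply["type"] == "USERID" and len(parts) == 4:
        # opsys-field is "OPSYS" or "OPSYS,CHARSET" (see --other, --charset).
        opsys, _, charset = parts[2].strip().partition(",")
        reply["opsys"] = opsys.strip()
        reply["charset"] = charset.strip() or None  # None: no charset sent
        reply["user"] = parts[3]  # kept verbatim, including any ':'
    else:
        raise ValueError("malformed reply: %r" % line)
    return reply


def disclosure(reply):
    """Return what a remote peer learns from a parsed reply."""
    if reply["type"] == "USERID":
        return "user"
    if reply["error"] in SPECIFIC_ERRORS:
        return "error-detail"  # e.g. HIDDEN-USER shows a reply is being hidden
    return "none"


# Constructed sample replies (not captured from a real server).
SAMPLES = [
    "6191,23:USERID:UNIX:alice\r\n",
    "6191,23:USERID:OTHER,UTF-8:a:b\r\n",
    "6191,23:ERROR:HIDDEN-USER\r\n",
    "6191,23:ERROR:UNKNOWN-ERROR\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        parsed = parse_ident_reply(sample)
        print(disclosure(parsed), parsed)
```

       With --error in effect, every error reply should classify as "none".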

	   System-wide configuration file; see oidentd.conf(5).

       ~/.config/oidentd.conf, ~/.oidentd.conf
	   User	configuration files; see oidentd.conf(5).

	   Masquerading	configuration file; see	oidentd_masq.conf(5).

       Janik Rabe <>

       Originally written by Ryan McCabe.

       Please report any bugs to Janik Rabe <>.

       oidentd.conf(5) oidentd_masq.conf(5)

oidentd	2.5.1							    OIDENTD(8)

