README for mdidentd v0.90
---------------------------

Last updated: $Date: 2008-02-10 18:23:39 -0600 (Sun, 10 Feb 2008) $

* Description
------------------
mdidentd is a special Ident daemon that permits processes to set their
own fake ident replies regardless of the userid they are running under.

mdidentd functions as a wrapper to the existing Ident daemon installed
on the system. It works by replying to fake ident requests on its own,
and delegating normal requests to the existing ident daemon. It can also
function stand-alone (i.e. without another daemon installed), but it will
only be able to service fake ident requests and nothing else.

mdidentd was written by Murat Deligonul (murat@linuxftw.com)

* How it works
----------------------
  * The server listens on tcp port 113 (the standard IDENT port) and on
    a domain socket residing by default at /var/run/mdidentd.
  * Programs register fake idents through the domain socket.
  * When mdidentd receives an ident request, it first checks its
    internal list of fake idents and replies with the fake one if a
    match is found. If no match is found, the system's other ident
    daemon is spawned to handle the request.

* Compiling
----------------------
mdidentd is not currently distributed in a stand alone package, so you
have probably obtained it with ezbounce. You will need to run
./configure from the top level ezbounce directory and then type

    make tools

You'll need a C++ compiler. GCC 3.2 or later will work fine.

* Installation
-----------------------
After compiling, mdidentd can be installed anywhere. The basic syntax
for running it is:

    mdidentd [options]

As mentioned, an existing Ident daemon is required. Furthermore, the
Ident daemon must be runnable from inetd (or similar software like
xinetd). This means that the daemon accepts network input from stdin
and responds through stdout. On many systems, these are set up by inetd
or xinetd; see their configuration files in /etc/inetd.conf or
/etc/xinetd.d/.
You will need to disable their operation there. Also make note of the
paths to the daemon executables and any command line options.

Some systems have stand-alone Ident daemons such as pidentd or oidentd.
mdidentd will not work with these, unless the daemons have an "inetd"
compatibility option.

Alternatively, mdidentd can be run standalone, by using "/bin/true" as
the existing Ident daemon. In this case, mdidentd can only service fake
ident requests -- it will have no way of processing any other requests.

Note that mdidentd will need to be run as root. It binds to port 113, a
privileged port, and creates a UNIX domain socket at /var/run/mdidentd.
There is a command line option available to make mdidentd become a
different user once it has created these resources. See below.

* Configuring ezbounce
------------------------
If you are using ezbounce, you will need to configure your users so
that they may use mdidentd for fake idents. An example:

    user "steve" {
        set enable-fake-idents 1
        ... other options ...
    }

You will also need to set the configuration option "fake-ident-method":

    set fake-ident-method "mdidentd"
    ... other proxy options ...
    user "xxx" {
        ...
    }

Once connected, a user may change his fake ident setting with the
'ident' command.

* Command line options
-----------------------
The full syntax for mdidentd's command line is:

    mdidentd [-f|-h|-u] [options]

  -f: Stay in the foreground. Do not fork and go into the background.

  -u : Become this user after binding to port 113. The uid needs to be
      a numeric id.

  -h : Set a limit on the number of fake idents that will be stored.

  -r: This prevents people from setting fake idents that happen to be
      names of valid users on the system.

  The path to an ident daemon. It must be something inetd-based. For
  most people it will be simply the path of the ident daemon that was
  listed in their inetd.conf file. Alternatively, you could use a dummy
  command such as /bin/true, but mdidentd will not be able to service
  non-fake ident requests.

  [options] Any additional command line options you want to pass to
  the ident daemon mentioned above.

* Other things
---------------
Fake ident requests for 'root' are not allowed. In the future I might
add support for a configuration file that will store lists of idents
people are not allowed to set.
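
Added example (not part of mdidentd's source): a small C++ model of the
registration rules and lookup described in "How it works", "Command
line options" and "Other things". Keying fake idents by the RFC 1413
port pair, the CR/LF check, and the names FakeIdentTable, add, reply and
is_system_user are assumptions; this README does not document the
internal list or the domain socket protocol.

```cpp
// Added illustration, not mdidentd source. Models the README's rules:
// no 'root', optional -r (reject real account names), optional -h (limit).
#include <pwd.h>
#include <cstdio>
#include <functional>
#include <map>
#include <string>
#include <utility>

// Default check for -r: does the name belong to a real local account?
inline bool is_system_user(const std::string& name) {
    return getpwnam(name.c_str()) != nullptr;
}

class FakeIdentTable {  // hypothetical name
public:
    using UserCheck = std::function<bool(const std::string&)>;
    FakeIdentTable(std::size_t limit, bool reject_real, UserCheck chk = is_system_user)
        : limit_(limit), reject_real_(reject_real), is_user_(std::move(chk)) {}

    // Register a fake ident for a (local port, remote port) pair (assumed key).
    bool add(unsigned lport, unsigned rport, const std::string& ident) {
        if (ident.empty() || ident == "root") return false;  // never 'root'
        if (ident.find_first_of("\r\n") != std::string::npos) return false;  // added precaution
        if (reject_real_ && is_user_(ident)) return false;   // -r
        auto key = std::make_pair(lport, rport);
        if (!table_.count(key) && table_.size() >= limit_) return false;  // -h
        table_[key] = ident;
        return true;
    }

    // Answer an RFC 1413 query line "lport , rport". An empty string means
    // no fake ident matched, so the request goes to the system ident daemon.
    std::string reply(const std::string& query) const {
        unsigned l = 0, r = 0;
        if (std::sscanf(query.c_str(), "%u , %u", &l, &r) != 2) return "";
        if (l < 1 || l > 65535 || r < 1 || r > 65535) return "";
        auto it = table_.find(std::make_pair(l, r));
        if (it == table_.end()) return "";
        return std::to_string(l) + " , " + std::to_string(r) +
               " : USERID : UNIX : " + it->second + "\r\n";
    }
private:
    std::size_t limit_;
    bool reject_real_;
    UserCheck is_user_;
    std::map<std::pair<unsigned, unsigned>, std::string> table_;
};
```

Because any local program that can reach the domain socket can register
a reply, services that receive ident answers from a host running
mdidentd cannot treat the returned userid as an account name.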