identd problems – patch
I had some identd problems on IRC today and I think I figured out the cause.
You
may also want to see auth/tcp server failing (looping),
service terminated.
The issue
Today I did some firewall work and rearranged the startup procedures on my box.
Basically, I moved stuff from /etc/rc.local to /usr/local/etc/rc.d
(because the former is now deprecated and it is recommended that you use the latter only;
see Starting stuff at boot time). After restarting the box
and gettng back onto IRC, I found my hostmask wasn’t correct. It had a ~ in front of
it. This indicates that your ident failed (I admit to not knowing much about this
area, so my basics may be wrong).
What I tried
My first thoughts were that my firewall was blocking the incoming requests. So I
tried this from an external connection:
$ telnet mydomain.org 113 Trying my.ip.addre.ss... Connected to my.org. Escape character is '^]'.
OK. The incoming requests are being accepted. So what’s wrong?
What worked
After trying the above, I remembered that I’d been fooling around with the identd
command line options. I had recently added -o and -e so
I removed both of these and hup’d inetd. identd now
worked. With a bit more playing, I figured out it was the -o option which was
causing the ident to fail. From the ident man page:
The -o flag tells identd to not reveal the operating sys- tem type it is run on and to instead always return "OTHER".
Interesting.
Other notes
Most of you will know that I run Windows NT on my desktop. mIRC is my
favoured IRC client. Within mIRC, under File | Setup | Identd, you’ll see the
options for an identd server. I found these options were not necessary when
I was running identd on my gateway. In fact, they had no effect.
Testing identd
Here is an easy way to test if identd is working. This is best done
with two telnet sessions. This example assumes you have telnet enabled and you are
worked
ident works quite simply by providing a mechanism to verify if someone is
connected or not. It allows one computer to ask another "is so-and-so connected
to my port from this port on your box?". It is a simple verification
method. In this test, we will connect to our box from our box, then check the ports
being used, then ask ident for a verification.
In the first telnet session, we will set up a telnet to ourselves but not do anything
with it. In the second telnet session, we look at the first session and see what
port it is connecting from. Then we’ll use that information in our ident query.
- In your first telnet session, connect to the localhost, and leave it sitting there.
You don’t have to login.# telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
login: - In your second telnet session, find out what port your telnet is trying to connect from.
Run netstat -a and look for something like this:tcp 0 0
localhost.telnet localhost.1380 ESTABLISHED - Then type this. 113 is the identd port. 23 is the port telnet
connects to. And 1380 is the port we were connecting from in step 2.
Subsititute the port you found in step 2.
$ telnet localhost 113
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
23,1380
23 , 1380 : USERID : UNIX:DAN
Connection closed by foreign host.
Given all of the above steps, you should be able to verify that identd is
running.
An identd patch
I created a patch for pidentd-2.8.5 because I didn’t like the way the -N
option worked. From man identd:
The -n flag tells identd to always return user numbers instead of user names if you wish to keep the user names a secret. The -N flag makes identd check for a file ".noident" in each homedirectory for a user which the dae- mon is about to return the user name for. It that file exists then the daemon will give the error HIDDEN-USER instead of the normal USERID response.
However, identd returns this if you use the -N flag and have a .noident
file in the home directory:
23 , 1380 : ERROR : HIDDEN-USER
which is an error, oddly enough. I’d rather have success than a error. So I
made a patch to fix this. With that patch,
the following is returned for a .noident user:
23 , 1380 : USERID : UNIX:HIDDEN-USER
That’s useful for some users which you may not wish to ident, but still wish to return
a valid ident response.