identd problems – patch
I had some identd problems on IRC today and I think I figured out the cause.You may also want to see auth/tcp server failing (looping), service terminated.
The issue
Today I did some firewall work and rearranged the startup procedures on my box. Basically, I moved stuff from /etc/rc.local to /usr/local/etc/rc.d (because the former is now deprecated and it is recommended that you use the latter only; see Starting stuff at boot time). After restarting the box and gettng back onto IRC, I found my hostmask wasn’t correct. It had a ~ in front of it. This indicates that your ident failed (I admit to not knowing much about this area, so my basics may be wrong).What I tried
My first thoughts were that my firewall was blocking the incoming requests. So I tried this from an external connection:$ telnet mydomain.org 113 Trying my.ip.addre.ss... Connected to my.org. Escape character is '^]'.
OK. The incoming requests are being accepted. So what’s wrong?
What worked
After trying the above, I remembered that I’d been fooling around with the identd command line options. I had recently added -o and -e so I removed both of these and hup’d inetd. identd now worked. With a bit more playing, I figured out it was the -o option which was causing the ident to fail. From the ident man page:The -o flag tells identd to not reveal the operating sys- tem type it is run on and to instead always return "OTHER".
Interesting.
Other notes
Most of you will know that I run Windows NT on my desktop. mIRC is my favoured IRC client. Within mIRC, under File | Setup | Identd, you’ll see the options for an identd server. I found these options were not necessary when I was running identd on my gateway. In fact, they had no effect.Testing identd
Here is an easy way to test if identd is working. This is best done with two telnet sessions. This example assumes you have telnet enabled and you are workedident works quite simply by providing a mechanism to verify if someone is connected or not. It allows one computer to ask another "is so-and-so connected to my port from this port on your box?". It is a simple verification method. In this test, we will connect to our box from our box, then check the ports being used, then ask ident for a verification.
In the first telnet session, we will set up a telnet to ourselves but not do anything with it. In the second telnet session, we look at the first session and see what port it is connecting from. Then we’ll use that information in our ident query.
- In your first telnet session, connect to the localhost, and leave it sitting there.
You don’t have to login.
# telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
login: - In your second telnet session, find out what port your telnet is trying to connect from.
Run netstat -a and look for something like this:
tcp 0 0 localhost.telnet localhost.1380 ESTABLISHED
- Then type this. 113 is the identd port. 23 is the port telnet connects to. And 1380 is the port we were connecting from in step 2. Subsititute the port you found in step 2.
Given all of the above steps, you should be able to verify that identd is running.$ telnet localhost 113
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
23,1380
23 , 1380 : USERID : UNIX:DAN
Connection closed by foreign host.
An identd patch
I created a patch for pidentd-2.8.5 because I didn’t like the way the -N option worked. From man identd:The -n flag tells identd to always return user numbers instead of user names if you wish to keep the user names a secret. The -N flag makes identd check for a file ".noident" in each homedirectory for a user which the dae- mon is about to return the user name for. It that file exists then the daemon will give the error HIDDEN-USER instead of the normal USERID response.
However, identd returns this if you use the -N flag and have a .noident file in the home directory:
23 , 1380 : ERROR : HIDDEN-USER
which is an error, oddly enough. I’d rather have success than a error. So I made a patch to fix this. With that patch, the following is returned for a .noident user:
23 , 1380 : USERID : UNIX:HIDDEN-USER
That’s useful for some users which you may not wish to ident, but still wish to return a valid ident response.