nullidentd ---------- Version 1.0 Copyright 1999 Brian Young <bayoung@acm.org> Modified 2011 by dxtr What ---- nullidentd is intended to be a bare minimum identd server. The program implements the auth protocol from RFC 1413. This protocol is used to identify active TCP connections. It depends on the trustworthiness of the server and as such is completely useless as a method of identification. Unfortunately some applications still require that an identd server is available to query about incoming connections. nullidentd implements the absolute minimum server to allow these applications to function. It returns a fake response for any request. Note that a similar effect to nullidentd can be acheived by rejecting connections to the auth port. Servers usually don't require a response. Under Linux kernel version 2.0.x the following command accomplishes this: ipfwadm -I -a reject -P tcp -y -D 0/0 auth For kernel version 2.2.x the ipchains command is: ipchains -A input -j REJECT -p tcp -y -d 0/0 auth The auth port is tcp 113. Goals ----- When I determined that I needed to run an identd server on my server I looked for the simplest identd server I could find. I didn't find one as simple as I wanted. nullidentd is a single source file less than 150 lines long. It is intended to be so simple that it is probably bug free. It can certainly be understood in its entirety with no difficulty. It should also be somewhat immune to denial of service attacks by following strict timeouts on idle clients. Installation ------------ Build the program by simply typing 'make'. Edit the makefile if it's required. There is a 'make install' rule, but you may want to edit the makefile to set the installation directory. nullidentd has been built and tested on a Linux 2.2 system. Portability fixes are welcomed. nullidentd must be run from inetd. I have the following line in my inetd.conf: auth stream tcp nowait nobody /usr/local/sbin/nullidentd nullidentd There's only one (optional) parameter, it specifies what userid the identd server will return as a response. The default userid is 'foobar'. Note that no validation is attempted on the port numbers of the request. Rant ---- If you write or maintain any application that requires or even uses identd PLEASE STOP. The protocol is completely untrustworthy and as such is useless for purposes of identification. If an application really requires identification of users it should have a more secure means, e.g. passwords. If the application doesn't require this level of identification then it implicitly allows anonymous clients, hence the userid of a client is not needed.