pidentd + fm patch v1.1
by Cory Visi <merlin@cert.bawx.net>
-----------------------------------

Installation
------------

pidentd+fm patch is a unified diff patch that applies to the pidentd source
code. The latest source code can be obtained here:

ftp.lysator.liu.se/pub/ident/servers

Version 1.x of the patch applies to the stable series of pidentd (2.7.x and 
2.8.x). Later versions will also apply to the development series (3.x.x). As 
of March 3, 1999, the latest stable release is 2.8.5. Version 1.x of the patch
will apply cleanly to pidentd 2.8.5. It will also apply to other versions with
possible minor rejections. No functionality should be lost except in the case
of an update to a kernel-specific module. In this case a little editing
should restore the functionality.

To apply the patch, first extract the pidentd source code. Enter the relevant
directory, and use:

patch -p1 < pidentd+fm-1.1.patch

to apply the fm patch. Now edit the Makefile. Depending on your system, you
may want to change some paths and filenames. Select the various -D (DEFINE)
options available. The options specific to the patch will be discussed later.
Finally, make <os> && make install.

NOTE: If you compiled your Linux kernel with the secure procfs patch you must
      run pidentd with sufficient access to read /proc. There is no need to
      run pidentd as root (highly discouraged), only as a user with privileges
      to read /proc (i.e. put that user in the procfs access group).

COMMENT: The -o option tells pidentd to always respond with "OTHER" for the
         operating system type. The response "OTHER" is not always accepted
         as a valid operating system type. If you are having problems with
         pidentd and are using this option, try removing it.

Features and Usage
------------------

Fakeid Option
-------------
The fakeid option allows users to set up an alternate username to be idented
as. This option is enabled by running pidentd with the -x option. Only one of
the -N (hidden users allowed with .noident) and -x options can be used at a
time; they are mutually exclusive. A user can then place a string of up to ten
characters in ~/.fakeid (anything longer is truncated). This file is read
during an ident query and the string is returned as the user instead of the
real username.

By default, the string in ~/.fakeid is ignored if it matches a valid username
entry in /etc/passwd. This restriction is not imposed on a user of uid 0. It
exists to provide some security on multi-user systems, and can be disabled by
removing -DSECURE_FAKEID from the Makefile.

BitchX can directly interface with this feature via the "/newuser" command if
it is compiled properly. After running the configure script, edit
include/config.h in the BitchX source tree. Make sure CIDENTD and WDIDENT are
not defined and change the third DEFAULT_IDENT_HACK file to ".fakeid". The
compile options can also be bypassed with the command "/set IDENT_HACK .fakeid".
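The following is an added illustration of the fakeid rules above, written for this
README and not taken from the pidentd+fm patch itself. It models in Python what the
patch does in C: truncate ~/.fakeid to ten characters, and with SECURE_FAKEID built
in, refuse an alias that collides with a real /etc/passwd login unless the requester
is uid 0. The function name, the handling of surrounding whitespace, and the passwd
set are assumptions made for the example.

```python
# Added illustration of the fakeid resolution rules; not pidentd code.
FAKEID_MAX_LEN = 10  # the patch truncates the ~/.fakeid string to ten characters


def resolve_ident(real_user, uid, fakeid_contents, passwd_users, secure_fakeid=True):
    """Return the username pidentd -x would report for a connection.

    real_user       - account that actually owns the socket
    uid             - that account's numeric uid
    fakeid_contents - raw text of ~/.fakeid, or None if the file does not exist
    passwd_users    - set of valid login names (what /etc/passwd contains)
    secure_fakeid   - True when built with -DSECURE_FAKEID (the default)
    """
    if fakeid_contents is None:
        return real_user
    # Assumption: only the first line matters and surrounding whitespace is
    # ignored; the README only specifies the ten-character truncation.
    alias = fakeid_contents.splitlines()[0] if fakeid_contents.strip() else ""
    alias = alias.strip()[:FAKEID_MAX_LEN]
    if not alias:
        return real_user
    # SECURE_FAKEID: a non-root user may not impersonate an existing account,
    # which is the multi-user protection the README describes.
    if secure_fakeid and uid != 0 and alias in passwd_users:
        return real_user
    return alias


# Constructed sample of valid logins, standing in for /etc/passwd.
SAMPLE_PASSWD = {"root", "alice", "bob", "nobody"}

if __name__ == "__main__":
    for who, uid, fake in (("alice", 1000, "wizard\n"),
                           ("alice", 1000, "bob\n"),
                           ("root", 0, "bob\n"),
                           ("alice", 1000, "abcdefghijklmnop\n")):
        print(who, uid, repr(fake), "->", resolve_ident(who, uid, fake, SAMPLE_PASSWD))
```

The second case is the one SECURE_FAKEID exists for: alice's request to be idented as bob is answered with her real login, while the same file owned by root is honoured.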

Static Linux IP Masquerading Support
------------------------------------
This option is only available on Linux systems. To enable IP masquerading
support, run pidentd with the -q option. When this option is enabled, pidentd
will attempt to identify a remote host, remote port, and local port set as
a "gateway" connection from an IP masqueraded system. A notice will be logged
via syslog (if you use -l) when an IP masqueraded lookup succeeds.

A user is associated with a relevant connection by use of a simple static
IP -> user,system-type mapping. The map file is an ASCII text file delimited
by tabs or spaces; its path is defined at compile time (default is
/etc/identd.masq). The file has three columns: IP, user, and system-type. No
comments or blank lines are allowed and the IP cannot be a hostname. A sample
file is provided with the patch. This file is read in every time a query is
made. In future versions of the patch, it will be hashed and read into memory
for faster lookups.

Relayed Linux IP Masquerading Support
-------------------------------------
This option is only available on Linux systems and when IP Masquerading support
is enabled (via the -q option).  This option allows an ident request to be
relayed to a machine behind an IP Masquerading Linux machine. The user and
system-type response is then passed to the remote ident request. This option
is slightly complicated, since by definition of the ident protocol (RFC 1413),
it cannot work. An "ident" is made by matching two ports (local and remote)
obtained via transmitted data and a remote address obtained via the connection.
Therefore, only a host with a certain established connection can request
identification of that connection. A Linux gateway system cannot request
identification for a connection to a remote system. The pidentd+fm patch 
implements a method of circumventing this limitation.

The option to relay an ident request is selected by specifying "RELAY" as the
system-type in the map file (/etc/identd.masq); the username is ignored. This
will succeed for all broken ident daemons that do not do proper lookups (e.g.
almost all Windows IRC clients implement a broken ident daemon).

To allow relayed ident requests to succeed on a *NIX machine being IP
Masqueraded, the machine behind the IP Masquerade must be running pidentd+fm
with the -Q option. This option makes pidentd less intelligent, in that it does
not check the remote address when performing a connection lookup. It is not
recommended that this option be used on an untrusted local network as it
disables a simple security check in the ident protocol.
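As an added example covering both the static map format and the RELAY system-type
above, here is a strict parser and lookup for the /etc/identd.masq format. It is
written for this README and is not code from the pidentd+fm patch; the sample map
is constructed, not the sample file shipped with the patch, and the function and
exception names are assumptions. It enforces the documented rules (exactly three
whitespace-separated columns, no comments or blank lines, a numeric IP rather than
a hostname) and reports a RELAY entry separately from a static answer.

```python
# Added example: parser and lookup for the documented /etc/identd.masq format.
# Not part of the pidentd+fm patch.
import ipaddress

MAP_PATH = "/etc/identd.masq"  # compile-time default named in the README


class MapFormatError(ValueError):
    """Raised when a line does not follow the documented map format."""


def parse_masq_map(text):
    """Parse map text into {ip: (user, system_type)}.

    Mirrors the README rules strictly: every line must have exactly three
    fields, blank lines and comments are errors, and the first field must be
    a literal IPv4 address, never a hostname.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()  # tabs or spaces both delimit, as the README allows
        if not fields:
            raise MapFormatError("line %d: blank lines are not allowed" % lineno)
        if fields[0].startswith("#"):
            raise MapFormatError("line %d: comments are not allowed" % lineno)
        if len(fields) != 3:
            raise MapFormatError("line %d: expected IP, user, system-type" % lineno)
        ip, user, systype = fields
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:
            raise MapFormatError("line %d: %r is not a numeric IP" % (lineno, ip)) from None
        entries[str(addr)] = (user, systype)
    return entries


def lookup_masq(entries, masq_host_ip):
    """Resolve a masqueraded host's IP to what pidentd -q would answer.

    Returns ("RELAY", None) when the map says to relay the request to the
    masqueraded host itself (its user column is ignored), (user, systype)
    for a static answer, or None when the host is not in the map.
    """
    hit = entries.get(masq_host_ip)
    if hit is None:
        return None
    user, systype = hit
    if systype == "RELAY":
        return ("RELAY", None)
    return hit


# Constructed sample map (tab- and space-delimited lines mixed on purpose).
SAMPLE_MAP = """\
192.168.1.10\tcory\tUNIX
192.168.1.11 guest   WIN32
192.168.1.12 ignored RELAY
"""

if __name__ == "__main__":
    table = parse_masq_map(SAMPLE_MAP)
    for host in ("192.168.1.10", "192.168.1.12", "192.168.1.99"):
        print(host, "->", lookup_masq(table, host))
```

Rejecting hostnames outright, rather than resolving them, matches the README and also keeps a DNS answer from deciding which user an ident query reports.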

---
Many configurations have still not been tested. If you have any comments,
suggestions, and especially bug reports, please e-mail me at Cory Visi
<merlin@cert.bawx.net>.
