SUMMARY: pidentd 3.0.18 on Solaris 10 with DES encryption

How to compile pidentd 3.0.18 on Solaris GA with DES encryption support
and
How to send unencrypted identd info to local hosts, and encrypted identd
information to remote systems, using tcp_wrappers

download pidentd 3.0.18
ftp://ftp.lysator.liu.se/pub/ident/servers/

apply patch to k_sunos510.c
http://sunportal.codeprof.com/pipermail/summaries/2005-February/006132.html

disable IPv6 by removing "-DHAVE_IPV6=1" from the CPPFLAGS in the
configure script. (It is not sufficient to use -DHAVE_IPV6=0: the
include file sockaddr.h tests the macro with #ifdef HAVE_IPV6, and
-DHAVE_IPV6=0 still defines it.)

*** pidentd-3.0.18/configure.FCS Sun Jun 13 00:38:42 2004
--- pidentd-3.0.18/configure Sat Feb 19 11:52:20 2005
***************
*** 2379,2385 ****
;;
*10)
host_os=sunos510
! CPPFLAGS="$CPPFLAGS -DHAVE_IPV6=1"
;;
esac
if test "`isainfo -k`" = "sparcv9"; then
--- 2379,2385 ----
;;
*10)
host_os=sunos510
! CPPFLAGS="$CPPFLAGS"
;;
esac
if test "`isainfo -k`" = "sparcv9"; then
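Review bot: the edit in the `*10)` case removes the only IPv6 define but leaves a no-op assignment `CPPFLAGS="$CPPFLAGS"`; that keeps the hunk minimal and the case structure intact, which is fine, but it is an edit to the generated `configure` script (the untouched copy is kept as `configure.FCS`), so it is lost whenever `configure` is regenerated by autoconf, and it only touches the sunos510 case. If the build is to be repeated, apply the same removal to the autoconf input the script is generated from rather than to the script itself.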

Set up some environment variables (csh syntax; I am using SUNWspro version 10
to compile) and run configure, then make:

# setenv PATH /usr/ccs/bin:/opt/SUNWspro/bin:$PATH
# setenv CC cc
# setenv CFLAGS -fast
# setenv LDFLAGS "-s -L/usr/sfw/lib/64 -R/usr/sfw/lib/64"
# unsetenv LD_LIBRARY_PATH
# ./configure --prefix="" --with-threads=yes --with-des=yes --with-des-includes=/usr/sfw/include --with-des-libraries=/usr/sfw/lib/64
# make

voila, you should have an identd supporting encryption....

# ls -l pidentd-3.0.18/src/{identd,ibench,idecrypt,ikeygen}
-rwxr-xr-x 1 locadm locadm 12256 Feb 19 11:55 pidentd-3.0.18/src/ibench
-rwxr-xr-x 1 locadm locadm 27776 Feb 19 11:55 pidentd-3.0.18/src/idecrypt
-rwxr-xr-x 1 locadm locadm 86512 Feb 19 11:55 pidentd-3.0.18/src/identd
-rwxr-xr-x 1 locadm locadm 10728 Feb 19 11:55 pidentd-3.0.18/src/ikeygen

# ldd pidentd-3.0.18/src/identd
libpthread.so.1 => /lib/64/libpthread.so.1
libcrypto.so.0.9.7 => /usr/sfw/lib/64/libcrypto.so.0.9.7
libkvm.so.1 => /usr/lib/64/libkvm.so.1
libelf.so.1 => /lib/64/libelf.so.1
libnsl.so.1 => /lib/64/libnsl.so.1
libsocket.so.1 => /lib/64/libsocket.so.1
libc.so.1 => /lib/64/libc.so.1
libmp.so.2 => /lib/64/libmp.so.2
libmd5.so.1 => /lib/64/libmd5.so.1
libscf.so.1 => /lib/64/libscf.so.1
libdoor.so.1 => /lib/64/libdoor.so.1
libuutil.so.1 => /lib/64/libuutil.so.1
libm.so.2 => /lib/64/libm.so.2
/platform/SUNW,Sun-Blade-1000/lib/sparcv9/libc_psr.so.1
/platform/SUNW,Sun-Blade-1000/lib/sparcv9/libmd5_psr.so.1

I install identd as /usr/sbin/in.identd:
-r-xr-xr-x 1 root bin 86512 Feb 19 11:56 /usr/sbin/in.identd

Added a line to /etc/inet/inetd.conf:
ident stream tcp nowait root /usr/sbin/in.identd in.identd -i -E

And imported the new line:
# inetconv -f
100235/1 -> /var/svc/manifest/network/rpc/100235_1-rpc_ticotsord.xml
Importing 100235_1-rpc_ticotsord.xml ...Done
100083/1 -> /var/svc/manifest/network/rpc/100083_1-rpc_tcp.xml
Importing 100083_1-rpc_tcp.xml ...Done
100068/2-5 -> /var/svc/manifest/network/rpc/100068_2-5-rpc_udp.xml
Importing 100068_2-5-rpc_udp.xml ...Done
ident -> /var/svc/manifest/network/ident-tcp.xml
Importing ident-tcp.xml ...Done

Generated a key in /etc/identd.key
# pidentd-3.0.18/src/ikeygen

Verify that the ident service is listening:

# netstat -an |grep 113
*.113 *.* 0 0 49152 0 LISTEN

Quick test:
# telnet localhost 113
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
33201,113
33201 , 113 : USERID : OTHER :[1UTLQodFC6rk9PV9xhMBzXb+WIfMZl6n]
Connection to localhost closed by foreign host.

33201 is the local port number of the telnet connection; find it with netstat
run while the connection is still established:

# netstat -an |grep 113
*.113 *.* 0 0 49152 0 LISTEN
127.0.0.1.33201 127.0.0.1.113 49152 0 49152 0 ESTABLISHED
127.0.0.1.113 127.0.0.1.33201 49152 0 49152 0 ESTABLISHED
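The reply lines in these transcripts follow the RFC 1413 ident format, and the difference between a plain and an encrypted identd shows up only in the opsys and user-id fields (UNIX with a login name, versus OTHER with a bracketed base64 token). The parser below is an added example, not part of the original message or of pidentd: it splits a reply into its fields, checks that the echoed port pair is the one that was queried, and classifies the bracketed token without attempting to decrypt it (only the holder of /etc/identd.key can do that, with idecrypt). The sample replies are constructed after the transcripts on this page; the ERROR line is a constructed example of the RFC 1413 error form.

```python
"""Parser and sanity checks for ident (RFC 1413) reply lines such as the
ones in the telnet transcripts.  Added example, not pidentd code; the
sample replies below are constructed after the transcripts."""
import base64
import binascii
import re
from typing import Optional

# Reply grammar (RFC 1413; whitespace around the tokens is permitted):
#   <server-port> , <client-port> : USERID : <opsys>[ , <charset>] : <user-id>
#   <server-port> , <client-port> : ERROR : <error-type>
_REPLY = re.compile(
    r"^\s*(?P<sport>\d{1,5})\s*,\s*(?P<cport>\d{1,5})\s*:\s*"
    r"(?P<type>USERID|ERROR)\s*:\s*(?P<rest>.*?)\s*$"
)


def parse_ident_reply(line: str) -> dict:
    """Split one reply line into its fields.

    Returns a dict with 'ports' and 'type'; for USERID replies also 'opsys',
    'charset', 'userid', 'encrypted' and 'token_len' (decoded byte length of
    the bracketed token, or None when the user id is plain text).
    """
    m = _REPLY.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not an ident reply: {line!r}")
    sport, cport = int(m["sport"]), int(m["cport"])
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        raise ValueError(f"port out of range in reply: {line!r}")
    if m["type"] == "ERROR":
        return {"ports": (sport, cport), "type": "ERROR", "error": m["rest"]}

    # USERID: everything after the next ':' is the user id, taken verbatim
    opsys_field, sep, userid = m["rest"].partition(":")
    if not sep:
        raise ValueError(f"USERID reply without user-id field: {line!r}")
    opsys, _, charset = (s.strip() for s in opsys_field.partition(","))
    userid = userid.strip()

    # identd -E answers "OTHER" with a base64 token in brackets; we only
    # check that the token decodes, we cannot (and do not) decrypt it
    encrypted = opsys == "OTHER" and userid.startswith("[") and userid.endswith("]")
    token_len: Optional[int] = None
    if encrypted:
        try:
            token_len = len(base64.b64decode(userid[1:-1], validate=True))
        except binascii.Error as exc:
            raise ValueError(f"malformed encrypted token: {line!r}") from exc
    return {
        "ports": (sport, cport),
        "type": "USERID",
        "opsys": opsys,
        "charset": charset or None,
        "userid": userid,
        "encrypted": encrypted,
        "token_len": token_len,
    }


def reply_matches_query(query: str, reply: str) -> bool:
    """True when the reply echoes the port pair that was sent as the query
    ('<server-port> , <client-port>'); a mismatch means the answer is not
    about the connection that was asked for."""
    try:
        sport, cport = (int(p) for p in query.split(",", 1))
    except ValueError:
        return False
    try:
        return parse_ident_reply(reply)["ports"] == (sport, cport)
    except ValueError:
        return False


# Constructed samples, modelled on the transcripts
ENCRYPTED_REPLY = "33201 , 113 : USERID : OTHER :[1UTLQodFC6rk9PV9xhMBzXb+WIfMZl6n]"
PLAIN_REPLY = "33220 , 113 : USERID : UNIX :locadm"
ERROR_REPLY = "113 , 59519 : ERROR : NO-USER"

if __name__ == "__main__":
    for r in (ENCRYPTED_REPLY, PLAIN_REPLY, ERROR_REPLY):
        print(parse_ident_reply(r))
    print(reply_matches_query("33201,113", ENCRYPTED_REPLY))
```

The 32-character token decodes to 24 bytes, which is all a third party learns from it; mapping it back to a user id requires idecrypt and the key generated by ikeygen.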

A big thank you to Jim Seymour and Casper Dik for helping me to find the
right way to make this work!

Cheers
--pwo

P.S.: we use tcp_wrappers to run identd with encryption for remote
connections, and without encryption for the local domain. I still
have to test this setup with Solaris 10 .... but basically this is
how it works:

Add to inetd.conf the entry without encryption:

/etc/inet/inetd.conf
ident stream tcp nowait root /usr/sbin/in.identd in.identd -i

Use inetconv -f to import the line.

Add to /etc/hosts.allow:
in.identd : LOCAL, .YourLocalDomain

Add to /etc/hosts.deny:
in.identd : ALL : twist /usr/sbin/in.identd -i -E

Enable tcp_wrappers for inetd services:

# inetadm -p |grep -i tcp_wrappers
# inetadm -M tcp_wrappers=TRUE
# inetadm -p |grep -i tcp_wrappers

Now local clients should see an output similar to this:
# telnet localhost 113
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
33220,113
33220 , 113 : USERID : UNIX :locadm
Connection to localhost closed by foreign host.

And remote clients will see:
# telnet solris10-test-system 113
Trying 10.10.10.10...
Connected to solris10-test-system.
Escape character is '^]'.
113,59519
113 , 59519 : USERID : OTHER :[dEXYGVB+MZTOQRz5c6SauaW3hvn21hlo]
Connection closed by foreign host.
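The selection between the two identd invocations happens entirely in the tcp_wrappers access check: hosts.allow is searched first, a match there runs the plain service from inetd.conf, and the catch-all hosts.deny entry uses twist to replace the service with the encrypting command instead of refusing the connection. The model below is an added example, not part of the original message or of tcp_wrappers; it implements only the subset of hosts_access(5) matching that these two rules need (ALL, LOCAL, a leading-dot domain suffix and exact names) and takes the client's already resolved name as input. Real tcp_wrappers resolves the client address to a name before matching host-name patterns, so a client whose address has no reverse mapping cannot match LOCAL or .YourLocalDomain and falls through to the encrypted path; the model reproduces that by treating a bare address as the name.

```python
"""Model of how the hosts.allow / hosts.deny pair above picks the plain
or the encrypted identd for a client.  Added example, not tcp_wrappers
code; covers only the pattern types the two rules use."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    daemons: List[str]
    clients: List[str]
    twist: Optional[str] = None  # command from a "twist" option, if present


# The rules from the message, as tcp_wrappers would read them
HOSTS_ALLOW = [Rule(["in.identd"], ["LOCAL", ".YourLocalDomain"])]
HOSTS_DENY = [Rule(["in.identd"], ["ALL"], twist="/usr/sbin/in.identd -i -E")]
PLAIN_CMD = "/usr/sbin/in.identd -i"  # the inetd.conf entry, without -E


def client_matches(pattern: str, client_name: str) -> bool:
    """hosts_access(5) client patterns used by the two rules:
    ALL matches everything; LOCAL matches a name without a dot (a host in
    the server's own domain); a pattern starting with '.' matches any name
    ending in that suffix; anything else is an exact host name."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in client_name
    if pattern.startswith("."):
        return client_name.lower().endswith(pattern.lower())
    return client_name.lower() == pattern.lower()


def rule_matches(rule: Rule, daemon: str, client_name: str) -> bool:
    daemon_ok = any(d in ("ALL", daemon) for d in rule.daemons)
    return daemon_ok and any(client_matches(p, client_name) for p in rule.clients)


def hosts_access(daemon: str, client_name: str) -> Optional[str]:
    """Return the command line that will serve this client, or None when
    the connection is refused.  Search order is the one tcp_wrappers uses:
    hosts.allow first, then hosts.deny, and allow when neither matches."""
    for rule in HOSTS_ALLOW:
        if rule_matches(rule, daemon, client_name):
            return rule.twist or PLAIN_CMD
    for rule in HOSTS_DENY:
        if rule_matches(rule, daemon, client_name):
            # twist replaces the service process with its command, so a
            # matching hosts.deny entry with twist still answers the client,
            # just through the command named there (here identd with -E).
            return rule.twist
    return PLAIN_CMD


if __name__ == "__main__":
    for client in ("localhost", "ws01.YourLocalDomain", "10.10.10.10",
                   "ws01.YourLocalDomain.example.net"):
        print(f"{client:36} -> {hosts_access('in.identd', client)}")
```

The last sample client shows why the leading dot matters: ".YourLocalDomain" is a suffix match on the resolved name, so a host under some other domain that merely contains the string does not get the plain service.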

--
Peter W. Osel Email: pwo at Infineon.COM
Principal - Development Systems Phone: +1.408.501.6321
Infineon Technologies Cell: +1.408.348.6735
North America Corp. Cell: +49.160.475.8577 (outside US)
1730 North First Street Fax: +1.408.501.2410
San Jose, CA 95112, USA WWW: http://pwo.de/

pgp key fingerprint = 79 2D DD 49 C0 AA D8 CF 2C F9 A5 6A BA 37 0E 28

[6553 byte] By [CodeProf.com] at [2007-12-25 4:34:00]