oidentd's Introduction

oidentd
=======

Version 3.1.0

Flexible, RFC 1413 compliant Ident daemon with NAT support.

oidentd is a flexible Ident daemon for Linux, FreeBSD, OpenBSD, NetBSD, and
DragonFly BSD.  It is highly configurable, allowing the system administrator to
define custom responses based on host and port pairs.  The administrator can
also grant capabilities to individual users to allow them to change their Ident
replies, generate random replies, or hide their connections.  oidentd supports
lookups for NAT connections and is able to forward queries to other servers.
Detailed descriptions of all features are available in the manual pages.

The INSTALL file contains instructions for installing oidentd.  The HACKING
file describes how to work with the source code.  Please consult the
KERNEL_SUPPORT.md file for information about the supported kernels.

oidentd is maintained and developed by Janik Rabe <[email protected]>, with
contributions from many people who are listed in the AUTHORS file.  oidentd was
originally written by Ryan McCabe <[email protected]>.

The most recent version of oidentd is available from
<https://oidentd.janikrabe.com/download>.

Please report any bugs or submit pull requests on GitHub:
<https://github.com/janikrabe/oidentd>.

oidentd's People

Contributors

dessa, fardalem, fknittel, fweimer-rh, hannob, heftig, janekr, janikrabe, jsonn, kufat, ppisar, ryan-mccabe, solbu

oidentd's Issues

Compilation with disabled IPv6 will fail

If you try to compile without enabling IPv6, but enabling masquerade, compilation will fail.

x86_64-pc-linux-gnu-gcc   -march=native -mfpmath=sse,387 -mtune=intel -O3 -frecord-gcc-switches -fomit-frame-pointer -malign-data=abi -mtls-dialect=gnu2 -pipe  -Wl,--as-needed -Wl,--defsym=__gentoo_check_ldflags__=0 -Wl,-O1 -Wl,--sort-common -Wl,-z,now -o oidentd oidentd.o util.o inet_util.o forward.o user_db.o options.o masq.o cfg_scan.o cfg_parse.o os.o -Lmissing -lmissing  -lnetfilter_conntrack
/usr/lib/gcc/x86_64-pc-linux-gnu/11.2.0/../../../../x86_64-pc-linux-gnu/bin/ld: os.o: in function `masq_ct_line.part.0':
os.c:(.text+0x824): undefined reference to `sin_setv6'
/usr/lib/gcc/x86_64-pc-linux-gnu/11.2.0/../../../../x86_64-pc-linux-gnu/bin/ld: os.c:(.text+0x846): undefined reference to `sin_setv6'
/usr/lib/gcc/x86_64-pc-linux-gnu/11.2.0/../../../../x86_64-pc-linux-gnu/bin/ld: os.c:(.text+0x853): undefined reference to `sin_setv6'
/usr/lib/gcc/x86_64-pc-linux-gnu/11.2.0/../../../../x86_64-pc-linux-gnu/bin/ld: os.c:(.text+0x862): undefined reference to `sin_setv6'
/usr/lib/gcc/x86_64-pc-linux-gnu/11.2.0/../../../../x86_64-pc-linux-gnu/bin/ld: os.c:(.text+0xa21): undefined reference to `get_user6'
collect2: error: ld returned 1 exit status

oidentd fails to drop privileges if they are already dropped

Sometime recently oidentd became unable to function if it was started with restricted privileges. I used to run xinetd with the config:

user = nobody
server = oidentd
server_args = -I

As far as I know this would start oidentd as nobody and oidentd would then listen to STDIO for the request that comes from xinetd. But now oidentd fails to start, complaining:

Fatal: Failed to drop privileges (global)

But if you listen from STDIO, you don't need to try to drop privileges if you are already non-root, no? You can easily test this by running oidentd as your own user:

➜  ~ oidentd -I
Fatal: Failed to drop privileges (global)

I had to change my xinetd config to say user = root and server_args = -I -u nobody, so now I am starting oidentd as root only for it to drop back to nobody immediately.

Is this an issue? I would have expected oidentd only to drop privileges if it's running as root in the first place.
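
One way to structure a privilege drop so that a process already running as the unprivileged target (the xinetd `user = nobody` case in the report above) is treated as a no-op. This is an added example, not oidentd's code; `plan_drop` and `drop_privileges` are hypothetical names, and failing closed when the process is unprivileged but is not the target is a design choice of this sketch.

```c
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum drop_plan { DROP_NOOP, DROP_REQUIRED, DROP_IMPOSSIBLE };

/* Pure decision step: what must happen to end up as target_uid/target_gid? */
enum drop_plan plan_drop(uid_t ruid, uid_t euid, gid_t egid,
                         uid_t target_uid, gid_t target_gid)
{
	if (ruid == target_uid && euid == target_uid && egid == target_gid)
		return DROP_NOOP;       /* e.g. xinetd already switched to the target */
	if (euid == 0)
		return DROP_REQUIRED;   /* root: IDs must actually be changed */
	return DROP_IMPOSSIBLE;     /* unprivileged and not the target: fail closed */
}

/* Returns 0 when the process ends up running as the target, -1 otherwise. */
int drop_privileges(uid_t target_uid, gid_t target_gid)
{
	switch (plan_drop(getuid(), geteuid(), getegid(), target_uid, target_gid)) {
	case DROP_NOOP:       return 0;
	case DROP_IMPOSSIBLE: return -1;
	case DROP_REQUIRED:   break;
	}
	/* Order matters: supplementary groups, then gid, then uid. */
	if (setgroups(1, &target_gid) != 0) return -1;
	if (setgid(target_gid) != 0) return -1;
	if (setuid(target_uid) != 0) return -1;
	/* A successful drop must be irreversible. */
	if (target_uid != 0 && setuid(0) == 0) return -1;
	return 0;
}

int main(void)
{
	/* Hypothetical target: stay as the invoking user, so this is a no-op. */
	int rc = drop_privileges(getuid(), getgid());
	printf("drop_privileges -> %d\n", rc);
	return rc == 0 ? 0 : 1;
}
```

The no-op branch compares the real, effective and group IDs only; supplementary groups inherited from the parent are not inspected in this sketch.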

use oidentd on macos

Hi,

Is it possible to adapt oidentd to macOS?

When I try to run ./configure:
(...)
checking for getopt_long... yes
checking for setgroups... yes
checking for unveil... no
checking for library containing socket... none required
checking for getaddrinfo... yes
checking for freeaddrinfo... yes
checking for gai_strerror... yes
checking for getnameinfo... yes
checking for inet_ntop... yes
checking for struct sockaddr_storage... yes
checking for ss_family member in struct sockaddr_storage... yes
checking for struct sockaddr_in6... yes
checking for struct in6_addr... yes
checking for struct addrinfo... yes
checking netinet/ip_compat.h netinet/ip_fil.h netinet/ip_nat.h usability... no
checking netinet/ip_compat.h netinet/ip_fil.h netinet/ip_nat.h presence... no
checking for netinet/ip_compat.h netinet/ip_fil.h netinet/ip_nat.h... no
checking for netinet/ip_nat.h... no
checking for /usr/src/sys/contrib/ipfilter/netinet/ip_nat.h... no
checking if nat_t has nat_p member... no
configure: error: oidentd does not yet support darwin20.5.0

Build error: error: parameter name omitted

When building on Mageia, I get this error:

gcc -DHAVE_CONFIG_H -I. -I.. -I "./missing" -D "SYSCONFDIR="/etc"" -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fPIC -std=gnu89 -MT os.o -MD -MP -MF .deps/os.Tpo -c -o os.o os.c
os.c: In function 'callback_nfct':
os.c:181:31: error: parameter name omitted
static int callback_nfct(enum nf_conntrack_msg_type,
^
os.c: In function 'masq':
os.c:469:19: error: 'CT_LIBNFCT' undeclared (first use in this function)
if (conntrack == CT_LIBNFCT) {
^
os.c:469:19: note: each undeclared identifier is reported only once for each function it appears in
os.c:470:11: error: expected expression before '{' token
query = { sock, lport, fport, laddr, faddr, 1 };
^
Makefile:477: recipe for target 'os.o' failed
make[3]: *** [os.o] Error 1
make[3]: Leaving directory '/home/solbu/mageia-rpm/oidentd/BUILD/oidentd-2.3.0/src'
Makefile:503: recipe for target 'install-recursive' failed
make[2]: *** [install-recursive] Error 1
make[2]: Leaving directory '/home/solbu/mageia-rpm/oidentd/BUILD/oidentd-2.3.0/src'
Makefile:660: recipe for target 'install' failed
make[1]: *** [install] Error 2
make[1]: Leaving directory '/home/solbu/mageia-rpm/oidentd/BUILD/oidentd-2.3.0/src'
Makefile:430: recipe for target 'install-recursive' failed
make: *** [install-recursive] Error 1
error: Bad exit status from /home/solbu/mageia-rpm/oidentd/BUILDROOT/rpm-tmp.OPcOzB (%install)

Segmentation fault when forwarding to Quassel

Hi there,
I recently noticed that oidentd is crashing.
Here is some information on what I've found in the syslog, as well as version information.

oidentd 2.3.1 by Janik Rabe <[email protected]>
Originally written by Ryan McCabe <[email protected]>
https://oidentd.janikrabe.com

Build information:
        Kernel driver: linux.c
        Needs kmem access: No
        Needs root access: No
        Debugging build: No
        Masquerading support: Yes
        IPv6 support: Yes
        Linux libcap-ng support: Yes
        Linux libnfct support: Yes
        UDB library support: No
Aug 16 21:12:03 <hostname> oidentd[19300]: Connection from weber.freenode.net (162.213.39.42):34303
Aug 16 21:12:03 <hostname> oidentd[19300]: Caught SIGSEGV; please report this to [email protected]
Aug 16 21:12:43 <hostname> oidentd[19304]: Connection from weber.freenode.net (162.213.39.42):57553
Aug 16 21:12:43 hostname oidentd[19304]: [weber.freenode.net] Successful lookup: 35590 , 6665 : quasselcore (quasselcore)
Aug 16 21:13:02 host quasselcore: [Warn ] CoreNetwork::doAutoReconnect(): Cannot reconnect while not being disconnected!
Aug 16 21:15:01 <hostname> CRON[19325]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)

I am running Ubuntu 1804 LTS

constantly reporting ERROR : NO-USER

I have compiled version 2.5.0 and run it with 'sudo ./oidentd -i -d'.

'ls -i -P' output includes:
adb 3464845 gregbert 9u IPv4 124223527 0t0 TCP www:57408->192.168.2.114:5555 (ESTABLISHED)

So I telnet localhost 113 and give:
[me]: 57408,5555
[oidentd response]: 57408,5555:ERROR:NO-USER

I have tried multiple config configurations, including no config so it is using defaults.

What did work: 'sudo oidentd -i -u root -g root -r test' - this correctly returns 'test', but still the lookup fails.

oidentd 2.5.0 by Janik Rabe <[email protected]>
Originally written by Ryan McCabe <[email protected]>
https://janikrabe.com/projects/oidentd/

Build information:
        Kernel driver:         linux.c
        Needs kmem access:     No
        Needs root access:     No
        Debug build:           Yes
        Masquerading support:  Yes
        IPv6 support:          Yes
        Linux libnfct support: Yes

Build settings:
        Configuration directory:   /usr/local/etc
        User configuration file:   ~/.config/oidentd.conf
        User configuration file:   ~/.oidentd.conf

Linux 5.10.21-1-lts x86_64
Archlinux

Am I doing something wrong?

ERROR:NO-USER in alpine docker

I'm using 2.4.0 in alpine 10.3 within docker. With the following configs, oidentd always returns ERROR:NO-USER for my nc test:

$ cat /etc/oidentd.conf
user znc {
    default {
        allow spoof
        allow spoof_all
    }
}
$ cat /home/znc/.oidentd.conf
global { reply "abc" }
$ stat -c '%a' /home/znc
711
$ stat -c '%U %G %a' /home/znc/.oidentd.conf
znc nogroup 644
$ cat /etc/passwd | grep znc
znc:x:100:65533:Linux User,,,:/home/znc:/sbin/nologin

oidentd is run with

oidentd --foreground --nosyslog

configure options

./configure \
        --prefix=/usr \
        --sysconfdir=/etc \
        --disable-nat \
        --disable-libnfct \
        --disable-xdgbdir

and the nc command

$ nc 1.1.1.1 113 
1,1
1,1:ERROR:NO-USER

where 1.1.1.1 is the server's public ip.

From the doc, I expect no matter what ports are given, it should return user id abc.

What did I miss?
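
RFC 1413 puts only the port pair in the query; the address pair that completes the lookup is taken from the query connection itself, so a query can only match connections between the ident server's host and the querying host. The sketch below, an added example covering both NO-USER reports above and not oidentd's code, resolves a query against a constructed one-row connection table; `parse_query`, `answer`, the local address 192.168.2.10 and the `0,0` echoed for unparseable input are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* One row of a constructed connection table (stand-in for the kernel lookup). */
struct conn {
	const char *laddr; unsigned lport;  /* on the ident server's host */
	const char *faddr; unsigned fport; const char *user;  /* remote end, owner */
};

/* Constructed sample; 192.168.2.10 is an assumed address for the local host. */
static const struct conn table[] = {{ "192.168.2.10", 57408, "192.168.2.114", 5555, "gregbert" }};

/* Parse "<port-on-server> , <port-on-client>"; returns 0 on success. */
int parse_query(const char *line, unsigned *lport, unsigned *fport)
{
	char tail;
	if (sscanf(line, " %u , %u %c", lport, fport, &tail) != 2)
		return -1;                       /* missing port or trailing junk */
	return (*lport < 1 || *lport > 65535 || *fport < 1 || *fport > 65535) ? -1 : 0;
}

/* Build the reply. srv_addr/peer_addr are the two ends of the query connection
 * itself. Returns 0 = USERID, 1 = NO-USER, -1 = INVALID-PORT. */
int answer(const char *line, const char *srv_addr, const char *peer_addr,
           char *out, size_t outlen)
{
	unsigned lp = 0, fp = 0;
	if (parse_query(line, &lp, &fp) != 0) {
		snprintf(out, outlen, "0,0:ERROR:INVALID-PORT");
		return -1;
	}
	for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
		const struct conn *c = &table[i];
		if (c->lport == lp && c->fport == fp &&
		    strcmp(c->laddr, srv_addr) == 0 && strcmp(c->faddr, peer_addr) == 0) {
			snprintf(out, outlen, "%u,%u:USERID:UNIX:%s", lp, fp, c->user);
			return 0;
		}
	}
	snprintf(out, outlen, "%u,%u:ERROR:NO-USER", lp, fp);
	return 1;
}

int main(void) {
	char buf[64];
	answer("57408,5555", "127.0.0.1", "127.0.0.1", buf, sizeof buf);
	return puts(buf) < 0;
}
```

The same port pair returns a USERID reply when the query arrives from 192.168.2.114 and NO-USER when it arrives over loopback, because the address pair no longer matches the table row.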

oidentd returns user "root" for all requests on FreeBSD 13

Per thread title, after updating to FreeBSD 13, oidentd no longer differentiates connections and returns the owner user as root on all ident requests.

oidentd was installed using the standard "pkg install oidentd" functionality and was working as expected on 12.x.

Would be happy to help debug.

Support CIDR notation in range specifications.

This would allow you to specify specific subnets in the to/from fields in range specifications. For example, if you wanted to spoof a specific user on your local network, you could set the to field as 192.168.0.0/24 in the range specification.

Intent to deprecate: libudb support

libudb (user database library) is a library that intends to provide an abstraction layer for looking up user information. It serves as an alternative to oidentd's built-in kernel interface, and can also integrate with other programs such as RADIUS servers.

However, libudb has been unmaintained for more than ten years, and it is doubtful whether it compiles with any recent kernels. I'm also unable to find a download link for the library, although I did find the project webpage earlier this year.

I'm planning to deprecate libudb support in the next release, and remove it entirely from the following major release. If anyone still uses oidentd with libudb, please let me know.

Currently, libudb is used if oidentd is run with the --udb (-U) flag. The command oidentd --version shows whether oidentd was compiled with support for libudb.

Should run without root on BSDs

oidentd needs to run as root on FreeBSD, DragonFly BSD and NetBSD. The current approach is not to drop privileges automatically and to show a warning instead.

It would be much better if oidentd was able to run as an unprivileged user.
