diff -c --recursive --new-file pidentd-2.8.1/Makefile pidentd-2.8.1-libwrap/Makefile *** pidentd-2.8.1/Makefile Tue Jul 29 00:01:22 1997 --- pidentd-2.8.1-libwrap/Makefile Wed Jan 21 15:46:50 1998 *************** *** 52,57 **** --- 52,72 ---- # find a free one on ftp.lysator.liu.se in pub/libraries or on # ftp.funet.fi in pub/crypt/libdes. # + # Usage of LIBWRAP makes sense only when you plan running the daemon as stand- + # alone or from inetd with -w flag (if using with -i flag it's probably + # much better idea to use tcpd from tcp_wrappers to implement access control). + # Note that LIBWRAP option requires that you have libwrap.a and tcpd.h + # located in place from where your compiler can find them, otherwise add + # necessary -I (-I/usr/local/include) to GDEFS and -L (-L/usr/local/lib) + # to LDFLAGS. Also add -lwrap to GLIBS. + # IMPORTANT! don't use 'rfc931' flag in 'identd' access control rules + # in /etc/hosts.deny (this might cause race condition, and high loads...) + # For example in your /etc/hosts.deny there could be lines like this: + # identd: .evil.org : deny + # identd: ALL : allow + # to refuce connections from any host in evil.org domain, and allow from + # anywhere else. + # # GDEFS=-DINCLUDE_EXTENSIONS -DINCLUDE_PROXY -DINCLUDE_CRYPT \ # # GDEFS=-DINCLUDE_EXTENSIONS -DINCLUDE_PROXY -DINCLUDE_CRYPT \ *************** *** 59,71 **** # GDEFS=-DINCLUDE_EXTENSIONS -DSTRONG_LOG -DALLOW_FORMAT \ -DDPATH_CONFIG='\"$(CONFDIR)/identd.conf\"' \ ! -DPATH_DESKEY='\"$(CONFDIR)/identd.key\"' # GLIBS=-lident -ldes ! GLIBS= CFLAGS=-O ! #LDFLAGS=-L$(DESTROOT)/lib all: @echo "Please specify the type of system you wish to build for." --- 74,89 ---- # GDEFS=-DINCLUDE_EXTENSIONS -DSTRONG_LOG -DALLOW_FORMAT \ -DDPATH_CONFIG='\"$(CONFDIR)/identd.conf\"' \ ! -DPATH_DESKEY='\"$(CONFDIR)/identd.key\"' \ ! -DLIBWRAP -I/usr/local/include -DINCLUDE_CRYPT # GLIBS=-lident -ldes ! GLIBS= -lwrap -ldes ! #GLIBS= CFLAGS=-O ! LDFLAGS=-L$(DESTROOT)/lib ! 
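Review bot: The example rules in the new comment block, `identd: .evil.org : deny` and `identd: ALL : allow`, rely on the hosts_options(5) `allow`/`deny` keywords, which libwrap honours only when it was built with -DPROCESS_OPTIONS; on a library built without that option the third field is a shell command, so the second line would deny everyone (it sits in hosts.deny) and try to execute a program called `allow`. I would state that dependency beside the example, or give the portable form (`identd: ALL EXCEPT .evil.org` in /etc/hosts.allow and `identd: ALL` in /etc/hosts.deny), and say that the files are scanned first-match so the deny line has to precede the catch-all. The same block should also introduce the second daemon name this patch adds, `identd-cleartext`, since it decides whether a reply goes out unencrypted and an operator will look for it here. Minor: `refuce` → `refuse`.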
all: @echo "Please specify the type of system you wish to build for." *************** *** 280,286 **** irix62_32: @echo "Building for Silicon Graphics IRIX 6.2, 32bit CPUs ..." ! @(cd src ; $(MAKE) CC="$(CC)" LDFLAGS="$(LDFLAGS) -mips3" LIBS="-lelf $(GLIBS)" CFLAGS="$(CFLAGS) -mips3 -DIRIX -DIRIX62 $(GDEFS)" MAKE=$(MAKE) KSRC=irix5 PREFIX="$(PREFIX)" $(PREFIX)identd) irix62_64: @echo "Building for Silicon Graphics IRIX 6.2, 64bit CPUs ..." --- 298,304 ---- irix62_32: @echo "Building for Silicon Graphics IRIX 6.2, 32bit CPUs ..." ! @(cd src ; $(MAKE) CC="$(CC)" LDFLAGS="$(LDFLAGS) -mips2" LIBS="-lelf $(GLIBS)" CFLAGS="$(CFLAGS) -mips2 -DIRIX -DIRIX62 $(GDEFS)" MAKE=$(MAKE) KSRC=irix5 PREFIX="$(PREFIX)" $(PREFIX)identd) irix62_64: @echo "Building for Silicon Graphics IRIX 6.2, 64bit CPUs ..." diff -c --recursive --new-file pidentd-2.8.1/src/Makefile pidentd-2.8.1-libwrap/src/Makefile *** pidentd-2.8.1/src/Makefile Tue Jul 29 00:01:25 1997 --- pidentd-2.8.1-libwrap/src/Makefile Wed Jan 21 15:49:50 1998 *************** *** 18,24 **** mv $(PREFIX)identd .. idecrypt: idecrypt.o crypto.o ! $(CC) $(LDFLAGS) -o idecrypt idecrypt.o crypto.o mv idecrypt .. identd.o: identd.c identd.h error.h crypto.h Makefile --- 18,24 ---- mv $(PREFIX)identd .. idecrypt: idecrypt.o crypto.o ! $(CC) $(LDFLAGS) -o idecrypt idecrypt.o crypto.o $(LIBS) mv idecrypt .. identd.o: identd.c identd.h error.h crypto.h Makefile diff -c --recursive --new-file pidentd-2.8.1/src/identd.c pidentd-2.8.1-libwrap/src/identd.c *** pidentd-2.8.1/src/identd.c Thu Dec 11 16:01:28 1997 --- pidentd-2.8.1-libwrap/src/identd.c Fri Jan 23 18:46:47 1998 *************** *** 72,77 **** --- 72,85 ---- # include #endif + #ifdef LIBWRAP + #include + #include + int allow_severity = LOG_INFO; + int deny_severity = LOG_WARNING; + struct request_info tcp_wrapper_req; + #endif + #include "identd.h" #include "error.h" #include "paths.h" *************** *** 760,766 **** } faddr = sin.sin_addr; ! 
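Review bot: The active defaults now hard-wire `-DLIBWRAP -I/usr/local/include -DINCLUDE_CRYPT` into GDEFS and `GLIBS= -lwrap -ldes`, so a stock build fails to link on any host without libwrap and libdes, and replies become DES-encrypted by default (which also needs the key file named by `PATH_DESKEY` just above). Every other optional configuration in this block is kept as a commented example (`# GDEFS=…`, `# GLIBS=-lident -ldes`), and the new comment block itself tells the user to add `-lwrap` by hand; I would keep the previous `GLIBS=` and `#LDFLAGS=` lines active and add the libwrap variant as a commented `# GDEFS=… -DLIBWRAP` / `# GLIBS= -lwrap -ldes` pair instead. `LDFLAGS=-L$(DESTROOT)/lib` is also uncommented although DESTROOT is not defined anywhere in this hunk; if it is unset, make expands that to `-L/lib`, so confirm it is defined further up.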
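Review bot: The `irix62_32` change from `-mips3` to `-mips2` in both LDFLAGS and CFLAGS is unrelated to libwrap and arrives with no rationale, so a reader cannot tell whether it fixes a real build failure on some IRIX 6.2 machine or leaked in from a local tree. I would split it into its own change, or at least add a comment above the target naming the CPU or compiler that needed the ISA downgrade, along the lines of `# -mips2: -mips3 binaries failed on <machine>; see <report>` with the actual case filled in.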
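Review bot: `idecrypt` now links with the whole `$(LIBS)` list, which with the new top-level defaults is `-lwrap -ldes` (plus `-lelf` on the IRIX targets), although the tool only needs the DES routines behind crypto.o. Adding libraries here is presumably the right fix for otherwise unresolved DES symbols, but pulling libwrap into the off-line key-handling utility is unnecessary; a dedicated variable such as `IDECRYPT_LIBS=-ldes` passed alongside LIBS would keep its dependencies minimal. If a single library list is the project convention, say so in a comment on this rule so the next person does not trim it.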
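Review bot: The two added `#include` lines show no header name in this rendering (presumably `<tcpd.h>` and `<syslog.h>`), and the three globals under them come with no explanation of why they exist or who else uses them. `allow_severity` and `deny_severity` are referenced as externs by libwrap itself, so they must stay non-static and a link error follows if they are removed, while `tcp_wrapper_req` is filled here and read from parse.c via `extern` later in this patch; a comment such as `/* required by libwrap: syslog priorities it uses for allowed/denied connections */` above the first two and `/* per-connection libwrap request; also consulted by check_crypt() in parse.c */` above the struct would save the next reader a trip through tcpd.h. Whether denials should be logged at LOG_WARNING rather than LOG_INFO is a policy choice worth a sentence as well.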
#ifdef STRONG_LOG if (syslog_flag) --- 768,801 ---- } faddr = sin.sin_addr; ! ! #ifdef LIBWRAP ! { ! /* ! ** Check using libwrap (part of tcp_wrappers) if we should allow ! ** or disallow, this request. We use access control rules ! ** (usually in /etc/hosts.deny) with 'identd' as a daemon name. ! */ ! ! request_init(&tcp_wrapper_req, ! RQ_DAEMON, "identd", /* daemon 'name' to use when ! looking up access control rules */ ! RQ_FILE, 0, /* file descriptor of socket */ ! NULL); ! fromhost(&tcp_wrapper_req); ! if (!hosts_access(&tcp_wrapper_req)) { ! /* refuse this request */ ! if (!syslog_flag) { ! openlog("identd", LOG_PID ! #ifdef LOG_DAEMON ! , syslog_facility ! #endif ! ); ! } ! refuse(&tcp_wrapper_req); ! } ! } ! #endif #ifdef STRONG_LOG if (syslog_flag) diff -c --recursive --new-file pidentd-2.8.1/src/parse.c pidentd-2.8.1-libwrap/src/parse.c *** pidentd-2.8.1/src/parse.c Tue Jul 29 00:01:28 1997 --- pidentd-2.8.1-libwrap/src/parse.c Fri Jan 23 18:49:04 1998 *************** *** 50,55 **** --- 50,61 ---- #include "error.h" #include "crypto.h" + #if defined(LIBWRAP) && defined(INCLUDE_CRYPT) + #include + extern struct request_info tcp_wrapper_req; + #endif + + extern void *malloc(); /* *************** *** 154,167 **** --- 160,189 ---- return (rcode == 0); } + + #ifdef INCLUDE_CRYPT /* ** Checks address of incoming call against network/mask pairs of trusted ** networks to determine whether to crypt response or not. + ** + ** If using libwrap, use 'identd-cleartext' as a daemon name in + ** access control rules (in /etc/hosts.deny), to specify which hosts/domains + ** we trust enough to give cleartext authentication. + ** Note 'identd' controls access to the ident service and 'ident-cleartext' + ** only whether the authentication is sent encrypted or not. 
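Review bot: `refuse(&tcp_wrapper_req)` does not return — libwrap logs the denial and exits the process — so this block is only safe in a process that serves exactly this connection. That holds for inetd `-i`, but the Makefile comment recommends the LIBWRAP build precisely for stand-alone and `-w` operation, and the accept loop is outside this hunk; confirm the listener forks before reaching this point, otherwise a single client matched by a deny rule takes the whole daemon down (a trivial remote DoS). `RQ_FILE, 0` likewise assumes the accepted socket sits on descriptor 0 rather than on the descriptor that `sin` was read from above the hunk. Two smaller points: `fromhost()` does a reverse DNS lookup for every connection, so the ident path now carries a resolver round-trip and its timeout even for peers no rule cares about, and the `openlog()` call under `if (!syslog_flag)` presumably mirrors one made elsewhere when syslog logging is enabled, so a shared helper would keep the two in step. The enclosing function begins and ends outside this hunk.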
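Review bot: `extern struct request_info tcp_wrapper_req;` binds check_crypt() to a global that identd.c fills on the accept path, with nothing but the shared LIBWRAP/INCLUDE_CRYPT guard to ensure request_init() has run first; should a second caller of check_crypt(), or a path that skips the accept-time check, ever appear, hosts_access() would be evaluated on a zeroed or stale request. Passing a `struct request_info *` into check_crypt() (or exposing an accessor from identd.c) would make the dependency explicit; failing that, a comment `/* initialised by identd.c via request_init() before check_crypt() runs */` above the extern is the minimum. The header name on the added `#include` is lost in this rendering (presumably `<tcpd.h>`).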
*/ int check_crypt(faddr) struct in_addr *faddr; { + #ifdef LIBWRAP + /* just change 'daemon name' in request structure */ + request_set(&tcp_wrapper_req, + RQ_DAEMON, "identd-cleartext", + NULL); + /* check if 'identd-cleartex' rules permit cleartext authentication */ + if (hosts_access(&tcp_wrapper_req)) return 0; + #else int i; extern int netcnt; extern u_long localnet[], localmask[]; *************** *** 170,175 **** --- 192,198 ---- if ((faddr->s_addr & localmask[i]) == localnet[i]) return 0; } + #endif return 1; } #endif
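Review bot: The LIBWRAP branch of check_crypt() flips the function's default: the replaced loop returned 1 (encrypt) unless the peer matched a configured trusted network, while `if (hosts_access(&tcp_wrapper_req)) return 0;` returns 0 (cleartext) for any peer no `identd-cleartext` rule mentions, because libwrap grants access when neither hosts.allow nor hosts.deny matches. A LIBWRAP+INCLUDE_CRYPT build with an empty, missing or mistyped rule file therefore answers everyone in cleartext, the opposite of the old fail-closed behaviour, and the identd.conf trusted-network list is silently ignored since the loop is now under `#else`. I would either require both — keep the loop and return 0 only when hosts_access() allows and the address is in a trusted network — or, if libwrap is meant to replace the list, say in this comment block (and in the Makefile note) that hosts.deny must end with a catch-all `identd-cleartext: ALL`. The comment block also spells the daemon `ident-cleartext` and `identd-cleartex` where the code uses `identd-cleartext`, `request_set()` leaves the shared request relabelled for anything that logs it afterwards, and `faddr` is unused in this branch. Finally, the hunk opens `#ifdef INCLUDE_CRYPT` while the only added `#endif` closes `#ifdef LIBWRAP`; the trailing context `#endif` already closed a conditional that starts above the hunk, so check that the nesting still balances in a build without INCLUDE_CRYPT.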