SUMMARY: pidentd 3.0.18 on Solaris 10 with DES encryption

From: Peter W. Osel <pwo_at_Infineon.COM>
Date: Sat Feb 19 2005 - 16:47:19 EST
How to compile pidentd 3.0.18 on Solaris 10 GA with DES encryption support
and
How to send unencrypted identd information to local hosts, and encrypted identd
	information to remote systems using tcp_wrappers

download pidentd 3.0.18
ftp://ftp.lysator.liu.se/pub/ident/servers/

apply patch to k_sunos510.c
http://sunportal.sunmanagers.org/pipermail/summaries/2005-February/006132.html

disable IPv6 by removing "-DHAVE_IPV6=1" from the CPPFLAGS in the
configure script.  (It is not sufficient to use -DHAVE_IPV6=0, because
the include file sockaddr.h tests #ifdef HAVE_IPV6, and -DHAVE_IPV6=0
still leaves the macro defined.)

*** pidentd-3.0.18/configure.FCS        Sun Jun 13 00:38:42 2004
--- pidentd-3.0.18/configure    Sat Feb 19 11:52:20 2005
***************
*** 2379,2385 ****
                            ;;
                        *10)
                            host_os=sunos510
!                           CPPFLAGS="$CPPFLAGS -DHAVE_IPV6=1"
                            ;;
                esac
                if test "`isainfo -k`" = "sparcv9"; then
--- 2379,2385 ----
                            ;;
                        *10)
                            host_os=sunos510
!                           CPPFLAGS="$CPPFLAGS"
                            ;;
                esac
                if test "`isainfo -k`" = "sparcv9"; then
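Review bot: the hunk patches the generated configure script, so the change is lost the next time configure is regenerated from its autoconf source, and it drops IPv6 support for the sunos510 case entirely instead of fixing the defect the text describes (sockaddr.h using #ifdef HAVE_IPV6, so that -DHAVE_IPV6=0 still counts as defined). The narrower fix is to make sockaddr.h test the value, i.e. change its `#ifdef HAVE_IPV6` to `#if HAVE_IPV6`, after which -DHAVE_IPV6=0 works and IPv6 can be switched back on without a source edit. If the configure edit is kept, the replacement line `CPPFLAGS="$CPPFLAGS"` is a no-op and can simply be deleted.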


Set up some environment variables (I am using SUNWspro version 10
to compile) and run configure, then make:

# setenv PATH /usr/ccs/bin:/opt/SUNWspro/bin:$PATH
# setenv CC cc
# setenv CFLAGS -fast
# setenv LDFLAGS "-s -L/usr/sfw/lib/64 -R/usr/sfw/lib/64"
# unsetenv LD_LIBRARY_PATH
# ./configure --prefix="" --with-threads=yes --with-des=yes --with-des-includes=/usr/sfw/include --with-des-libraries=/usr/sfw/lib/64
# make


voila, you should have an identd supporting encryption....

# ls -l pidentd-3.0.18/src/{identd,ibench,idecrypt,ikeygen}
-rwxr-xr-x 1 locadm locadm 12256 Feb 19 11:55 pidentd-3.0.18/src/ibench
-rwxr-xr-x 1 locadm locadm 27776 Feb 19 11:55 pidentd-3.0.18/src/idecrypt
-rwxr-xr-x 1 locadm locadm 86512 Feb 19 11:55 pidentd-3.0.18/src/identd
-rwxr-xr-x 1 locadm locadm 10728 Feb 19 11:55 pidentd-3.0.18/src/ikeygen

# ldd pidentd-3.0.18/src/identd
        libpthread.so.1 =>       /lib/64/libpthread.so.1
        libcrypto.so.0.9.7 =>    /usr/sfw/lib/64/libcrypto.so.0.9.7
        libkvm.so.1 =>   /usr/lib/64/libkvm.so.1
        libelf.so.1 =>   /lib/64/libelf.so.1
        libnsl.so.1 =>   /lib/64/libnsl.so.1
        libsocket.so.1 =>        /lib/64/libsocket.so.1
        libc.so.1 =>     /lib/64/libc.so.1
        libmp.so.2 =>    /lib/64/libmp.so.2
        libmd5.so.1 =>   /lib/64/libmd5.so.1
        libscf.so.1 =>   /lib/64/libscf.so.1
        libdoor.so.1 =>  /lib/64/libdoor.so.1
        libuutil.so.1 =>         /lib/64/libuutil.so.1
        libm.so.2 =>     /lib/64/libm.so.2
        /platform/SUNW,Sun-Blade-1000/lib/sparcv9/libc_psr.so.1
        /platform/SUNW,Sun-Blade-1000/lib/sparcv9/libmd5_psr.so.1


I install identd as /usr/sbin/in.identd:
-r-xr-xr-x 1 root bin 86512 Feb 19 11:56 /usr/sbin/in.identd


Added a line to /etc/inet/inetd.conf:
ident	stream	tcp	nowait	root	/usr/sbin/in.identd	in.identd -i -E

And imported the new line:
# inetconv -f
100235/1 -> /var/svc/manifest/network/rpc/100235_1-rpc_ticotsord.xml
Importing 100235_1-rpc_ticotsord.xml ...Done
100083/1 -> /var/svc/manifest/network/rpc/100083_1-rpc_tcp.xml
Importing 100083_1-rpc_tcp.xml ...Done
100068/2-5 -> /var/svc/manifest/network/rpc/100068_2-5-rpc_udp.xml
Importing 100068_2-5-rpc_udp.xml ...Done
ident -> /var/svc/manifest/network/ident-tcp.xml
Importing ident-tcp.xml ...Done

Generated a key in /etc/identd.key
# pidentd-3.0.18/src/ikeygen

Verify that the ident service is listening

# netstat -an |grep 113
      *.113                *.*                0      0 49152      0 LISTEN

Quick test:
# telnet localhost 113
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
33201,113
33201 , 113 : USERID : OTHER :[1UTLQodFC6rk9PV9xhMBzXb+WIfMZl6n]
Connection to localhost closed by foreign host.

33201 is the port number of the connection; find it with netstat run
while the connection is established...

# netstat -an |grep 113
      *.113                *.*                0      0 49152      0 LISTEN
127.0.0.1.33201      127.0.0.1.113        49152      0 49152      0 ESTABLISHED
127.0.0.1.113        127.0.0.1.33201      49152      0 49152      0 ESTABLISHED


A big thank you to Jim Seymour and Casper Dik for helping me to find the
right way to make this work!

Cheers
	--pwo


P.S.: we use tcp_wrappers to run identd with encryption for remote
connections, and without encryption for the local domain. I still
have to test this setup with Solaris 10 .... but basically this is
how it works:

add to inetd.conf the call without encryption:

/etc/inet/inetd.conf
ident   stream  tcp     nowait  root    /usr/sbin/in.identd     in.identd -i

use inetconv -f to import the line

Add to /etc/hosts.allow:
in.identd	: LOCAL, .YourLocalDomain

Add to /etc/hosts.deny:
in.identd	: ALL : twist /usr/sbin/in.identd -i -E

Enable tcp_wrappers for inetd services:

# inetadm -p |grep -i tcp_wrappers
# inetadm -M tcp_wrappers=TRUE
# inetadm -p |grep -i tcp_wrappers

Now local clients should see an output similar to this:
# telnet localhost 113
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
33220,113
33220 , 113 : USERID : UNIX :locadm
Connection to localhost closed by foreign host.

And remote clients will see:
# telnet solris10-test-system 113
Trying 10.10.10.10...
Connected to solris10-test-system.
Escape character is '^]'.
113,59519
113 , 59519 : USERID : OTHER :[dEXYGVB+MZTOQRz5c6SauaW3hvn21hlo]
Connection closed by foreign host.
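The two exchanges above (the quick test against localhost and the local/remote split done with tcp_wrappers) as code. This is an added example, not code from the original post or from pidentd: an RFC 1413 client that sends "<server-port>,<client-port>", a parser for the two reply shapes shown above (plain "USERID : UNIX :user" and the bracketed "USERID : OTHER :[token]"), and a toy responder that takes the local/remote decision the post delegates to hosts.allow and hosts.deny. Everything named LOCAL_NETS, OWNERS, TOY_KEY, opaque_token, serve_once and demo is constructed for the example: the owner table stands in for the kernel lookup identd does, IP networks stand in for the LOCAL/.YourLocalDomain hostname rules because the example runs offline, and the token is a keyed HMAC tag formatted like the page's output, not pidentd's DES record (idecrypt cannot recover a user from it).

```python
# RFC 1413 (ident) exchange: client, reply parser and a toy responder.
# Added example; not from the original post or from pidentd.
import base64
import hashlib
import hmac
import ipaddress
import socket
import threading

# Constructed stand-ins (see lead-in): "local" client networks in place of the
# LOCAL / .YourLocalDomain rules, a port->owner table in place of the kernel
# lookup, and a key in place of /etc/identd.key.
LOCAL_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
OWNERS = {33201: "locadm", 113: "root"}
TOY_KEY = b"constructed-key-not-/etc/identd.key"


def is_local_client(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def opaque_token(user, key=TOY_KEY):
    # 24-byte keyed tag, base64 (32 chars) so it looks like the bracketed token
    # above.  One-way stand-in only; real pidentd DES-encrypts a decryptable record.
    tag = hmac.new(key, user.encode("ascii"), hashlib.sha256).digest()[:24]
    return base64.b64encode(tag).decode("ascii")


def build_response(server_port, client_port, client_addr):
    """Reply text (no CRLF) for one '<server-port>,<client-port>' request."""
    pair = f"{server_port} , {client_port}"
    if not (0 < server_port < 65536 and 0 < client_port < 65536):
        return f"{pair} : ERROR : INVALID-PORT"
    owner = OWNERS.get(server_port)
    if owner is None:
        return f"{pair} : ERROR : NO-USER"
    if is_local_client(client_addr):          # hosts.allow case: plain reply
        return f"{pair} : USERID : UNIX :{owner}"
    return f"{pair} : USERID : OTHER :[{opaque_token(owner)}]"  # twist -E case


def parse_ident_response(line):
    """Split a reply into fields; the encrypted form is recognised by its brackets."""
    parts = [p.strip() for p in line.strip().split(":", 3)]
    if len(parts) < 3:
        raise ValueError(f"malformed ident reply: {line!r}")
    sport, cport = (int(x) for x in parts[0].split(","))
    reply = {"server_port": sport, "client_port": cport, "type": parts[1]}
    if parts[1] == "USERID" and len(parts) == 4:
        reply["opsys"] = parts[2]
        ident = parts[3]
        if ident.startswith("[") and ident.endswith("]"):
            reply["encrypted"], reply["token"] = True, ident[1:-1]
        else:
            reply["encrypted"], reply["user"] = False, ident
    elif parts[1] == "ERROR":
        reply["error"] = parts[2]
    else:
        raise ValueError(f"unexpected reply type: {line!r}")
    return reply


def ident_query(host, port, server_port, client_port, timeout=5.0):
    """Ask the ident service at host:port who owns server_port <-> client_port."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"{server_port},{client_port}\r\n".encode("ascii"))
        data = b""
        while not data.endswith(b"\n") and len(data) < 1024:
            chunk = s.recv(256)
            if not chunk:
                break
            data += chunk
    return parse_ident_response(data.decode("ascii", "replace"))


def serve_once():
    """Toy responder on an ephemeral loopback port; returns (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5.0)
    port = srv.getsockname()[1]

    def run():
        try:
            conn, peer = srv.accept()
        finally:
            srv.close()
        with conn:
            conn.settimeout(5.0)
            line = conn.recv(1024).decode("ascii", "replace")
            try:
                sp, cp = (int(x) for x in line.strip().split(","))
            except ValueError:
                sp, cp = 0, 0                  # answered as INVALID-PORT
            conn.sendall((build_response(sp, cp, peer[0]) + "\r\n").encode("ascii"))

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return port, t


def demo():
    """Loopback query (answered in the clear) and a remote-style reply built directly."""
    port, t = serve_once()
    local = ident_query("127.0.0.1", port, 33201, port)
    t.join(5.0)
    remote = parse_ident_response(build_response(113, 59519, "198.51.100.7"))
    return local, remote


if __name__ == "__main__":
    for reply in demo():
        print(reply)
```

Running the block prints the parsed loopback reply (user "locadm", encrypted False) and the parsed remote-style reply (opsys "OTHER", an opaque token and no user field), which is the same difference the two telnet sessions above show. The parser is the part worth keeping: anything that consumes ident replies (an IRC server, a log correlator) needs to treat the bracketed OTHER form as an opaque token to hand to the administrator's idecrypt, not as a username.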



--
Peter W. Osel				Email:	pwo@Infineon.COM
Principal - Development Systems		Phone:	+1.408.501.6321
Infineon Technologies			Cell:	+1.408.348.6735
North America Corp.			Cell:	+49.160.475.8577 (outside US)
1730 North First Street			Fax:	+1.408.501.2410
San Jose, CA 95112, USA			WWW:	http://pwo.de/

pgp key fingerprint = 79 2D DD 49 C0 AA D8 CF 2C F9 A5 6A BA 37 0E 28
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Sat Feb 19 16:47:08 2005

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:43 EST