#!/usr/bin/php #http://blog.dataforce.org.uk/2010/03/Ident-Server <?php /** * Simple PHP-Based inetd ident server, version 0.1. * Copyright (c) 2010 - Shane "Dataforce" Mc Cormack * This code is licensed under the MIT License, of which a copy can be found * at http://www.opensource.org/licenses/mit-license.php * * The latest version of the code can be found at * http://blog.dataforce.org.uk/index.php?p=news&id=135 * * This should be run from inetd, it will take input on stdin and write to stdout. * * By default users can spoof ident by having a .ident file in /home/<username>/.ident * If this is present, it will be read. * It should be a file with a format like so: * * <pid> <ident> * <local host>:<local port>:<target host>:<target port> <ident> * * The first line that matches is used, any bit can be a * and it will always match, * so "* user" is valid. In future more sophisticated matches will be permitted * (eg 127.*) but for now its either all or nothing. * * Its worth noting that <target host> is the host that requests the ident, so if this * is likely to be different than the host that was connected to, then "STRICT_HOST" will * need to be set to false. * * At the moment <local host> is ignored, in future versions this might be changed, so * it is still required. * * Lines with a ':' in them are assumed to be of the second format, and must contain * all 4 sections or they will be ignored. * * Lines starting with a # are ignored. * * There are some special values that can be used as idents: * ! = Send an error instead. * * = Send the default ident. * ? = Send a random ident (In future a 3rd parameter will specify the format, * # for a number, @ for a letter, ? for either, but this is not implemented yet) * * In future there will also be support for /home/user/.ident.d/ directories, where * every file will be read for the ident response untill one matches. * This will allow multiple processes to create files rather than needing to * lock and edit .ident */ // Allow spoofing idents. define('ALLOW_SPOOF', true); // Requesting host must be the same as the host that was connected to. define('STRICT_HOST', true); // Error to send when '!' is used as an ident. define('HIDE_ERROR', 'UNKNOWN-ERROR'); openlog('simpleIdent', LOG_PID | LOG_ODELAY, LOG_DAEMON); $result = 'ERROR : UNKNOWN-ERROR' . "\n"; $host = $_SERVER['REMOTE_HOST']; syslog(LOG_INFO, 'Connection from: '.$host); // Red in the line from the socket. $fh = @fopen('php://stdin', 'r'); if ($fh) { $input = @fgets($fh); $line = trim($input); if ($input !== FALSE && !empty($line)) { $result = trim($input) . ' : ' . $result; // Get the data from it. $bits = explode(',', $line); $source = trim($bits[0]); $dest = isset($bits[1]) ? trim($bits[1]) : ''; // Check if it is valid if (preg_match('/^[0-9]+$/', $source) && preg_match('/^[0-9]+$/', $dest)) { // Now actually look for this! $match = STRICT_HOST ? ":$source .*$host:$dest " : ":$source.*:$dest"; $output = `netstat -napW 2>&1 | grep '$match' | awk '{print \$7}'`; $bits = explode('/', $output); $pid = $bits[0]; if (preg_match('/^[0-9]+$/', $pid)) { $user = `ps -o ruser=SOME-REALLY-WIDE-USERNAMES-ARE-PERMITTED-HERE $pid | tail -n 1`; $senduser = trim($user); // Look for special ident file: /home/user/.ident this is an ini-format file. $file = '/home/'.trim($user).'/.ident'; if (file_exists($file)) { $config = file($file, FILE_SKIP_EMPTY_LINES | FILE_IGNORE_NEW_LINES | FILE_TEXT); foreach ($config as $line) { // Ignore comments. $line = trim($line); if (substr($line, 1) == '#') { continue; } // Make sure line is valid. $bits = explode(' ', $line); if (count($bits) == 1) { continue; } // Check type of line if (strpos($bits[0], ':') !== FALSE) { // LocalHost:LocalPort:RemoteHost:RemotePort $match = explode(':', $bits[0]); if (count($match) != 4) { continue; } if (($match[1] == '*' || $match[1] == $source) && ($match[2] == '*' || $match[2] == $host) && ($match[3] == '*' || $match[3] == $dest)) { syslog(LOG_INFO, 'Spoof for '.$senduser.': '.$line); $senduser = $bits[1]; break; } } else if ($bits[0] == '*' || $bits[0] == $pid) { syslog(LOG_INFO, 'Spoof for '.$senduser.': '.$line); $senduser = $bits[1]; } } if ($senduser == "*") { $senduser = trim(user); } else if ($senduser == "?") { $senduser = 'user'.rand(1000,9999); } } if ($senduser != "!") { $result = $source . ', ' . $dest . ' : USERID : UNIX : ' . trim($senduser); } else { $result = $source . ', ' . $dest . ' : ERROR : ' . HIDE_ERROR; } } } } } echo $result; syslog(LOG_INFO, 'Result: '.$result); closelog(); exit(0); ?>