Thread: restricting identd to just the loopback adapter.

restricting identd to just the loopback adapter.

From
jerry.nospam@theashergroup.com (Jerry Asher)
Date:
I have installed and am running pg 7.2, and it apparently would like to have
an identd server to help it establish who is who.

I installed pidentd from the red hat 8.0 distribution and started it
up, but looking over the conf files, there is apparently no way to
restrict identd to listening/binding only to the localhost adapter.

Can you folks help?

How do I make identd bind only to the loopback adapter?

Thank you,

Jerry Asher

Re: restricting identd to just the loopback adapter.

From
Bruno Wolff III
Date:
On Sun, Jan 26, 2003 at 21:48:33 -0800,
  Jerry Asher <jerry.nospam@theashergroup.com> wrote:
> I have installed and am running pg 7.2, and it apparently would like to have
> an identd server to help it establish who is who.

First off, are the users logging into the same machine that the database
server is running on? If so, then you don't need to run an ident server;
you can use domain sockets for connections and the getpeeruid function
will be used to do ident authentication.

> I installed pidentd from the red hat 8.0 distribution and started it
> up, but looking over the conf files, there is apparently no way to
> restrict identd to listening/binding only to the localhost adapter.

You can use iptables to do this. Block tcp traffic to the identd port
that isn't coming from loopback (though this implies that you have the
situation above and shouldn't be using identd) or if the postgres
server is on another machine, restrict traffic based on IP address.

Re: restricting identd to just the loopback adapter.

From
David Jericho
Date:
On Sun, Jan 26, 2003 at 09:48:33PM -0800, Jerry Asher wrote:
> I installed pidentd from the red hat 8.0 distribution and started it
> up, but looking over the conf files, there is apparently no way to
> restrict identd to listening/binding only to the localhost adapter.

The sgi_fam service contains an example, and it's detailed in the man
page xinetd.conf(5).

The option you're wanting is "bind".

The syntax being "bind = 127.0.0.1" in the service description stanza.

--
David Jericho
Senior Systems Administrator, Bytecomm Pty Ltd

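Added example, not code from the thread: the xinetd "bind" approach from this reply and the iptables fallback from the reply before it, plus a check over netstat output that confirms tcp/113 is only listening on loopback. The service name, file path and pidentd server path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes pidentd is started by
# xinetd as the "auth" service (tcp/113); the server path is a placeholder.

# xinetd stanza for /etc/xinetd.d/auth (path assumed): "bind" makes xinetd
# listen on loopback only, "only_from" rejects anything that still arrives.
identd_xinetd_stanza() {
    cat <<'EOF'
service auth
{
    disable     = no
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = nobody
    server      = /usr/sbin/in.identd
    bind        = 127.0.0.1
    only_from   = 127.0.0.1
}
EOF
}

# Firewall fallback from the first reply: accept ident on lo, drop the rest
# (use -j REJECT instead of DROP if remote ident clients must not hang).
# Prints the commands unless called as "identd_iptables_rules apply".
identd_iptables_rules() {
    run=echo; [ "$1" = apply ] && run=
    $run iptables -A INPUT -i lo -p tcp --dport 113 -j ACCEPT
    $run iptables -A INPUT -p tcp --dport 113 -j DROP
}

# Verification: feed "netstat -tln" output on stdin; exit 0 only if some
# tcp/113 listener exists and every one is bound to 127.0.0.1 (or ::1).
ident_bound_to_loopback_only() {
    awk '$1 ~ /^tcp/ && $4 ~ /:113$/ {
             seen = 1; addr = $4; sub(/:113$/, "", addr)
             if (addr != "127.0.0.1" && addr != "::1") bad = 1
         }
         END { exit ((seen && !bad) ? 0 : 1) }'
}

# Constructed netstat output, before and after applying "bind = 127.0.0.1".
BEFORE='Proto Recv-Q Send-Q Local Address   Foreign Address State
tcp        0      0 0.0.0.0:113     0.0.0.0:*       LISTEN'
AFTER='Proto Recv-Q Send-Q Local Address   Foreign Address State
tcp        0      0 127.0.0.1:113   0.0.0.0:*       LISTEN'

printf '%s\n' "$BEFORE" | ident_bound_to_loopback_only \
    || echo "identd is reachable on a non-loopback address"
```

After restarting xinetd, pipe the real `netstat -tln` output into `ident_bound_to_loopback_only` to confirm the stanza took effect.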

Re: restricting identd to just the loopback adapter.

From
Jerry Asher
Date:
David Jericho wrote:

> On Sun, Jan 26, 2003 at 09:48:33PM -0800, Jerry Asher wrote:
>
> >I installed pidentd from the red hat 8.0 distribution and started it
> >up, but looking over the conf files, there is apparently no way to
> >restrict identd to listening/binding only to the localhost adapter.
>
>
> The sgi_fam service contains an example, and it's detailed in the man
> page xinetd.conf(5).
>
> The option you're wanting is "bind".
>
> The syntax being "bind = 127.0.0.1" in the service description stanza.
>
Thanks David,

That mirrors my latest thinking and I am looking at the xinetd man page
now.  Other info I've looked at on xinetd has not been helpful.  In
particular it is not at all clear that a style in a sysv init style is
immediately amenable to being started from xinetd.

???

Thanks,


Jerry Asher