S/Ident Installation Instructions

Written by Booker Bense <bbense@stanford.edu>
Currently maintained by Russ Allbery <rra@stanford.edu>


  1. Run "configure":

        $ ./configure

    You can specify an alternate destination to override the default with the --prefix option:

        $ ./configure --prefix=/usr/local/gnu

    or some path that is more appropriate for your site. The default prefix value is /usr/local, with binaries in subdirectory sbin, manual pages in subdirectory man, libraries in subdirectory lib, and include files in subdirectory include.

    To specify the location of the Kerberos header files and libraries, use the --with-kerberos=DIR option. DIR should be a directory with subdirectories include and lib, holding the Kerberos include files and libraries respectively.

    Try "./configure --help" for further information on its usage and see the CONFIGURE INFORMATION section below.

    The configure script attempts to identify your system and use the correct source code to interogate the kernel. If it cannot match up a kernel file to your OS (you will see warning message from the configure script), look in the directory


    There are many more files in there than I have access to machines to test and configure. If you find one that looks right for your system link it to


    If this works for you please email me the name of the file you chose and the config.status file generated by your system.

    If you wish to only build the requester library and not the sidentd responder, give the --disable-responder argument to configure.

  2. Look at the macro SERVER_PORT in responder/identd.h.

    This macro defines the set of ports on which your system provides services to other machines. This macro defines the ports that are automatically rejected when you run the responder with the -C flag (i.e. only respond to S/Ident requests that look like "client" ports). You may wish to use this to restrict the ability of "random" machines on the network to gain information about servers running on your machine. The default macro rejects anything with a port number in the reserved port range or equal to the standard X Window server port.

    To get the most complete converage possible you should run

        netstat -a -f inet

    on the machine and block any tcp ports on which you run servers. Lines like

    tcp        0      0  *.6000                 *.*                    LISTEN

    signify that you are running a tcp based server on port 6000.

  3. Try to build it:

        $ make

    This will (hopefully) make the needed S/Ident binaries within the responder directory and the S/Ident library in the requester directory. There are also some simple test programs in each of these directories.

    sident-test.c: A simple server to test the requester library. You can install it in inetd.conf as

        lookup stream tcp nowait root /usr/local/sbin/sident-test

    where "lookup" is some service port configured in /etc/services. It takes the srvtab and keytab paths on the command line and attempts to do an S/Ident callback for any incoming connection.

    itest.c: A simple test program in the responder source to test the kernel reading code for your system.

    If something fails for your system, and you want to submit a bug report, you may wish to include your "config.status" file, your host type, operating system and compiler information, make output, and anything else you think will be helpful.

  4. Install the binaries/documentation. You can do this by running:

        $ make install

    but you will also need to configure every system that should be running a responder. I suggest that you read


    before installing anything. The man page for sidentd documents how to correctly install it.


Here are the most commonly used options to the configure script. For a full list of options, run ./configure --help. For more detailed documentation about configure, please refer to the GNU Autoconf documentation.


The root of where to install the various pieces of S/Ident. The default is /usr/local. You can also use --includedir, --libdir, --mandir, and --sbindir to separately set the paths for each portion of the install.


Specifies the location of your Kerberos installation if it's not in the paths searched by default by your compiler. S/Ident will expect libraries in DIR/lib and include files in DIR/include.


Disable Kerberos v4 authentication support in both the responder and the requester library, only supporting GSSAPI authentication (and regular ident).


Statically link the S/Ident responder against the Kerberos libraries. This will allow the responder to run on systems that don't have the Kerberos libraries installed.


Only build (and install) the requester library. Don't build or install the sidentd responder daemon.


By default, both shared and static versions of the libsident requester library will be built. If you want to disable one or the other of those, use these flags.


Try to minimize the shared library dependencies encoded in the binaries. This omits from the link line all the libraries included solely because the Kerberos libraries depend on them and instead links the programs only against libraries whose APIs are called directly. This will only work with shared Kerberos libraries and will only work on platforms where shared libraries properly encode their own dependencies (such as Linux). It is intended primarily for building packages for Linux distributions to avoid encoding unnecessary shared library dependencies that make shared library migrations more difficult. If none of the above made any sense to you, don't bother with this flag.

The following environment variables override configure's default behaviour:


The compiler to use. If not set, tries to use gcc first, then cc. Note that the appropriate argument for 64-bit compiles will be automatically added if you are building the responder on Solaris and isalist indicates that you have a 64-bit kernel (-xarch=v9 for cc and -m64 for gcc).


The options to use when compiling. By default, configure tries to use "-g -O" as options, backing down to -g alone if that doesn't work.


The path to a krb5-config program to use to determine the link flags for Kerberos. By default, S/Ident looks for bin/krb5-config under the path given to --with-kerberos or krb5-config on the user's path if --with-kerberos is not given. This environment variable can be set to a specific path to force the use of that krb5-config script.

Converted to XHTML by faq2html version 1.33