2 files changed, 20 insertions, 5 deletions

diff --git a/usr.sbin/inetd/builtins.c b/usr.sbin/inetd/builtins.c
index b49ecba..fae9d17 100644
--- a/usr.sbin/inetd/builtins.c
+++ b/usr.sbin/inetd/builtins.c
@@ -469,8 +469,20 @@ ident_stream(s, sep)		/* Ident service (AKA "auth") */
 		goto printit;
 	}
 		
-	if (!rflag)	/* Send HIDDEN-USER immediately if not "real" */
-		iderror(lport, fport, s, -1);
+	/*
+	 * If not "real" (-r), send a HIDDEN-USER error for everything.
+	 * If -d is used to set a fallback username, this is used to
+	 * override it, and the fallback is returned instead.
+	 */
+	if (!rflag) {
+		if (fallback == NULL)
+			iderror(lport, fport, s, -1);
+		else {
+			cp = fallback;
+			goto printit;
+		}
+	}
+		
 	/*
 	 * We take the input and construct an array of two sockaddr_ins
 	 * which contain the local address information and foreign
diff --git a/usr.sbin/inetd/inetd.8 b/usr.sbin/inetd/inetd.8
index 38ed541..62b2726 100644
--- a/usr.sbin/inetd/inetd.8
+++ b/usr.sbin/inetd/inetd.8
@@ -436,11 +436,14 @@ Without options, the service will always return
 The available arguments to this service that alter its behavior are:
 .Bl -tag -width indent
 .It Fl d Ar fallback
-Instead of returning an error if getting the socket credentials or
+If the real ident service is enabled, return this user for every
+request.
+If the real ident service is disabled, then this flag, instead of
+returning an error if getting the socket credentials or
 looking up the user name fails, return a default
 .Ar fallback
-user name to the requesting ident client.  This is primarily useful
-when running this service on a NAT machine.
+user name to the requesting ident client.
+This is primarily useful when running this service on a NAT machine.
 .It Fl t Ar sec[.usec]
 Specify a timeout for the service.
 The default timeout is 10.0 seconds.