telnetd(1M)
NAME
telnetd - TELNET protocol server
SYNOPSIS
authmode] [bannerfile]]
DESCRIPTION
The daemon executes a server that supports the DARPA standard TELNET
virtual terminal protocol. The Internet daemon executes when it
receives a service request at the port listed in the services database
for using the protocol (see inetd(1M) and services(4)).
operates by allocating a Telnet pseudo-terminal device (see tels(7))
for a client, then creating a login process, which has the slave side
of the Telnet pseudo-terminal as and manipulates the master side of the
Telnet pseudo-terminal, implementing the TELNET protocol, and passing
characters between the client and login process.
NOTE: no longer uses pty(7) devices; instead it uses special
devices created for TELNET sessions only. For more information,
see tels(7).
When a TELNET session is started up, sends TELNET options to the client
side, indicating a willingness to do of characters, to and to receive
and (if kerberos is enabled) information from the remote client. If
the remote client is ready, the remote terminal type is propagated in
the environment of the created login process. The pseudo-terminal
allocated to the client is configured as a normal terminal for login,
with the exception of echoing characters (see tty(7)).
is willing to and
is willing to have the remote client and (if kerberos is
enabled).
The flow control option permits applications running on a remote host
to toggle the flow control on the local host. To toggle flow control
for a session programmatically, the application program must first call
the function to get the current settings. For example,
Then, the of the structure must have set (reset) to enable (disable) flow
control.
Finally, the function call can implement the change. For example,
To toggle the flow control interactively, the user can issue a command
using the input options to disable, or to enable flow control. See the
stty(1) manpage.
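The three programmatic steps above, as an added example that is not part of the original manual page. It assumes the POSIX termios calls tcgetattr() and tcsetattr() and the IXON input flag, because the names are missing from this copy of the page; apply_flow_control and set_flow_control are hypothetical helper names.

```c
/* Added example: toggle XON/XOFF flow control on a terminal descriptor.
 * Assumes POSIX termios (tcgetattr, tcsetattr, IXON); helper names are
 * hypothetical and not taken from the manual page. */
#include <errno.h>
#include <stdio.h>
#include <termios.h>
#include <unistd.h>

/* Step 2: set or reset the flag in an already fetched termios structure. */
void apply_flow_control(struct termios *t, int enable)
{
    if (enable)
        t->c_iflag |= IXON;
    else
        t->c_iflag &= ~(tcflag_t)IXON;
}

/* Returns 0 on success, -1 with errno set (for example when fd is not a tty). */
int set_flow_control(int fd, int enable)
{
    struct termios t;

    if (tcgetattr(fd, &t) == -1)           /* step 1: get current settings */
        return -1;
    apply_flow_control(&t, enable);
    if (tcsetattr(fd, TCSANOW, &t) == -1)  /* step 3: implement the change */
        return -1;
    /* tcsetattr reports success if any part of the request was applied,
     * so read the settings back and confirm the flag really changed. */
    if (tcgetattr(fd, &t) == -1)
        return -1;
    if (((t.c_iflag & IXON) != 0) != (enable != 0)) {
        errno = EIO;
        return -1;
    }
    return 0;
}

int main(void)
{
    if (set_flow_control(STDIN_FILENO, 0) == -1) {
        perror("set_flow_control");
        return 1;
    }
    puts("flow control disabled on stdin");
    return 0;
}
```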
The terminal speed option permits applications running on a remote host
to obtain the terminal speed of the local host session using either
ioctl or stty.
The server also supports the TAC User ID (also known as the TAC Access
Control System, or TACACS User ID) option, with which users telnetting
to two or more consenting hosts may avoid going through a second login
sequence. See the option below.
To start from the Internet daemon, the configuration file must contain
an entry as follows:
The above configuration applies only for the IPv4 environment. For to
work in the IPv6 environment, the configuration file must contain a
entry as follows:
NOTE: The entry has changed to to work in the IPv6 environment.
uses the same files as to verify participating systems and authorized
users, and (See hosts.equiv(4) and the for configuration details.)
Options
has the following options.
Specify a file containing a custom banner.
This option overrides the standard login banner.
For example, to use as the login banner, have start
with the following lines in provides line continuation):
To work in the IPv6 environment, the entry in would
be:
NOTE: has changed to for IPv6.
If bannerfile is not specified, does not print a
login banner.
Invoke with all the environment variables passed to
Set the time-out value for the initial option
negotiation in the file as:
This option informs how long it should wait before
timing out and exiting if it does not receive
either a positive or negative reply for any of the
initial option negotiations. The time-out value is
measured in seconds. This option is set with integer
values. The values range between 1 and
21474836. The default value is 120 seconds.
There should not be any space between the option
and the time-out value. For example,
To work in the IPv6 environment, the entry in would
be:
NOTE: has changed to for IPv6.
This option allows users to set the BUFFERSIZE value.
This option, when set, informs the number of user
bytes to concatenate before sending to TCP. This
option is set with integer values. There is no
specified default.
Enable the TAC User ID option.
The system administrator can enable the TAC User ID
option on servers designated as participating hosts
by having start with the option in
To enable the TAC User ID option for IPv6, users
must have start with the option in as shown below:
NOTE: has changed to for IPv6.
In order to make the TAC User ID option work as
specified, the system administrator must assign to
all authorized users of the option the same login
name and unique user ID (UUID) on every participating
system to which they are allowed TAC User ID
access. These same UUIDs should not be assigned to
non-authorized users.
Users cannot use the feature on systems where their
local and remote UUIDs differ, but they can always
use the normal login sequence. Also, there may be
a potential security breach where a user with one
UUID may be able to gain entry to participating
systems and accounts where that UUID is assigned to
someone else, unless the above restrictions are
followed.
A typical configuration may consist of one or more
secure front-end systems and a network of participating
hosts. Users who have successfully logged
onto the front-end system may directly to any participating
system without being prompted for
another login.
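One way to check the restriction above before enabling the option, as an added example rather than anything shipped with telnetd. It compares passwd(4)-style account lists from two participating hosts and reports any login name with differing user IDs, or any user ID owned by different login names; the host data is constructed, and parse_passwd and count_conflicts are hypothetical names.

```c
/* Added example (constructed host data): audit the TAC User ID precondition. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
struct entry { char name[32]; long uid; };
static const char FRONT_END[] = "root:*:0:3::/:/sbin/sh\n"
    "alice:*:1001:20::/home/alice:/usr/bin/sh\nbob:*:1002:20::/home/bob:/usr/bin/sh\n";
static const char PARTICIPANT[] = "root:*:0:3::/:/sbin/sh\n"
    "alice:*:1001:20::/home/alice:/usr/bin/sh\nbob:*:1003:20::/home/bob:/usr/bin/sh\n"
    "carol:*:1002:20::/home/carol:/usr/bin/sh\n";

/* Parse "name:passwd:uid:..." lines into out[]; malformed lines are skipped. */
int parse_passwd(const char *text, struct entry *out, int max)
{
    int n = 0;
    while (*text && n < max) {
        size_t len = strcspn(text, "\n");
        const char *c1 = memchr(text, ':', len);
        const char *c2 = c1 ? memchr(c1 + 1, ':', len - (size_t)(c1 + 1 - text)) : NULL;
        size_t nlen = c1 ? (size_t)(c1 - text) : 0;
        if (c2 && nlen > 0 && nlen < sizeof out[n].name && isdigit((unsigned char)c2[1])) {
            snprintf(out[n].name, sizeof out[n].name, "%.*s", (int)nlen, text);
            sscanf(c2 + 1, "%ld", &out[n].uid);
            n++;
        }
        text += len + (text[len] == '\n');
    }
    return n;
}

/* Count pairs where the login matches but the user ID differs, or vice versa. */
int count_conflicts(const struct entry *a, int na, const struct entry *b, int nb)
{
    int conflicts = 0;
    for (int i = 0; i < na; i++)
        for (int j = 0; j < nb; j++)
            if ((strcmp(a[i].name, b[j].name) == 0) != (a[i].uid == b[j].uid)) {
                printf("conflict: %s uid %ld vs %s uid %ld\n",
                       a[i].name, a[i].uid, b[j].name, b[j].uid);
                conflicts++;
            }
    return conflicts;
}
int main(void)
{
    struct entry a[16], b[16];
    int na = parse_passwd(FRONT_END, a, 16), nb = parse_passwd(PARTICIPANT, b, 16);
    return count_conflicts(a, na, b, nb) != 0;
}
```

On the constructed data it reports two conflicts: bob has a different user ID on the second host, and bob's front-end user ID belongs to carol there.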
Set the behavior for
to instruct to close the connection on the shell
command or whenever the client communicates with to
arrive upon 0 baud rate for
This option allows users to set the
value. This option, when set, informs how long it
should wait before timing out and flushing the concatenated
user data to TCP. Note that the value is
measured in clock ticks (10 ms) and not in seconds.
This option is set with integer values. There is
no specified default.
This option allows the erase character for the terminal to be echoed on
screen at the login prompt. The erase character
can be set using the command.
This option allows the users to disable the
socket option. When is invoked with this option,
small writes over may concatenate at the TCP level
so that larger TCP packets are sent to the client
at less frequent intervals.
NOTE: Using the option with the and options is not
recommended.
To configure to use the option, the entry in would be:
To work in the IPv6 environment using the option, the entry in would
be:
NOTE: has changed to for IPv6.
To configure to have a of 100 bytes and a of 100 ticks, the entry in
would be:
To work in the IPv6 environment, the entry in would be:
NOTE: has changed to for IPv6.
Kerberos-specific Options
In Kerberos mode, can start with the following lines in
or
The option is used to ensure that non-secure systems are denied access
to the server. It overrides any value specified with the option except
when authmode is See the sis(5) manpage.
The authmode option specifies what mode is to be used for Kerberos
authentication. See the sis(5) manpage. Values for authmode are:
Activates authentication debugging.
Default value.
Only allows connections when the remote user can provide
valid Kerberos authentication information and is
authorized to access the specified account.
Authentication information is not required.
If no or insufficient Kerberos authentication information
is provided, the program provides the necessary
user verification. See the login(1) manpage.
The option instructs to use the normal authentication mode whenever the
telnet client communicates NULL type in the authentication option
negotiation.
By default, the server provides remote execution facilities with
authentication based on Kerberos V5. See the sis(5) manpage.
DIAGNOSTICS
If any error is encountered by in establishing the connection, an error
message is returned through the connection, after which the connection
is closed and the server exits. Any errors generated by the login
process or its descendants are passed through as ordinary data.
The following diagnostic messages are displayed by
The server was unable to obtain a Telnet
pseudo-terminal
for use with the login process. Either all Telnet
pseudo-terminals were in use or the driver has not been
properly set up (see tels(7)).
Check the Telnet pseudo driver configuration of the host
where is executing.
was unable to fork a process to handle the
incoming connection.
Wait a period of time and try again. If this message
persists, the server's host may have runaway processes
that are using all the entries in the process table.
The login program could not be started via
for the reason indicated (see exec(2)).
WARNINGS
The terminal type name received from the remote client is converted to
lowercase.
never sends TELNET commands.
AUTHOR
was developed by the University of California, Berkeley.
SEE ALSO
login(1), rlogin(1), stty(1), telnet(1), inetd(1M), inetsvcs_sec(1M),
exec(2), ioctl(2), hosts(4), hosts.equiv(4), inetd.conf(4),
inetd.sec(4), services(4), sis(5), pty(7), tels(7), tty(7).
DOD MIL_STD 1782.
RFC 854 for the TELNET protocol specification.