1 '\" te 2 .\" Copyright 1989 AT&T 3 .\" Copyright (C) 2005, Sun Microsystems, Inc. All Rights Reserved 4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. 5 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License. 6 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] 7 .TH IN.TELNETD 1M "June 20, 2021" 8 .SH NAME 9 in.telnetd, telnetd \- DARPA TELNET protocol server 10 .SH SYNOPSIS 11 .nf 12 \fB/usr/sbin/in.telnetd\fR [\fB-a\fR \fIauthmode\fR] [\fB-EXUh\fR] [\fB-s\fR \fItos\fR] 13 [\fB-S\fR \fIkeytab\fR] [\fB-M\fR \fIrealm\fR] 14 .fi 15 16 .SH DESCRIPTION 17 \fBin.telnetd\fR is a server that supports the \fBDARPA\fR standard 18 \fBTELNET\fR virtual terminal protocol. \fBin.telnetd\fR is normally invoked in 19 the internet server (see \fBinetd\fR(1M)), for requests to connect to the 20 \fBTELNET\fR port as indicated by the \fB/etc/services\fR file (see 21 \fBservices\fR(4)). 22 .sp 23 .LP 24 \fBin.telnetd\fR operates by allocating a pseudo-terminal device for a client, 25 then creating a login process which has the slave side of the pseudo-terminal 26 as its standard input, output, and error. \fBin.telnetd\fR manipulates the 27 master side of the pseudo-terminal, implementing the \fBTELNET\fR protocol and 28 passing characters between the remote client and the login process. 29 .sp 30 .LP 31 When a \fBTELNET\fR session starts up, \fBin.telnetd\fR sends \fBTELNET\fR 32 options to the client side indicating a willingness to do \fIremote\fR 33 \fBecho\fR of characters, and to \fIsuppress\fR \fIgo\fR \fIahead\fR. The 34 pseudo-terminal allocated to the client is configured to operate in "cooked" 35 mode, and with \fBXTABS\fR, \fBICRNL\fR and \fBONLCR\fR enabled. See 36 \fBtermio\fR(7I). 37 .sp 38 .LP 39 \fBin.telnetd\fR is willing to do: \fIecho\fR, \fIbinary\fR, \fIsuppress\fR 40 \fIgo\fR \fIahead\fR, and \fItiming\fR \fImark\fR. \fBin.telnetd\fR is willing 41 to have the remote client do: \fIbinary\fR, \fIterminal\fR \fItype\fR, 42 \fIterminal\fR \fIsize\fR, \fIlogout\fR \fIoption\fR, and \fIsuppress\fR 43 \fIgo\fR \fIahead\fR. 44 .sp 45 .LP 46 \fBin.telnetd\fR also allows environment variables to be passed, provided that 47 the client negotiates this during the initial option negotiation. The 48 \fBDISPLAY\fR environment variable may be sent this way, either by the 49 \fBTELNET\fR general environment passing methods, or by means of the 50 \fBXDISPLOC\fR \fBTELNET\fR option. \fBDISPLAY\fR can be passed in the 51 environment option during the same negotiation where \fBXDISPLOC\fR is used. 52 Note that if you use both methods, use the same value for both. Otherwise, the 53 results may be unpredictable. 54 .sp 55 .LP 56 These options are specified in Internet standards \fIRFC 1096\fR, \fIRFC 57 1408\fR, \fIRFC 1510\fR, \fIRFC 1571\fR, \fIRFC 2941\fR, \fIRFC 2942\fR, \fIRFC 58 2946\fR, and \fIRFC 1572\fR. The following Informational draft is also 59 supported: \fIRFC 2952\fR. 60 .sp 61 .LP 62 The banner printed by \fBin.telnetd\fR is configurable. The default is (more or 63 less) equivalent to `\fBuname\fR \fB-sr\fR` and will be used if no banner is 64 set in \fB/etc/default/telnetd\fR. To set the banner, add a line of the form 65 .sp 66 .in +2 67 .nf 68 BANNER="..." 69 .fi 70 .in -2 71 72 .sp 73 .LP 74 to \fB/etc/default/telnetd\fR. Nonempty banner strings are fed to shells for 75 evaluation. The default banner may be obtained by 76 .sp 77 .in +2 78 .nf 79 BANNER="\e\er\e\en\e\er\e\en`uname -s` `uname -r`\e\er\e\en\e\er\e\en" 80 .fi 81 .in -2 82 83 .sp 84 .LP 85 and no banner will be printed if \fB/etc/default/telnetd\fR contains 86 .sp 87 .in +2 88 .nf 89 BANNER="" 90 .fi 91 .in -2 92 93 .SH OPTIONS 94 The following options are supported: 95 .sp 96 .ne 2 97 .na 98 \fB\fB-a\fR \fIauthmode\fR\fR 99 .ad 100 .RS 15n 101 This option may be used for specifying what mode should be used for 102 authentication. There are several valid values for \fIauthmode\fR: 103 .sp 104 .ne 2 105 .na 106 \fB\fBvalid\fR\fR 107 .ad 108 .RS 9n 109 Only allows connections when the remote user can provide valid authentication 110 information to identify the remote user, and is allowed access to the specified 111 account without providing a password. 112 .RE 113 114 .sp 115 .ne 2 116 .na 117 \fB\fBuser\fR\fR 118 .ad 119 .RS 9n 120 Only allows connections when the remote user can provide valid authentication 121 information to identify the remote user. The \fBlogin\fR(1) command will 122 provide any additional user verification needed if the remote user is not 123 allowed automatic access to the specified account. 124 .RE 125 126 .sp 127 .ne 2 128 .na 129 \fB\fBnone\fR\fR 130 .ad 131 .RS 9n 132 This is the default state. Authentication information is not required. If no or 133 insufficient authentication information is provided, then the \fBlogin\fR(1) 134 program provides the necessary user verification. 135 .RE 136 137 .sp 138 .ne 2 139 .na 140 \fB\fBoff\fR\fR 141 .ad 142 .RS 9n 143 This disables the authentication code. All user verification happens through 144 the \fBlogin\fR(1) program. 145 .RE 146 147 .RE 148 149 .sp 150 .ne 2 151 .na 152 \fB\fB-E\fR\fR 153 .ad 154 .RS 15n 155 Disables encryption support negotiation. 156 .RE 157 158 .sp 159 .ne 2 160 .na 161 \fB\fB-h\fR\fR 162 .ad 163 .RS 15n 164 Disables displaying host specific information before login has been completed. 165 .RE 166 167 .sp 168 .ne 2 169 .na 170 \fB\fB-M\fR \fIrealm\fR\fR 171 .ad 172 .RS 15n 173 Uses the indicated Kerberos V5 realm. By default, the daemon will determine its 174 realm from the settings in the \fBkrb5.conf\fR(4) file. 175 .RE 176 177 .sp 178 .ne 2 179 .na 180 \fB\fB-s\fR \fItos\fR\fR 181 .ad 182 .RS 15n 183 Sets the \fBIP\fR \fBTOS\fR option. 184 .RE 185 186 .sp 187 .ne 2 188 .na 189 \fB\fB-S\fR \fIkeytab\fR\fR 190 .ad 191 .RS 15n 192 Sets the \fBKRB5\fR keytab file to use. The \fB/etc/krb5/krb5.keytab\fR file is 193 used by default. 194 .RE 195 196 .sp 197 .ne 2 198 .na 199 \fB\fB-U\fR\fR 200 .ad 201 .RS 15n 202 Refuses connections that cannot be mapped to a name through the 203 \fBgetnameinfo\fR(3SOCKET) function. 204 .RE 205 206 .sp 207 .ne 2 208 .na 209 \fB\fB-X\fR\fR 210 .ad 211 .RS 15n 212 Disables Kerberos V5 authentication support negotiation. 213 .RE 214 215 .SH USAGE 216 \fBtelnetd\fR and \fBin.telnetd\fR are IPv6-enabled. See \fBip6\fR(7P). 217 .SH SECURITY 218 \fBin.telnetd\fR can authenticate using Kerberos V5 authentication, 219 \fBpam\fR(3PAM), or both. By default, the telnet server will accept valid 220 Kerberos V5 authentication credentials from a \fBtelnet\fR client that supports 221 Kerberos. \fBin.telnetd\fR can also support an encrypted session from such a 222 client if the client requests it. 223 .sp 224 .LP 225 The \fBtelnet\fR protocol only uses single DES for session 226 protection\(emclients request service tickets with single DES session keys. The 227 KDC must know that host service principals that offer the \fBtelnet\fR service 228 support single DES, which, in practice, means that such principals must have 229 single DES keys in the KDC database. 230 .sp 231 .LP 232 In order for Kerberos authentication to work, a \fBhost/\fR\fI<FQDN>\fR 233 Kerberos principal must exist for each Fully Qualified Domain Name associated 234 with the \fBtelnetd\fR server. Each of these \fBhost/\fR\fI<FQDN>\fR principals 235 must have a \fBkeytab\fR entry in the \fB/etc/krb5/krb5.keytab\fR file on the 236 \fBtelnetd\fR server. An example principal might be: 237 .sp 238 .LP 239 \fBhost/bigmachine.eng.example.com\fR 240 .sp 241 .LP 242 See \fBkadmin\fR(1M) for instructions on adding a principal to a 243 \fBkrb5.keytab\fR file. See \fI\fR for a discussion of Kerberos 244 authentication. 245 .sp 246 .LP 247 \fBin.telnetd\fR uses \fBpam\fR(3PAM) for authentication, account management, 248 session management, and password management. The \fBPAM\fR configuration 249 policy, listed through \fB/etc/pam.conf\fR, specifies the modules to be used 250 for \fBin.telnetd\fR. Here is a partial \fBpam.conf\fR file with entries for 251 the \fBtelnet\fR command using the UNIX authentication, account management, 252 session management, and password management modules. 253 .sp 254 .in +2 255 .nf 256 telnet auth requisite pam_authtok_get.so.1 257 telnet auth required pam_dhkeys.so.1 258 telnet auth required pam_unix_auth.so.1 259 260 telnet account requisite pam_roles.so.1 261 telnet account required pam_projects.so.1 262 telnet account required pam_unix_account.so.1 263 264 telnet session required pam_unix_session.so.1 265 266 telnet password required pam_dhkeys.so.1 267 telnet password requisite pam_authtok_get.so.1 268 telnet password requisite pam_authtok_check.so.1 269 telnet password required pam_authtok_store.so.1 270 .fi 271 .in -2 272 273 .sp 274 .LP 275 If there are no entries for the \fBtelnet\fR service, then the entries for the 276 "other" service will be used. If multiple authentication modules are listed, 277 then the user may be prompted for multiple passwords. 278 .sp 279 .LP 280 For a Kerberized telnet service, the correct \fBPAM\fR service name is 281 \fBktelnet\fR. 282 .SH FILES 283 .ne 2 284 .na 285 \fB\fB/etc/default/telnetd\fR\fR 286 .ad 287 .RS 24n 288 289 .RE 290 291 .SH SEE ALSO 292 \fBlogin\fR(1), \fBsvcs\fR(1), \fBtelnet\fR(1), 293 \fBinetadm\fR(1M), \fBinetd\fR(1M), \fBkadmin\fR(1M), \fBsvcadm\fR(1M), 294 \fBpam\fR(3PAM), \fBgetnameinfo\fR(3SOCKET), \fBissue\fR(4), 295 \fBkrb5.conf\fR(4), \fBpam.conf\fR(4), \fBservices\fR(4), \fBattributes\fR(5), 296 \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5), 297 \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_passwd_auth\fR(5), 298 \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5), \fBpam_unix_session\fR(5), 299 \fBsmf\fR(5), \fBip6\fR(7P), \fBtermio\fR(7I) 300 .sp 301 .LP 302 \fI\fR 303 .sp 304 .LP 305 Alexander, S. \fIRFC 1572, TELNET Environment Option\fR. Network Information 306 Center, SRI International, Menlo Park, Calif., January 1994. 307 .sp 308 .LP 309 Borman, Dave. \fIRFC 1408, TELNET Environment Option\fR. Network Information 310 Center, SRI International, Menlo Park, Calif., January 1993. 311 .sp 312 .LP 313 Borman, Dave. \fIRFC 1571, TELNET Environment Option Interoperability 314 Issues\fR. Network Information Center, SRI International, Menlo Park, Calif., 315 January 1994. 316 .sp 317 .LP 318 Crispin, Mark. \fIRFC 727, TELNET Logout Option\fR. Network Information Center, 319 SRI International, Menlo Park, Calif., April 1977. 320 .sp 321 .LP 322 Marcy, G. \fIRFC 1096, TELNET X Display Location Option\fR. Network Information 323 Center, SRI International, Menlo Park, Calif., March 1989. 324 .sp 325 .LP 326 Postel, Jon, and Joyce Reynolds. \fIRFC 854, TELNET Protocol Specification\fR. 327 Network Information Center, SRI International, Menlo Park, Calif., May 1983. 328 .sp 329 .LP 330 Waitzman, D. \fIRFC 1073, TELNET Window Size Option\fR. Network Information 331 Center, SRI International, Menlo Park, Calif., October 1988. 332 .sp 333 .LP 334 Kohl, J., Neuman, C., \fIThe Kerberos Network Authentication Service (V5), RFC 335 1510\fR. September 1993. 336 .sp 337 .LP 338 Ts'o, T. and J. Altman, \fITelnet Authentication Option, RFC 2941\fR. September 339 2000. 340 .sp 341 .LP 342 Ts'o, T., \fITelnet Authentication: Kerberos Version 5, RFC 2942\fR. September 343 2000. 344 .sp 345 .LP 346 Ts'o, T., \fITelnet Data Encryption Option, RFC 2946\fR. September 2000. 347 .sp 348 .LP 349 Ts'o, T., \fITelnet Encryption: DES 64 bit Cipher Feedback, RFC 2952\fR. 350 September 2000. 351 .SH NOTES 352 Some \fBTELNET\fR commands are only partially implemented. 353 .sp 354 .LP 355 Binary mode has no common interpretation except between similar operating 356 systems. 357 .sp 358 .LP 359 The terminal type name received from the remote client is converted to lower 360 case. 361 .sp 362 .LP 363 The \fIpacket\fR interface to the pseudo-terminal should be used for more 364 intelligent flushing of input and output queues. 365 .sp 366 .LP 367 \fBin.telnetd\fR never sends \fBTELNET\fR \fIgo\fR \fIahead\fR commands. 368 .sp 369 .LP 370 The \fBpam_unix\fR(5) module is no longer supported.. Similar functionality is 371 provided by \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5), 372 \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_passwd_auth\fR(5), 373 \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5), and 374 \fBpam_unix_session\fR(5). 375 .sp 376 .LP 377 The \fBin.telnetd\fR service is managed by the service management facility, 378 \fBsmf\fR(5), under the service identifier: 379 .sp 380 .in +2 381 .nf 382 svc:/network/telnet 383 .fi 384 .in -2 385 .sp 386 387 .sp 388 .LP 389 Administrative actions on this service, such as enabling, disabling, or 390 requesting restart, can be performed using \fBsvcadm\fR(1M). Responsibility for 391 initiating and restarting this service is delegated to \fBinetd\fR(1M). Use 392 \fBinetadm\fR(1M) to make configuration changes and to view configuration 393 information for this service. The service's status can be queried using the 394 \fBsvcs\fR(1) command.