1 '\" te 2 .\" Copyright 1989 AT&T 3 .\" Copyright (C) 2005, Sun Microsystems, Inc. All Rights Reserved 4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. 5 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License. 6 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] 7 .TH IN.TELNETD 1M "February 5, 2022" 8 .SH NAME 9 in.telnetd, telnetd \- DARPA TELNET protocol server 10 .SH SYNOPSIS 11 .nf 12 \fB/usr/sbin/in.telnetd\fR [\fB-a\fR \fIauthmode\fR] [\fB-EXUh\fR] [\fB-s\fR \fItos\fR] 13 [\fB-S\fR \fIkeytab\fR] [\fB-M\fR \fIrealm\fR] 14 .fi 15 16 .SH DESCRIPTION 17 \fBin.telnetd\fR is a server that supports the \fBDARPA\fR standard 18 \fBTELNET\fR virtual terminal protocol. \fBin.telnetd\fR is normally invoked in 19 the internet server (see \fBinetd\fR(1M)), for requests to connect to the 20 \fBTELNET\fR port as indicated by the \fB/etc/services\fR file (see 21 \fBservices\fR(4)). 22 .sp 23 .LP 24 \fBin.telnetd\fR operates by allocating a pseudo-terminal device for a client, 25 then creating a login process which has the subsidiary side of the 26 pseudo-terminal as its standard input, output, and error. \fBin.telnetd\fR 27 manipulates the manager side of the pseudo-terminal, implementing the 28 \fBTELNET\fR protocol and passing characters between the remote client and the 29 login process. 30 .sp 31 .LP 32 When a \fBTELNET\fR session starts up, \fBin.telnetd\fR sends \fBTELNET\fR 33 options to the client side indicating a willingness to do \fIremote\fR 34 \fBecho\fR of characters, and to \fIsuppress\fR \fIgo\fR \fIahead\fR. The 35 pseudo-terminal allocated to the client is configured to operate in "cooked" 36 mode, and with \fBXTABS\fR, \fBICRNL\fR and \fBONLCR\fR enabled. See 37 \fBtermio\fR(7I). 38 .sp 39 .LP 40 \fBin.telnetd\fR is willing to do: \fIecho\fR, \fIbinary\fR, \fIsuppress\fR 41 \fIgo\fR \fIahead\fR, and \fItiming\fR \fImark\fR. \fBin.telnetd\fR is willing 42 to have the remote client do: \fIbinary\fR, \fIterminal\fR \fItype\fR, 43 \fIterminal\fR \fIsize\fR, \fIlogout\fR \fIoption\fR, and \fIsuppress\fR 44 \fIgo\fR \fIahead\fR. 45 .sp 46 .LP 47 \fBin.telnetd\fR also allows environment variables to be passed, provided that 48 the client negotiates this during the initial option negotiation. The 49 \fBDISPLAY\fR environment variable may be sent this way, either by the 50 \fBTELNET\fR general environment passing methods, or by means of the 51 \fBXDISPLOC\fR \fBTELNET\fR option. \fBDISPLAY\fR can be passed in the 52 environment option during the same negotiation where \fBXDISPLOC\fR is used. 53 Note that if you use both methods, use the same value for both. Otherwise, the 54 results may be unpredictable. 55 .sp 56 .LP 57 These options are specified in Internet standards \fIRFC 1096\fR, \fIRFC 58 1408\fR, \fIRFC 1510\fR, \fIRFC 1571\fR, \fIRFC 2941\fR, \fIRFC 2942\fR, \fIRFC 59 2946\fR, and \fIRFC 1572\fR. The following Informational draft is also 60 supported: \fIRFC 2952\fR. 61 .sp 62 .LP 63 The banner printed by \fBin.telnetd\fR is configurable. The default is (more or 64 less) equivalent to `\fBuname\fR \fB-sr\fR` and will be used if no banner is 65 set in \fB/etc/default/telnetd\fR. To set the banner, add a line of the form 66 .sp 67 .in +2 68 .nf 69 BANNER="..." 70 .fi 71 .in -2 72 73 .sp 74 .LP 75 to \fB/etc/default/telnetd\fR. Nonempty banner strings are fed to shells for 76 evaluation. The default banner may be obtained by 77 .sp 78 .in +2 79 .nf 80 BANNER="\e\er\e\en\e\er\e\en`uname -s` `uname -r`\e\er\e\en\e\er\e\en" 81 .fi 82 .in -2 83 84 .sp 85 .LP 86 and no banner will be printed if \fB/etc/default/telnetd\fR contains 87 .sp 88 .in +2 89 .nf 90 BANNER="" 91 .fi 92 .in -2 93 94 .SH OPTIONS 95 The following options are supported: 96 .sp 97 .ne 2 98 .na 99 \fB\fB-a\fR \fIauthmode\fR\fR 100 .ad 101 .RS 15n 102 This option may be used for specifying what mode should be used for 103 authentication. There are several valid values for \fIauthmode\fR: 104 .sp 105 .ne 2 106 .na 107 \fB\fBvalid\fR\fR 108 .ad 109 .RS 9n 110 Only allows connections when the remote user can provide valid authentication 111 information to identify the remote user, and is allowed access to the specified 112 account without providing a password. 113 .RE 114 115 .sp 116 .ne 2 117 .na 118 \fB\fBuser\fR\fR 119 .ad 120 .RS 9n 121 Only allows connections when the remote user can provide valid authentication 122 information to identify the remote user. The \fBlogin\fR(1) command will 123 provide any additional user verification needed if the remote user is not 124 allowed automatic access to the specified account. 125 .RE 126 127 .sp 128 .ne 2 129 .na 130 \fB\fBnone\fR\fR 131 .ad 132 .RS 9n 133 This is the default state. Authentication information is not required. If no or 134 insufficient authentication information is provided, then the \fBlogin\fR(1) 135 program provides the necessary user verification. 136 .RE 137 138 .sp 139 .ne 2 140 .na 141 \fB\fBoff\fR\fR 142 .ad 143 .RS 9n 144 This disables the authentication code. All user verification happens through 145 the \fBlogin\fR(1) program. 146 .RE 147 148 .RE 149 150 .sp 151 .ne 2 152 .na 153 \fB\fB-E\fR\fR 154 .ad 155 .RS 15n 156 Disables encryption support negotiation. 157 .RE 158 159 .sp 160 .ne 2 161 .na 162 \fB\fB-h\fR\fR 163 .ad 164 .RS 15n 165 Disables displaying host specific information before login has been completed. 166 .RE 167 168 .sp 169 .ne 2 170 .na 171 \fB\fB-M\fR \fIrealm\fR\fR 172 .ad 173 .RS 15n 174 Uses the indicated Kerberos V5 realm. By default, the daemon will determine its 175 realm from the settings in the \fBkrb5.conf\fR(4) file. 176 .RE 177 178 .sp 179 .ne 2 180 .na 181 \fB\fB-s\fR \fItos\fR\fR 182 .ad 183 .RS 15n 184 Sets the \fBIP\fR \fBTOS\fR option. 185 .RE 186 187 .sp 188 .ne 2 189 .na 190 \fB\fB-S\fR \fIkeytab\fR\fR 191 .ad 192 .RS 15n 193 Sets the \fBKRB5\fR keytab file to use. The \fB/etc/krb5/krb5.keytab\fR file is 194 used by default. 195 .RE 196 197 .sp 198 .ne 2 199 .na 200 \fB\fB-U\fR\fR 201 .ad 202 .RS 15n 203 Refuses connections that cannot be mapped to a name through the 204 \fBgetnameinfo\fR(3SOCKET) function. 205 .RE 206 207 .sp 208 .ne 2 209 .na 210 \fB\fB-X\fR\fR 211 .ad 212 .RS 15n 213 Disables Kerberos V5 authentication support negotiation. 214 .RE 215 216 .SH USAGE 217 \fBtelnetd\fR and \fBin.telnetd\fR are IPv6-enabled. See \fBip6\fR(7P). 218 .SH SECURITY 219 \fBin.telnetd\fR can authenticate using Kerberos V5 authentication, 220 \fBpam\fR(3PAM), or both. By default, the telnet server will accept valid 221 Kerberos V5 authentication credentials from a \fBtelnet\fR client that supports 222 Kerberos. \fBin.telnetd\fR can also support an encrypted session from such a 223 client if the client requests it. 224 .sp 225 .LP 226 The \fBtelnet\fR protocol only uses single DES for session 227 protection\(emclients request service tickets with single DES session keys. The 228 KDC must know that host service principals that offer the \fBtelnet\fR service 229 support single DES, which, in practice, means that such principals must have 230 single DES keys in the KDC database. 231 .sp 232 .LP 233 In order for Kerberos authentication to work, a \fBhost/\fR\fI<FQDN>\fR 234 Kerberos principal must exist for each Fully Qualified Domain Name associated 235 with the \fBtelnetd\fR server. Each of these \fBhost/\fR\fI<FQDN>\fR principals 236 must have a \fBkeytab\fR entry in the \fB/etc/krb5/krb5.keytab\fR file on the 237 \fBtelnetd\fR server. An example principal might be: 238 .sp 239 .LP 240 \fBhost/bigmachine.eng.example.com\fR 241 .sp 242 .LP 243 See \fBkadmin\fR(1M) for instructions on adding a principal to a 244 \fBkrb5.keytab\fR file. See \fI\fR for a discussion of Kerberos 245 authentication. 246 .sp 247 .LP 248 \fBin.telnetd\fR uses \fBpam\fR(3PAM) for authentication, account management, 249 session management, and password management. The \fBPAM\fR configuration 250 policy, listed through \fB/etc/pam.conf\fR, specifies the modules to be used 251 for \fBin.telnetd\fR. Here is a partial \fBpam.conf\fR file with entries for 252 the \fBtelnet\fR command using the UNIX authentication, account management, 253 session management, and password management modules. 254 .sp 255 .in +2 256 .nf 257 telnet auth requisite pam_authtok_get.so.1 258 telnet auth required pam_dhkeys.so.1 259 telnet auth required pam_unix_auth.so.1 260 261 telnet account requisite pam_roles.so.1 262 telnet account required pam_projects.so.1 263 telnet account required pam_unix_account.so.1 264 265 telnet session required pam_unix_session.so.1 266 267 telnet password required pam_dhkeys.so.1 268 telnet password requisite pam_authtok_get.so.1 269 telnet password requisite pam_authtok_check.so.1 270 telnet password required pam_authtok_store.so.1 271 .fi 272 .in -2 273 274 .sp 275 .LP 276 If there are no entries for the \fBtelnet\fR service, then the entries for the 277 "other" service will be used. If multiple authentication modules are listed, 278 then the user may be prompted for multiple passwords. 279 .sp 280 .LP 281 For a Kerberized telnet service, the correct \fBPAM\fR service name is 282 \fBktelnet\fR. 283 .SH FILES 284 .ne 2 285 .na 286 \fB\fB/etc/default/telnetd\fR\fR 287 .ad 288 .RS 24n 289 290 .RE 291 292 .SH SEE ALSO 293 \fBlogin\fR(1), \fBsvcs\fR(1), \fBtelnet\fR(1), 294 \fBinetadm\fR(1M), \fBinetd\fR(1M), \fBkadmin\fR(1M), \fBsvcadm\fR(1M), 295 \fBpam\fR(3PAM), \fBgetnameinfo\fR(3SOCKET), \fBissue\fR(4), 296 \fBkrb5.conf\fR(4), \fBpam.conf\fR(4), \fBservices\fR(4), \fBattributes\fR(5), 297 \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5), 298 \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_passwd_auth\fR(5), 299 \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5), \fBpam_unix_session\fR(5), 300 \fBsmf\fR(5), \fBip6\fR(7P), \fBtermio\fR(7I) 301 .sp 302 .LP 303 \fI\fR 304 .sp 305 .LP 306 Alexander, S. \fIRFC 1572, TELNET Environment Option\fR. Network Information 307 Center, SRI International, Menlo Park, Calif., January 1994. 308 .sp 309 .LP 310 Borman, Dave. \fIRFC 1408, TELNET Environment Option\fR. Network Information 311 Center, SRI International, Menlo Park, Calif., January 1993. 312 .sp 313 .LP 314 Borman, Dave. \fIRFC 1571, TELNET Environment Option Interoperability 315 Issues\fR. Network Information Center, SRI International, Menlo Park, Calif., 316 January 1994. 317 .sp 318 .LP 319 Crispin, Mark. \fIRFC 727, TELNET Logout Option\fR. Network Information Center, 320 SRI International, Menlo Park, Calif., April 1977. 321 .sp 322 .LP 323 Marcy, G. \fIRFC 1096, TELNET X Display Location Option\fR. Network Information 324 Center, SRI International, Menlo Park, Calif., March 1989. 325 .sp 326 .LP 327 Postel, Jon, and Joyce Reynolds. \fIRFC 854, TELNET Protocol Specification\fR. 328 Network Information Center, SRI International, Menlo Park, Calif., May 1983. 329 .sp 330 .LP 331 Waitzman, D. \fIRFC 1073, TELNET Window Size Option\fR. Network Information 332 Center, SRI International, Menlo Park, Calif., October 1988. 333 .sp 334 .LP 335 Kohl, J., Neuman, C., \fIThe Kerberos Network Authentication Service (V5), RFC 336 1510\fR. September 1993. 337 .sp 338 .LP 339 Ts'o, T. and J. Altman, \fITelnet Authentication Option, RFC 2941\fR. September 340 2000. 341 .sp 342 .LP 343 Ts'o, T., \fITelnet Authentication: Kerberos Version 5, RFC 2942\fR. September 344 2000. 345 .sp 346 .LP 347 Ts'o, T., \fITelnet Data Encryption Option, RFC 2946\fR. September 2000. 348 .sp 349 .LP 350 Ts'o, T., \fITelnet Encryption: DES 64 bit Cipher Feedback, RFC 2952\fR. 351 September 2000. 352 .SH NOTES 353 Some \fBTELNET\fR commands are only partially implemented. 354 .sp 355 .LP 356 Binary mode has no common interpretation except between similar operating 357 systems. 358 .sp 359 .LP 360 The terminal type name received from the remote client is converted to lower 361 case. 362 .sp 363 .LP 364 The \fIpacket\fR interface to the pseudo-terminal should be used for more 365 intelligent flushing of input and output queues. 366 .sp 367 .LP 368 \fBin.telnetd\fR never sends \fBTELNET\fR \fIgo\fR \fIahead\fR commands. 369 .sp 370 .LP 371 The \fBpam_unix\fR(5) module is no longer supported.. Similar functionality is 372 provided by \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5), 373 \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_passwd_auth\fR(5), 374 \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5), and 375 \fBpam_unix_session\fR(5). 376 .sp 377 .LP 378 The \fBin.telnetd\fR service is managed by the service management facility, 379 \fBsmf\fR(5), under the service identifier: 380 .sp 381 .in +2 382 .nf 383 svc:/network/telnet 384 .fi 385 .in -2 386 .sp 387 388 .sp 389 .LP 390 Administrative actions on this service, such as enabling, disabling, or 391 requesting restart, can be performed using \fBsvcadm\fR(1M). Responsibility for 392 initiating and restarting this service is delegated to \fBinetd\fR(1M). Use 393 \fBinetadm\fR(1M) to make configuration changes and to view configuration 394 information for this service. The service's status can be queried using the 395 \fBsvcs\fR(1) command.