14249 pseudo-terminal nomenclature should reflect POSIX
Change-Id: Ib4a3cef899ff4c71b09cb0dc6878863c5e8357bc
--- old/usr/src/man/man1m/in.telnetd.1m
+++ new/usr/src/man/man1m/in.telnetd.1m
1 1 '\" te
2 2 .\" Copyright 1989 AT&T
3 3 .\" Copyright (C) 2005, Sun Microsystems, Inc. All Rights Reserved
4 4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
5 5 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
6 6 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
7 -.TH IN.TELNETD 1M "June 20, 2021"
7 +.TH IN.TELNETD 1M "February 5, 2022"
8 8 .SH NAME
9 9 in.telnetd, telnetd \- DARPA TELNET protocol server
10 10 .SH SYNOPSIS
11 11 .nf
12 12 \fB/usr/sbin/in.telnetd\fR [\fB-a\fR \fIauthmode\fR] [\fB-EXUh\fR] [\fB-s\fR \fItos\fR]
13 13 [\fB-S\fR \fIkeytab\fR] [\fB-M\fR \fIrealm\fR]
14 14 .fi
15 15
16 16 .SH DESCRIPTION
17 17 \fBin.telnetd\fR is a server that supports the \fBDARPA\fR standard
18 18 \fBTELNET\fR virtual terminal protocol. \fBin.telnetd\fR is normally invoked in
19 19 the internet server (see \fBinetd\fR(1M)), for requests to connect to the
20 20 \fBTELNET\fR port as indicated by the \fB/etc/services\fR file (see
21 21 \fBservices\fR(4)).
22 22 .sp
23 23 .LP
24 24 \fBin.telnetd\fR operates by allocating a pseudo-terminal device for a client,
25 -then creating a login process which has the slave side of the pseudo-terminal
26 -as its standard input, output, and error. \fBin.telnetd\fR manipulates the
27 -master side of the pseudo-terminal, implementing the \fBTELNET\fR protocol and
28 -passing characters between the remote client and the login process.
25 +then creating a login process which has the subsidiary side of the
26 +pseudo-terminal as its standard input, output, and error. \fBin.telnetd\fR
27 +manipulates the manager side of the pseudo-terminal, implementing the
28 +\fBTELNET\fR protocol and passing characters between the remote client and the
29 +login process.
29 30 .sp
30 31 .LP
31 32 When a \fBTELNET\fR session starts up, \fBin.telnetd\fR sends \fBTELNET\fR
32 33 options to the client side indicating a willingness to do \fIremote\fR
33 34 \fBecho\fR of characters, and to \fIsuppress\fR \fIgo\fR \fIahead\fR. The
34 35 pseudo-terminal allocated to the client is configured to operate in "cooked"
35 36 mode, and with \fBXTABS\fR, \fBICRNL\fR and \fBONLCR\fR enabled. See
36 37 \fBtermio\fR(7I).
37 38 .sp
38 39 .LP
39 40 \fBin.telnetd\fR is willing to do: \fIecho\fR, \fIbinary\fR, \fIsuppress\fR
40 41 \fIgo\fR \fIahead\fR, and \fItiming\fR \fImark\fR. \fBin.telnetd\fR is willing
41 42 to have the remote client do: \fIbinary\fR, \fIterminal\fR \fItype\fR,
42 43 \fIterminal\fR \fIsize\fR, \fIlogout\fR \fIoption\fR, and \fIsuppress\fR
43 44 \fIgo\fR \fIahead\fR.
44 45 .sp
45 46 .LP
46 47 \fBin.telnetd\fR also allows environment variables to be passed, provided that
47 48 the client negotiates this during the initial option negotiation. The
48 49 \fBDISPLAY\fR environment variable may be sent this way, either by the
49 50 \fBTELNET\fR general environment passing methods, or by means of the
50 51 \fBXDISPLOC\fR \fBTELNET\fR option. \fBDISPLAY\fR can be passed in the
51 52 environment option during the same negotiation where \fBXDISPLOC\fR is used.
52 53 Note that if you use both methods, use the same value for both. Otherwise, the
53 54 results may be unpredictable.
54 55 .sp
55 56 .LP
56 57 These options are specified in Internet standards \fIRFC 1096\fR, \fIRFC
57 58 1408\fR, \fIRFC 1510\fR, \fIRFC 1571\fR, \fIRFC 2941\fR, \fIRFC 2942\fR, \fIRFC
58 59 2946\fR, and \fIRFC 1572\fR. The following Informational draft is also
59 60 supported: \fIRFC 2952\fR.
60 61 .sp
61 62 .LP
62 63 The banner printed by \fBin.telnetd\fR is configurable. The default is (more or
63 64 less) equivalent to `\fBuname\fR \fB-sr\fR` and will be used if no banner is
64 65 set in \fB/etc/default/telnetd\fR. To set the banner, add a line of the form
65 66 .sp
66 67 .in +2
67 68 .nf
68 69 BANNER="..."
69 70 .fi
70 71 .in -2
71 72
72 73 .sp
73 74 .LP
74 75 to \fB/etc/default/telnetd\fR. Nonempty banner strings are fed to shells for
75 76 evaluation. The default banner may be obtained by
76 77 .sp
77 78 .in +2
78 79 .nf
79 80 BANNER="\e\er\e\en\e\er\e\en`uname -s` `uname -r`\e\er\e\en\e\er\e\en"
80 81 .fi
81 82 .in -2
82 83
83 84 .sp
84 85 .LP
85 86 and no banner will be printed if \fB/etc/default/telnetd\fR contains
86 87 .sp
87 88 .in +2
88 89 .nf
89 90 BANNER=""
90 91 .fi
91 92 .in -2
92 93
93 94 .SH OPTIONS
94 95 The following options are supported:
95 96 .sp
96 97 .ne 2
97 98 .na
98 99 \fB\fB-a\fR \fIauthmode\fR\fR
99 100 .ad
100 101 .RS 15n
101 102 This option may be used for specifying what mode should be used for
102 103 authentication. There are several valid values for \fIauthmode\fR:
103 104 .sp
104 105 .ne 2
105 106 .na
106 107 \fB\fBvalid\fR\fR
107 108 .ad
108 109 .RS 9n
109 110 Only allows connections when the remote user can provide valid authentication
110 111 information to identify the remote user, and is allowed access to the specified
111 112 account without providing a password.
112 113 .RE
113 114
114 115 .sp
115 116 .ne 2
116 117 .na
117 118 \fB\fBuser\fR\fR
118 119 .ad
119 120 .RS 9n
120 121 Only allows connections when the remote user can provide valid authentication
121 122 information to identify the remote user. The \fBlogin\fR(1) command will
122 123 provide any additional user verification needed if the remote user is not
123 124 allowed automatic access to the specified account.
124 125 .RE
125 126
126 127 .sp
127 128 .ne 2
128 129 .na
129 130 \fB\fBnone\fR\fR
130 131 .ad
131 132 .RS 9n
132 133 This is the default state. Authentication information is not required. If no or
133 134 insufficient authentication information is provided, then the \fBlogin\fR(1)
134 135 program provides the necessary user verification.
135 136 .RE
136 137
137 138 .sp
138 139 .ne 2
139 140 .na
140 141 \fB\fBoff\fR\fR
141 142 .ad
142 143 .RS 9n
143 144 This disables the authentication code. All user verification happens through
144 145 the \fBlogin\fR(1) program.
145 146 .RE
146 147
147 148 .RE
148 149
149 150 .sp
150 151 .ne 2
151 152 .na
152 153 \fB\fB-E\fR\fR
153 154 .ad
154 155 .RS 15n
155 156 Disables encryption support negotiation.
156 157 .RE
157 158
158 159 .sp
159 160 .ne 2
160 161 .na
161 162 \fB\fB-h\fR\fR
162 163 .ad
163 164 .RS 15n
164 165 Disables displaying host specific information before login has been completed.
165 166 .RE
166 167
167 168 .sp
168 169 .ne 2
169 170 .na
170 171 \fB\fB-M\fR \fIrealm\fR\fR
171 172 .ad
172 173 .RS 15n
173 174 Uses the indicated Kerberos V5 realm. By default, the daemon will determine its
174 175 realm from the settings in the \fBkrb5.conf\fR(4) file.
175 176 .RE
176 177
177 178 .sp
178 179 .ne 2
179 180 .na
180 181 \fB\fB-s\fR \fItos\fR\fR
181 182 .ad
182 183 .RS 15n
183 184 Sets the \fBIP\fR \fBTOS\fR option.
184 185 .RE
185 186
186 187 .sp
187 188 .ne 2
188 189 .na
189 190 \fB\fB-S\fR \fIkeytab\fR\fR
190 191 .ad
191 192 .RS 15n
192 193 Sets the \fBKRB5\fR keytab file to use. The \fB/etc/krb5/krb5.keytab\fR file is
193 194 used by default.
194 195 .RE
195 196
196 197 .sp
197 198 .ne 2
198 199 .na
199 200 \fB\fB-U\fR\fR
200 201 .ad
201 202 .RS 15n
202 203 Refuses connections that cannot be mapped to a name through the
203 204 \fBgetnameinfo\fR(3SOCKET) function.
204 205 .RE
205 206
206 207 .sp
207 208 .ne 2
208 209 .na
209 210 \fB\fB-X\fR\fR
210 211 .ad
211 212 .RS 15n
212 213 Disables Kerberos V5 authentication support negotiation.
213 214 .RE
214 215
215 216 .SH USAGE
216 217 \fBtelnetd\fR and \fBin.telnetd\fR are IPv6-enabled. See \fBip6\fR(7P).
217 218 .SH SECURITY
218 219 \fBin.telnetd\fR can authenticate using Kerberos V5 authentication,
219 220 \fBpam\fR(3PAM), or both. By default, the telnet server will accept valid
220 221 Kerberos V5 authentication credentials from a \fBtelnet\fR client that supports
221 222 Kerberos. \fBin.telnetd\fR can also support an encrypted session from such a
222 223 client if the client requests it.
223 224 .sp
224 225 .LP
225 226 The \fBtelnet\fR protocol only uses single DES for session
226 227 protection\(emclients request service tickets with single DES session keys. The
227 228 KDC must know that host service principals that offer the \fBtelnet\fR service
228 229 support single DES, which, in practice, means that such principals must have
229 230 single DES keys in the KDC database.
230 231 .sp
231 232 .LP
232 233 In order for Kerberos authentication to work, a \fBhost/\fR\fI<FQDN>\fR
233 234 Kerberos principal must exist for each Fully Qualified Domain Name associated
234 235 with the \fBtelnetd\fR server. Each of these \fBhost/\fR\fI<FQDN>\fR principals
235 236 must have a \fBkeytab\fR entry in the \fB/etc/krb5/krb5.keytab\fR file on the
236 237 \fBtelnetd\fR server. An example principal might be:
237 238 .sp
238 239 .LP
239 240 \fBhost/bigmachine.eng.example.com\fR
240 241 .sp
241 242 .LP
242 243 See \fBkadmin\fR(1M) for instructions on adding a principal to a
243 244 \fBkrb5.keytab\fR file. See \fI\fR for a discussion of Kerberos
244 245 authentication.
245 246 .sp
246 247 .LP
247 248 \fBin.telnetd\fR uses \fBpam\fR(3PAM) for authentication, account management,
248 249 session management, and password management. The \fBPAM\fR configuration
249 250 policy, listed through \fB/etc/pam.conf\fR, specifies the modules to be used
250 251 for \fBin.telnetd\fR. Here is a partial \fBpam.conf\fR file with entries for
251 252 the \fBtelnet\fR command using the UNIX authentication, account management,
252 253 session management, and password management modules.
253 254 .sp
254 255 .in +2
255 256 .nf
256 257 telnet auth requisite pam_authtok_get.so.1
257 258 telnet auth required pam_dhkeys.so.1
258 259 telnet auth required pam_unix_auth.so.1
259 260
260 261 telnet account requisite pam_roles.so.1
261 262 telnet account required pam_projects.so.1
262 263 telnet account required pam_unix_account.so.1
263 264
264 265 telnet session required pam_unix_session.so.1
265 266
266 267 telnet password required pam_dhkeys.so.1
267 268 telnet password requisite pam_authtok_get.so.1
268 269 telnet password requisite pam_authtok_check.so.1
269 270 telnet password required pam_authtok_store.so.1
270 271 .fi
271 272 .in -2
272 273
273 274 .sp
274 275 .LP
275 276 If there are no entries for the \fBtelnet\fR service, then the entries for the
276 277 "other" service will be used. If multiple authentication modules are listed,
277 278 then the user may be prompted for multiple passwords.
278 279 .sp
279 280 .LP
280 281 For a Kerberized telnet service, the correct \fBPAM\fR service name is
281 282 \fBktelnet\fR.
282 283 .SH FILES
283 284 .ne 2
284 285 .na
285 286 \fB\fB/etc/default/telnetd\fR\fR
286 287 .ad
287 288 .RS 24n
288 289
289 290 .RE
290 291
291 292 .SH SEE ALSO
292 293 \fBlogin\fR(1), \fBsvcs\fR(1), \fBtelnet\fR(1),
293 294 \fBinetadm\fR(1M), \fBinetd\fR(1M), \fBkadmin\fR(1M), \fBsvcadm\fR(1M),
294 295 \fBpam\fR(3PAM), \fBgetnameinfo\fR(3SOCKET), \fBissue\fR(4),
295 296 \fBkrb5.conf\fR(4), \fBpam.conf\fR(4), \fBservices\fR(4), \fBattributes\fR(5),
296 297 \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5),
297 298 \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_passwd_auth\fR(5),
298 299 \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5), \fBpam_unix_session\fR(5),
299 300 \fBsmf\fR(5), \fBip6\fR(7P), \fBtermio\fR(7I)
300 301 .sp
301 302 .LP
302 303 \fI\fR
303 304 .sp
304 305 .LP
305 306 Alexander, S. \fIRFC 1572, TELNET Environment Option\fR. Network Information
306 307 Center, SRI International, Menlo Park, Calif., January 1994.
307 308 .sp
308 309 .LP
309 310 Borman, Dave. \fIRFC 1408, TELNET Environment Option\fR. Network Information
310 311 Center, SRI International, Menlo Park, Calif., January 1993.
311 312 .sp
312 313 .LP
313 314 Borman, Dave. \fIRFC 1571, TELNET Environment Option Interoperability
314 315 Issues\fR. Network Information Center, SRI International, Menlo Park, Calif.,
315 316 January 1994.
316 317 .sp
317 318 .LP
318 319 Crispin, Mark. \fIRFC 727, TELNET Logout Option\fR. Network Information Center,
319 320 SRI International, Menlo Park, Calif., April 1977.
320 321 .sp
321 322 .LP
322 323 Marcy, G. \fIRFC 1096, TELNET X Display Location Option\fR. Network Information
323 324 Center, SRI International, Menlo Park, Calif., March 1989.
324 325 .sp
325 326 .LP
326 327 Postel, Jon, and Joyce Reynolds. \fIRFC 854, TELNET Protocol Specification\fR.
327 328 Network Information Center, SRI International, Menlo Park, Calif., May 1983.
328 329 .sp
329 330 .LP
330 331 Waitzman, D. \fIRFC 1073, TELNET Window Size Option\fR. Network Information
331 332 Center, SRI International, Menlo Park, Calif., October 1988.
332 333 .sp
333 334 .LP
334 335 Kohl, J., Neuman, C., \fIThe Kerberos Network Authentication Service (V5), RFC
335 336 1510\fR. September 1993.
336 337 .sp
337 338 .LP
338 339 Ts'o, T. and J. Altman, \fITelnet Authentication Option, RFC 2941\fR. September
339 340 2000.
340 341 .sp
341 342 .LP
342 343 Ts'o, T., \fITelnet Authentication: Kerberos Version 5, RFC 2942\fR. September
343 344 2000.
344 345 .sp
345 346 .LP
346 347 Ts'o, T., \fITelnet Data Encryption Option, RFC 2946\fR. September 2000.
347 348 .sp
348 349 .LP
349 350 Ts'o, T., \fITelnet Encryption: DES 64 bit Cipher Feedback, RFC 2952\fR.
350 351 September 2000.
351 352 .SH NOTES
352 353 Some \fBTELNET\fR commands are only partially implemented.
353 354 .sp
354 355 .LP
355 356 Binary mode has no common interpretation except between similar operating
356 357 systems.
357 358 .sp
358 359 .LP
359 360 The terminal type name received from the remote client is converted to lower
360 361 case.
361 362 .sp
362 363 .LP
363 364 The \fIpacket\fR interface to the pseudo-terminal should be used for more
364 365 intelligent flushing of input and output queues.
365 366 .sp
366 367 .LP
367 368 \fBin.telnetd\fR never sends \fBTELNET\fR \fIgo\fR \fIahead\fR commands.
368 369 .sp
369 370 .LP
370 371 The \fBpam_unix\fR(5) module is no longer supported.. Similar functionality is
371 372 provided by \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5),
372 373 \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_passwd_auth\fR(5),
373 374 \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5), and
374 375 \fBpam_unix_session\fR(5).
375 376 .sp
376 377 .LP
377 378 The \fBin.telnetd\fR service is managed by the service management facility,
378 379 \fBsmf\fR(5), under the service identifier:
379 380 .sp
380 381 .in +2
381 382 .nf
382 383 svc:/network/telnet
383 384 .fi
384 385 .in -2
385 386 .sp
386 387
387 388 .sp
388 389 .LP
389 390 Administrative actions on this service, such as enabling, disabling, or
390 391 requesting restart, can be performed using \fBsvcadm\fR(1M). Responsibility for
391 392 initiating and restarting this service is delegated to \fBinetd\fR(1M). Use
392 393 \fBinetadm\fR(1M) to make configuration changes and to view configuration
393 394 information for this service. The service's status can be queried using the
394 395 \fBsvcs\fR(1) command.
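Review bot: the reworded DESCRIPTION paragraph (new lines 25-29) introduces "subsidiary" and "manager" for the two sides of the pseudo-terminal, but SEE ALSO (new lines 292-300) references no pseudo-terminal manual page where a reader could look those terms up, so consider adding a cross-reference there. Since the .TH date is already being bumped, the doubled period in "no longer supported.." (new line 370) and the empty \fI\fR references (new lines 243 and 302) could be cleaned up in the same change or explicitly left for a follow-up.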