xref: /freebsd/crypto/heimdal/appl/telnet/telnetd/telnetd.8 (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1.\" Copyright (c) 1983, 1993
2.\"	The Regents of the University of California.  All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\" 3. All advertising materials mentioning features or use of this software
13.\"    must display the following acknowledgement:
14.\"	This product includes software developed by the University of
15.\"	California, Berkeley and its contributors.
16.\" 4. Neither the name of the University nor the names of its contributors
17.\"    may be used to endorse or promote products derived from this software
18.\"    without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
32.\"	@(#)telnetd.8	8.4 (Berkeley) 6/1/94
33.\"
34.Dd June 1, 1994
35.Dt TELNETD 8
36.Os BSD 4.2
37.Sh NAME
38.Nm telnetd
39.Nd DARPA
40.Tn TELNET
41protocol server
42.Sh SYNOPSIS
43.Nm telnetd
44.Op Fl BUhkln
45.Op Fl D Ar debugmode
46.Op Fl S Ar tos
47.Op Fl X Ar authtype
48.Op Fl a Ar authmode
49.Op Fl r Ns Ar lowpty-highpty
50.Op Fl u Ar len
51.Op Fl debug
52.Op Fl L Ar /bin/login
53.Op Fl y
54.Op Ar port
55.Sh DESCRIPTION
56The
57.Nm telnetd
58command is a server which supports the
59.Tn DARPA
60standard
61.Tn TELNET
62virtual terminal protocol.
63.Nm Telnetd
64is normally invoked by the internet server (see
65.Xr inetd 8 )
66for requests to connect to the
67.Tn TELNET
68port as indicated by the
69.Pa /etc/services
70file (see
71.Xr services 5 ) .
72The
73.Fl debug
74option may be used to start up
75.Nm telnetd
76manually, instead of through
77.Xr inetd 8 .
78If started up this way,
79.Ar port
80may be specified to run
81.Nm telnetd
82on an alternate
83.Tn TCP
84port number.
85.Pp
86The
87.Nm telnetd
88command accepts the following options:
89.Bl -tag -width "-a authmode"
90.It Fl a Ar authmode
91This option may be used for specifying what mode should
92be used for authentication.
93Note that this option is only useful if
94.Nm telnetd
95has been compiled with support for the
96.Dv AUTHENTICATION
97option.
98There are several valid values for
99.Ar authmode :
100.Bl -tag -width debug
101.It debug
102Turns on authentication debugging code.
103.It user
104Only allow connections when the remote user
105can provide valid authentication information
106to identify the remote user,
107and is allowed access to the specified account
108without providing a password.
109.It valid
110Only allow connections when the remote user
111can provide valid authentication information
112to identify the remote user.
113The
114.Xr login 1
115command will provide any additional user verification
116needed if the remote user is not allowed automatic
117access to the specified account.
118.It other
119Only allow connections that supply some authentication information.
120This option is currently not supported
121by any of the existing authentication mechanisms,
122and is thus the same as specifying
123.Fl a
124.Cm valid .
125.It otp
126Only allow authenticated connections (as with
127.Fl a
128.Cm user )
129and also logins with one-time passwords (OTPs).  This option will call
130login with an option so that only OTPs are accepted.  The user can of
131course still type secret information at the prompt.
132.It none
133This is the default state.
134Authentication information is not required.
135If no or insufficient authentication information
136is provided, then the
137.Xr login 1
138program will provide the necessary user
139verification.
140.It off
141This disables the authentication code.
142All user verification will happen through the
143.Xr login 1
144program.
145.El
146.It Fl B
147Ignored.
148.It Fl D Ar debugmode
149This option may be used for debugging purposes.
150This allows
151.Nm telnetd
152to print out debugging information
153to the connection, allowing the user to see what
154.Nm telnetd
155is doing.
156There are several possible values for
157.Ar debugmode :
158.Bl -tag -width exercise
159.It Cm options
160Prints information about the negotiation of
161.Tn TELNET
162options.
163.It Cm report
164Prints the
165.Cm options
166information, plus some additional information
167about what processing is going on.
168.It Cm netdata
169Displays the data stream received by
170.Nm telnetd .
171.It Cm ptydata
172Displays data written to the pty.
173.It Cm exercise
174Has not been implemented yet.
175.El
176.It Fl h
177Disables the printing of host-specific information before
178login has been completed.
179.It Fl k
180.It Fl l
181Ignored.
182.It Fl n
183Disable
184.Dv TCP
185keep-alives.  Normally
186.Nm telnetd
187enables the
188.Tn TCP
189keep-alive mechanism to probe connections that
190have been idle for some period of time to determine
191if the client is still there, so that idle connections
192from machines that have crashed or can no longer
193be reached may be cleaned up.
194.It Fl r Ar lowpty-highpty
195This option is only enabled when
196.Nm telnetd
197is compiled for
198.Dv UNICOS .
199It specifies an inclusive range of pseudo-terminal devices to
200use.  If the system has sysconf variable
201.Dv _SC_CRAY_NPTY
202configured, the default pty search range is 0 to
203.Dv _SC_CRAY_NPTY ;
204otherwise, the default range is 0 to 128.  Either
205.Ar lowpty
206or
207.Ar highpty
208may be omitted to allow changing
209either end of the search range.  If
210.Ar lowpty
211is omitted, the - character is still required so that
212.Nm telnetd
213can differentiate
214.Ar highpty
215from
216.Ar lowpty .
217.It Fl S Ar tos
218.It Fl u Ar len
219This option is used to specify the size of the field
220in the
221.Dv utmp
222structure that holds the remote host name.
223If the resolved host name is longer than
224.Ar len ,
225the dotted decimal value will be used instead.
226This allows hosts with very long host names that
227overflow this field to still be uniquely identified.
228Specifying
229.Fl u0
230indicates that only dotted decimal addresses
231should be put into the
232.Pa utmp
233file.
234.It Fl U
235This option causes
236.Nm telnetd
237to refuse connections from addresses that
238cannot be mapped back into a symbolic name
239via the
240.Xr gethostbyaddr 3
241routine.
242.It Fl X Ar authtype
243This option is only valid if
244.Nm telnetd
245has been built with support for the authentication option.
246It disables the use of
247.Ar authtype
248authentication, and
249can be used to temporarily disable
250a specific authentication type without having to recompile
251.Nm telnetd .
252.It Fl L Ar pathname
253Specify pathname to an alternative login program.
254.It Fl y
255Makes
256.Nm
257not warn when a user is trying to login with a cleartext password.
258.El
259.Pp
260.Nm Telnetd
261operates by allocating a pseudo-terminal device (see
262.Xr pty 4 )
263for a client, then creating a login process which has
264the slave side of the pseudo-terminal as
265.Dv stdin ,
266.Dv stdout
267and
268.Dv stderr .
269.Nm Telnetd
270manipulates the master side of the pseudo-terminal,
271implementing the
272.Tn TELNET
273protocol and passing characters
274between the remote client and the login process.
275.Pp
276When a
277.Tn TELNET
278session is started up,
279.Nm telnetd
280sends
281.Tn TELNET
282options to the client side indicating
283a willingness to do the
284following
285.Tn TELNET
286options, which are described in more detail below:
287.Bd -literal -offset indent
288DO AUTHENTICATION
289WILL ENCRYPT
290DO TERMINAL TYPE
291DO TSPEED
292DO XDISPLOC
293DO NEW-ENVIRON
294DO ENVIRON
295WILL SUPPRESS GO AHEAD
296DO ECHO
297DO LINEMODE
298DO NAWS
299WILL STATUS
300DO LFLOW
301DO TIMING-MARK
302.Ed
303.Pp
304The pseudo-terminal allocated to the client is configured
305to operate in
306.Dq cooked
307mode, and with
308.Dv XTABS and
309.Dv CRMOD
310enabled (see
311.Xr tty 4 ) .
312.Pp
313.Nm Telnetd
314has support for enabling locally the following
315.Tn TELNET
316options:
317.Bl -tag -width "DO AUTHENTICATION"
318.It "WILL ECHO"
319When the
320.Dv LINEMODE
321option is enabled, a
322.Dv WILL ECHO
323or
324.Dv WONT ECHO
325will be sent to the client to indicate the
326current state of terminal echoing.
327When terminal echo is not desired, a
328.Dv WILL ECHO
329is sent to indicate that
330.Tn telnetd
331will take care of echoing any data that needs to be
332echoed to the terminal, and then nothing is echoed.
333When terminal echo is desired, a
334.Dv WONT ECHO
335is sent to indicate that
336.Tn telnetd
337will not be doing any terminal echoing, so the
338client should do any terminal echoing that is needed.
339.It "WILL BINARY"
340Indicates that the client is willing to send a
3418 bits of data, rather than the normal 7 bits
342of the Network Virtual Terminal.
343.It "WILL SGA"
344Indicates that it will not be sending
345.Dv IAC GA ,
346go ahead, commands.
347.It "WILL STATUS"
348Indicates a willingness to send the client, upon
349request, of the current status of all
350.Tn TELNET
351options.
352.It "WILL TIMING-MARK"
353Whenever a
354.Dv DO TIMING-MARK
355command is received, it is always responded
356to with a
357.Dv WILL TIMING-MARK
358.It "WILL LOGOUT"
359When a
360.Dv DO LOGOUT
361is received, a
362.Dv WILL LOGOUT
363is sent in response, and the
364.Tn TELNET
365session is shut down.
366.It "WILL ENCRYPT"
367Only sent if
368.Nm telnetd
369is compiled with support for data encryption, and
370indicates a willingness to decrypt
371the data stream.
372.El
373.Pp
374.Nm Telnetd
375has support for enabling remotely the following
376.Tn TELNET
377options:
378.Bl -tag -width "DO AUTHENTICATION"
379.It "DO BINARY"
380Sent to indicate that
381.Tn telnetd
382is willing to receive an 8 bit data stream.
383.It "DO LFLOW"
384Requests that the client handle flow control
385characters remotely.
386.It "DO ECHO"
387This is not really supported, but is sent to identify a 4.2BSD
388.Xr telnet 1
389client, which will improperly respond with
390.Dv WILL ECHO .
391If a
392.Dv WILL ECHO
393is received, a
394.Dv DONT ECHO
395will be sent in response.
396.It "DO TERMINAL-TYPE"
397Indicates a desire to be able to request the
398name of the type of terminal that is attached
399to the client side of the connection.
400.It "DO SGA"
401Indicates that it does not need to receive
402.Dv IAC GA ,
403the go ahead command.
404.It "DO NAWS"
405Requests that the client inform the server when
406the window (display) size changes.
407.It "DO TERMINAL-SPEED"
408Indicates a desire to be able to request information
409about the speed of the serial line to which
410the client is attached.
411.It "DO XDISPLOC"
412Indicates a desire to be able to request the name
413of the X windows display that is associated with
414the telnet client.
415.It "DO NEW-ENVIRON"
416Indicates a desire to be able to request environment
417variable information, as described in RFC 1572.
418.It "DO ENVIRON"
419Indicates a desire to be able to request environment
420variable information, as described in RFC 1408.
421.It "DO LINEMODE"
422Only sent if
423.Nm telnetd
424is compiled with support for linemode, and
425requests that the client do line by line processing.
426.It "DO TIMING-MARK"
427Only sent if
428.Nm telnetd
429is compiled with support for both linemode and
430kludge linemode, and the client responded with
431.Dv WONT LINEMODE .
432If the client responds with
433.Dv WILL TM ,
434the it is assumed that the client supports
435kludge linemode.
436Note that the
437.Op Fl k
438option can be used to disable this.
439.It "DO AUTHENTICATION"
440Only sent if
441.Nm telnetd
442is compiled with support for authentication, and
443indicates a willingness to receive authentication
444information for automatic login.
445.It "DO ENCRYPT"
446Only sent if
447.Nm telnetd
448is compiled with support for data encryption, and
449indicates a willingness to decrypt
450the data stream.
451.El
452.Sh FILES
453.Bl -tag -width /etc/services -compact
454.It Pa /etc/services
455.It Pa /etc/inittab
456(UNICOS systems only)
457.It Pa /etc/iptos
458(if supported)
459.El
460.Sh "SEE ALSO"
461.Xr telnet 1 ,
462.Xr login 1
463.Sh STANDARDS
464.Bl -tag -compact -width RFC-1572
465.It Cm RFC-854
466.Tn TELNET
467PROTOCOL SPECIFICATION
468.It Cm RFC-855
469TELNET OPTION SPECIFICATIONS
470.It Cm RFC-856
471TELNET BINARY TRANSMISSION
472.It Cm RFC-857
473TELNET ECHO OPTION
474.It Cm RFC-858
475TELNET SUPPRESS GO AHEAD OPTION
476.It Cm RFC-859
477TELNET STATUS OPTION
478.It Cm RFC-860
479TELNET TIMING MARK OPTION
480.It Cm RFC-861
481TELNET EXTENDED OPTIONS - LIST OPTION
482.It Cm RFC-885
483TELNET END OF RECORD OPTION
484.It Cm RFC-1073
485Telnet Window Size Option
486.It Cm RFC-1079
487Telnet Terminal Speed Option
488.It Cm RFC-1091
489Telnet Terminal-Type Option
490.It Cm RFC-1096
491Telnet X Display Location Option
492.It Cm RFC-1123
493Requirements for Internet Hosts -- Application and Support
494.It Cm RFC-1184
495Telnet Linemode Option
496.It Cm RFC-1372
497Telnet Remote Flow Control Option
498.It Cm RFC-1416
499Telnet Authentication Option
500.It Cm RFC-1411
501Telnet Authentication: Kerberos Version 4
502.It Cm RFC-1412
503Telnet Authentication: SPX
504.It Cm RFC-1571
505Telnet Environment Option Interoperability Issues
506.It Cm RFC-1572
507Telnet Environment Option
508.El
509.Sh BUGS
510Some
511.Tn TELNET
512commands are only partially implemented.
513.Pp
514Because of bugs in the original 4.2 BSD
515.Xr telnet 1 ,
516.Nm telnetd
517performs some dubious protocol exchanges to try to discover if the remote
518client is, in fact, a 4.2 BSD
519.Xr telnet 1 .
520.Pp
521Binary mode
522has no common interpretation except between similar operating systems
523(Unix in this case).
524.Pp
525The terminal type name received from the remote client is converted to
526lower case.
527.Pp
528.Nm Telnetd
529never sends
530.Tn TELNET
531.Dv IAC GA
532(go ahead) commands.
533