xref: /freebsd/crypto/heimdal/appl/telnet/telnetd/telnetd.8 (revision af23369a6deaaeb612ab266eb88b8bb8d560c322)
1.\" Copyright (c) 1983, 1993
2.\"	The Regents of the University of California.  All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\" 3. All advertising materials mentioning features or use of this software
13.\"    must display the following acknowledgement:
14.\"	This product includes software developed by the University of
15.\"	California, Berkeley and its contributors.
16.\" 4. Neither the name of the University nor the names of its contributors
17.\"    may be used to endorse or promote products derived from this software
18.\"    without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
32.\"	@(#)telnetd.8	8.4 (Berkeley) 6/1/94
33.\"
34.Dd September 19, 2006
35.Dt TELNETD 8
36.Os BSD 4.2
37.Sh NAME
38.Nm telnetd
39.Nd DARPA
40.Tn TELNET
41protocol server
42.Sh SYNOPSIS
43.Nm telnetd
44.Op Fl BeUhkln
45.Op Fl D Ar debugmode
46.Op Fl S Ar tos
47.Op Fl X Ar authtype
48.Op Fl a Ar authmode
49.Op Fl r Ns Ar lowpty-highpty
50.Op Fl u Ar len
51.Op Fl debug
52.Op Fl L Ar /bin/login
53.Op Fl y
54.Op Ar port
55.Sh DESCRIPTION
56The
57.Nm telnetd
58command is a server which supports the
59.Tn DARPA
60standard
61.Tn TELNET
62virtual terminal protocol.
63.Nm Telnetd
64is normally invoked by the internet server (see
65.Xr inetd 8 )
66for requests to connect to the
67.Tn TELNET
68port as indicated by the
69.Pa /etc/services
70file (see
71.Xr services 5 ) .
72The
73.Fl debug
74option may be used to start up
75.Nm telnetd
76manually, instead of through
77.Xr inetd 8 .
78If started up this way,
79.Ar port
80may be specified to run
81.Nm telnetd
82on an alternate
83.Tn TCP
84port number.
85.Pp
86The
87.Nm telnetd
88command accepts the following options:
89.Bl -tag -width "-a authmode"
90.It Fl a Ar authmode
91This option may be used for specifying what mode should
92be used for authentication.
93Note that this option is only useful if
94.Nm telnetd
95has been compiled with support for the
96.Dv AUTHENTICATION
97option.
98There are several valid values for
99.Ar authmode :
100.Bl -tag -width debug
101.It debug
102Turns on authentication debugging code.
103.It user
104Only allow connections when the remote user
105can provide valid authentication information
106to identify the remote user,
107and is allowed access to the specified account
108without providing a password.
109.It valid
110Only allow connections when the remote user
111can provide valid authentication information
112to identify the remote user.
113The
114.Xr login 1
115command will provide any additional user verification
116needed if the remote user is not allowed automatic
117access to the specified account.
118.It other
119Only allow connections that supply some authentication information.
120This option is currently not supported
121by any of the existing authentication mechanisms,
122and is thus the same as specifying
123.Fl a
124.Cm valid .
125.It otp
126Only allow authenticated connections (as with
127.Fl a
128.Cm user )
129and also logins with one-time passwords (OTPs).  This option will call
130login with an option so that only OTPs are accepted.  The user can of
131course still type secret information at the prompt.
132.It none
133This is the default state.
134Authentication information is not required.
135If no or insufficient authentication information
136is provided, then the
137.Xr login 1
138program will provide the necessary user
139verification.
140.It off
141This disables the authentication code.
142All user verification will happen through the
143.Xr login 1
144program.
145.El
146.It Fl B
147Ignored.
148.It Fl D Ar debugmode
149This option may be used for debugging purposes.
150This allows
151.Nm telnetd
152to print out debugging information
153to the connection, allowing the user to see what
154.Nm telnetd
155is doing.
156There are several possible values for
157.Ar debugmode :
158.Bl -tag -width exercise
159.It Cm options
160Prints information about the negotiation of
161.Tn TELNET
162options.
163.It Cm report
164Prints the
165.Cm options
166information, plus some additional information
167about what processing is going on.
168.It Cm netdata
169Displays the data stream received by
170.Nm telnetd .
171.It Cm ptydata
172Displays data written to the pty.
173.It Cm exercise
174Has not been implemented yet.
175.El
176.It Fl e
177require encryption to be turned on (in both direction) by the client
178and disconnects if the client tries to turn the encryption off (in
179either direction).
180.It Fl h
181Disables the printing of host-specific information before
182login has been completed.
183.It Fl k
184.It Fl l
185Ignored.
186.It Fl n
187Disable
188.Dv TCP
189keep-alives.  Normally
190.Nm telnetd
191enables the
192.Tn TCP
193keep-alive mechanism to probe connections that
194have been idle for some period of time to determine
195if the client is still there, so that idle connections
196from machines that have crashed or can no longer
197be reached may be cleaned up.
198.It Fl r Ar lowpty-highpty
199This option is only enabled when
200.Nm telnetd
201is compiled for
202.Dv UNICOS .
203It specifies an inclusive range of pseudo-terminal devices to
204use.  If the system has sysconf variable
205.Dv _SC_CRAY_NPTY
206configured, the default pty search range is 0 to
207.Dv _SC_CRAY_NPTY ;
208otherwise, the default range is 0 to 128.  Either
209.Ar lowpty
210or
211.Ar highpty
212may be omitted to allow changing
213either end of the search range.  If
214.Ar lowpty
215is omitted, the - character is still required so that
216.Nm telnetd
217can differentiate
218.Ar highpty
219from
220.Ar lowpty .
221.It Fl S Ar tos
222.It Fl u Ar len
223This option is used to specify the size of the field
224in the
225.Dv utmp
226structure that holds the remote host name.
227If the resolved host name is longer than
228.Ar len ,
229the dotted decimal value will be used instead.
230This allows hosts with very long host names that
231overflow this field to still be uniquely identified.
232Specifying
233.Fl u0
234indicates that only dotted decimal addresses
235should be put into the
236.Pa utmp
237file.
238.It Fl U
239This option causes
240.Nm telnetd
241to refuse connections from addresses that
242cannot be mapped back into a symbolic name
243via the
244.Xr gethostbyaddr 3
245routine.
246.It Fl X Ar authtype
247This option is only valid if
248.Nm telnetd
249has been built with support for the authentication option.
250It disables the use of
251.Ar authtype
252authentication, and
253can be used to temporarily disable
254a specific authentication type without having to recompile
255.Nm telnetd .
256.It Fl L Ar pathname
257Specify pathname to an alternative login program.
258.It Fl y
259Makes
260.Nm
261not warn when a user is trying to login with a cleartext password.
262.El
263.Pp
264.Nm Telnetd
265operates by allocating a pseudo-terminal device (see
266.Xr pty 4 )
267for a client, then creating a login process which has
268the slave side of the pseudo-terminal as
269.Dv stdin ,
270.Dv stdout
271and
272.Dv stderr .
273.Nm Telnetd
274manipulates the master side of the pseudo-terminal,
275implementing the
276.Tn TELNET
277protocol and passing characters
278between the remote client and the login process.
279.Pp
280When a
281.Tn TELNET
282session is started up,
283.Nm telnetd
284sends
285.Tn TELNET
286options to the client side indicating
287a willingness to do the
288following
289.Tn TELNET
290options, which are described in more detail below:
291.Bd -literal -offset indent
292DO AUTHENTICATION
293WILL ENCRYPT
294DO TERMINAL TYPE
295DO TSPEED
296DO XDISPLOC
297DO NEW-ENVIRON
298DO ENVIRON
299WILL SUPPRESS GO AHEAD
300DO ECHO
301DO LINEMODE
302DO NAWS
303WILL STATUS
304DO LFLOW
305DO TIMING-MARK
306.Ed
307.Pp
308The pseudo-terminal allocated to the client is configured
309to operate in
310.Dq cooked
311mode, and with
312.Dv XTABS and
313.Dv CRMOD
314enabled (see
315.Xr tty 4 ) .
316.Pp
317.Nm Telnetd
318has support for enabling locally the following
319.Tn TELNET
320options:
321.Bl -tag -width "DO AUTHENTICATION"
322.It "WILL ECHO"
323When the
324.Dv LINEMODE
325option is enabled, a
326.Dv WILL ECHO
327or
328.Dv WONT ECHO
329will be sent to the client to indicate the
330current state of terminal echoing.
331When terminal echo is not desired, a
332.Dv WILL ECHO
333is sent to indicate that
334.Tn telnetd
335will take care of echoing any data that needs to be
336echoed to the terminal, and then nothing is echoed.
337When terminal echo is desired, a
338.Dv WONT ECHO
339is sent to indicate that
340.Tn telnetd
341will not be doing any terminal echoing, so the
342client should do any terminal echoing that is needed.
343.It "WILL BINARY"
344Indicates that the client is willing to send a
3458 bits of data, rather than the normal 7 bits
346of the Network Virtual Terminal.
347.It "WILL SGA"
348Indicates that it will not be sending
349.Dv IAC GA ,
350go ahead, commands.
351.It "WILL STATUS"
352Indicates a willingness to send the client, upon
353request, of the current status of all
354.Tn TELNET
355options.
356.It "WILL TIMING-MARK"
357Whenever a
358.Dv DO TIMING-MARK
359command is received, it is always responded
360to with a
361.Dv WILL TIMING-MARK
362.It "WILL LOGOUT"
363When a
364.Dv DO LOGOUT
365is received, a
366.Dv WILL LOGOUT
367is sent in response, and the
368.Tn TELNET
369session is shut down.
370.It "WILL ENCRYPT"
371Only sent if
372.Nm telnetd
373is compiled with support for data encryption, and
374indicates a willingness to decrypt
375the data stream.
376.El
377.Pp
378.Nm Telnetd
379has support for enabling remotely the following
380.Tn TELNET
381options:
382.Bl -tag -width "DO AUTHENTICATION"
383.It "DO BINARY"
384Sent to indicate that
385.Tn telnetd
386is willing to receive an 8 bit data stream.
387.It "DO LFLOW"
388Requests that the client handle flow control
389characters remotely.
390.It "DO ECHO"
391This is not really supported, but is sent to identify a 4.2BSD
392.Xr telnet 1
393client, which will improperly respond with
394.Dv WILL ECHO .
395If a
396.Dv WILL ECHO
397is received, a
398.Dv DONT ECHO
399will be sent in response.
400.It "DO TERMINAL-TYPE"
401Indicates a desire to be able to request the
402name of the type of terminal that is attached
403to the client side of the connection.
404.It "DO SGA"
405Indicates that it does not need to receive
406.Dv IAC GA ,
407the go ahead command.
408.It "DO NAWS"
409Requests that the client inform the server when
410the window (display) size changes.
411.It "DO TERMINAL-SPEED"
412Indicates a desire to be able to request information
413about the speed of the serial line to which
414the client is attached.
415.It "DO XDISPLOC"
416Indicates a desire to be able to request the name
417of the X windows display that is associated with
418the telnet client.
419.It "DO NEW-ENVIRON"
420Indicates a desire to be able to request environment
421variable information, as described in RFC 1572.
422.It "DO ENVIRON"
423Indicates a desire to be able to request environment
424variable information, as described in RFC 1408.
425.It "DO LINEMODE"
426Only sent if
427.Nm telnetd
428is compiled with support for linemode, and
429requests that the client do line by line processing.
430.It "DO TIMING-MARK"
431Only sent if
432.Nm telnetd
433is compiled with support for both linemode and
434kludge linemode, and the client responded with
435.Dv WONT LINEMODE .
436If the client responds with
437.Dv WILL TM ,
438the it is assumed that the client supports
439kludge linemode.
440Note that the
441.Op Fl k
442option can be used to disable this.
443.It "DO AUTHENTICATION"
444Only sent if
445.Nm telnetd
446is compiled with support for authentication, and
447indicates a willingness to receive authentication
448information for automatic login.
449.It "DO ENCRYPT"
450Only sent if
451.Nm telnetd
452is compiled with support for data encryption, and
453indicates a willingness to decrypt
454the data stream.
455.El
456.Sh FILES
457.Bl -tag -width /etc/services -compact
458.It Pa /etc/services
459.It Pa /etc/inittab
460(UNICOS systems only)
461.It Pa /etc/iptos
462(if supported)
463.El
464.Sh "SEE ALSO"
465.Xr telnet 1 ,
466.Xr login 1
467.Sh STANDARDS
468.Bl -tag -compact -width RFC-1572
469.It Cm RFC-854
470.Tn TELNET
471PROTOCOL SPECIFICATION
472.It Cm RFC-855
473TELNET OPTION SPECIFICATIONS
474.It Cm RFC-856
475TELNET BINARY TRANSMISSION
476.It Cm RFC-857
477TELNET ECHO OPTION
478.It Cm RFC-858
479TELNET SUPPRESS GO AHEAD OPTION
480.It Cm RFC-859
481TELNET STATUS OPTION
482.It Cm RFC-860
483TELNET TIMING MARK OPTION
484.It Cm RFC-861
485TELNET EXTENDED OPTIONS - LIST OPTION
486.It Cm RFC-885
487TELNET END OF RECORD OPTION
488.It Cm RFC-1073
489Telnet Window Size Option
490.It Cm RFC-1079
491Telnet Terminal Speed Option
492.It Cm RFC-1091
493Telnet Terminal-Type Option
494.It Cm RFC-1096
495Telnet X Display Location Option
496.It Cm RFC-1123
497Requirements for Internet Hosts -- Application and Support
498.It Cm RFC-1184
499Telnet Linemode Option
500.It Cm RFC-1372
501Telnet Remote Flow Control Option
502.It Cm RFC-1416
503Telnet Authentication Option
504.It Cm RFC-1411
505Telnet Authentication: Kerberos Version 4
506.It Cm RFC-1412
507Telnet Authentication: SPX
508.It Cm RFC-1571
509Telnet Environment Option Interoperability Issues
510.It Cm RFC-1572
511Telnet Environment Option
512.El
513.Sh BUGS
514Some
515.Tn TELNET
516commands are only partially implemented.
517.Pp
518Because of bugs in the original 4.2 BSD
519.Xr telnet 1 ,
520.Nm telnetd
521performs some dubious protocol exchanges to try to discover if the remote
522client is, in fact, a 4.2 BSD
523.Xr telnet 1 .
524.Pp
525Binary mode
526has no common interpretation except between similar operating systems
527(Unix in this case).
528.Pp
529The terminal type name received from the remote client is converted to
530lower case.
531.Pp
532.Nm Telnetd
533never sends
534.Tn TELNET
535.Dv IAC GA
536(go ahead) commands.
537