.\" $NetBSD: telnetd.8,v 1.10 1997/10/20 02:19:24 enami Exp $
.\"
.\" Copyright (c) 1983, 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\" must display the following acknowledgement:
.\" This product includes software developed by the University of
.\" California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" from: @(#)telnetd.8 8.3 (Berkeley) 3/1/94
.\"
.Dd March 1, 1994
.Dt TELNETD 8
.Os BSD 4.2
.Sh NAME
.Nm telnetd
.Nd DARPA
.Tn TELNET
protocol server
.Sh SYNOPSIS
.Nm /usr/libexec/telnetd
.Op Fl Uhlkns
.Op Fl D Ar debugmode
.Op Fl I Ns Ar initid
.Op Fl S Ar tos
.Op Fl X Ar authtype
.Op Fl a Ar authmode
.Op Fl edebug
.Op Fl g Ar gettyent
.Op Fl r Ns Ar lowpty-highpty
.Op Fl u Ar len
.Op Fl debug Op Ar port
.Sh DESCRIPTION
The
.Nm
command is a server which supports the
.Tn DARPA
standard
.Tn TELNET
virtual terminal protocol.
.Nm
is normally invoked by the internet server (see
.Xr inetd 8 )
for requests to connect to the
.Tn TELNET
port as indicated by the
.Pa /etc/services
file (see
.Xr services 5 ) .
The
.Fl debug
option may be used to start up
.Nm
manually, instead of through
.Xr inetd 8 .
If started up this way,
.Ar port
may be specified to run
.Nm
on an alternate
.Tn TCP
port number.
.Pp
The
.Nm
command accepts the following options:
.Bl -tag -width "-a authmode"
.It Fl a Ar authmode
This option may be used for specifying what mode should
be used for authentication.
Note that this option is only useful if
.Nm
has been compiled with support for the
.Dv AUTHENTICATION
option.
There are several valid values for
.Ar authmode :
.Bl -tag -width debug
.It debug
Turns on authentication debugging code.
.It user
Only allow connections when the remote user
can provide valid authentication information
to identify the remote user,
and is allowed access to the specified account
without providing a password.
.It valid
Only allow connections when the remote user
can provide valid authentication information
to identify the remote user.
The
.Xr login 1
command will provide any additional user verification
needed if the remote user is not allowed automatic
access to the specified account.
.It other
Only allow connections that supply some authentication information.
This option is currently not supported
by any of the existing authentication mechanisms,
and is thus the same as specifying
.Fl a
.Cm valid .
.It none
This is the default state.
Authentication information is not required.
If no or insufficient authentication information
is provided, then the
.Xr login 1
program will provide the necessary user
verification.
.It off
This disables the authentication code.
All user verification will happen through the
.Xr login 1
program.
.El
.It Fl D Ar debugmode
This option may be used for debugging purposes.
This allows
.Nm
to print out debugging information
to the connection, allowing the user to see what
.Nm
is doing.
There are several possible values for
.Ar debugmode :
.Bl -tag -width exercise
.It Cm options
Prints information about the negotiation of
.Tn TELNET
options.
.It Cm report
Prints the
.Cm options
information, plus some additional information
about what processing is going on.
.It Cm netdata
Displays the data stream received by
.Nm "" .
.It Cm ptydata
Displays data written to the pty.
.It Cm exercise
Has not been implemented yet.
.El
.It Fl debug
Enables debugging on each socket created by
.Nm
(see
.Dv SO_DEBUG
in
.Xr socket 2 ) .
.It Fl edebug
If
.Nm
has been compiled with support for data encryption, then the
.Fl edebug
option may be used to enable encryption debugging code.
.It Fl g Ar gettyent
Specifies which entry from
.Pa /etc/gettytab
should be used to get banner strings, login program and
other information. The default entry is
.Dv default .
.It Fl h
Disables the printing of host-specific information before
login has been completed.
.It Fl I Ar initid
This option is only applicable to
.Tn UNICOS
systems prior to 7.0.
It specifies the
.Dv ID
from
.Pa /etc/inittab
to use when init starts login sessions. The default
.Dv ID
is
.Dv fe .
.It Fl k
This option is only useful if
.Nm
has been compiled with both linemode and kludge linemode
support. If the
.Fl k
option is specified, then if the remote client does not
support the
.Dv LINEMODE
option, then
.Nm
will operate in character-at-a-time mode.
It will still support kludge linemode, but will only
go into kludge linemode if the remote client requests
it.
(This is done by the client sending
.Dv DONT SUPPRESS-GO-AHEAD
and
.Dv DONT ECHO . )
The
.Fl k
option is most useful when there are remote clients
that do not support kludge linemode, but pass the heuristic
(if they respond with
.Dv WILL TIMING-MARK
in response to a
.Dv DO TIMING-MARK )
for kludge linemode support.
.It Fl l
Specifies line mode. Tries to force clients to use line-at-a-time mode.
If the
.Dv LINEMODE
option is not supported, it will go
into kludge linemode.
.It Fl n
Disable
.Dv TCP
keep-alives. Normally
.Nm
enables the
.Tn TCP
keep-alive mechanism to probe connections that
have been idle for some period of time to determine
if the client is still there, so that idle connections
from machines that have crashed or can no longer
be reached may be cleaned up.
.It Fl r Ar lowpty-highpty
This option is only enabled when
.Nm
is compiled for
.Dv UNICOS .
It specifies an inclusive range of pseudo-terminal devices to
use. If the system has sysconf variable
.Dv _SC_CRAY_NPTY
configured, the default pty search range is 0 to
.Dv _SC_CRAY_NPTY ;
otherwise, the default range is 0 to 128.
Either
.Ar lowpty
or
.Ar highpty
may be omitted to allow changing
either end of the search range. If
.Ar lowpty
is omitted, the - character is still required so that
.Nm
can differentiate
.Ar highpty
from
.Ar lowpty .
.It Fl s
This option is only enabled if
.Nm
is compiled with support for
.Tn SecurID
cards.
It causes the
.Fl s
option to be passed on to
.Xr login 1 ,
and thus is only useful if
.Xr login 1
supports the
.Fl s
flag to indicate that only
.Tn SecurID
validated logins are allowed, and is
usually useful for controlling remote logins
from outside of a firewall.
.It Fl S Ar tos
.It Fl u Ar len
This option is used to specify the size of the field
in the
.Dv utmp
structure that holds the remote host name.
If the resolved host name is longer than
.Ar len ,
the dotted decimal value will be used instead.
This allows hosts with very long host names that
overflow this field to still be uniquely identified.
Specifying
.Fl u0
indicates that only dotted decimal addresses
should be put into the
.Pa utmp
file.
.It Fl U
This option causes
.Nm
to refuse connections from addresses that
cannot be mapped back into a symbolic name
via the
.Xr gethostbyaddr 3
routine.
.It Fl X Ar authtype
This option is only valid if
.Nm
has been built with support for the authentication option.
It disables the use of
.Ar authtype
authentication, and
can be used to temporarily disable
a specific authentication type without having to recompile
.Nm "" .
.El
.Pp
.Nm
operates by allocating a pseudo-terminal device (see
.Xr pty 4 )
for a client, then creating a login process which has
the slave side of the pseudo-terminal as
.Dv stdin ,
.Dv stdout
and
.Dv stderr .
.Nm
manipulates the master side of the pseudo-terminal,
implementing the
.Tn TELNET
protocol and passing characters
between the remote client and the login process.
.Pp
When a
.Tn TELNET
session is started up,
.Nm
sends
.Tn TELNET
options to the client side indicating
a willingness to do the
following
.Tn TELNET
options, which are described in more detail below:
.Bd -literal -offset indent
DO AUTHENTICATION
WILL ENCRYPT
DO TERMINAL TYPE
DO TSPEED
DO XDISPLOC
DO NEW-ENVIRON
DO ENVIRON
WILL SUPPRESS GO AHEAD
DO ECHO
DO LINEMODE
DO NAWS
WILL STATUS
DO LFLOW
DO TIMING-MARK
.Ed
.Pp
The pseudo-terminal allocated to the client is configured
to operate in \*(lqcooked\*(rq mode, and with
.Dv XTABS
and
.Dv CRMOD
enabled (see
.Xr tty 4 ) .
.Pp
.Nm
has support for enabling locally the following
.Tn TELNET
options:
.Bl -tag -width "DO AUTHENTICATION"
.It "WILL ECHO"
When the
.Dv LINEMODE
option is enabled, a
.Dv WILL ECHO
or
.Dv WONT ECHO
will be sent to the client to indicate the
current state of terminal echoing.
When terminal echo is not desired, a
.Dv WILL ECHO
is sent to indicate that
.Tn telnetd
will take care of echoing any data that needs to be
echoed to the terminal, and then nothing is echoed.
When terminal echo is desired, a
.Dv WONT ECHO
is sent to indicate that
.Tn telnetd
will not be doing any terminal echoing, so the
client should do any terminal echoing that is needed.
.It "WILL BINARY"
Indicates that the client is willing to send
8 bits of data, rather than the normal 7 bits
of the Network Virtual Terminal.
.It "WILL SGA"
Indicates that it will not be sending
.Dv IAC GA ,
go ahead, commands.
.It "WILL STATUS"
Indicates a willingness to send the client, upon
request, the current status of all
.Tn TELNET
options.
.It "WILL TIMING-MARK"
Whenever a
.Dv DO TIMING-MARK
command is received, it is always responded
to with a
.Dv WILL TIMING-MARK .
.It "WILL LOGOUT"
When a
.Dv DO LOGOUT
is received, a
.Dv WILL LOGOUT
is sent in response, and the
.Tn TELNET
session is shut down.
.It "WILL ENCRYPT"
Only sent if
.Nm
is compiled with support for data encryption, and
indicates a willingness to decrypt
the data stream.
.El
.Pp
.Nm
has support for enabling remotely the following
.Tn TELNET
options:
.Bl -tag -width "DO AUTHENTICATION"
.It "DO BINARY"
Sent to indicate that
.Tn telnetd
is willing to receive an 8 bit data stream.
.It "DO LFLOW"
Requests that the client handle flow control
characters remotely.
.It "DO ECHO"
This is not really supported, but is sent to identify a 4.2BSD
.Xr telnet 1
client, which will improperly respond with
.Dv WILL ECHO .
If a
.Dv WILL ECHO
is received, a
.Dv DONT ECHO
will be sent in response.
.It "DO TERMINAL-TYPE"
Indicates a desire to be able to request the
name of the type of terminal that is attached
to the client side of the connection.
.It "DO SGA"
Indicates that it does not need to receive
.Dv IAC GA ,
the go ahead command.
.It "DO NAWS"
Requests that the client inform the server when
the window (display) size changes.
.It "DO TERMINAL-SPEED"
Indicates a desire to be able to request information
about the speed of the serial line to which
the client is attached.
.It "DO XDISPLOC"
Indicates a desire to be able to request the name
of the X windows display that is associated with
the telnet client.
.It "DO NEW-ENVIRON"
Indicates a desire to be able to request environment
variable information, as described in RFC 1572.
.It "DO ENVIRON"
Indicates a desire to be able to request environment
variable information, as described in RFC 1408.
.It "DO LINEMODE"
Only sent if
.Nm
is compiled with support for linemode, and
requests that the client do line by line processing.
.It "DO TIMING-MARK"
Only sent if
.Nm
is compiled with support for both linemode and
kludge linemode, and the client responded with
.Dv WONT LINEMODE .
If the client responds with
.Dv WILL TM ,
then it is assumed that the client supports
kludge linemode.
Note that the
.Op Fl k
option can be used to disable this.
.It "DO AUTHENTICATION"
Only sent if
.Nm
is compiled with support for authentication, and
indicates a willingness to receive authentication
information for automatic login.
.It "DO ENCRYPT"
Only sent if
.Nm
is compiled with support for data encryption, and
indicates a willingness to decrypt
the data stream.
.El
.Sh ENVIRONMENT
.Sh FILES
.Pa /etc/services
.br
.Pa /etc/inittab
(UNICOS systems only)
.br
.Pa /etc/iptos
(if supported)
.br
.Sh "SEE ALSO"
.Xr telnet 1 ,
.Xr login 1
.Sh STANDARDS
.Bl -tag -compact -width RFC-1572
.It Cm RFC-854
.Tn TELNET
PROTOCOL SPECIFICATION
.It Cm RFC-855
TELNET OPTION SPECIFICATIONS
.It Cm RFC-856
TELNET BINARY TRANSMISSION
.It Cm RFC-857
TELNET ECHO OPTION
.It Cm RFC-858
TELNET SUPPRESS GO AHEAD OPTION
.It Cm RFC-859
TELNET STATUS OPTION
.It Cm RFC-860
TELNET TIMING MARK OPTION
.It Cm RFC-861
TELNET EXTENDED OPTIONS - LIST OPTION
.It Cm RFC-885
TELNET END OF RECORD OPTION
.It Cm RFC-1073
Telnet Window Size Option
.It Cm RFC-1079
Telnet Terminal Speed Option
.It Cm RFC-1091
Telnet Terminal-Type Option
.It Cm RFC-1096
Telnet X Display Location Option
.It Cm RFC-1123
Requirements for Internet Hosts -- Application and Support
.It Cm RFC-1184
Telnet Linemode Option
.It Cm RFC-1372
Telnet Remote Flow Control Option
.It Cm RFC-1416
Telnet Authentication Option
.It Cm RFC-1411
Telnet Authentication: Kerberos Version 4
.It Cm RFC-1412
Telnet Authentication: SPX
.It Cm RFC-1571
Telnet Environment Option Interoperability Issues
.It Cm RFC-1572
Telnet Environment Option
.El
.Sh BUGS
Some
.Tn TELNET
commands are only partially implemented.
.Pp
Because of bugs in the original 4.2 BSD
.Xr telnet 1 ,
.Nm
performs some dubious protocol exchanges to try to discover if the remote
client is, in fact, a 4.2 BSD
.Xr telnet 1 .
.Pp
Binary mode
has no common interpretation except between similar operating systems
(Unix in this case).
.Pp
The terminal type name received from the remote client is converted to
lower case.
.Pp
.Nm
never sends
.Tn TELNET
.Dv IAC GA
(go ahead) commands.
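The option exchanges this page describes (the WILL TIMING-MARK and WILL LOGOUT replies, the DONT ECHO answer to the 4.2BSD client mentioned under BUGS, and the DO TIMING-MARK heuristic for kludge linemode that -k disables) traced in code. This is an added example, not NetBSD's telnetd source: the Negotiator class and its kludge_probe parameter are this example's own names, and it handles only IAC DO/DONT/WILL/WONT triples, not subnegotiation bodies.

```python
# Added example, not NetBSD's telnetd source: a minimal responder for the
# option exchanges telnetd(8) describes, usable to trace a negotiation
# offline.  Option numbers are the IANA-assigned TELNET option codes.
IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251   # RFC 854 commands
ECHO, TM, LOGOUT, LINEMODE = 1, 6, 18, 34             # option codes


class Negotiator:
    def __init__(self, kludge_probe=True):
        # kludge_probe=False models the -k flag: do not answer a WONT
        # LINEMODE with the DO TIMING-MARK probe for kludge linemode.
        self.kludge_probe = kludge_probe
        self.probe_sent = False
        self.kludge_linemode = False
        self.closed = False

    def reply(self, cmd, opt):
        """Bytes telnetd sends back for one IAC <cmd> <opt> triple."""
        if cmd == DO and opt == TM:           # always acknowledged
            return bytes([IAC, WILL, TM])
        if cmd == DO and opt == LOGOUT:       # acknowledged, session ends
            self.closed = True
            return bytes([IAC, WILL, LOGOUT])
        if cmd == WILL and opt == ECHO:       # 4.2BSD telnet(1) quirk
            return bytes([IAC, DONT, ECHO])
        if cmd == WONT and opt == LINEMODE and self.kludge_probe:
            self.probe_sent = True            # start the heuristic
            return bytes([IAC, DO, TM])
        if cmd == WILL and opt == TM and self.probe_sent:
            self.kludge_linemode = True       # client passed the heuristic
        return b""                            # other options: no reply here

    def feed(self, data):
        """Scan one received chunk for IAC commands; return all replies."""
        out = bytearray()
        i = 0
        while i < len(data):
            if data[i] != IAC:
                i += 1                        # ordinary data byte
            elif i + 1 < len(data) and data[i + 1] == IAC:
                i += 2                        # escaped 0xff data byte
            elif i + 1 < len(data) and data[i + 1] < WILL:
                i += 2                        # two-byte command (NOP, GA..);
            elif i + 2 >= len(data):          # SB bodies are not parsed
                break                         # truncated; a server buffers
            else:
                out += self.reply(data[i + 1], data[i + 2])
                i += 3
        return bytes(out)
```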