.\" Copyright (c) 1983, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"	This product includes software developed by the University of
.\"	California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"	@(#)telnetd.8	8.4 (Berkeley) 6/1/94
.\" $FreeBSD: src/crypto/telnet/telnetd/telnetd.8,v 1.5.2.6 2002/04/13 10:59:09 markm Exp $
.\" $DragonFly: src/crypto/telnet/telnetd/telnetd.8,v 1.2 2003/06/17 04:24:37 dillon Exp $
.\"
.Dd July 27, 2009
.Dt TELNETD 8
.Os
.Sh NAME
.Nm telnetd
.Nd DARPA
.Tn TELNET
protocol server
.Sh SYNOPSIS
.Nm /usr/libexec/telnetd
.\".Op Fl BUhlkn
.Op Fl Uhlkn
.Op Fl D Ar debugmode
.Op Fl S Ar tos
.Op Fl X Ar authtype
.Op Fl a Ar authmode
.Op Fl edebug
.Op Fl p Ar loginprog
.Op Fl u Ar len
.Op Fl debug Op Ar port
.Sh DESCRIPTION
The
.Nm
command is a server which supports the
.Tn DARPA
standard
.Tn TELNET
virtual terminal protocol.
.Nm Telnetd
is normally invoked by the internet server (see
.Xr inetd 8 )
for requests to connect to the
.Tn TELNET
port as indicated by the
.Pa /etc/services
file (see
.Xr services 5 ) .
The
.Fl debug
option may be used to start up
.Nm
manually, instead of through
.Xr inetd 8 .
If started up this way,
.Ar port
may be specified to run
.Nm
on an alternate
.Tn TCP
port number.
.Pp
The
.Nm
command accepts the following options:
.Bl -tag -width indent
.It Fl a Ar authmode
This option may be used for specifying what mode should
be used for authentication.
Note that this option is only useful if
.Nm
has been compiled with support for the
.Dv AUTHENTICATION
option.
There are several valid values for
.Ar authmode :
.Bl -tag -width debug
.It Cm debug
Turn on authentication debugging code.
.It Cm user
Only allow connections when the remote user
can provide valid authentication information
to identify the remote user,
and is allowed access to the specified account
without providing a password.
.It Cm valid
Only allow connections when the remote user
can provide valid authentication information
to identify the remote user.
The
.Xr login 1
command will provide any additional user verification
needed if the remote user is not allowed automatic
access to the specified account.
.It Cm other
Only allow connections that supply some authentication information.
This option is currently not supported
by any of the existing authentication mechanisms,
and is thus the same as specifying
.Fl a
.Cm valid .
.It Cm none
This is the default state.
Authentication information is not required.
If no or insufficient authentication information
is provided, then the
.Xr login 1
program will provide the necessary user
verification.
.It Cm off
Disable the authentication code.
All user verification will happen through the
.Xr login 1
program.
.El
.\".It Fl B
.\"Specify bftp server mode.
.\"In this mode,
.\".Nm
.\"causes login to start a
.\".Xr bftp 1
.\"session rather than the user's normal shell.
.\"In bftp daemon mode normal logins are not supported, and it must be used
.\"on a port other than the normal
.\".Tn TELNET
.\"port.
.It Fl D Ar debugmode
This option may be used for debugging purposes.
This allows
.Nm
to print out debugging information
to the connection, allowing the user to see what
.Nm
is doing.
There are several possible values for
.Ar debugmode :
.Bl -tag -width exercise
.It Cm options
Print information about the negotiation of
.Tn TELNET
options.
.It Cm report
Print the
.Cm options
information, plus some additional information
about what processing is going on.
.It Cm netdata
Display the data stream received by
.Nm .
.It Cm ptydata
Display data written to the pty.
.It Cm exercise
Has not been implemented yet.
.El
.It Fl debug
Enable debugging on each socket created by
.Nm
(see
.Dv SO_DEBUG
in
.Xr socket 2 ) .
.It Fl edebug
If
.Nm
has been compiled with support for data encryption, then the
.Fl edebug
option may be used to enable encryption debugging code.
.It Fl h
Disable the printing of host-specific information before
login has been completed.
.It Fl k
This option is only useful if
.Nm
has been compiled with both linemode and kludge linemode
support.
If the
.Fl k
option is specified, then if the remote client does not
support the
.Dv LINEMODE
option, then
.Nm
will operate in character at a time mode.
It will still support kludge linemode, but will only
go into kludge linemode if the remote client requests
it.
(This is done by the client sending
.Dv DONT SUPPRESS-GO-AHEAD
and
.Dv DONT ECHO . )
The
.Fl k
option is most useful when there are remote clients
that do not support kludge linemode, but pass the heuristic
(if they respond with
.Dv WILL TIMING-MARK
in response to a
.Dv DO TIMING-MARK )
for kludge linemode support.
.It Fl l
Specify line mode.
Try to force clients to use line-at-a-time mode.
If the
.Dv LINEMODE
option is not supported, it will go
into kludge linemode.
.It Fl n
Disable
.Dv TCP
keep-alives.
Normally
.Nm
enables the
.Tn TCP
keep-alive mechanism to probe connections that
have been idle for some period of time to determine
if the client is still there, so that idle connections
from machines that have crashed or can no longer
be reached may be cleaned up.
.It Fl p Ar loginprog
Specify an alternate
.Xr login 1
command to run to complete the login.
The alternate command must
understand the same command arguments as the standard login.
.It Fl S Ar tos
.It Fl u Ar len
This option is used to specify the size of the field
in the
.Dv utmp
structure that holds the remote host name.
If the resolved host name is longer than
.Ar len ,
the dotted decimal value will be used instead.
This allows hosts with very long host names that
overflow this field to still be uniquely identified.
Specifying
.Fl u0
indicates that only dotted decimal addresses
should be put into the
.Pa utmp
file.
.It Fl U
This option causes
.Nm
to refuse connections from addresses that
cannot be mapped back into a symbolic name
via the
.Xr gethostbyaddr 3
routine.
.It Fl X Ar authtype
This option is only valid if
.Nm
has been built with support for the authentication option.
It disables the use of
.Ar authtype
authentication, and
can be used to temporarily disable
a specific authentication type without having to recompile
.Nm .
.El
.Pp
.Nm Telnetd
operates by allocating a pseudo-terminal device (see
.Xr pty 4 )
for a client, then creating a login process which has
the slave side of the pseudo-terminal as
.Dv stdin ,
.Dv stdout
and
.Dv stderr .
.Nm Telnetd
manipulates the master side of the pseudo-terminal,
implementing the
.Tn TELNET
protocol and passing characters
between the remote client and the login process.
.Pp
When a
.Tn TELNET
session is started up,
.Nm
sends
.Tn TELNET
options to the client side indicating
a willingness to do the
following
.Tn TELNET
options, which are described in more detail below:
.Bd -literal -offset indent
DO AUTHENTICATION
WILL ENCRYPT
DO TERMINAL TYPE
DO TSPEED
DO XDISPLOC
DO NEW-ENVIRON
DO ENVIRON
WILL SUPPRESS GO AHEAD
DO ECHO
DO LINEMODE
DO NAWS
WILL STATUS
DO LFLOW
DO TIMING-MARK
.Ed
.Pp
The pseudo-terminal allocated to the client is configured
to operate in
.Dq cooked
mode, and with
.Dv XTABS
and
.Dv CRMOD
enabled (see
.Xr tty 4 ) .
.Pp
.Nm Telnetd
has support for enabling locally the following
.Tn TELNET
options:
.Bl -tag -width "DO AUTHENTICATION"
.It "WILL ECHO"
When the
.Dv LINEMODE
option is enabled, a
.Dv WILL ECHO
or
.Dv WONT ECHO
will be sent to the client to indicate the
current state of terminal echoing.
When terminal echo is not desired, a
.Dv WILL ECHO
is sent to indicate that
.Nm
will take care of echoing any data that needs to be
echoed to the terminal, and then nothing is echoed.
When terminal echo is desired, a
.Dv WONT ECHO
is sent to indicate that
.Nm
will not be doing any terminal echoing, so the
client should do any terminal echoing that is needed.
.It "WILL BINARY"
Indicate that the client is willing to send
8 bits of data, rather than the normal 7 bits
of the Network Virtual Terminal.
.It "WILL SGA"
Indicate that it will not be sending
.Dv IAC GA ,
go ahead, commands.
.It "WILL STATUS"
Indicate a willingness to send the client, upon
request, the current status of all
.Tn TELNET
options.
.It "WILL TIMING-MARK"
Whenever a
.Dv DO TIMING-MARK
command is received, it is always responded
to with a
.Dv WILL TIMING-MARK .
.It "WILL LOGOUT"
When a
.Dv DO LOGOUT
is received, a
.Dv WILL LOGOUT
is sent in response, and the
.Tn TELNET
session is shut down.
.It "WILL ENCRYPT"
Only sent if
.Nm
is compiled with support for data encryption, and
indicates a willingness to decrypt
the data stream.
.El
.Pp
.Nm Telnetd
has support for enabling remotely the following
.Tn TELNET
options:
.Bl -tag -width "DO AUTHENTICATION"
.It "DO BINARY"
Sent to indicate that
.Nm
is willing to receive an 8 bit data stream.
.It "DO LFLOW"
Requests that the client handle flow control
characters remotely.
.It "DO ECHO"
This is not really supported, but is sent to identify a
.Bx 4.2
.Xr telnet 1
client, which will improperly respond with
.Dv WILL ECHO .
If a
.Dv WILL ECHO
is received, a
.Dv DONT ECHO
will be sent in response.
.It "DO TERMINAL-TYPE"
Indicate a desire to be able to request the
name of the type of terminal that is attached
to the client side of the connection.
.It "DO SGA"
Indicate that it does not need to receive
.Dv IAC GA ,
the go ahead command.
.It "DO NAWS"
Requests that the client inform the server when
the window (display) size changes.
.It "DO TERMINAL-SPEED"
Indicate a desire to be able to request information
about the speed of the serial line to which
the client is attached.
.It "DO XDISPLOC"
Indicate a desire to be able to request the name
of the X Window System display that is associated with
the telnet client.
.It "DO NEW-ENVIRON"
Indicate a desire to be able to request environment
variable information, as described in RFC 1572.
.It "DO ENVIRON"
Indicate a desire to be able to request environment
variable information, as described in RFC 1408.
.It "DO LINEMODE"
Only sent if
.Nm
is compiled with support for linemode, and
requests that the client do line by line processing.
.It "DO TIMING-MARK"
Only sent if
.Nm
is compiled with support for both linemode and
kludge linemode, and the client responded with
.Dv WONT LINEMODE .
If the client responds with
.Dv WILL TM ,
then it is assumed that the client supports
kludge linemode.
Note that the
.Fl k
option can be used to disable this.
.It "DO AUTHENTICATION"
Only sent if
.Nm
is compiled with support for authentication, and
indicates a willingness to receive authentication
information for automatic login.
.It "DO ENCRYPT"
Only sent if
.Nm
is compiled with support for data encryption, and
indicates a willingness to decrypt
the data stream.
.El
.Sh NOTES
By default
.Nm
will read the
.Em \&he ,
.Em \&hn ,
and
.Em \&im
capabilities from
.Pa /etc/gettytab
and use that information (if present) to determine
what to display before the login: prompt.
You can also use a System V style
.Pa /etc/issue
file by using the
.Em \&if
capability, which will override
.Em \&im .
The information specified in either
.Em \&im
or
.Em \&if
will be displayed to both console and remote logins.
.\" .Sh ENVIRONMENT
.Sh FILES
.Bl -tag -width ".Pa /etc/services" -compact
.It Pa /etc/services
.It Pa /etc/gettytab
.It Pa /etc/iptos
(if supported)
.\".It Pa /usr/ucb/bftp
.\"(if supported)
.El
.Sh "SEE ALSO"
.\".Xr bftp 1 ,
.Xr login 1 ,
.Xr telnet 1
(if supported),
.Xr gettytab 5
.Sh STANDARDS
.Bl -tag -compact -width ".Cm RFC 1572"
.It Cm RFC 854
.Tn TELNET
PROTOCOL SPECIFICATION
.It Cm RFC 855
TELNET OPTION SPECIFICATIONS
.It Cm RFC 856
TELNET BINARY TRANSMISSION
.It Cm RFC 857
TELNET ECHO OPTION
.It Cm RFC 858
TELNET SUPPRESS GO AHEAD OPTION
.It Cm RFC 859
TELNET STATUS OPTION
.It Cm RFC 860
TELNET TIMING MARK OPTION
.It Cm RFC 861
TELNET EXTENDED OPTIONS - LIST OPTION
.It Cm RFC 885
TELNET END OF RECORD OPTION
.It Cm RFC 1073
Telnet Window Size Option
.It Cm RFC 1079
Telnet Terminal Speed Option
.It Cm RFC 1091
Telnet Terminal-Type Option
.It Cm RFC 1096
Telnet X Display Location Option
.It Cm RFC 1123
Requirements for Internet Hosts -- Application and Support
.It Cm RFC 1184
Telnet Linemode Option
.It Cm RFC 1372
Telnet Remote Flow Control Option
.It Cm RFC 1416
Telnet Authentication Option
.It Cm RFC 1411
Telnet Authentication: Kerberos Version 4
.It Cm RFC 1412
Telnet Authentication: SPX
.It Cm RFC 1571
Telnet Environment Option Interoperability Issues
.It Cm RFC 1572
Telnet Environment Option
.El
.Sh HISTORY
IPv6 support was added by the WIDE/KAME project.
.Sh BUGS
Some
.Tn TELNET
commands are only partially implemented.
.Pp
Because of bugs in the original
.Bx 4.2
.Xr telnet 1 ,
.Nm
performs some dubious protocol exchanges to try to discover if the remote
client is, in fact, a
.Bx 4.2
.Xr telnet 1 .
.Pp
Binary mode
has no common interpretation except between similar operating systems
(Unix in this case).
.Pp
The terminal type name received from the remote client is converted to
lower case.
.Pp
.Nm Telnetd
never sends
.Tn TELNET
.Dv IAC GA
(go ahead) commands.