.\" Copyright (c) 1983, 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)telnetd.8 8.4 (Berkeley) 6/1/94
.\" $FreeBSD: src/crypto/telnet/telnetd/telnetd.8,v 1.5.2.6 2002/04/13 10:59:09 markm Exp $
.\"
.Dd September 10, 2019
.Dt TELNETD 8
.Os
.Sh NAME
.Nm telnetd
.Nd DARPA
.Tn TELNET
protocol server
.Sh SYNOPSIS
.Nm /usr/libexec/telnetd
.\".Op Fl BUhlkn
.Op Fl Uhlkn
.Op Fl D Ar debugmode
.Op Fl S Ar tos
.Op Fl X Ar authtype
.Op Fl a Ar authmode
.Op Fl edebug
.Op Fl p Ar loginprog
.Op Fl u Ar len
.Op Fl debug Op Ar port
.Sh DESCRIPTION
The
.Nm
command is a server which supports the
.Tn DARPA
standard
.Tn TELNET
virtual terminal protocol.
.Nm Telnetd
is normally invoked by the internet server (see
.Xr inetd 8 )
for requests to connect to the
.Tn TELNET
port as indicated by the
.Pa /etc/services
file (see
.Xr services 5 ) .
The
.Fl debug
option may be used to start up
.Nm
manually, instead of through
.Xr inetd 8 .
If started up this way,
.Ar port
may be specified to run
.Nm
on an alternate
.Tn TCP
port number.
.Pp
The
.Nm
command accepts the following options:
.Bl -tag -width indent
.It Fl a Ar authmode
This option may be used for specifying what mode should
be used for authentication.
Note that this option is only useful if
.Nm
has been compiled with support for the
.Dv AUTHENTICATION
option.
There are several valid values for
.Ar authmode :
.Bl -tag -width debug
.It Cm debug
Turn on authentication debugging code.
.It Cm user
Only allow connections when the remote user
can provide valid authentication information
to identify the remote user,
and is allowed access to the specified account
without providing a password.
.It Cm valid
Only allow connections when the remote user
can provide valid authentication information
to identify the remote user.
The
.Xr login 1
command will provide any additional user verification
needed if the remote user is not allowed automatic
access to the specified account.
.It Cm other
Only allow connections that supply some authentication information.
This option is currently not supported
by any of the existing authentication mechanisms,
and is thus the same as specifying
.Fl a
.Cm valid .
.It Cm none
This is the default state.
Authentication information is not required.
If no or insufficient authentication information
is provided, then the
.Xr login 1
program will provide the necessary user
verification.
.It Cm off
Disable the authentication code.
All user verification will happen through the
.Xr login 1
program.
.El
.\".It Fl B
.\"Specify bftp server mode.
.\"In this mode,
.\".Nm
.\"causes login to start a
.\".Xr bftp 1
.\"session rather than the user's normal shell.
.\"In bftp daemon mode normal logins are not supported, and it must be used
.\"on a port other than the normal
.\".Tn TELNET
.\"port.
.It Fl D Ar debugmode
This option may be used for debugging purposes.
This allows
.Nm
to print out debugging information
to the connection, allowing the user to see what
.Nm
is doing.
There are several possible values for
.Ar debugmode :
.Bl -tag -width exercise
.It Cm options
Print information about the negotiation of
.Tn TELNET
options.
.It Cm report
Print the
.Cm options
information, plus some additional information
about what processing is going on.
.It Cm netdata
Display the data stream received by
.Nm .
.It Cm ptydata
Display data written to the pty.
.It Cm exercise
Has not been implemented yet.
.El
.It Fl debug
Enable debugging on each socket created by
.Nm
(see
.Dv SO_DEBUG
in
.Xr socket 2 ) .
.It Fl edebug
If
.Nm
has been compiled with support for data encryption, then the
.Fl edebug
option may be used to enable encryption debugging code.
.It Fl h
Disable the printing of host-specific information before
login has been completed.
.It Fl k
This option is only useful if
.Nm
has been compiled with both linemode and kludge linemode
support.
If the
.Fl k
option is specified, then if the remote client does not
support the
.Dv LINEMODE
option, then
.Nm
will operate in character at a time mode.
It will still support kludge linemode, but will only
go into kludge linemode if the remote client requests
it.
(This is done by the client sending
.Dv DONT SUPPRESS-GO-AHEAD
and
.Dv DONT ECHO . )
The
.Fl k
option is most useful when there are remote clients
that do not support kludge linemode, but pass the heuristic
(if they respond with
.Dv WILL TIMING-MARK
in response to a
.Dv DO TIMING-MARK )
for kludge linemode support.
.It Fl l
Specify line mode.
Try to force clients to use line-at-a-time mode.
If the
.Dv LINEMODE
option is not supported, it will go
into kludge linemode.
.It Fl n
Disable
.Dv TCP
keep-alives.
Normally
.Nm
enables the
.Tn TCP
keep-alive mechanism to probe connections that
have been idle for some period of time to determine
if the client is still there, so that idle connections
from machines that have crashed or can no longer
be reached may be cleaned up.
.It Fl p Ar loginprog
Specify an alternate
.Xr login 1
command to run to complete the login.
The alternate command must
understand the same command arguments as the standard login.
.It Fl S Ar tos
.It Fl u Ar len
This option is provided for backward compatibility and has no effect.
.It Fl U
This option causes
.Nm
to refuse connections from addresses that
cannot be mapped back into a symbolic name
via the
.Xr gethostbyaddr 3
routine.
.It Fl X Ar authtype
This option is only valid if
.Nm
has been built with support for the authentication option.
It disables the use of
.Ar authtype
authentication, and
can be used to temporarily disable
a specific authentication type without having to recompile
.Nm .
.El
.Pp
.Nm Telnetd
operates by allocating a pseudo-terminal device (see
.Xr pty 4 )
for a client, then creating a login process which has
the slave side of the pseudo-terminal as
.Dv stdin ,
.Dv stdout
and
.Dv stderr .
.Nm Telnetd
manipulates the master side of the pseudo-terminal,
implementing the
.Tn TELNET
protocol and passing characters
between the remote client and the login process.
.Pp
When a
.Tn TELNET
session is started up,
.Nm
sends
.Tn TELNET
options to the client side indicating
a willingness to do the
following
.Tn TELNET
options, which are described in more detail below:
.Bd -literal -offset indent
DO AUTHENTICATION
WILL ENCRYPT
DO TERMINAL TYPE
DO TSPEED
DO XDISPLOC
DO NEW-ENVIRON
DO ENVIRON
WILL SUPPRESS GO AHEAD
DO ECHO
DO LINEMODE
DO NAWS
WILL STATUS
DO LFLOW
DO TIMING-MARK
.Ed
.Pp
The pseudo-terminal allocated to the client is configured
to operate in
.Dq cooked
mode, and with
.Dv XTABS
and
.Dv CRMOD
enabled (see
.Xr tty 4 ) .
.Pp
.Nm Telnetd
has support for enabling locally the following
.Tn TELNET
options:
.Bl -tag -width "DO AUTHENTICATION"
.It "WILL ECHO"
When the
.Dv LINEMODE
option is enabled, a
.Dv WILL ECHO
or
.Dv WONT ECHO
will be sent to the client to indicate the
current state of terminal echoing.
When terminal echo is not desired, a
.Dv WILL ECHO
is sent to indicate that
.Nm
will take care of echoing any data that needs to be
echoed to the terminal, and then nothing is echoed.
When terminal echo is desired, a
.Dv WONT ECHO
is sent to indicate that
.Nm
will not be doing any terminal echoing, so the
client should do any terminal echoing that is needed.
.It "WILL BINARY"
Indicate that the client is willing to send
8 bits of data, rather than the normal 7 bits
of the Network Virtual Terminal.
.It "WILL SGA"
Indicate that it will not be sending
.Dv IAC GA ,
go ahead, commands.
.It "WILL STATUS"
Indicate a willingness to send the client, upon
request, the current status of all
.Tn TELNET
options.
.It "WILL TIMING-MARK"
Whenever a
.Dv DO TIMING-MARK
command is received, it is always responded
to with a
.Dv WILL TIMING-MARK .
.It "WILL LOGOUT"
When a
.Dv DO LOGOUT
is received, a
.Dv WILL LOGOUT
is sent in response, and the
.Tn TELNET
session is shut down.
.It "WILL ENCRYPT"
Only sent if
.Nm
is compiled with support for data encryption, and
indicates a willingness to decrypt
the data stream.
.El
.Pp
.Nm Telnetd
has support for enabling remotely the following
.Tn TELNET
options:
.Bl -tag -width "DO AUTHENTICATION"
.It "DO BINARY"
Sent to indicate that
.Nm
is willing to receive an 8 bit data stream.
.It "DO LFLOW"
Requests that the client handle flow control
characters remotely.
.It "DO ECHO"
This is not really supported, but is sent to identify a
.Bx 4.2
.Xr telnet 1
client, which will improperly respond with
.Dv WILL ECHO .
If a
.Dv WILL ECHO
is received, a
.Dv DONT ECHO
will be sent in response.
.It "DO TERMINAL-TYPE"
Indicate a desire to be able to request the
name of the type of terminal that is attached
to the client side of the connection.
.It "DO SGA"
Indicate that it does not need to receive
.Dv IAC GA ,
the go ahead command.
.It "DO NAWS"
Requests that the client inform the server when
the window (display) size changes.
.It "DO TERMINAL-SPEED"
Indicate a desire to be able to request information
about the speed of the serial line to which
the client is attached.
.It "DO XDISPLOC"
Indicate a desire to be able to request the name
of the X Window System display that is associated with
the telnet client.
.It "DO NEW-ENVIRON"
Indicate a desire to be able to request environment
variable information, as described in RFC 1572.
.It "DO ENVIRON"
Indicate a desire to be able to request environment
variable information, as described in RFC 1408.
.It "DO LINEMODE"
Only sent if
.Nm
is compiled with support for linemode, and
requests that the client do line by line processing.
.It "DO TIMING-MARK"
Only sent if
.Nm
is compiled with support for both linemode and
kludge linemode, and the client responded with
.Dv WONT LINEMODE .
If the client responds with
.Dv WILL TM ,
then it is assumed that the client supports
kludge linemode.
Note that the
.Op Fl k
option can be used to disable this.
.It "DO AUTHENTICATION"
Only sent if
.Nm
is compiled with support for authentication, and
indicates a willingness to receive authentication
information for automatic login.
.It "DO ENCRYPT"
Only sent if
.Nm
is compiled with support for data encryption, and
indicates a willingness to decrypt
the data stream.
.El
.Sh NOTES
By default
.Nm
will read the
.Em \&he ,
.Em \&hn ,
and
.Em \&im
capabilities from
.Pa /etc/gettytab
and use that information (if present) to determine
what to display before the login: prompt.
You can also use a System V style
.Pa /etc/issue
file by using the
.Em \&if
capability, which will override
.Em \&im .
The information specified in either
.Em \&im
or
.Em \&if
will be displayed to both console and remote logins.
.\" .Sh ENVIRONMENT
.Sh FILES
.Bl -tag -width ".Pa /etc/services" -compact
.It Pa /etc/services
.It Pa /etc/gettytab
.It Pa /etc/iptos
(if supported)
.\".It Pa /usr/ucb/bftp
.\"(if supported)
.El
.Sh "SEE ALSO"
.\".Xr bftp 1 ,
.Xr login 1 ,
.Xr telnet 1
(if supported),
.Xr gettytab 5
.Sh STANDARDS
.Bl -tag -compact -width ".Cm RFC 1572"
.It Cm RFC 854
.Tn TELNET
PROTOCOL SPECIFICATION
.It Cm RFC 855
TELNET OPTION SPECIFICATIONS
.It Cm RFC 856
TELNET BINARY TRANSMISSION
.It Cm RFC 857
TELNET ECHO OPTION
.It Cm RFC 858
TELNET SUPPRESS GO AHEAD OPTION
.It Cm RFC 859
TELNET STATUS OPTION
.It Cm RFC 860
TELNET TIMING MARK OPTION
.It Cm RFC 861
TELNET EXTENDED OPTIONS - LIST OPTION
.It Cm RFC 885
TELNET END OF RECORD OPTION
.It Cm RFC 1073
Telnet Window Size Option
.It Cm RFC 1079
Telnet Terminal Speed Option
.It Cm RFC 1091
Telnet Terminal-Type Option
.It Cm RFC 1096
Telnet X Display Location Option
.It Cm RFC 1123
Requirements for Internet Hosts -- Application and Support
.It Cm RFC 1184
Telnet Linemode Option
.It Cm RFC 1372
Telnet Remote Flow Control Option
.It Cm RFC 1416
Telnet Authentication Option
.It Cm RFC 1411
Telnet Authentication: Kerberos Version 4
.It Cm RFC 1412
Telnet Authentication: SPX
.It Cm RFC 1571
Telnet Environment Option Interoperability Issues
.It Cm RFC 1572
Telnet Environment Option
.El
.Sh HISTORY
IPv6 support was added by the WIDE/KAME project.
.Sh BUGS
Some
.Tn TELNET
commands are only partially implemented.
.Pp
Because of bugs in the original
.Bx 4.2
.Xr telnet 1 ,
.Nm
performs some dubious protocol exchanges to try to discover if the remote
client is, in fact, a
.Bx 4.2
.Xr telnet 1 .
.Pp
Binary mode
has no common interpretation except between similar operating systems
(Unix in this case).
.Pp
The terminal type name received from the remote client is converted to
lower case.
.Pp
.Nm Telnetd
never sends
.Tn TELNET
.Dv IAC GA
(go ahead) commands.