1.\" Copyright (c) 1985, 1991, 1993, 1994 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. All advertising materials mentioning features or use of this software 13.\" must display the following acknowledgement: 14.\" This product includes software developed by the University of 15.\" California, Berkeley and its contributors. 16.\" 4. Neither the name of the University nor the names of its contributors 17.\" may be used to endorse or promote products derived from this software 18.\" without specific prior written permission. 19.\" 20.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30.\" SUCH DAMAGE. 31.\" 32.\" from: @(#)inetd.8 8.3 (Berkeley) 4/13/94 33.\" $FreeBSD: src/usr.sbin/inetd/inetd.8,v 1.46.2.13 2003/03/12 22:08:14 trhodes Exp $ 34.\" $DragonFly: src/usr.sbin/inetd/inetd.8,v 1.3 2007/11/23 23:16:37 swildner Exp $ 35.\" 36.Dd February 7, 1996 37.Dt INETD 8 38.Os 39.Sh NAME 40.Nm inetd 41.Nd internet 42.Dq super-server 43.Sh SYNOPSIS 44.Nm 45.Op Fl d 46.Op Fl l 47.Op Fl w 48.Op Fl W 49.Op Fl c Ar maximum 50.Op Fl C Ar rate 51.Op Fl a Ar address | hostname 52.Op Fl p Ar filename 53.Op Fl R Ar rate 54.Op Fl s Ar maximum 55.Op Ar configuration file 56.Sh DESCRIPTION 57The 58.Nm 59utility should be run at boot time by 60.Pa /etc/rc 61(see 62.Xr rc 8 ) . 63It then listens for connections on certain 64internet sockets. When a connection is found on one 65of its sockets, it decides what service the socket 66corresponds to, and invokes a program to service the request. 67The server program is invoked with the service socket 68as its standard input, output and error descriptors. 69After the program is 70finished, 71.Nm 72continues to listen on the socket (except in some cases which 73will be described below). Essentially, 74.Nm 75allows running one daemon to invoke several others, 76reducing load on the system. 77.Pp 78The following options are available: 79.Bl -tag -width indent 80.It Fl d 81Turn on debugging. 82.It Fl l 83Turn on logging of successful connections. 84.It Fl w 85Turn on TCP Wrapping for external services. 86See the 87.Sx "IMPLEMENTATION NOTES" 88section for more information on TCP Wrappers support. 89.It Fl W 90Turn on TCP Wrapping for internal services which are built in to 91.Nm . 92.It Fl c Ar maximum 93Specify the default maximum number of 94simultaneous invocations of each service; 95the default is unlimited. 96May be overridden on a per-service basis with the "max-child" 97parameter. 98.It Fl C Ar rate 99Specify the default maximum number of times a service can be invoked 100from a single IP address in one minute; the default is unlimited. 101May be overridden on a per-service basis with the 102"max-connections-per-ip-per-minute" parameter. 103.It Fl R Ar rate 104Specify the maximum number of times a service can be invoked 105in one minute; the default is 256. 106A rate of 0 allows an unlimited number of invocations. 107.It Fl s Ar maximum 108Specify the default maximum number of 109simultaneous invocations of each service from a single IP address; 110the default is unlimited. 111May be overridden on a per-service basis with the "max-child-per-ip" 112parameter. 113.It Fl a 114Specify one specific IP address to bind to. 115Alternatively, a hostname can be specified, 116in which case the IPv4 or IPv6 address 117which corresponds to that hostname is used. 118Usually a hostname is specified when 119.Nm 120is run inside a 121.Xr jail 8 , 122in which case the hostname corresponds to the 123.Xr jail 8 124environment. 125.Pp 126When hostname specification is used 127and both IPv4 and IPv6 bindings are desired, 128one entry with the appropriate 129.Em protocol 130type for each binding 131is required for each service in 132.Pa /etc/inetd.conf . 133For example, 134a TCP-based service would need two entries, 135one using 136.Dq tcp4 137for the 138.Em protocol 139and the other using 140.Dq tcp6 . 141See the explanation of the 142.Pa /etc/inetd.conf 143.Em protocol 144field below. 145.It Fl p 146Specify an alternate file in which to store the process ID. 147.El 148.Pp 149Upon execution, 150.Nm 151reads its configuration information from a configuration 152file which, by default, is 153.Pa /etc/inetd.conf . 154There must be an entry for each field of the configuration 155file, with entries for each field separated by a tab or 156a space. Comments are denoted by a 157.Dq # 158at the beginning 159of a line. There must be an entry for each field. The 160fields of the configuration file are as follows: 161.Pp 162.Bd -unfilled -offset indent -compact 163service name 164socket type 165protocol 166{wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]] 167user[:group][/login-class] 168server program 169server program arguments 170.Ed 171.Pp 172To specify an 173.Tn "ONC RPC" Ns -based 174service, the entry would contain these fields: 175.Pp 176.Bd -unfilled -offset indent -compact 177service name/version 178socket type 179rpc/protocol 180user[:group][/login-class] 181server program 182server program arguments 183.Ed 184.Pp 185There are two types of services that 186.Nm 187can start: standard and TCPMUX. 188A standard service has a well-known port assigned to it; 189it may be a service that implements an official Internet standard or is a 190.Bx Ns -specific 191service. 192As described in 193.Tn RFC 1078 , 194TCPMUX services are nonstandard services that do not have a 195well-known port assigned to them. 196They are invoked from 197.Nm 198when a program connects to the 199.Dq tcpmux 200well-known port and specifies 201the service name. 202This feature is useful for adding locally-developed servers. 203TCPMUX requests are only accepted when the multiplexor service itself 204is enabled, above and beyond and specific TCPMUX-based servers; see the 205discussion of internal services below. 206.Pp 207The 208.Em service-name 209entry is the name of a valid service in 210the file 211.Pa /etc/services , 212or the specification of a 213.Ux 214domain socket (see below). 215For 216.Dq internal 217services (discussed below), the service 218name 219should 220be the official name of the service (that is, the first entry in 221.Pa /etc/services ) . 222When used to specify an 223.Tn "ONC RPC" Ns -based 224service, this field is a valid RPC service name in 225the file 226.Pa /etc/rpc . 227The part on the right of the 228.Dq / 229is the RPC version number. 230This 231can simply be a single numeric argument or a range of versions. 232A range is bounded by the low version to the high version - 233.Dq rusers/1-3 . 234For TCPMUX services, the value of the 235.Em service-name 236field consists of the string 237.Dq tcpmux 238followed by a slash and the 239locally-chosen service name. 240The service names listed in 241.Pa /etc/services 242and the name 243.Dq help 244are reserved. 245Try to choose unique names for your TCPMUX services by prefixing them with 246your organization's name and suffixing them with a version number. 247.Pp 248The 249.Em socket-type 250should be one of 251.Dq stream , 252.Dq dgram , 253.Dq raw , 254.Dq rdm , 255or 256.Dq seqpacket , 257depending on whether the socket is a stream, datagram, raw, 258reliably delivered message, or sequenced packet socket. 259TCPMUX services must use 260.Dq stream . 261.Pp 262The 263.Em protocol 264must be a valid protocol or 265.Dq unix . 266Examples are 267.Dq tcp 268or 269.Dq udp , 270both of which imply IPv4 for backward compatibility. 271The names 272.Dq tcp4 273and 274.Dq udp4 275specify IPv4 only. 276The names 277.Dq tcp6 278and 279.Dq udp6 280specify IPv6 only. 281The names 282.Dq tcp46 283and 284.Dq udp46 285specify that the entry accepts both IPv4 and IPv6 connections 286via a wildcard 287.Dv AF_INET6 288socket. 289If it is desired that the service is reachable via T/TCP, one should 290specify 291.Dq tcp/ttcp , 292which implies IPv4 for backward compatibility. 293The name 294.Dq tcp4/ttcp 295specifies IPv4 only, while 296.Dq tcp6/ttcp 297specifies IPv6 only. 298The name 299.Dq tcp46/ttcp 300specify that the entry accepts both IPv6 and IPv6 connections 301via a wildcard 302.Dv AF_INET6 303socket. 304Rpc based services 305(for which only IPv4 is supported at this time) 306are specified with the 307.Dq rpc/tcp 308or 309.Dq rpc/udp 310service type. 311TCPMUX services must use 312.Dq tcp , 313.Dq tcp4 , 314.Dq tcp6 315or 316.Dq tcp46 . 317.Pp 318The 319.Em wait/nowait 320entry specifies whether the server that is invoked by 321.Nm 322will take over 323the socket associated with the service access point, and thus whether 324.Nm 325should wait for the server to exit before listening for new service 326requests. 327Datagram servers must use 328.Dq wait , 329as they are always invoked with the original datagram socket bound 330to the specified service address. 331These servers must read at least one datagram from the socket 332before exiting. 333If a datagram server connects 334to its peer, freeing the socket so 335.Nm 336can receive further messages on the socket, it is said to be 337a 338.Dq multi-threaded 339server; 340it should read one datagram from the socket and create a new socket 341connected to the peer. 342It should fork, and the parent should then exit 343to allow 344.Nm 345to check for new service requests to spawn new servers. 346Datagram servers which process all incoming datagrams 347on a socket and eventually time out are said to be 348.Dq single-threaded . 349.Xr Comsat 8 , 350.Pq Xr biff 1 351and 352.Xr talkd 8 353are both examples of the latter type of 354datagram server. 355.Xr Tftpd 8 356is an example of a multi-threaded datagram server. 357.Pp 358Servers using stream sockets generally are multi-threaded and 359use the 360.Dq nowait 361entry. 362Connection requests for these services are accepted by 363.Nm , 364and the server is given only the newly-accepted socket connected 365to a client of the service. 366Most stream-based services operate in this manner. 367Stream-based servers that use 368.Dq wait 369are started with the listening service socket, and must accept 370at least one connection request before exiting. 371Such a server would normally accept and process incoming connection 372requests until a timeout. 373TCPMUX services must use 374.Dq nowait . 375.Pp 376The maximum number of outstanding child processes (or 377.Dq threads ) 378for a 379.Dq nowait 380service may be explicitly specified by appending a 381.Dq / 382followed by the number to the 383.Dq nowait 384keyword. 385Normally 386(or if a value of zero is specified) there is no maximum. 387Otherwise, 388once the maximum is reached, further connection attempts will be 389queued up until an existing child process exits. 390This also works 391in the case of 392.Dq wait 393mode, although a value other than one (the 394default) might not make sense in some cases. 395You can also specify the maximum number of connections per minute 396for a given IP address by appending 397a 398.Dq / 399followed by the number to the maximum number of 400outstanding child processes. 401Once the maximum is reached, further 402connections from this IP address will be dropped until the end of the 403minute. 404In addition, you can specify the maximum number of simultaneous 405invocations of each service from a single IP address by appending a 406.Dq / 407followed by the number to the maximum number of outstanding child 408processes. Once the maximum is reached, further connections from this 409IP address will be dropped. 410.Pp 411The 412.Em user 413entry should contain the user name of the user as whom the server 414should run. This allows for servers to be given less permission 415than root. 416Optional 417.Em group 418part separated by 419.Dq \&: 420allows to specify group name different 421than default group for this user. 422Optional 423.Em login-class 424part separated by 425.Dq / 426allows to specify login class different 427than default 428.Dq daemon 429login class. 430.Pp 431The 432.Em server-program 433entry should contain the pathname of the program which is to be 434executed by 435.Nm 436when a request is found on its socket. If 437.Nm 438provides this service internally, this entry should 439be 440.Dq internal . 441.Pp 442The 443.Em server program arguments 444should be just as arguments 445normally are, starting with argv[0], which is the name of 446the program. If the service is provided internally, the 447.Em service-name 448of the service (and any arguments to it) or the word 449.Dq internal 450should take the place of this entry. 451.Pp 452Currently, the only internal service to take arguments is 453.Dq auth . 454Without options, the service will always return 455.Dq ERROR\ : HIDDEN-USER . 456The available arguments to this service that alter its behavior are: 457.Bl -tag -width indent 458.It Fl d Ar fallback 459Provide a 460.Ar fallback 461username. 462If the real 463.Dq auth 464service is enabled 465(with the 466.Fl r 467option discussed below), 468return this username instead of an error 469when lookups fail 470for either socket credentials or the username. 471If the real 472.Dq auth 473service is disabled, 474return this username for every request. 475This is primarily useful when running this service on a NAT machine. 476.It Fl g 477Instead of returning 478the user's name to the ident requester, 479report a 480username made up of random alphanumeric characters, 481e.g.\& 482.Dq c0c993 . 483The 484.Fl g 485flag overrides not only the user names, 486but also any fallback name, 487.Pa .fakeid 488or 489.Pa .noident 490files. 491.It Fl t Xo 492.Ar sec Ns Op . Ns Ar usec 493.Xc 494Specify a timeout for the service. 495The default timeout is 10.0 seconds. 496.It Fl r 497Offer a real 498.Dq auth 499service, as per RFC 1413. 500All the remaining flags apply only in this case. 501.It Fl i 502Return numeric user IDs instead of usernames. 503.It Fl f 504If the file 505.Pa .fakeid 506exists in the home directory of the identified user, report the username 507found in that file instead of the real username. 508If the username found in 509.Pa .fakeid 510is that of an existing user, 511then the real username is reported. 512If the 513.Fl i 514flag is also given then the username in 515.Pa .fakeid 516is checked against existing user IDs instead. 517.It Fl F 518same as 519.Fl f 520but without the restriction that the username in 521.Pa .fakeid 522must not match an existing user. 523.It Fl n 524If the file 525.Pa .noident 526exists in the home directory of the identified user, return 527.Dq ERROR\ : HIDDEN-USER . 528This overrides any 529.Pa fakeid 530file which might exist. 531.It Fl o Ar osname 532Use 533.Ar osname 534instead of the name of the system as reported by 535.Xr uname 3 . 536.El 537.Pp 538The 539.Nm 540utility also provides several other 541.Dq trivial 542services internally by use of 543routines within itself. These services are 544.Dq echo , 545.Dq discard , 546.Dq chargen 547(character generator), 548.Dq daytime 549(human readable time), and 550.Dq time 551(machine readable time, in the form of the number of seconds since 552midnight, January 1, 1900). All of these services are available in 553both TCP and UDP versions; the UDP versions will refuse service if the 554request specifies a reply port corresponding to any internal service. 555(This is done as a defense against looping attacks; the remote IP address 556is logged.) 557For details of these services, consult the 558appropriate 559.Tn RFC 560document. 561.Pp 562The TCPMUX-demultiplexing service is also implemented as an internal service. 563For any TCPMUX-based service to function, the following line must be included 564in 565.Pa inetd.conf : 566.Bd -literal -offset indent 567tcpmux stream tcp nowait root internal 568.Ed 569.Pp 570When given the 571.Fl l 572option 573.Nm 574will log an entry to syslog each time a connection is accepted, noting the 575service selected and the IP-number of the remote requester if available. 576Unless otherwise specified in the configuration file, 577and in the absence of the 578.Fl W 579and 580.Fl w 581options, 582.Nm 583will log to the 584.Dq daemon 585facility. 586.Pp 587The 588.Nm 589utility rereads its configuration file when it receives a hangup signal, 590.Dv SIGHUP . 591Services may be added, deleted or modified when the configuration file 592is reread. 593Except when started in debugging mode, 594.Nm 595records its process ID in the file 596.Pa /var/run/inetd.pid 597to assist in reconfiguration. 598.Sh IMPLEMENTATION NOTES 599.Ss TCP Wrappers 600When given the 601.Fl w 602option, 603.Nm 604will wrap all services specified as 605.Dq stream nowait 606or 607.Dq dgram 608except for 609.Dq internal 610services. 611If the 612.Fl W 613option is given, such 614.Dq internal 615services will be wrapped. 616If both options are given, wrapping for both 617internal and external services will be enabled. 618Either wrapping option 619will cause failed connections to be logged to the 620.Dq auth 621syslog facility. 622Adding the 623.Fl l 624flag to the wrapping options will include successful connections in the 625logging to the 626.Dq auth 627facility. 628.Pp 629Note that 630.Nm 631only wraps requests for a 632.Dq wait 633service while no servers are available to service requests. 634Once a 635connection to such a service has been allowed, 636.Nm 637has no control 638over subsequent connections to the service until no more servers 639are left listening for connection requests. 640.Pp 641When wrapping is enabled, the 642.Pa tcpd 643daemon is not required, as that functionality is builtin. 644For more information on TCP Wrappers, see the relevant documentation 645.Pq Xr hosts_access 5 . 646When reading that document, keep in mind that 647.Dq internal 648services have no associated daemon name. 649Therefore, the service name 650as specified in 651.Pa inetd.conf 652should be used as the daemon name for 653.Dq internal 654services. 655.Ss TCPMUX 656.Tn RFC 1078 657describes the TCPMUX protocol: 658``A TCP client connects to a foreign host on TCP port 1. It sends the 659service name followed by a carriage-return line-feed <CRLF>. The 660service name is never case sensitive. The server replies with a 661single character indicating positive (+) or negative (\-) 662acknowledgment, immediately followed by an optional message of 663explanation, terminated with a <CRLF>. If the reply was positive, 664the selected protocol begins; otherwise the connection is closed.'' 665The program is passed the TCP connection as file descriptors 0 and 1. 666.Pp 667If the TCPMUX service name begins with a 668.Dq + , 669.Nm 670returns the positive reply for the program. 671This allows you to invoke programs that use stdin/stdout 672without putting any special server code in them. 673.Pp 674The special service name 675.Dq help 676causes 677.Nm 678to list TCPMUX services in 679.Pa inetd.conf . 680.Ss IPsec 681The implementation includes a tiny hack 682to support IPsec policy settings for each socket. 683A special form of comment line, starting with 684.Dq Li #@ , 685is interpreted as a policy specifier. 686Everything after the 687.Dq Li #@ 688will be used as an IPsec policy string, 689as described in 690.Xr ipsec_set_policy 3 . 691Each 692policy specifier is applied to all the following lines in 693.Pa inetd.conf 694until the next policy specifier. 695An empty policy specifier resets the IPsec policy. 696.Pp 697If an invalid IPsec policy specifier appears in 698.Pa inetd.conf , 699.Nm 700will provide an error message via the 701.Xr syslog 3 702interface and abort execution. 703.Ss Ux Domain Sockets 704In addition to running services on IP sockets, 705.Nm 706can also manage 707.Ux 708domain sockets. 709To do this you specify a 710.Em protocol 711of 712.Dq unix 713and specify the 714.Ux 715domain socket as the 716.Em service-name . 717The 718.Em service-type 719may be 720.Dq stream 721or 722.Dq dgram . 723The specification of the socket must be 724an absolute path name, 725optionally prefixed by an owner and mode 726of the form 727.Em :user:group:mode: . 728The specification: 729.Pp 730.Dl ":news:daemon:220:/var/run/sock" 731.Pp 732creates a socket owned 733by user 734.Dq news 735in group 736.Dq daemon 737with permissions allowing only that user and group to connect. 738The default owner is the user that 739.Nm 740is running as. 741The default mode only allows the socket's owner to connect. 742.Pp 743.Sy WARNING : 744while creating 745.Ux 746domain socket, 747.Nm 748must change the ownership and permissions on the socket. 749This can only be done securely if 750the directory in which the socket is created 751is writable only by root. 752Do 753.Em NOT 754use 755.Nm 756to create sockets in world writable directories, 757such as 758.Pa /tmp , 759instead use 760.Pa /var/run 761or a similar directory. 762.Pp 763Internal services may be run on 764.Ux 765domain sockets, in the usual way. 766In this case 767the name of the internal service 768is determined using 769the last component of the socket's pathname. 770.Sh "FILES" 771.Bl -tag -width /var/run/inetd.pid -compact 772.It Pa /etc/inetd.conf 773configuration file 774.It Pa /etc/rpc 775translation of service names to RPC program numbers 776.It Pa /etc/services 777translation of service names to port numbers 778.It Pa /var/run/inetd.pid 779the pid of the currently running 780.Nm 781.El 782.Sh "EXAMPLES" 783Here are several example service entries for the various types of services: 784.Bd -literal 785ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l 786ntalk dgram udp wait root /usr/libexec/ntalkd ntalkd 787telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd 788shell stream tcp46 nowait root /usr/libexec/rshd rshd 789tcpmux/+date stream tcp nowait guest /bin/date date 790tcpmux/phonebook stream tcp nowait guest /usr/local/bin/phonebook phonebook 791rstatd/1-3 dgram rpc/udp wait root /usr/libexec/rpc.rstatd rpc.rstatd 792/var/run/echo stream unix nowait root internal 793#@ ipsec ah/require 794chargen stream tcp nowait root internal 795#@ 796.Ed 797.Sh "ERROR MESSAGES" 798The 799.Nm 800server 801logs error messages using 802.Xr syslog 3 . 803Important error messages and their explanations are: 804.Pp 805.Bl -ohang -compact 806.It Xo 807.Ar service Ns / Ns Ar protocol 808.No "server failing (looping), service terminated." 809.Xc 810The number of requests for the specified service in the past minute 811exceeded the limit. 812The limit exists to prevent a broken program 813or a malicious user from swamping the system. 814This message may occur for several reasons: 815.Bl -enum -offset indent 816.It 817There are many hosts requesting the service within a short time period. 818.It 819A broken client program is requesting the service too frequently. 820.It 821A malicious user is running a program to invoke the service in 822a denial-of-service attack. 823.It 824The invoked service program has an error that causes clients 825to retry quickly. 826.El 827.Pp 828Use the 829.Fl R Ar rate 830option, 831as described above, to change the rate limit. 832Once the limit is reached, the service will be 833reenabled automatically in 10 minutes. 834.Pp 835.It Xo 836.Ar service Ns / Ns Ar protocol : 837.No \&No such user 838.Ar user , 839.No service ignored 840.Xc 841.It Xo 842.Ar service Ns / Ns Ar protocol : 843.No getpwnam : 844.Ar user : 845.No \&No such user 846.Xc 847No entry for 848.Ar user 849exists in the 850.Xr passwd 5 851database. 852The first message 853occurs when 854.Nm 855(re)reads the configuration file. 856The second message occurs when the 857service is invoked. 858.Pp 859.It Xo 860.Ar service : 861.No can't set uid 862.Ar uid 863.Xc 864.It Xo 865.Ar service : 866.No can't set gid 867.Ar gid 868.Xc 869The user or group ID for the entry's 870.Ar user 871field is invalid. 872.Pp 873.It "setsockopt(SO_PRIVSTATE): Operation not supported" 874The 875.Nm 876utility attempted to renounce the privileged state associated with a 877socket but was unable to. 878.El 879.Sh SEE ALSO 880.Xr ipsec_set_policy 3 , 881.Xr hosts_access 5 , 882.Xr hosts_options 5 , 883.Xr login.conf 5 , 884.Xr passwd 5 , 885.Xr rpc 5 , 886.Xr services 5 , 887.Xr comsat 8 , 888.Xr fingerd 8 , 889.Xr ftpd 8 , 890.Xr rexecd 8 , 891.Xr rlogind 8 , 892.Xr rpcbind 8 , 893.Xr rshd 8 , 894.Xr telnetd 8 , 895.Xr tftpd 8 896.Rs 897.%A Michael C. St. Johns 898.%T Identification Protocol 899.%O RFC 1413 900.Re 901.Sh HISTORY 902The 903.Nm 904utility appeared in 905.Bx 4.3 . 906TCPMUX is based on code and documentation by Mark Lottor. 907Support for 908.Tn "ONC RPC" 909based services is modeled after that 910provided by 911.Tn SunOS 9124.1. 913The IPsec hack was contributed by the KAME project in 1999. 914The 915.Fx 916TCP Wrappers support first appeared in 917.Fx 3.2 . 918