telnetd(1M) telnetd(1M)
NAME [Toc] [Back]
telnetd - TELNET protocol server
SYNOPSIS [Toc] [Back]
/usr/lbin/telnetd [-A] [-a authmode] [-b [bannerfile]] [-f] [-n] [-s]
[-t] [-y] [-z] [-TCP_DELAY]
DESCRIPTION [Toc] [Back]
The telnetd daemon executes a server that supports the DARPA standard
TELNET virtual terminal protocol. The Internet daemon (inetd)
executes telnetd when it receives a service request at the port listed
in the services database for telnet using the tcp protocol (see
inetd(1M) and services(4)).
telnetd operates by allocating a Telnet pseudo-terminal device (see
tels(7)) for a client, then creating a login process, which has the
slave side of the Telnet pseudo-terminal as stdin, stdout, and stderr.
telnetd manipulates the master side of the Telnet pseudo-terminal,
implementing the TELNET protocol, and passing characters between the
client and login process.
Note: telnetd no longer uses pty(7) devices; instead it uses
special devices created for TELNET sessions only. For more
information, see tels(7).
When a TELNET session is started up, telnetd sends TELNET options to
the client side, indicating a willingness to do remote echo of
characters, to suppress go ahead, and to receive terminal speed
terminal type, and authentication (if kerberos is enabled) information
from the remote client. If the remote client is ready, the remote
terminal type is propagated in the environment of the created login
process. The pseudo-terminal allocated to the client is configured as
a normal terminal for login, with the exception of echoing characters
(see tty(7)).
telnetd is willing to do: echo, binary, suppress go ahead, and
timing mark.
telnetd is willing to have the remote client do: binary, flow
control, terminal speed, terminal type, suppress go ahead and
authentication (if kerberos is enabled).
The flow control option permits applications running on a remote host
to toggle the flow control on the local host. To toggle flow control
for a telnet session programmatically, the application program must
first call the tcgetattr function to get the current termios settings.
For example,
tcgetattr(filedes, &termios_p)
Hewlett-Packard Company - 1 - HP-UX 11i Version 2: August 2003
telnetd(1M) telnetd(1M)
Then, the c_iflag of the termios structure must have IXON set(reset)
to enable(disable) flow control.
Finally, the tcsetattr function call can implement the change. For
example,
tcsetattr(filedes, TCSANOW, &termios_p)
To toggle the flow control interactively, the user can issue a stty
command using the input options -ixon to disable, or ixon to enable
flow control. See the stty(1) manpage.
The terminal speed option permits applications running on a remote
host to obtain the terminal speed of the local host session using
either ioctl or stty.
The telnet server also supports the TAC User ID (also known as the TAC
Access Control System, or TACACS User ID) option using which, users
telneting to two or more consenting hosts may avoid going through a
second login sequence. See the -t option below.
To start telnetd from the Internet daemon, the configuration file
/etc/inetd.conf must contain an entry as follows:
telnet stream tcp nowait root /usr/lbin/telnetd telnetd
The above configuration applies only for the IPv4 environment. For
telnetd to work in the IPv6 environment, the configuration file
/etc/inetd.conf must contain a tcp6 entry as follows:
telnet stream tcp6 nowait root /usr/lbin/telnetd telnetd
Note: The tcp entry has changed to tcp6 to work in the IPv6
environment.
telnet uses the same files as rlogin to verify participating systems
and authorized users, hosts.equiv and .rhosts. (See hosts.equiv(4)
and the Managing Systems and Workgroups manual for configuration
details.)
Options [Toc] [Back]
telnetd has the following options.
-b [bannerfile] Specify a file containing a custom banner. This
option overrides the standard telnetd login
banner. For example, to use /etc/issue as the
login banner, have inetd start telnetd with the
following lines in /etc/inetd.conf (\ provides
line continuation):
Hewlett-Packard Company - 2 - HP-UX 11i Version 2: August 2003
telnetd(1M) telnetd(1M)
telnet stream tcp nowait root /usr/lbin/telnetd \
telnetd -b/etc/issue
To work in the IPv6 environment, the entry in
/etc/inetd.conf would be:
telnet stream tcp6 nowait root /usr/lbin/telnetd \
telnetd -b/etc/issue
Note: tcp has changed to tcp6 for IPv6.
If bannerfile is not specified, telnetd does not
print a login banner.
-n Set the time-out value for the initial option
negotiation in the /etc/inetd.conf file as:
telnet stream tcp nowait root /usr/lbin/telnetd \
telnetd -n240
This option informs telnetd how long it should
wait before timing out and exiting if it does not
receive either a positive or negative reply for
any of the initial option negotiations. The
time-out value is measured in seconds. This
option is set with integer values. The values
range between 1 and 21474836. The default value
is 120 seconds.
There should not be any space between the -n
option and the time-out value. For example, -
n240.
To work in the IPv6 environment, the entry in
/etc/inetd.conf would be:
telnet stream tcp6 nowait root /usr/lbin/telnetd \
telnetd -n240
Note: tcp has changed to tcp6 for IPv6.
-s This option allows users to set the BUFFERSIZE
value. This option, when set, informs telnetd the
number of user bytes to concatenate before sending
to TCP. This option is set with integer values.
There is no specified default.
-t Enable the TAC User ID option. The system
administrator can enable the TAC User ID option on
servers designated as participating hosts by
having inetd start telnetd with the -t option in
Hewlett-Packard Company - 3 - HP-UX 11i Version 2: August 2003
telnetd(1M) telnetd(1M)
/etc/inetd.conf:
telnet stream tcp nowait root /usr/lbin/telnetd
telnetd -t
To enable the TAC User ID option for IPv6, users
must have inetd start telnetd with the -t option
in /etc/inetd.conf as shown below:
telnet stream tcp6 nowait root /usr/lbin/telnetd
telnetd -t
Note: tcp has changed to tcp6 for IPv6.
In order to make the TAC User ID option work as
specified, the system administrator must assign to
all authorized users of the option the same login
name and unique user ID (UUID) on every
participating system to which they are allowed TAC
User ID access. These same UUIDs should not be
assigned to non-authorized users.
Users cannot use the feature on systems where
their local and remote UUIDs differ, but they can
always use the normal telnet login sequence.
Also, there may be a potential security breach
where a user with one UUID may be able to gain
entry to participating systems and accounts where
that UUID is assigned to someone else, unless the
above restrictions are followed.
A typical configuration may consist of one or more
secure front-end systems and a network of
participating hosts. Users who have successfully
logged onto the front-end system may telnet
directly to any participating system without being
prompted for another login.
-y Set the behavior for stty 0 to instruct telnetd to
close the connection on the shell command stty 0
or whenever the telnet client communicates with
telnetd to arrive upon 0 baud rate for
TELOPT_TERMSPEED.
-z This option allows users to set the BUFFERTIMEOUT
value. This option, when set, informs telnetd how
long it should wait before timing out and flushing
the concatenated user data to TCP. Note that the
TIMEOUT value is measured in clock ticks (10ms)
and not in seconds. This option is set with
integer values. There is no specified default.
Hewlett-Packard Company - 4 - HP-UX 11i Version 2: August 2003
telnetd(1M) telnetd(1M)
-TCP_DELAY This option allows the users to disable the
TCP_NODELAY socket option. When telnetd is invoked
with this option, small writes over telnetd may
concatenate at the tcp level so that larger tcp
packets are sent to the client at less frequent
intervals.
To configure telnetd to have a BUFFERSIZE of 100 bytes and a
BUFFERTIMEOUT of 100 ticks and the TCP_DELAY ON, the entry in
/etc/inetd.conf would be:
telnet stream tcp nowait root /usr/lbin/telnetd telnetd -s100 \
-z100 -TCP_DELAY
To work in the IPv6 environment, the entry in /etc/inetd.conf would
be:
telnet stream tcp6 nowait root /usr/lbin/telnetd telnetd -s100 \
-z100 -TCP_DELAY
Note: tcp has changed to tcp6 for IPv6.
Kerberos-specific Options [Toc] [Back]
In Kerberos mode, inetd can start telnetd with the following lines in
/etc/inetd.conf:
telnet stream tcp nowait root /usr/lbin/telnetd telnetd -A
or
telnet stream tcp nowait root /usr/lbin/telnetd telnetd -a valid
The -A option is used to ensure that non-secure systems are denied
access to the server. It overrides any value specified with the -a
option except when authmode is debug. See the sis(5) manpage.
The -a authmode option specifies what mode is to be used for Kerberos
authentication. See the sis(5) manpage. Values for authmode are:
debug Activates authentication debugging.
valid Default value. Only allows connections when the remote
user can provide valid Kerberos authentication
information and is authorized to access the specified
account.
none Authentication information is not required. If no or
insufficient Kerberos authentication information is
provided, the login program provides the necessary user
verification. See the login(1) manpage.
Hewlett-Packard Company - 5 - HP-UX 11i Version 2: August 2003
telnetd(1M) telnetd(1M)
The -f option instructs telnetd to use the normal authentication mode
whenever the telnet client communicates NULL type in the
authentication option negotiation.
By default, the telnet server provides remote execution facilities
with authentication based on Kerberos V5. See the sis(5) manpage.
DIAGNOSTICS [Toc] [Back]
If any error is encountered by telnetd in establishing the connection,
an error message is returned through the connection, after which the
connection is closed and the server exits. Any errors generated by
the login process or its descendents are passed through as ordinary
data.
The following diagnostic messages are displayed by telnetd:
unable to allocate Telnet device
The server was unable to obtain a Telnet pseudo-terminal for
use with the login process. Either all Telnet pseudoterminals
were in use or the telm driver has not been
properly set up (see tels(7)).
Next step: Check the Telnet pseudo driver configuration of
the host where telnetd is executing.
fork: No more processes
telnetd was unable to fork a process to handle the incoming
connection.
Next step: Wait a period of time and try again. If this
message persists, the server's host may have runaway
processes that are using all the entries in the process
table.
/usr/bin/login: ...
The login program could not be started via exec*() for the
reason indicated (see exec(2)).
WARNINGS [Toc] [Back]
The terminal type name received from the remote client is converted to
lowercase.
telnetd never sends TELNET go ahead commands.
AUTHOR [Toc] [Back]
telnetd was developed by the University of California, Berkeley.
Hewlett-Packard Company - 6 - HP-UX 11i Version 2: August 2003
telnetd(1M) telnetd(1M)
SEE ALSO [Toc] [Back]
login(1), rlogin(1), stty(1), telnet(1), inetd(1M), inetsvcs_sec(1M),
ioctl(2), hosts(4), inetd.conf(4), inetd.sec(4), services(4), tels(7),
tty(7).
DOD MIL_STD 1782.
RFC 854 for the TELNET protocol specification.
Hewlett-Packard Company - 7 - HP-UX 11i Version 2: August 2003 [ Back ] |
