mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-11-27 19:37:53 +01:00
074d0d4c1d
code. PR: 121721
618 lines
14 KiB
Groff
.\" Copyright (c) 1983, 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\" must display the following acknowledgement:
.\" This product includes software developed by the University of
.\" California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)telnetd.8 8.4 (Berkeley) 6/1/94
.\" $FreeBSD$
.\"
.Dd August 28, 2008
.Dt TELNETD 8
.Os
.Sh NAME
.Nm telnetd
.Nd DARPA
.Tn TELNET
protocol server
.Sh SYNOPSIS
.Nm /usr/libexec/telnetd
.Op Fl 46BUhlkn
.Op Fl D Ar debugmode
.Op Fl S Ar tos
.Op Fl X Ar authtype
.Op Fl a Ar authmode
.Op Fl edebug
.Op Fl p Ar loginprog
.Op Fl u Ar len
.Op Fl debug Op Ar port
.Sh DESCRIPTION
The
.Nm
command is a server which supports the
.Tn DARPA
standard
.Tn TELNET
virtual terminal protocol.
.Nm Telnetd
is normally invoked by the internet server (see
.Xr inetd 8 )
for requests to connect to the
.Tn TELNET
port as indicated by the
.Pa /etc/services
file (see
.Xr services 5 ) .
The
.Fl debug
option may be used to start up
.Nm
manually, instead of through
.Xr inetd 8 .
If started up this way,
.Ar port
may be specified to run
.Nm
on an alternate
.Tn TCP
port number.
.Pp
The
.Nm
command accepts the following options:
.Bl -tag -width indent
.It Fl 4
Forces
.Nm
to use IPv4 addresses only.
.It Fl 6
Forces
.Nm
to use IPv6 addresses only.
.It Fl a Ar authmode
This option may be used for specifying what mode should
be used for authentication.
Note that this option is only useful if
.Nm
has been compiled with support for the
.Dv AUTHENTICATION
option.
There are several valid values for
.Ar authmode :
.Bl -tag -width debug
.It Cm debug
Turn on authentication debugging code.
.It Cm user
Only allow connections when the remote user
can provide valid authentication information
to identify the remote user,
and is allowed access to the specified account
without providing a password.
.It Cm valid
Only allow connections when the remote user
can provide valid authentication information
to identify the remote user.
The
.Xr login 1
command will provide any additional user verification
needed if the remote user is not allowed automatic
access to the specified account.
.It Cm other
Only allow connections that supply some authentication information.
This option is currently not supported
by any of the existing authentication mechanisms,
and is thus the same as specifying
.Fl a
.Cm valid .
.It Cm none
This is the default state.
Authentication information is not required.
If no or insufficient authentication information
is provided, then the
.Xr login 1
program will provide the necessary user
verification.
.It Cm off
Disable the authentication code.
All user verification will happen through the
.Xr login 1
program.
.El
.It Fl B
Specify bftp server mode.
In this mode,
.Nm
causes login to start a
.Xr bftp 1
session rather than the user's
normal shell.
In bftp daemon mode normal
logins are not supported, and it must be used
on a port other than the normal
.Tn TELNET
port.
.It Fl D Ar debugmode
This option may be used for debugging purposes.
This allows
.Nm
to print out debugging information
to the connection, allowing the user to see what
.Nm
is doing.
There are several possible values for
.Ar debugmode :
.Bl -tag -width exercise
.It Cm options
Print information about the negotiation of
.Tn TELNET
options.
.It Cm report
Print the
.Cm options
information, plus some additional information
about what processing is going on.
.It Cm netdata
Display the data stream received by
.Nm .
.It Cm ptydata
Display data written to the pty.
.It Cm exercise
Has not been implemented yet.
.El
.It Fl debug
Enable debugging on each socket created by
.Nm
(see
.Dv SO_DEBUG
in
.Xr socket 2 ) .
.It Fl edebug
If
.Nm
has been compiled with support for data encryption, then the
.Fl edebug
option may be used to enable encryption debugging code.
.It Fl h
Disable the printing of host-specific information before
login has been completed.
.It Fl k
This option is only useful if
.Nm
has been compiled with both linemode and kludge linemode
support.
If the
.Fl k
option is specified, then if the remote client does not
support the
.Dv LINEMODE
option, then
.Nm
will operate in character at a time mode.
It will still support kludge linemode, but will only
go into kludge linemode if the remote client requests
it.
(This is done by the client sending
.Dv DONT SUPPRESS-GO-AHEAD
and
.Dv DONT ECHO . )
The
.Fl k
option is most useful when there are remote clients
that do not support kludge linemode, but pass the heuristic
(if they respond with
.Dv WILL TIMING-MARK
in response to a
.Dv DO TIMING-MARK )
for kludge linemode support.
.It Fl l
Specify line mode.
Try to force clients to use line-at-a-time mode.
If the
.Dv LINEMODE
option is not supported, it will go
into kludge linemode.
.It Fl n
Disable
.Dv TCP
keep-alives.
Normally
.Nm
enables the
.Tn TCP
keep-alive mechanism to probe connections that
have been idle for some period of time to determine
if the client is still there, so that idle connections
from machines that have crashed or can no longer
be reached may be cleaned up.
.It Fl p Ar loginprog
Specify an alternate
.Xr login 1
command to run to complete the login.
The alternate command must
understand the same command arguments as the standard login.
.It Fl S Ar tos
Sets the IP type-of-service (TOS) option for the telnet
connection to the value
.Ar tos ,
which can be a numeric TOS value or, on systems that support it, a symbolic
TOS name found in the
.Pa /etc/iptos
file.
.It Fl u Ar len
This option is used to specify the size of the field
in the
.Dv utmp
structure that holds the remote host name.
If the resolved host name is longer than
.Ar len ,
the dotted decimal value will be used instead.
This allows hosts with very long host names that
overflow this field to still be uniquely identified.
Specifying
.Fl u0
indicates that only dotted decimal addresses
should be put into the
.Pa utmp
file.
.It Fl U
This option causes
.Nm
to refuse connections from addresses that
cannot be mapped back into a symbolic name
via the
.Xr gethostbyaddr 3
routine.
.It Fl X Ar authtype
This option is only valid if
.Nm
has been built with support for the authentication option.
It disables the use of
.Ar authtype
authentication, and
can be used to temporarily disable
a specific authentication type without having to recompile
.Nm .
Available
.Ar authtype
values include
.Ar KERBEROS_V4 , Ar KERBEROS_V5 , Ar SPX , Ar MINK ,
and
.Ar SRA .
These options are completely independent of the
.Fl a
option.
.El
.Pp
.Nm Telnetd
operates by allocating a pseudo-terminal device (see
.Xr pty 4 )
for a client, then creating a login process which has
the slave side of the pseudo-terminal as
.Dv stdin ,
.Dv stdout
and
.Dv stderr .
.Nm Telnetd
manipulates the master side of the pseudo-terminal,
implementing the
.Tn TELNET
protocol and passing characters
between the remote client and the login process.
.Pp
When a
.Tn TELNET
session is started up,
.Nm
sends
.Tn TELNET
options to the client side indicating
a willingness to do the
following
.Tn TELNET
options, which are described in more detail below:
.Bd -literal -offset indent
DO AUTHENTICATION
WILL ENCRYPT
DO TERMINAL TYPE
DO TSPEED
DO XDISPLOC
DO NEW-ENVIRON
DO ENVIRON
WILL SUPPRESS GO AHEAD
DO ECHO
DO LINEMODE
DO NAWS
WILL STATUS
DO LFLOW
DO TIMING-MARK
.Ed
.Pp
The pseudo-terminal allocated to the client is configured
to operate in
.Dq cooked
mode, and with
.Dv XTABS
and
.Dv CRMOD
enabled (see
.Xr tty 4 ) .
.Pp
.Nm Telnetd
has support for enabling locally the following
.Tn TELNET
options:
.Bl -tag -width "DO AUTHENTICATION"
.It "WILL ECHO"
When the
.Dv LINEMODE
option is enabled, a
.Dv WILL ECHO
or
.Dv WONT ECHO
will be sent to the client to indicate the
current state of terminal echoing.
When terminal echo is not desired, a
.Dv WILL ECHO
is sent to indicate that
.Nm
will take care of echoing any data that needs to be
echoed to the terminal, and then nothing is echoed.
When terminal echo is desired, a
.Dv WONT ECHO
is sent to indicate that
.Nm
will not be doing any terminal echoing, so the
client should do any terminal echoing that is needed.
.It "WILL BINARY"
Indicate that the client is willing to send
8 bits of data, rather than the normal 7 bits
of the Network Virtual Terminal.
.It "WILL SGA"
Indicate that it will not be sending
.Dv IAC GA ,
go ahead, commands.
.It "WILL STATUS"
Indicate a willingness to send the client, upon
request, the current status of all
.Tn TELNET
options.
.It "WILL TIMING-MARK"
Whenever a
.Dv DO TIMING-MARK
command is received, it is always responded
to with a
.Dv WILL TIMING-MARK .
.It "WILL LOGOUT"
When a
.Dv DO LOGOUT
is received, a
.Dv WILL LOGOUT
is sent in response, and the
.Tn TELNET
session is shut down.
.It "WILL ENCRYPT"
Only sent if
.Nm
is compiled with support for data encryption, and
indicates a willingness to decrypt
the data stream.
.El
.Pp
.Nm Telnetd
has support for enabling remotely the following
.Tn TELNET
options:
.Bl -tag -width "DO AUTHENTICATION"
.It "DO BINARY"
Sent to indicate that
.Nm
is willing to receive an 8 bit data stream.
.It "DO LFLOW"
Requests that the client handle flow control
characters remotely.
.It "DO ECHO"
This is not really supported, but is sent to identify a
.Bx 4.2
.Xr telnet 1
client, which will improperly respond with
.Dv WILL ECHO .
If a
.Dv WILL ECHO
is received, a
.Dv DONT ECHO
will be sent in response.
.It "DO TERMINAL-TYPE"
Indicate a desire to be able to request the
name of the type of terminal that is attached
to the client side of the connection.
.It "DO SGA"
Indicate that it does not need to receive
.Dv IAC GA ,
the go ahead command.
.It "DO NAWS"
Requests that the client inform the server when
the window (display) size changes.
.It "DO TERMINAL-SPEED"
Indicate a desire to be able to request information
about the speed of the serial line to which
the client is attached.
.It "DO XDISPLOC"
Indicate a desire to be able to request the name
of the X Window System display that is associated with
the telnet client.
.It "DO NEW-ENVIRON"
Indicate a desire to be able to request environment
variable information, as described in RFC 1572.
.It "DO ENVIRON"
Indicate a desire to be able to request environment
variable information, as described in RFC 1408.
.It "DO LINEMODE"
Only sent if
.Nm
is compiled with support for linemode, and
requests that the client do line by line processing.
.It "DO TIMING-MARK"
Only sent if
.Nm
is compiled with support for both linemode and
kludge linemode, and the client responded with
.Dv WONT LINEMODE .
If the client responds with
.Dv WILL TM ,
then it is assumed that the client supports
kludge linemode.
Note that the
.Op Fl k
option can be used to disable this.
.It "DO AUTHENTICATION"
Only sent if
.Nm
is compiled with support for authentication, and
indicates a willingness to receive authentication
information for automatic login.
.It "DO ENCRYPT"
Only sent if
.Nm
is compiled with support for data encryption, and
indicates a willingness to decrypt
the data stream.
.El
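.Pp
The negotiation exchanges described above (the initial option offer,
the WILL TIMING-MARK reply to DO TIMING-MARK, the DONT ECHO reply used
to identify a 4.2BSD client, the WILL LOGOUT reply, and the kludge
linemode heuristic that the -k option restricts) worked through as a
small server-side state machine in Python.
This is an added example, not code from this manual page or from
telnetd itself.
The command and option numbers are those of RFC 854, RFC 855 and the
option RFCs listed under STANDARDS (LOGOUT is option 18, RFC 727);
the class and function names, the modelling of -k as a constructor
flag, and the client bytes fed in at the end are assumptions made for
the example, and subnegotiation (IAC SB ... IAC SE) is skipped rather
than interpreted.

```python
"""Server-side TELNET option negotiation as telnetd(8) describes it.

Added example: emits the initial option offer and answers the client
replies the manual page documents. Subnegotiation is skipped, not parsed.
"""
from dataclasses import dataclass, field

# Command bytes from RFC 854.
IAC, DONT, DO, WONT, WILL, SB, SE, GA = 255, 254, 253, 252, 251, 250, 240, 249

# Option codes from RFC 855 and the option RFCs under STANDARDS (LOGOUT: RFC 727).
OPT = {
    "BINARY": 0, "ECHO": 1, "SGA": 3, "STATUS": 5, "TIMING-MARK": 6, "LOGOUT": 18,
    "TERMINAL-TYPE": 24, "NAWS": 31, "TSPEED": 32, "LFLOW": 33, "LINEMODE": 34,
    "XDISPLOC": 35, "ENVIRON": 36, "AUTHENTICATION": 37, "ENCRYPT": 38, "NEW-ENVIRON": 39,
}
NAME = {code: name for name, code in OPT.items()}
VERB = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}

# The offer telnetd sends at session start, in the order the manual lists it.
INITIAL_OFFER = [
    (DO, "AUTHENTICATION"), (WILL, "ENCRYPT"), (DO, "TERMINAL-TYPE"), (DO, "TSPEED"),
    (DO, "XDISPLOC"), (DO, "NEW-ENVIRON"), (DO, "ENVIRON"), (WILL, "SGA"), (DO, "ECHO"),
    (DO, "LINEMODE"), (DO, "NAWS"), (WILL, "STATUS"), (DO, "LFLOW"), (DO, "TIMING-MARK"),
]


def cmd(verb: int, name: str) -> bytes:
    """Encode one IAC <verb> <option> triple."""
    return bytes([IAC, verb, OPT[name]])


def initial_offer() -> bytes:
    return b"".join(cmd(verb, name) for verb, name in INITIAL_OFFER)


def parse_commands(data: bytes):
    """Split inbound bytes into (verb, option) negotiations and plain data.

    IAC IAC is an escaped 0xFF data byte; IAC SB ... IAC SE is skipped whole;
    other two-byte commands such as IAC GA are dropped.
    """
    cmds, plain, i = [], bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            plain.append(data[i]); i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:
            plain.append(IAC); i += 2
        elif i + 2 < len(data) and data[i + 1] in VERB:
            cmds.append((data[i + 1], data[i + 2])); i += 3
        elif i + 1 < len(data) and data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2
    return cmds, bytes(plain)


def describe(data: bytes) -> list:
    """Render negotiation bytes symbolically, e.g. 'WILL TIMING-MARK'."""
    cmds, _ = parse_commands(data)
    return [f"{VERB[v]} {NAME.get(o, o)}" for v, o in cmds]


@dataclass
class ServerState:
    kludge_only_on_request: bool = False  # assumption: models the -k flag
    linemode_refused: bool = False        # client answered WONT LINEMODE
    timing_mark_answered: bool = False    # client answered WILL TIMING-MARK
    bsd42_client: bool = False            # client answered DO ECHO with WILL ECHO
    closed: bool = False                  # DO LOGOUT received, session shut down
    seen_dont: set = field(default_factory=set)

    @property
    def kludge_linemode(self) -> bool:
        # Without -k the TIMING-MARK heuristic alone selects kludge linemode;
        # with -k the client must ask for it with DONT SGA and DONT ECHO.
        if self.kludge_only_on_request:
            return {"SGA", "ECHO"} <= self.seen_dont
        return self.linemode_refused and self.timing_mark_answered

    def handle(self, data: bytes) -> bytes:
        """Consume client bytes, update state, return the bytes to send back."""
        reply = bytearray()
        for verb, opt in parse_commands(data)[0]:
            name = NAME.get(opt)
            if verb == DO and name == "TIMING-MARK":
                reply += cmd(WILL, "TIMING-MARK")      # always answered this way
            elif verb == DO and name == "LOGOUT":
                reply += cmd(WILL, "LOGOUT")
                self.closed = True
            elif verb == WILL and name == "ECHO":
                self.bsd42_client = True               # only a 4.2BSD telnet does this
                reply += cmd(DONT, "ECHO")
            elif verb == WONT and name == "LINEMODE":
                self.linemode_refused = True
            elif verb == WILL and name == "TIMING-MARK":
                self.timing_mark_answered = True
            elif verb == DONT and name in ("SGA", "ECHO"):
                self.seen_dont.add(name)
        return bytes(reply)


if __name__ == "__main__":
    # Constructed client replies for illustration, not a captured session.
    srv = ServerState()
    print(describe(initial_offer()))
    client = cmd(WONT, "LINEMODE") + cmd(WILL, "TIMING-MARK") + cmd(WILL, "ECHO") + cmd(DO, "LOGOUT")
    print(describe(srv.handle(client)), srv.kludge_linemode, srv.bsd42_client, srv.closed)
```

Running the block feeds a constructed client reply sequence through the state
machine; the same ServerState built with kludge_only_on_request=True ignores the
TIMING-MARK heuristic until the client sends DONT SGA and DONT ECHO, which is
the behaviour the -k option describes.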
.Sh NOTES
By default
.Nm
will read the
.Em \&he ,
.Em \&hn ,
and
.Em \&im
capabilities from
.Pa /etc/gettytab
and use that information (if present) to determine
what to display before the login: prompt.
You can
also use a System V style
.Pa /etc/issue
file by using the
.Em \&if
capability, which will override
.Em \&im .
The information specified in either
.Em \&im
or
.Em \&if
will be displayed to both console and remote logins.
.\" .Sh ENVIRONMENT
.Sh FILES
.Bl -tag -width /usr/ucb/bftp -compact
.It Pa /etc/services
.It Pa /etc/gettytab
.It Pa /etc/iptos
(if supported)
.It Pa /usr/ucb/bftp
(if supported)
.El
.Sh "SEE ALSO"
.Xr bftp 1 ,
.Xr login 1 ,
.Xr telnet 1
(if supported),
.Xr gettytab 5
.Sh STANDARDS
.Bl -tag -compact -width RFC-1572
.It Cm RFC-854
.Tn TELNET
PROTOCOL SPECIFICATION
.It Cm RFC-855
TELNET OPTION SPECIFICATIONS
.It Cm RFC-856
TELNET BINARY TRANSMISSION
.It Cm RFC-857
TELNET ECHO OPTION
.It Cm RFC-858
TELNET SUPPRESS GO AHEAD OPTION
.It Cm RFC-859
TELNET STATUS OPTION
.It Cm RFC-860
TELNET TIMING MARK OPTION
.It Cm RFC-861
TELNET EXTENDED OPTIONS - LIST OPTION
.It Cm RFC-885
TELNET END OF RECORD OPTION
.It Cm RFC-1073
Telnet Window Size Option
.It Cm RFC-1079
Telnet Terminal Speed Option
.It Cm RFC-1091
Telnet Terminal-Type Option
.It Cm RFC-1096
Telnet X Display Location Option
.It Cm RFC-1123
Requirements for Internet Hosts -- Application and Support
.It Cm RFC-1184
Telnet Linemode Option
.It Cm RFC-1372
Telnet Remote Flow Control Option
.It Cm RFC-1416
Telnet Authentication Option
.It Cm RFC-1411
Telnet Authentication: Kerberos Version 4
.It Cm RFC-1412
Telnet Authentication: SPX
.It Cm RFC-1571
Telnet Environment Option Interoperability Issues
.It Cm RFC-1572
Telnet Environment Option
.El
.Sh HISTORY
IPv6 support was added by the WIDE/KAME project.
.Sh BUGS
Some
.Tn TELNET
commands are only partially implemented.
.Pp
Because of bugs in the original
.Bx 4.2
.Xr telnet 1 ,
.Nm
performs some dubious protocol exchanges to try to discover if the remote
client is, in fact, a
.Bx 4.2
.Xr telnet 1 .
.Pp
Binary mode
has no common interpretation except between similar operating systems
(Unix in this case).
.Pp
The terminal type name received from the remote client is converted to
lower case.
.Pp
.Nm Telnetd
never sends
.Tn TELNET
.Dv IAC GA
(go ahead) commands.