in.telnetd, telnetd - TELNET protocol server
/usr/sbin/in.telnetd [-a authmode] [-Uh] [-s tos]
svc:/network/telnet
in.telnetd is a server that supports the IETF standard TELNET virtual terminal protocol. in.telnetd is normally invoked by inetd(8) for requests to connect to the TELNET port as indicated by the services(5) database.
in.telnetd operates by allocating a pseudo-terminal device for a client, then creating a login process which has the slave side of the pseudo-terminal as its standard input, output, and error. in.telnetd manipulates the master side of the pseudo-terminal, implementing the TELNET protocol and passing characters between the remote client and the login process.
When a TELNET session starts up, in.telnetd sends TELNET options to the client side indicating a willingness to do remote echo of characters, and to suppress go ahead. The pseudo-terminal allocated to the client is configured to operate in “cooked” mode, and with XTABS, ICRNL and ONLCR enabled. See termio(4I).
in.telnetd is willing to do: echo, binary, suppress go ahead, and timing mark. in.telnetd is willing to have the remote client do: binary, terminal type, terminal size, logout option, and suppress go ahead.
in.telnetd also allows environment variables to be passed, provided that the client negotiates this during the initial option negotiation. The DISPLAY environment variable may be sent this way, either by the TELNET general environment passing methods, or by means of the XDISPLOC TELNET option. DISPLAY can be passed in the environment option during the same negotiation where XDISPLOC is used. Note that if you use both methods, use the same value for both. Otherwise, the results may be unpredictable.
These options are specified in Internet standards RFC 1096, RFC 1408, RFC 1510, RFC 1571, RFC 2941, RFC 2942, RFC 2946, and RFC 1572. The following Informational draft is also supported: RFC 2952.
The banner printed by in.telnetd is configurable. The default is (more or less) equivalent to `uname –sr` and will be used if no banner is set in /etc/default/telnetd. To set the banner, add a line of the form
BANNER="..."
to /etc/default/telnetd. Nonempty banner strings are fed to shells for evaluation. The default banner may be obtained by
BANNER="\\r\\n\\r\\n`uname -s` `uname -r`\\r\\n\\r\\n"
and no banner will be printed if /etc/default/telnetd contains
BANNER=""
The following options are supported:
This option may be used for specifying what mode should be used for authentication. There are several valid values for authmode:
Only allows connections when the remote user can provide valid authentication information to identify the remote user, and is allowed access to the specified account without providing a password.
Only allows connections when the remote user can provide valid authentication information to identify the remote user. The login(1) command will provide any additional user verification needed if the remote user is not allowed automatic access to the specified account.
This is the default state. Authentication information is not required. If no or insufficient authentication information is provided, then the login(1) program provides the necessary user verification.
This disables the authentication code. All user verification happens through the login(1) program.
Disables displaying host specific information before login has been completed.
Sets the IP TOS option.
Refuses connections that cannot be mapped to a name through the getnameinfo(3C) function.
in.telnetd is IPv6–enabled. See ip6(4P).
in.telnetd uses pam(3PAM) for authentication, account management, session management, and password management. The PAM configuration policy, configured in /etc/pam.conf or per-service files in /etc/pam.d/, specifies the modules to be used for in.telnetd. Here is a partial pam.conf file with entries for the telnet command using the UNIX authentication, account management, session management, and password management modules.
telnet auth requisite pam_authtok_get.so.1 telnet auth required pam_unix_auth.so.1 telnet account requisite pam_roles.so.1 telnet account required pam_projects.so.1 telnet account required pam_unix_account.so.1 telnet session required pam_unix_session.so.1 telnet password requisite pam_authtok_get.so.1 telnet password requisite pam_authtok_check.so.1 telnet password required pam_authtok_store.so.1
The equivalent PAM configuration using /etc/pam.d/ would be the following entries in /etc/pam.d/telnet:
auth requisite pam_authtok_get.so.1 auth required pam_unix_auth.so.1 account requisite pam_roles.so.1 account required pam_projects.so.1 account required pam_unix_account.so.1 session required pam_unix_session.so.1 password requisite pam_authtok_get.so.1 password requisite pam_authtok_check.so.1 password required pam_authtok_store.so.1
If there are no entries for the telnet service in /etc/pam.conf and /etc/pam.d/telnet does not exist, then the entries for the “other” service in /etc/pam.conf will be used. If there are not any entries in /etc/pam.conf for the “other” service then the entries in /etc/pam.d/other will be used. If multiple authentication modules are listed, then the user may be prompted for multiple passwords.
/etc/default/telnetd
See attributes(7) for descriptions of the following attributes:
|
login(1), ssh(1), svcs(1), telnet(1), getnameinfo(3C), pam(3PAM), termio(4I), ip6(4P), issue(5), pam.conf(5), services(5), attributes(7), pam_authtok_check(7), pam_authtok_get(7), pam_authtok_store(7), pam_dhkeys(7), pam_passwd_auth(7), pam_unix_account(7), pam_unix_auth(7), pam_unix_session(7), smf(7), sshd(8), inetadm(8), inetd(8), svcadm(8)
Alexander, S. RFC 1572, TELNET Environment Option. Network Working Group, January 1994. https://tools.ietf.org/html/rfc1572
Borman, Dave. RFC 1408, TELNET Environment Option. Network Working Group, January 1993. https://tools.ietf.org/html/rfc1408
Borman, Dave. RFC 1571, TELNET Environment Option Interoperability Issues. Network Working Group, January 1994. https://tools.ietf.org/html/rfc1571
Crispin, Mark. RFC 727, TELNET Logout Option. Network Working Group, April 1977. https://tools.ietf.org/html/rfc727
Marcy, G. RFC 1096, TELNET X Display Location Option. Network Working Group, March 1989. https://tools.ietf.org/html/rfc1096
Postel, Jon, and Joyce Reynolds. RFC 854, TELNET Protocol Specification. Network Working Group, May 1983. https://tools.ietf.org/html/rfc854
Waitzman, D. RFC 1073, TELNET Window Size Option. Network Working Group, October 1988. https://tools.ietf.org/html/rfc1073
Ts'o, T. and J. Altman, Telnet Authentication Option, RFC 2941. September 2000. https://tools.ietf.org/html/rfc2941
All data exchanges over this protocol are performed without encryption, and have no protection against spoofing or snooping of traffic. The in.telnetd server is disabled by default on Oracle Solaris and most other modern operating systems, and may be removed in future versions of Oracle Solaris. Use of the sshd(8) server is strongly recommended instead.
Some TELNET commands are only partially implemented.
Binary mode has no common interpretation except between similar operating systems.
The terminal type name received from the remote client is converted to lowercase.
The packet interface to the pseudo-terminal should be used for more intelligent flushing of input and output queues.
in.telnetd never sends TELNET go ahead commands.
The in.telnetd service is managed by the service management facility, smf(7), under the service identifier:
svc:/network/telnet
Administrative actions on this service, such as enabling, disabling, or requesting restart, can be performed using svcadm(8). Responsibility for initiating and restarting this service is delegated to inetd(8). Use inetadm(8) to make configuration changes and to view configuration information for this service. The service's status can be queried using the svcs(1) command.
Support for Kerberos, including the options –E, –M, –S, –X, and –X, was added in Solaris 10 3/05 and removed in Oracle Solaris 11.4.0. Prior to Solaris 10, a kerberized version was available in the Sun Enterprise Authentication Mechanism (SEAM) add-on package for Solaris.
Support for IPv6 was added in Solaris 8.
Support for the /etc/default/telnetd file, with the BANNER setting, was added in Solaris 2.6.
Enhancements from 4.4BSD were added in Solaris 2.5, including support for the LOGOUT, NAWS, XDISPLOC, OLD_ENVIRON, and NEW_ENVIRON protocol options.
Support for the –n option was added in Solaris 2.0.
The telnet command has been present since the initial release of Solaris.
The in.telnetd service was enabled by default in releases up through Solaris 9. In the Solaris 10 through 11.3 releases, the service was enabled under the generic_open.xml service profile, but disabled under the generic_limited_net.xml service profile. In Oracle Solaris 11.4, it is disabled by default.