Special Forums IP Networking Linux Client To Authenticate using TACACS Post 302854803 by metallica1973 on Wednesday 18th of September 2013 11:24:59 AM
Linux Client To Authenticate using TACACS

I have a customer who controls access to the internet via a TACACS server; basically, a PIX firewall uses authentication from the TACACS to say if traffic is allowed to pass out of the gateway. I can't find anything on how to configure a Linux client for TACACS authentication, only how to set up a Linux TACACS server.
 

telnetd(1M)

NAME
telnetd - TELNET protocol server

SYNOPSIS
authmode] [bannerfile]]

DESCRIPTION
The daemon executes a server that supports the DARPA standard TELNET virtual terminal protocol. The Internet daemon executes when it receives a service request at the port listed in the services database for using the protocol (see inetd(1M) and services(4)). operates by allocating a Telnet pseudo-terminal device (see tels(7)) for a client, then creating a login process, which has the slave side of the Telnet pseudo-terminal as and manipulates the master side of the Telnet pseudo-terminal, implementing the TELNET protocol, and passing characters between the client and login process.

NOTE: no longer uses pty(7) devices; instead it uses special devices created for TELNET sessions only. For more information, see tels(7).

When a TELNET session is started up, sends TELNET options to the client side, indicating a willingness to do of characters, to and to receive and (if Kerberos is enabled) information from the remote client. If the remote client is ready, the remote terminal type is propagated in the environment of the created login process. The pseudo-terminal allocated to the client is configured as a normal terminal for login, with the exception of echoing characters (see tty(7)). is willing to and is willing to have the remote client and (if Kerberos is enabled).

The flow control option permits applications running on a remote host to toggle the flow control on the local host. To toggle flow control for a session programmatically, the application program must first call the function to get the current settings. For example, Then, the of the structure must have set(reset) to enable(disable) flow control. Finally, the function call can implement the change. For example, To toggle the flow control interactively, the user can issue a command using the input options to disable, or to enable flow control. See the stty(1) manpage.

The terminal speed option permits applications running on a remote host to obtain the terminal speed of the local host session using either ioctl or stty.

The server also supports the TAC User ID (also known as the TAC Access Control System, or TACACS User ID) option using which, users telneting to two or more consenting hosts may avoid going through a second login sequence. See the option below.

To start from the Internet daemon, the configuration file must contain an entry as follows: The above configuration applies only for the IPv4 environment. For to work in the IPv6 environment, the configuration file must contain a entry as follows: NOTE: The entry has changed to to work in the IPv6 environment.

uses the same files as to verify participating systems and authorized users, and (See hosts.equiv(4) and the for configuration details.)

Options
has the following options.

Specify a file containing a custom banner. This option overrides the standard login banner. For example, to use as the login banner, have start with the following lines in provides line continuation): To work in the IPv6 environment, the entry in would be: NOTE: has changed to for IPv6. If bannerfile is not specified, does not print a login banner.

Invoke with all the environment variables passed to

Set the time-out value for the initial option negotiation in the file as: This option informs how long it should wait before timing out and exiting if it does not receive either a positive or negative reply for any of the initial option negotiations. The time-out value is measured in seconds. This option is set with integer values. The values range between 1 and 21474836. The default value is 120 seconds. There should not be any space between the option and the time-out value. For example, To work in the IPv6 environment, the entry in would be: NOTE: has changed to for IPv6.

This option allows users to set the BUFFERSIZE value. This option, when set, informs the number of user bytes to concatenate before sending to TCP. This option is set with integer values. There is no specified default.

Enable the TAC User ID option. The system administrator can enable the TAC User ID option on servers designated as participating hosts by having start with the option in To enable the TAC User ID option for IPv6, users must have start with the option in as shown below: NOTE: has changed to for IPv6.

In order to make the TAC User ID option work as specified, the system administrator must assign to all authorized users of the option the same login name and unique user ID (UUID) on every participating system to which they are allowed TAC User ID access. These same UUIDs should not be assigned to non-authorized users. Users cannot use the feature on systems where their local and remote UUIDs differ, but they can always use the normal login sequence. Also, there may be a potential security breach where a user with one UUID may be able to gain entry to participating systems and accounts where that UUID is assigned to someone else, unless the above restrictions are followed.

A typical configuration may consist of one or more secure front-end systems and a network of participating hosts. Users who have successfully logged onto the front-end system may directly to any participating system without being prompted for another login.

Set the behavior for to instruct to close the connection on the shell command or whenever the client communicates with to arrive upon 0 baud rate for

This option allows users to set the value. This option, when set, informs how long it should wait before timing out and flushing the concatenated user data to TCP. Note that the value is measured in clock ticks (10 ms) and not in seconds. This option is set with integer values. There is no specified default.

This option allows the users to disable the socket option. When is invoked with this option, small writes over may concatenate at the tcp level so that larger tcp packets are sent to the client at less frequent intervals. NOTE: Using the option with the and options is not recommended. To configure to use the option, the entry in would be: To work in the IPv6 environment using the option, the entry in would be: NOTE: has changed to for IPv6. To configure to have a of 100 bytes and a of 100 ticks, the entry in would be: To work in the IPv6 environment, the entry in would be: NOTE: has changed to for IPv6.

Kerberos-specific Options
In Kerberos mode, can start with the following lines in or

The option is used to ensure that non-secure systems are denied access to the server. It overrides any value specified with the option except when authmode is See the sis(5) manpage.

The authmode option specifies what mode is to be used for Kerberos authentication. See the sis(5) manpage. Values for authmode are: Activates authentication debugging. Default value. Only allows connections when the remote user can provide valid Kerberos authentication information and is authorized to access the specified account. Authentication information is not required. If no or insufficient Kerberos authentication information is provided, the program provides the necessary user verification. See the login(1) manpage.

The option instructs to use the normal authentication mode whenever the telnet client communicates NULL type in the authentication option negotiation.

By default, the server provides remote execution facilities with authentication based on Kerberos V5. See the sis(5) manpage.

DIAGNOSTICS
If any error is encountered by in establishing the connection, an error message is returned through the connection, after which the connection is closed and the server exits. Any errors generated by the login process or its descendents are passed through as ordinary data. The following diagnostic messages are displayed by

The server was unable to obtain a Telnet pseudo-terminal for use with the login process. Either all Telnet pseudo-terminals were in use or the driver has not been properly set up (see tels(7)). Check the Telnet pseudo driver configuration of the host where is executing.

was unable to fork a process to handle the incoming connection. Wait a period of time and try again. If this message persists, the server's host may have runaway processes that are using all the entries in the process table.

The login program could not be started via for the reason indicated (see exec(2)).

WARNINGS
The terminal type name received from the remote client is converted to lowercase. never sends TELNET commands.

AUTHOR
was developed by the University of California, Berkeley.

SEE ALSO
login(1), rlogin(1), stty(1), telnet(1), inetd(1M), inetsvcs_sec(1M), exec(2), ioctl(2), hosts(4), hosts.equiv(4), inetd.conf(4), inetd.sec(4), services(4), sis(5), pty(7), tels(7), tty(7). DOD MIL_STD 1782. RFC 854 for the TELNET protocol specification.