|
|
Enabling Telnet Service for a particular User only
|
|
telnetd(1M) telnetd(1M) NAME
telnetd - TELNET protocol server SYNOPSIS
authmode] [bannerfile]] DESCRIPTION
The daemon executes a server that supports the DARPA standard TELNET virtual terminal protocol. The Internet daemon executes when it receives a service request at the port listed in the services database for using the protocol (see inetd(1M) and services(4)). operates by allocating a Telnet pseudo-terminal device (see tels(7)) for a client, then creating a login process, which has the slave side of the Telnet pseudo-terminal as and manipulates the master side of the Telnet pseudo-terminal, implementing the TELNET protocol, and pass- ing characters between the client and login process. NOTE: no longer uses pty(7) devices; instead it uses special devices created for TELNET sessions only. For more information, see tels(7). When a TELNET session is started up, sends TELNET options to the client side, indicating a willingness to do of characters, to and to receive and (if kerberos is enabled) information from the remote client. If the remote client is ready, the remote terminal type is propa- gated in the environment of the created login process. The pseudo-terminal allocated to the client is configured as a normal terminal for login, with the exception of echoing characters (see tty(7)). is willing to and is willing to have the remote client and (if kerberos is enabled). The flow control option permits applications running on a remote host to toggle the flow control on the local host. To toggle flow control for a session programmatically, the application program must first call the function to get the current settings. For example, Then, the of the structure must have set(reset) to enable(disable) flow control. Finally, the function call can implement the change. For example, To toggle the flow control interactively, the user can issue a command using the input options to disable, or to enable flow control. See the stty(1) manpage. The terminal speed option permits applications running on a remote host to obtain the terminal speed of the local host session using either ioctl or stty. The server also supports the TAC User ID (also known as the TAC Access Control System, or TACACS User ID) option using which, users telnet- ing to two or more consenting hosts may avoid going through a second login sequence. See the option below. To start from the Internet daemon, the configuration file must contain an entry as follows: The above configuration applies only for the IPv4 environment. For to work in the IPv6 environment, the configuration file must contain a entry as follows: NOTE: The entry has changed to to work in the IPv6 environment. uses the same files as to verify participating systems and authorized users, and (See hosts.equiv(4) and the for configuration details.) Options has the following options. Specify a file containing a custom banner. This option overrides the standard login banner. For example, to use as the login banner, have start with the follow- ing lines in provides line continuation): To work in the IPv6 environment, the entry in would be: NOTE: has changed to for IPv6. If bannerfile is not specified, does not print a login banner. Invoke with all the environment variables passed to Set the time-out value for the initial option negotiation in the file as: This option informs how long it should wait before timing out and exiting if it does not receive either a positive or negative reply for any of the initial option negotiations. The time-out value is measured in seconds. This option is set with integer values. The values range between 1 and 21474836. The default value is 120 seconds. There should not be any space between the option and the time-out value. For example, To work in the IPv6 environment, the entry in would be: NOTE: has changed to for IPv6. This option allows users to set the BUFFERSIZE value. This option, when set, informs the number of user bytes to concatenate before sending to TCP. This option is set with integer values. There is no specified default. Enable the TAC User ID option. The system administrator can enable the TAC User ID option on servers designated as participating hosts by having start with the option in To enable the TAC User ID option for IPv6, users must have start with the option in as shown below: NOTE: has changed to for IPv6. In order to make the TAC User ID option work as specified, the system administrator must assign to all authorized users of the option the same login name and unique user ID (UUID) on every participating system to which they are allowed TAC User ID access. These same UUIDs should not be assigned to non-authorized users. Users cannot use the feature on systems where their local and remote UUIDs differ, but they can always use the normal login sequence. Also, there may be a potential security breach where a user with one UUID may be able to gain entry to participating systems and accounts where that UUID is assigned to someone else, unless the above restrictions are fol- lowed. A typical configuration may consist of one or more secure front-end systems and a network of participating hosts. Users who have successfully logged onto the front-end system may directly to any participating system without being prompted for another login. Set the behavior for to instruct to close the connection on the shell command or whenever the client communicates with to arrive upon 0 baud rate for This option allows users to set the value. This option, when set, informs how long it should wait before timing out and flushing the concatenated user data to TCP. Note that the value is measured in clock ticks (10 ms) and not in seconds. This option is set with inte- ger values. There is no specified default. This option allows the users to disable the socket option. When is invoked with this option, small writes over may concatenate at the tcp level so that larger tcp packets are sent to the client at less frequent intervals. NOTE: Using the option with the and options is not recommended. To configure to use the option, the entry in would be: To work in the IPv6 environment using the option, the entry in would be: NOTE: has changed to for IPv6. To configure to have a of 100 bytes and a of 100 ticks, the entry in would be: To work in the IPv6 environment, the entry in would be: NOTE: has changed to for IPv6. Kerberos-specific Options In Kerberos mode, can start with the following lines in or The option is used to ensure that non-secure systems are denied access to the server. It overrides any value specified with the option except when authmode is See the sis(5) manpage. The authmode option specifies what mode is to be used for Kerberos authentication. See the sis(5) manpage. Values for authmode are: Activates authentication debugging. Default value. Only allows connections when the remote user can provide valid Kerberos authentication information and is authorized to access the specified account. Authentication information is not required. If no or insufficient Kerberos authentication information is provided, the program provides the necessary user verifica- tion. See the login(1) manpage. The option instructs to use the normal authentication mode whenever the telnet client communicates NULL type in the authentication option negotiation. By default, the server provides remote execution facilities with authentication based on Kerberos V5. See the sis(5) manpage. DIAGNOSTICS
If any error is encountered by in establishing the connection, an error message is returned through the connection, after which the connec- tion is closed and the server exits. Any errors generated by the login process or its descendents are passed through as ordinary data. The following diagnostic messages are displayed by The server was unable to obtain a Telnet pseudo-terminal for use with the login process. Either all Telnet pseudo-terminals were in use or the driver has not been properly set up (see tels(7)). Check the Telnet pseudo driver configuration of the host where is executing. was unable to fork a process to handle the incoming connection. Wait a period of time and try again. If this message persists, the server's host may have runaway processes that are using all the entries in the process table. The login program could not be started via for the reason indicated (see exec(2)). WARNINGS
The terminal type name received from the remote client is converted to lowercase. never sends TELNET commands. AUTHOR
was developed by the University of California, Berkeley. SEE ALSO
login(1), rlogin(1), stty(1), telnet(1), inetd(1M), inetsvcs_sec(1M), exec(2), ioctl(2), hosts(4), hosts.equiv(4), inetd.conf(4), inetd.sec(4), services(4), sis(5), pty(7), tels(7), tty(7). DOD MIL_STD 1782. RFC 854 for the TELNET protocol specification. telnetd(1M)
