telnetd Daemon

Purpose

Provides the server function for the TELNET protocol.

Syntax

/usr/sbin/telnetd [-a] [-c] [-n] [ -s]

Description

Note: The telnetd daemon is normally started by the inetd daemon. It can also be controlled from the command line, using SRC commands.

The /usr/sbin/telnetd daemon is a server that supports the Defense Advanced Research Product Agency (DARPA) standard Telnet Protocol (TELNET). Changes to the telnetd daemon should be made using the System Management Interface Tool (SMIT).

Changes to the telnetd daemon can be made using the System Management Interface Tool (SMIT) or System Resource Controller (SRC), by editing the /etc/inetd.conf or /etc/services file. Typing telnetd at the command line is not recommended. The telnetd daemon is started by default when it is uncommented in the /etc/inetd.conf file. By default, the -a flag is also turned on.

The inetd daemon get its information from the /etc/inetd.conf file and the /etc/services file.

After changing the /etc/inetd.conf or /etc/services file, run the refresh -s inetd or kill -1 InetdPID command to inform the inetd daemon of the changes to its configuration file.

When a telnet session is started, the telnetd daemon sends TELNET options to the client (remote) host to indicate an ability to perform options.

Terminal Negotiation

The telnetd daemon requests the terminal type from the client host. On receipt, the telnetd daemon checks whether the indicated type is supported on the local system. If not, the daemon requests a terminal type again.

This terminal type negotiation continues until the remote client sends an acceptable terminal type or until the client sends the same type twice in a row, indicating that it has no other types available. When necessary, the telnetd daemon refers to the /etc/telnet.conf file to translate a client's terminal-type strings into terminfo file entries.

Note: Because the telnetd daemon allows the sending and receiving of 8-bit ASCII, NLS is supported.

If the remote client sends the TELNET SAK command, the telnetd daemon passes the local SAK characters through the PTY to invoke the trusted shell.

The telnetd daemon supports the following TELNET options:

The telnetd daemon also recognizes the following options for the remote client:

The telnetd daemon should be controlled using the System Management Interface Tool (SMIT) or by changing the /etc/inetd.conf file. Typing telnetd at the command line is not recommended.

Authentication Negotiation

If the system has Kerberos 5 authentication configured, telnetd will accept authentication option negotiation. If both agree on Kerberos 5 authentication, the client will pass over the DCE principal and telnetd will use the kvalid_user routine to determine if the DCE principal should have access to the account. If it passes, no password will be requested.

Manipulating the telnetd Daemon with the System Resource Controller

The telnetd daemon is a subserver of the inetd daemon, which is a subsystem of the System Resource Controller (SRC). The telnetd daemon is a member of the tcpip SRC subsystem group. This daemon is enabled by default in the /etc/inetd.conf file and can be manipulated by the following SRC commands:

Item Description
startsrc Starts a subsystem, group of subsystems, or a subserver.
stopsrc Stops a subsystem, group of subsystems, or a subserver.
lssrc Gets the status or a subsystem, group or subsystems, or a subserver.

Flags

Item Description
-a Causes the PTY and socket to be linked directly in the kernel so that the data handling remains in the kernel to improve the performance.
-c Suppresses the reverse host name lookup.
-n Disables transport-level keep-alive messages. Messages are enabled by default.
-s Turns on socket-level debugging.
Note: Unrecognized flags will be ignored by the daemon and logged to the syslog if syslog is enabled.

Security

The telnetd daemon is a PAM-enabled application with a service name of telnet. System-wide configuration to use PAM for authentication is set by modifying the value of the auth_type attribute, in the usw stanza of /etc/security/login.cfg, to PAM_AUTH as the root user.

The authentication mechanisms used when PAM is enabled depend on the configuration for the telnet service in /etc/pam.conf. The telnetd daemon requires /etc/pam.conf entries for the auth, account, password, and session module types. Listed below is a recommended configuration in /etc/pam.conf for the telnet service:
#
# AIX telnet configuration
#
telnet auth      required     /usr/lib/security/pam_aix

telnet account   required     /usr/lib/security/pam_aix

telnet password  required     /usr/lib/security/pam_aix

telnet session   required     /usr/lib/security/pam_aix

Examples

Note: The arguments for the telnetd daemon can be specified by using SMIT or by editing the /etc/inetd.conf file.
  1. To start the telnetd daemon, type the following:

    startsrc  -t telnet

    This command starts the telnetd subserver.
  2. To stop the telnetd daemon normally, type the following:

    stopsrc  -t telnet

    This command allows all pending connections to start and existing connections to complete but prevents new connections from starting.
  3. To force stop the telnetd daemon and all telnetd connections, type the following:

    stopsrc -f -t telnet  

    This command terminates all pending connections and existing connections immediately.
  4. To display a short status report about the telnetd daemon, type the following:

    lssrc -t telnet

    This command returns the daemon's name, process ID, and state (active or inactive).

File

Item Description
terminfo Describes terminal by capability.