otelnetd

Note: The user ID associated with the daemon in /etc/inetd.conf requires superuser authority. See z/OS UNIX System Services Planning for a description of the types of authority defined for daemons.

The following syntax is used in the /etc/inetd.conf file to define the arguments used to invoke otelnetd.

Syntax

>>-otelnetd--+-----+--+-----------------------------+----------->
             '- -C-'  |      .--------------------. |   
                      |      V                    | |   
                      '- -D----+-all------------+-+-'   
                               +-options--------+       
                               +-report---------+       
                               +-netdata--------+       
                               +-ptydata--------+       
                               +-login----------+       
                               +-authentication-+       
                               '-encryption-----'       

>--+-----+--+-----+--+-----+--+-----+--+-----+--+-----+--------->
   '- -h-'  '- -k-'  '- -l-'  '- -m-'  '- -n-'  '- -t-'   

>--+-----+--+-----+--+-----+--+--------------------+------------>
   '- -U-'  '- -g-'  '- -b-'  '- -c--timeout_value-'   

>--+---------------------+--+----------------+------------------>
   '- -T--terminfo_value-'  |      .-none--. |   
                            '- -a--+-valid-+-'   
                                   +-other-+     
                                   +-user--+     
                                   '-off---'     

>--+---------------+--+-----+----------------------------------><
   '- -X--authtype-'  '- -s-'   

Parameters

-C
Prints user messages in uppercase. There are several exceptions. Messages issued at startup are not affected by the -C option because the -C option is not processed during the startup. Also, data transmittal messages will not be uppercase. Data transmittal messages are generated from the -D netdata option or the -D ptydata option.
-D
The following suboptions apply to -D:
options
Prints information about the negotiation of Telnet options. This information is used for debugging purposes. This suboption allows telnetd to generate debugging information to the connection, which allows the user to view telnetd activity.
report
Prints the options information and additional information about processing, including the information printed for the options suboption. This can be used for debugging purposes. This suboption allows telnetd to generate debugging information to the connection, which enables the user to view telnetd activity.
netdata
Displays the data stream received by telnetd. This information is used for debugging purposes. It allows telnetd to generate debugging information to the connection, which enables the user to view telnetd activity.
ptydata
Displays the data stream written to the pty. This information is used for debugging purposes. It allows telnetd to generate debugging information to the connection, which enables the user to view telnetd activity.
all
Enables options, report, netdata, ptydata, login, authentication and encryption.
login
Records login and logout activity to syslogd facility auth using message EZYTU36I.
authentication
Turns on authentication debugging code.
encryption
Turns on encryption debugging code.
-h
Disables the display of the /etc/banner and /etc/otelnetd.banner files at the terminal of the client.
-k
Disables kludge linemode. The server normally attempts to use kludge linemode when the -l option is specified but the client does not support linemode. Use the -k option when there are remote clients that do not support kludge linemode but pass the heuristic for kludge linemode support (for example, if they respond with WILL TIMING-MARK in response to a DO TIMING-MARK). This option does not disable kludge linemode when the client requests it; the client makes that request by sending DONT SUPPRESS-GO-AHEAD and DONT ECHO.
-l
Specifies linemode, which tries to force clients to use linemode. If the LINEMODE option is not supported and the -k option was not specified, it will attempt to use kludge linemode.
Notes:
  1. Many clients decline the server's request to operate in linemode.
  2. Linemode is not appropriate for full-screen applications like the z/OS® UNIX vi editor.
-m
Enables the creation of a forked or spawned process to coexist in the same address space. This option can improve performance because the user's login shell runs in the same address space as otelnetd.
-n
Disables TCP keep-alives. Normally, telnetd enables the TCP keep-alive mechanism to probe connections that have been idle for some time to determine if the client is still there. In this way, idle connections from machines that have crashed or can no longer be reached can be cleaned up. The cleanup of disabled connections is controlled by the presence of the INTERVAL parameter on the TCPCONFIG statement in the TCPIP profile.
-t
Specifies internal tracing. It also activates the REPORT option, as if the user also specified -D Report.
-U
Causes telnetd to drop connections from any IP address that cannot be mapped back into a symbolic name by the gethostbyaddr or getnameinfo routines.
Result: If coded, the -U parameter causes the -g parameter to be ignored.
-g
Disables the ability to issue the gethostbyaddr or getnameinfo routines that use the client IP address to resolve the client host name.
Results:
  • If this parameter is coded, the host name does not appear in the trace output (-t parameter) or in the WHO command output.
  • This parameter is ignored if the -U parameter is coded.
-b
Forces the server to DO BINARY in the first pass during negotiations with the client.
-c timeout_value
Specifies the number of seconds to wait before terminating the Telnet session for inactive connections. The timeout_value is a value between 1 and 86400 seconds.
-T terminfo_value
Sets the TERMINFO environment variable to the specified values at startup. This option is needed when terminfo definitions are located in nonstandard directories.
-a
Specifies the mode to be used for authentication. The valid suboptions for authentication mode are:
valid
Allow connections only when the remote user can provide valid authentication information to identify the remote user. Thus, for otelnetd, Kerberos authentication will be required. User verification will still occur through the login and password prompt. However, if the login user ID matches the TSO user ID that was mapped from the name in the Kerberos principal using the SAF R_usermap function, then no password will be requested. This is the most secure authentication mode.
other
Allow only connections that supply some authentication information. This option is currently not supported by any of the existing authentication mechanisms, and is thus the same as specifying -a valid.
user
Allow connections only when the remote user can provide valid authentication information to identify the remote user, and is allowed access to the specified account without providing a password. Thus, for otelnetd, Kerberos authentication is required. The NAME received during AUTHENTICATION option negotiation must match the name in the Kerberos principal, and the Kerberos principal must map to a valid TSO user ID on the host using the SAF R_usermap function. No user verification will occur through the login or password prompt.
none
This is the default state. Authentication information is not required. User verification will still occur through the login and password prompt. However, if the login user ID matches the TSO user ID that was mapped from the name in the Kerberos principal using the SAF R_usermap function, then no password will be requested.
off
This disables the authentication code. All user verification happens through the login and password prompt. During option negotiation, otelnetd will not send DO AUTHENTICATION and, if necessary, will send DONT AUTHENTICATION.
Note: Authentication is not supported for IPv6 connections. If tcp6 is specified in inetd.conf, -a should not be used as a start option. If tcp6 and -a are both specified, the suboption will be overridden and forced to OFF.
-X authtype
This option disables the use of authtype authentication. Currently the only valid value for authtype is KERBEROS_V5. Thus, if otelnetd sends the AUTHENTICATION option SEND command, the authentication-type-pair-list will not contain any KERBEROS_V5 entries and will be empty.
-s
Used to set the KRB5_SERVER_KEYTAB environment variable. If this environment variable is set, run time security uses a local instance of the Kerberos security server to decrypt service tickets instead of obtaining the key from a key table. To use this capability, the otelnetd application must have at least READ access to the IRR.RUSERMAP resource in the FACILITY class. For more information, see z/OS Integrated Security Services Network Authentication Service Administration.
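
Example (added here; not part of the IBM documentation): a small audit of otelnetd entries in /etc/inetd.conf against the rules stated above for -D, -a, -X, -U/-g and -c. The sample entries, user ID, program path and finding labels are constructed for illustration, and the code assumes the usual inetd.conf layout in which the seventh field is argv[0] and the options follow it.

```python
# Added example: audit otelnetd start options found in /etc/inetd.conf.
VALUE_OPTS = {"-D", "-c", "-T", "-a", "-X"}   # options that take a value
DATA_DEBUG = {"all", "netdata", "ptydata"}    # -D suboptions that show the data stream

def parse_entry(line):
    """Return (protocol, {option: [values]}) for one inetd.conf entry."""
    fields = line.split()
    # Assumed layout: service type protocol wait user program argv0 options...
    proto, tokens = fields[2], iter(fields[7:])
    opts = {}
    for tok in tokens:
        value = next(tokens, None) if tok in VALUE_OPTS else True
        opts.setdefault(tok, []).append(value)
    return proto, opts

def audit(line):
    """Return finding labels (names made up for this example) for one entry."""
    proto, opts = parse_entry(line)
    findings = []
    # Suboptions compared case-insensitively (assumption; the page writes "-D Report").
    if {str(v).lower() for v in opts.get("-D", [])} & DATA_DEBUG:
        findings.append("debug-data-stream")        # data stream displayed to the connection
    auth = str(opts.get("-a", ["none"])[-1]).lower()  # none is the default state
    if "-a" in opts and proto == "tcp6":
        findings.append("auth-forced-off-tcp6")     # -a is overridden to OFF on tcp6
        auth = "off"
    if auth in ("none", "off"):
        findings.append("kerberos-not-required")    # login/password prompt only
    if "-X" in opts:
        findings.append("authtype-disabled")        # e.g. -X KERBEROS_V5
    if "-U" in opts and "-g" in opts:
        findings.append("g-ignored-by-U")           # -U causes -g to be ignored
    for v in opts.get("-c", []):
        if not (str(v).isdecimal() and 1 <= int(v) <= 86400):
            findings.append("timeout-out-of-range") # valid range is 1 to 86400 seconds
    return findings

# Constructed sample entries (service name, user ID and path are placeholders).
SAMPLES = [
    "otelnet stream tcp nowait SAMPLEID /usr/sbin/otelnetd otelnetd -l -m",
    "otelnet stream tcp6 nowait SAMPLEID /usr/sbin/otelnetd otelnetd -a valid -D netdata -U -g -c 0",
    "otelnet stream tcp nowait SAMPLEID /usr/sbin/otelnetd otelnetd -a user -c 900",
]

if __name__ == "__main__":
    for entry in SAMPLES:
        print(audit(entry) or ["no findings"], "<-", entry)
```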