Note: The user ID associated with the daemon in /etc/inetd.conf requires superuser authority. See z/OS UNIX System Services Planning for a description of the types of authority defined for daemons.
The following syntax is used in the /etc/inetd.conf file to define the arguments used to invoke otelnetd.
Syntax
otelnetd [-C] [-D suboption [suboption ...]]
         [-h] [-k] [-l] [-m] [-n] [-t] [-U] [-g] [-b] [-c timeout_value]
         [-T terminfo_value] [-a {valid | other | user | none | off}]
         [-X authtype] [-s]
where suboption is one of all, options, report, netdata, ptydata, login,
authentication, or encryption (the suboption can be repeated), and the
default for -a is none.
Parameters
- -C
- Prints user messages in uppercase. There are several exceptions.
Messages issued at startup are not affected by the -C option because
the -C option is not processed during the startup. Also, data transmittal
messages will not be uppercase. Data transmittal messages are generated
from the -D netdata option or the -D ptydata option.
- -D
- The following suboptions apply to -D:
- options
- Prints information about the negotiation of Telnet options. This
information is used for debugging purposes. This suboption allows
telnetd to generate debugging information to the connection, which
allows the user to view telnetd activity.
- report
- Prints the options information and additional information about
processing, including the information printed for the options suboption.
This can be used for debugging purposes. This suboption enables telnetd
to generate debugging information to the connection, which enables the
user to view telnetd activity.
- netdata
- Displays the data stream received by telnetd. This information
is used for debugging purposes. It allows telnetd to generate debugging
information to the connection, which enables the user to view telnetd
activity.
- ptydata
- Displays the data stream written to the pty. This information
is used for debugging purposes. It allows telnetd to generate debugging
information to the connection, which enables the user to view telnetd
activity.
- all
- Enables options, report, netdata, ptydata, login, authentication
and encryption.
- login
- Records login and logout activity to syslogd facility auth using
message EZYTU36I.
- authentication
- Turns on authentication debugging code.
- encryption
- Turns on encryption debugging code.
- -h
- Disables the display of the /etc/banner and /etc/otelnetd.banner
files at the terminal of the client.
- -k
- Disables kludge linemode. The server normally attempts to use
kludge linemode when the -l option was specified,
but the client does not support line mode. Use the -k option
when there are remote clients that do not support kludge linemode,
but pass the heuristic for kludge line mode support (for example,
if they respond with WILL TIMING-MARK in response to a DO TIMING-MARK).
This option does not disable kludge line mode when the client requests
it. This is accomplished by the client sending DONT SUPPRESS-GO-AHEAD
and DONT ECHO.
- -l
- Specifies linemode, which tries to force clients to use linemode.
If the LINEMODE option is not supported and the -k option
was not specified, it will attempt to use kludge linemode.
Notes:
- Many clients decline the server's request to operate in linemode.
- Linemode is not appropriate for full-screen applications like
the z/OS® UNIX vi editor.
- -m
- Enables the creation of a forked or spawned process to coexist
in the same address space. This option can improve performance because
the user's login shell runs in the same address space as otelnetd.
- -n
- Disables TCP keep-alives. Normally, telnetd enables the TCP keep-alive
mechanism to probe connections that have been idle for some time to
determine if the client is still there. In this way, idle connections
from machines that have crashed or can no longer be reached can be
cleaned up. The cleanup of disabled connections is controlled by the
presence of the INTERVAL parameter on the TCPCONFIG statement in the
TCPIP profile.
- -t
- Specifies internal tracing. It also activates the report suboption,
as if the user had also specified -D report.
- -U
- Causes telnetd to drop connections from any IP address that cannot
be mapped back into a symbolic name by the gethostbyaddr or getnameinfo
routines.
Result: If coded, the -U parameter
causes the -g parameter to be ignored.
- -g
- Disables the ability to issue the gethostbyaddr or getnameinfo
routines that use the client IP address to resolve the client host
name.
Results:
- If this parameter is coded, the host name does not appear in the
trace output (-t parameter) or in the WHO command output.
- This parameter is ignored if the -U parameter is coded.
- -b
- Forces the server to DO BINARY in the first pass during negotiations
with the client.
- -c timeout_value
- Specifies the number of seconds to wait before terminating the
Telnet session for inactive connections. The timeout_value is
a value between 1 and 86400 seconds.
- -T terminfo_value
- Sets the TERMINFO environment variable to the specified values
at startup. This option is needed when terminfo definitions are located
in nonstandard directories.
- -a
- Specifies the mode to be used for authentication. The valid suboptions
for the authentication mode are:
- valid
- Allow connections only when the remote user can provide valid
authentication information to identify the remote user. Thus, for
otelnetd, Kerberos authentication will be required. User verification
will still occur through the login and password prompt. However, if
the login user ID matches the TSO user ID that was mapped from the
name in the Kerberos principal using the SAF R_usermap function, then
no password will be requested. This is the most secure authentication
mode.
- other
- Allow only connections that supply some authentication information.
This option is currently not supported by any of the existing authentication
mechanisms, and is thus the same as specifying -a valid.
- user
- Allow connections only when the remote user can provide valid
authentication information to identify the remote user, and is allowed
access to the specified account without providing a password. Thus,
for otelnetd, Kerberos authentication is required. The NAME received
during AUTHENTICATION option negotiation must match the name in the
Kerberos principal, and the Kerberos principal must map to a valid
TSO user ID on the host using the SAF R_usermap function. No user
verification will occur through the login or password prompt.
- none
- This is the default state. Authentication information is not
required. User verification will still occur through the login and
password prompt. However, if the login user ID matches the TSO user
ID that was mapped from the name in the Kerberos principal using the
SAF R_usermap function, then no password will be requested.
- off
- This disables the authentication code. All user verification
happens through the login and password prompt. During option negotiation,
otelnetd will not send DO AUTHENTICATION and, if necessary, will send
DONT AUTHENTICATION.
Note: Authentication is not supported for IPv6
connections. If tcp6 is specified in inetd.conf, -a should
not be used as a start option. If tcp6 and -a are
both specified, the suboption will be overridden and forced to OFF.
- -X authtype
- This option disables the use of authtype authentication. Currently
the only valid value for authtype is KERBEROS_V5. Thus, if otelnetd
sends the AUTHENTICATION option SEND command, the authentication-type-pair-list
will not contain any KERBEROS_V5 entries and will be empty.
- -s
- Used to set the KRB5_SERVER_KEYTAB environment variable. If this
environment variable is set, run time security uses a local instance
of the Kerberos security server to decrypt service tickets instead
of obtaining the key from a key table. To use this capability, the
otelnetd application must have at least READ access to the IRR.RUSERMAP
resource in the FACILITY class. For more information, see z/OS Integrated Security Services Network Authentication
Service Administration.
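The option rules above (which options take a value, the repeatable -D suboptions, the none default for -a, the 1..86400 range for -c, and the tcp6 override of -a) can be checked mechanically. The following audit script is an added example, not IBM code: it parses otelnetd entries from an inetd.conf and flags configurations that weaken authentication, leave no idle timeout, or echo the data stream to the connection. The standard inetd.conf field layout, the otelnet service name and the OMVSKERN user ID in the sample entries are assumptions.

```python
import shlex
def parse_otelnetd_args(argv):
    """Map otelnetd arguments to {option: value | True}; "-D" collects a list of suboptions."""
    opts, i = {"-D": []}, 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-D":  # the syntax diagram lets the -D suboption repeat
            i += 1
            while i < len(argv) and not argv[i].startswith("-"):
                opts["-D"].append(argv[i])
                i += 1
        elif tok in ("-c", "-T", "-a", "-X"):  # options that take one value
            opts[tok] = argv[i + 1] if i + 1 < len(argv) else None
            i += 2
        else:
            opts[tok] = True
            i += 1
    return opts

def audit_inetd_line(line):
    """Audit one inetd.conf entry (service type protocol wait user program argv0 args...)
    that starts otelnetd; returns a list of findings, empty if nothing is flagged."""
    fields = shlex.split(line.split("#", 1)[0])
    if len(fields) < 7 or not fields[5].endswith("otelnetd"):
        return []
    proto, opts = fields[2], parse_otelnetd_args(fields[7:])
    findings = []
    mode = opts.get("-a") or "none"  # the syntax diagram marks none as the default
    if proto == "tcp6" and "-a" in opts:
        findings.append("tcp6 with -a: authentication unsupported for IPv6, forced to OFF")
    elif mode in ("none", "off"):
        findings.append(f"-a {mode}: Kerberos authentication not required; password prompt only")
    if "-X" in opts:
        findings.append(f"-X {opts['-X']}: that authentication type is disabled")
    timeout = opts.get("-c")
    if "-c" not in opts:
        findings.append("no -c timeout_value: idle sessions are never terminated")
    elif not (timeout or "").isdigit() or not 1 <= int(timeout) <= 86400:
        findings.append(f"-c {timeout}: timeout_value must be 1..86400 seconds")
    leaky = {"all", "netdata", "ptydata"} & set(opts["-D"])
    if leaky:
        findings.append(f"-D {' '.join(sorted(leaky))}: data stream echoed to the connection")
    return findings

# Constructed sample entries (service name and user ID are assumed, not from a real system).
SAMPLE_CONF = [
    "otelnet stream tcp nowait OMVSKERN /usr/sbin/otelnetd otelnetd -D netdata -n",
    "otelnet stream tcp nowait OMVSKERN /usr/sbin/otelnetd otelnetd -a valid -c 900 -U -h",
]
SAMPLE_FINDINGS = [audit_inetd_line(entry) for entry in SAMPLE_CONF]
```

The first sample entry yields three findings (no required authentication, no idle timeout, netdata debugging); the second, which requires Kerberos authentication, sets a 900-second timeout and refuses unresolvable client addresses, yields none.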