.TH AUTH_TELNETD 8 "March 2007" "OpenFWTK"
.SH NAME
auth_telnetd \- SSO authentication agent for telnet
.SH SYNOPSIS
.B auth_telnetd
.RB "[-daemon " port "] | [-fastdaemon " port "]"
.RB "[-as " tag "]"
.sp
.SH DESCRIPTION
.IX "auth_telnetd" "" "\(em SSO authentication agent for telnet"
The Firewall Toolkit SSO authentication agent for telnet provides
authentication for users connecting from single-user hosts. It makes strong
authentication usable with protocols that cannot carry a challenge/response
exchange of their own. Once a user has logged in to the
.B auth_telnetd
"console", it is possible to selectively permit or deny further
authentication requests originating from the same host, and to issue a
reusable password that is valid only while the console session is open.
The console also provides a verbose log of authentication actions.
.PP
The telnet authentication agent
.RB "(" auth_telnetd ")"
generally runs as a daemon (invoked from a system startup script, e.g.
.IR "/etc/rc.local" )
and listens for requests on the specified port. Whenever the system
receives a telnet connection on this port, the agent checks its
configuration (in the
.IR "netperm-table" )
and determines whether the initiating host is permitted to use the agent.
If the host is not permitted, the agent logs the connection attempt and
displays an error message.
.PP
The agent may also be started from a TCP/IP "superserver" such as inetd or
xinetd; the
.I -daemon
option must be omitted in that case.
.PP
If the host is permitted, the agent authenticates the user and opens the
authentication console session.
.PP
The protocol between the agent and the authentication server is described in
.BR authsrv (8).
.SH OPTIONS
.SS Command Line Options
The telnet authentication agent recognizes the following command line
options (whether started from the command line or from
.IR /etc/rc.local ):
.TP
.BI "-daemon " port
Indicates that the agent runs as a daemon, and the port (name or number)
on which it listens.
With
.IR -daemon ,
the agent re-reads the
.I netperm-table
for every new connection it accepts, so configuration changes take effect
immediately.
.IP
.I port
Specifies either a numeric id or a symbolic name from the
.I /etc/services
file.
.TP
.BI "-fastdaemon " port
Indicates that the telnet authentication agent runs as a daemon, and the
port (name or number) on which it listens. With
.IR -fastdaemon ,
the
.I netperm-table
is read once when the daemon starts and again whenever it receives
.IR SIGHUP ;
edits to the table have no effect until the daemon is signalled or
restarted.
.TP
.BI "-as " tag
Changes the application tag used to select
.I netperm-table
rules from the default "auth_telnetd" to the given string.
.SS Configuration Options
The telnet authentication agent reads its configuration rules from
.IR "/usr/local/etc/netperm-table" .
It reads all rules tagged
.B auth_telnetd
(or the tag given with
.BR -as )
and all rules tagged
.B *
(wildcard). The agent reads the
.I netperm-table
from top to bottom; if several rules in the table could apply to a
particular attribute, the first one found is used, so an earlier permissive
.B hosts
rule shadows any later, more specific
.B deny-hosts
rule for the same host. See
.BR netperm-table (5)
for a more complete explanation of
.I netperm-table
syntax and precedence.
.PP
The agent recognizes the following attributes:
.TP
.BI "authserver " "host port"
Specifies the host running the authentication server (and the port on
which it runs) that the agent uses for authenticating users.
.RS
.TP
.I host
Specifies an IP address or host name.
.TP
.I port
Specifies a service name or port number.
.RE
.TP
.B hosts host-pattern [host-pattern2...] [options]
rules specify hosts and their access permissions. Typically, a hosts rule
will be of the form:
.na
.sp 1
auth_telnetd: deny-hosts unknown
.sp
auth_telnetd: hosts 192.33.112.* 192.94.214.* -keepalive
.ad
.sp 1
There may be several host patterns following the "hosts" keyword, ending
with the first optional parameter beginning with '-'. Optional parameters
permit the selective enabling or disabling of connection options such as
TCP keepalive and DSCP marking.
Sub-options are:
.IP
.B \-keepalive
enables the TCP SO_KEEPALIVE option on the client connection.
.IP
.B \-dscp dscp-tag-name
.br
.B \-dscp dscp-hex-value
specifies the DiffServ codepoint (QoS/ToS mark) for the client telnet
session.
.TP
.BI "welcome-msg " file
Specifies the name of the file the agent displays as a welcome banner upon
successful connection to the console. If no file is specified, the agent
generates a default message.
.TP
.BI "directory " directory
Specifies the directory that the telnet authentication agent makes its
root directory before providing service. This option is equivalent to the
.B chroot
option in previous versions.
.TP
.BI "groupid " group
Specifies the name of the group the agent uses when running.
.RS
.TP
.I group
Specifies either a name or numeric id from the
.I /etc/group
file.
.RE
.TP
.BI "userid " user
Specifies the user ID the agent uses when running.
.RS
.TP
.I user
Specifies either a name or numeric id from the
.I /etc/passwd
file. This option is equivalent to the
.B -user
command in previous versions.
.RE
.SS Console Commands
The following commands are available while the authentication console is
running:
.TP
.B help
Displays a list of valid commands.
.TP
.B ?
Alias for "help".
.TP
.B quit
Closes the authentication console session.
.TP
.B exit
Alias for "quit".
.TP
.BI "auth keepalive|ask [password] "
Sets the authentication mode.
.RS
.TP
.I keepalive
means that once an authentication request is received by
.BR authsrv (8)
and passed to the agent, the agent sends a "keepalive" probe to the console
telnet client (a terminal control sequence requesting the cursor position).
The authentication is granted only if the probe is answered. This confirms
that the console session is still live; it does not ask the console user to
approve the request.
.TP
.I ask
means that once an authentication request is received by
.BR authsrv (8)
and passed to the agent, the agent starts an explicit confirmation dialog
with the console user.
.TP
.I password
means that a reusable password is issued, which
.BR authsrv (8)
treats as a valid password for the authenticated user for as long as the
console session is active; closing the console invalidates it.
.RE
.TP
.B history
Displays the history of authentication requests.
.SH FILES
.IP /etc/rc.local
Command script run at system startup, which includes the startup command
for the telnet authentication agent.
.IP /usr/local/etc/netperm-table
The network permissions file contains configuration information for the
Firewall Toolkit, including the telnet authentication agent.
.SH BUGS
Report bugs to arkenoi@gmail.com or to the fwtk-users@buoy.com mailing
list. Include a complete example, explaining what you expected to happen
and what actually happened. Be sure to indicate the type of system
(operating system, hardware, etc.) you are using, as well as the version
of the telnet authentication agent.
.SH AUTHOR
Alexei Kravchuk.
.SH SEE ALSO
.BR netperm-table "(5), " rc "(8), " authsrv "(8), " netacl (8)
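.SH EXAMPLES
.PP
The following Python program is an added illustration for this page; it is
not code from OpenFWTK or its author. It re-implements the host check
described under Configuration Options: rules are read top to bottom, only
rules tagged with the application tag (or *) are considered, and the first
rule whose pattern matches decides. The sample table, the treatment of '#'
as a comment, the meaning of the "unknown" pattern (reverse lookup failed),
glob-style matching of host patterns and deny-by-default when nothing
matches are assumptions made here; netperm-table(5) is authoritative for
the real syntax. It also shows why rule order matters: the later deny-hosts
entry for 192.33.112.13 is never reached.

```python
"""Added example: first-match host authorization in the style of the
netperm-table rules described in auth_telnetd(8).  Not OpenFWTK code; the
comment syntax, 'unknown' semantics, glob matching and default deny are
assumptions."""
import fnmatch
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample table (not a real site configuration).
SAMPLE_TABLE = """
# application tag : attribute [arguments] [-options]
auth_telnetd: authserver 127.0.0.1 7777
auth_telnetd: deny-hosts unknown
auth_telnetd: hosts 192.33.112.* 192.94.214.* -keepalive
*:            hosts 10.0.0.* -dscp cs1
auth_telnetd: deny-hosts 192.33.112.13      # never reached: shadowed above
"""


@dataclass
class HostRule:
    tag: str             # "auth_telnetd" or "*"
    action: str          # "hosts" (permit) or "deny-hosts"
    patterns: List[str]  # host patterns up to the first '-' word
    options: List[str]   # everything from the first '-' word onwards


def parse_netperm(text: str, app_tag: str = "auth_telnetd") -> List[HostRule]:
    """Collect hosts/deny-hosts rules tagged app_tag or '*', in file order."""
    rules: List[HostRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment (assumed)
        if ":" not in line:
            continue
        tag, body = (part.strip() for part in line.split(":", 1))
        if tag not in (app_tag, "*"):            # -as changes app_tag
            continue
        words = body.split()
        if not words or words[0] not in ("hosts", "deny-hosts"):
            continue
        patterns, options = [], []
        for w in words[1:]:
            if options or w.startswith("-"):     # first '-' word ends the patterns
                options.append(w)
            else:
                patterns.append(w)
        rules.append(HostRule(tag, words[0], patterns, options))
    return rules


def pattern_matches(pattern: str, addr: str, name: Optional[str]) -> bool:
    """'unknown' matches a client whose reverse lookup failed; any other
    pattern is glob-matched against the address and the lowercase name."""
    if pattern == "unknown":
        return name is None
    if fnmatch.fnmatchcase(addr, pattern):
        return True
    return name is not None and fnmatch.fnmatchcase(name.lower(), pattern.lower())


def host_permitted(rules: List[HostRule], addr: str,
                   name: Optional[str]) -> Tuple[bool, Optional[HostRule]]:
    """Top-to-bottom scan; the first rule with a matching pattern decides.
    Returns (permitted, rule); no match at all is deny (assumed default)."""
    for rule in rules:
        if any(pattern_matches(p, addr, name) for p in rule.patterns):
            return rule.action == "hosts", rule
    return False, None


def reverse_name(addr: str) -> Optional[str]:
    """Reverse-resolve addr; None stands for 'unknown' in the netperm sense."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


if __name__ == "__main__":
    rules = parse_netperm(SAMPLE_TABLE)
    for addr, name in [("192.33.112.13", "h13.example.net"),   # shadowed deny
                       ("192.33.112.5", None),                 # reverse lookup failed
                       ("10.0.0.7", "pc.example.net"),         # matched via '*' tag
                       ("203.0.113.9", "other.example.net")]:  # no rule: deny
        ok, rule = host_permitted(rules, addr, name)
        detail = f"{rule.action} {' '.join(rule.patterns)} {' '.join(rule.options)}" if rule else "-"
        print(f"{addr:15} {str(name):20} {'PERMIT' if ok else 'DENY':6} {detail}")
```

Running the program shows 192.33.112.13 permitted by the wildcard hosts
rule even though a deny-hosts line for it follows; to block one host out of
a permitted network the deny-hosts line must come first. Parsing with
app_tag="other" (as -as other would) keeps only the *-tagged rule.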
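.PP
The keepalive mode of the auth console command probes the console terminal
with a control sequence requesting the cursor position and grants the
request only if the probe is answered. The Python below is an added
example, not OpenFWTK code: the page does not name the sequence, so it
assumes the ANSI DSR request ESC [ 6 n and the Cursor Position Report reply
ESC [ row ; col R, and it stands in for the console socket with send/recv
callables so it runs offline. It grants on a well-formed report and refuses
on silence, disconnection or an unrelated reply.

```python
"""Added example: a liveness probe in the style of the auth_telnetd
"keepalive" mode.  Not OpenFWTK code; the DSR/CPR sequences are assumed."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# ANSI Device Status Report: "report cursor position" (assumed to be the probe).
DSR_CURSOR_REQUEST = b"\x1b[6n"
# A live terminal answers with a Cursor Position Report: ESC [ row ; col R
CPR_REPLY = re.compile(rb"\x1b\[(\d+);(\d+)R")


def parse_cursor_report(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (row, col) from a CPR found in data, or None if none/malformed."""
    m = CPR_REPLY.search(data)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def keepalive_check(send: Callable[[bytes], None],
                    recv: Callable[[], bytes],
                    max_reads: int = 8) -> bool:
    """Send the probe and read until a CPR arrives.

    recv() returns b"" when the peer has gone away or a read timed out (on a
    real socket: settimeout() followed by recv()); either means the console
    is not alive, so the pending authentication request is refused.
    """
    send(DSR_CURSOR_REQUEST)
    buf = b""
    for _ in range(max_reads):               # bounded: a chatty peer cannot hang us
        chunk = recv()
        if not chunk:
            return False
        buf += chunk                         # reply may be split across reads
        if parse_cursor_report(buf) is not None:
            return True
    return False


class FakeConsole:
    """Constructed stand-in for the console telnet connection."""

    def __init__(self, reply_chunks: List[bytes]):
        self.reply_chunks = list(reply_chunks)
        self.sent = b""

    def send(self, data: bytes) -> None:
        self.sent += data

    def recv(self) -> bytes:
        if DSR_CURSOR_REQUEST not in self.sent or not self.reply_chunks:
            return b""                       # nothing asked yet, or peer silent/gone
        return self.reply_chunks.pop(0)


def demo() -> Dict[str, bool]:
    live = FakeConsole([b"\x1b[2", b"4;1R"])      # CPR split across two reads
    dead = FakeConsole([])                         # disconnected or timed out
    noise = FakeConsole([b"hello\r\n"])            # answers, but not with a CPR
    return {
        "live": keepalive_check(live.send, live.recv),
        "dead": keepalive_check(dead.send, dead.recv),
        "noise": keepalive_check(noise.send, noise.recv),
    }


if __name__ == "__main__":
    print(demo())
```

A terminal emulator answers DSR on its own, with no action by the person at
the keyboard, which is why the page distinguishes keepalive (the console is
still alive) from ask (the console user explicitly confirms).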