the djb way

services, services!


Protocol: TCP
Standard Port: 23

The telnetd daemon is generally considered insecure for today's hostile network environments. Not only has the daemon been the subject of many exploits, but all traffic between the client and server is unencrypted and visible to packet sniffers. For these reasons, sshd, the secure shell, is recommended instead of telnet. (We describe a daemontools setup for sshd here.)

There are occasions when a telnet server may still be desired, however. Within a heterogenous local network, for example, many common desktop operating systems are not supplied with a SSH client as standard equipment, yet they do include a telnet client. For the harried system administrator, then, it may be convenient to enable telnet connections to a server from some other workstations in the building.

telnetd is conventionally run by inetd. It is very easy to convert to a /service.

First, create the run script directories for the telnetd service:

# mkdir -p /var/svc.d/telnetd/log

Then the daemontools run script for /var/svc.d/telnetd/run:

# telnetd/run

exec 2>&1
echo "*** Starting telnetd service ..."
exec softlimit -m 3500000 \
  tcpserver -vr -l0 \
  -c ${CONLIMIT} \
  -x /etc/tcprules/telnet.cdb \
  0 telnet \

### that's all, folks!

The $TELNETD variable should be set to invoke the telnetd executable on your particular platform.

Here's the usual run script for the logger in /var/svc.d/telnetd/log/run:

# telnetd/log/run
exec setuidgid multilog multilog t /var/multilog/telnetd

### that's all, folks!

Prepare the log directory in /var/multilog:

# mkdir -p /var/multilog/telnetd
# chown multilog:nofiles /var/multilog/telnetd

Set up whatever tcprules you want for access control in /etc/tcprules/telnet.rules:

# telnet.rules
# our trusted workstations:

Then compile the rules:

# (cd /etc/tcprules ; make telnet.cdb)

Link into /service:

# ln -s /var/svc.d/telnetd /service/telnetd

Test the service, see if you can make a telnet connection to localhost from the server itself. If there's a problem, do the usual trouble-shooting: look at the logs, make sure the run scripts are executable, the softlimit parameters are not too tight.

The telnetd service makes a good candidate to consider setting down by default:

# svc -d /service/telnetd
# touch /service/telnetd/down

Now the service will run only when you bring it up manually:

# svc -u /service/telnetd

Shut 'er down when you're done:

# svc -d /service/telnetd

Copyright © 2002, 2003, 2004, Wayne Marshall.
All rights reserved.

Last edit 2004.03.08, wcm.