The Telnet Protocol
The Telnet protocol is often thought of as simply providing a facility for remote logins to computers via the Internet. This was its original purpose, although it can be used for many other purposes.
It is best understood in the context of a user with a simple terminal using the local telnet program (known as the client program) to run a login session on a remote computer where his communications needs are handled by a telnet server program. It should be emphasised that the telnet server can pass on the data it has received from the client to many other types of process including a remote login server. It is described in RFC854 <http://www.scit.wlv.ac.uk/rfc/rfc8xx/RFC854.html> and was first published in 1983.
The Network Virtual Terminal
Communication is established using the TCP/IP protocols and communication is based on a set of facilities known as a Network Virtual Terminal (NVT). At the user or client end the telnet client program is responsible for mapping incoming NVT codes to the actual codes needed to operate the user's display device and is also responsible for mapping user generated keyboard sequences into NVT sequences.
The NVT uses 7 bit codes for characters. The display device, referred to as a printer in the RFC, is only required to display the "standard" printing ASCII characters represented by 7 bit codes and to recognise and process certain control codes. The 7 bit characters are transmitted as 8 bit bytes with the most significant bit set to zero. An end-of-line is transmitted as the character sequence CR (carriage return) followed by LF (line feed). If it is desired to transmit an actual carriage return, this is transmitted as a carriage return followed by a NUL (all bits zero) character.
NVT ASCII is used by many other Internet protocols.
The following control codes are required to be understood by the Network Virtual Terminal.
Name | code | Decimal Value | Function |
NULL | NUL | 0 | No operation |
Line Feed | LF | 10 | Moves the printer to the next print line, keeping the same horizontal position. |
Carriage Return | CR | 13 | Moves the printer to the left margin of the current line. |
The following further control codes are optional but should have the indicated defined effect on the display.
Name | code | Decimal Value | Function |
BELL | BEL | 7 | Produces an audible or visible signal (which does NOT move the print head). |
Back Space | BS | 8 | Moves the print head one character position towards the left margin. [On printing devices this mechanism was commonly used to form composite characters by printing two basic characters on top of each other.] |
Horizontal Tab | HT | 9 | Moves the printer to the next horizontal tab stop. It remains unspecified how either party determines or establishes where such tab stops are located. |
Vertical Tab | VT | 11 | Moves the printer to the next vertical tab stop. It remains unspecified how either party determines or establishes where such tab stops are located. |
Form Feed | FF | 12 | Moves the printer to the top of the next page, keeping the same horizontal position. [On visual displays this commonly clears the screen and moves the cursor to the top left corner.] |
The NVT keyboard is specified as being capable of generating all 128 ASCII codes by using keys, key combinations or key sequences.
Commands
The telnet protocol also specifies various commands that control the method and various details of the interaction between the client and server. These commands are incorporated within the data stream. The commands are distinguished by the use of various characters with the most significant bit set. Commands are always introduced by a character with the decimal code 255 known as an Interpret as command (IAC) character. The complete set of special characters is
Name | Decimal Code | Meaning |
SE | 240 | End of subnegotiation parameters. |
NOP | 241 | No operation |
DM | 242 | Data mark. Indicates the position of a Synch event within the data stream. This should always be accompanied by a TCP urgent notification. |
BRK | 243 | Break. Indicates that the "break" or "attention" key was hit. |
IP | 244 | Suspend, interrupt or abort the process to which the NVT is connected. |
AO | 245 | Abort output. Allows the current process to run to completion but do not send its output to the user. |
AYT | 246 | Are you there. Send back to the NVT some visible evidence that the AYT was received. |
EC | 247 | Erase character. The receiver should delete the last preceding undeleted character from the data stream. |
EL | 248 | Erase line. Delete characters from the data stream back to but not including the previous CRLF. |
GA | 249 | Go ahead. Used, under certain circumstances, to tell the other end that it can transmit. |
SB | 250 | Subnegotiation of the indicated option follows. |
WILL | 251 | Indicates the desire to begin performing, or confirmation that you are now performing, the indicated option. |
WONT | 252 | Indicates the refusal to perform, or continue performing, the indicated option. |
DO | 253 | Indicates the request that the other party perform, or confirmation that you are expecting the other party to perform, the indicated option. |
DONT | 254 | Indicates the demand that the other party stop performing, or confirmation that you are no longer expecting the other party to perform, the indicated option. |
IAC | 255 | Interpret as command |
There are a variety of options that can be negotiated between a telnet client and server using commands at any stage during the connection. They are described in detail in separate RFCs. The following are the most important.
Decimal code | Name | RFC |
1 | echo | 857 <http://www.scit.wlv.ac.uk/rfc/rfc8xx/RFC857.html> |
3 | suppress go ahead | 858 <http://www.scit.wlv.ac.uk/rfc/rfc8xx/RFC858.html> |
5 | status | 859 <http://www.scit.wlv.ac.uk/rfc/rfc8xx/RFC859.html> |
6 | timing mark | 860 <http://www.scit.wlv.ac.uk/rfc/rfc8xx/RFC860.html> |
24 | terminal type | 1091 <http://www.scit.wlv.ac.uk/rfc/rfc10xx/RFC1091.html> |
31 | window size | 1073 <http://www.scit.wlv.ac.uk/rfc/rfc10xx/RFC1073.html> |
32 | terminal speed | 1079 <http://www.scit.wlv.ac.uk/rfc/rfc10xx/RFC1079.html> |
33 | remote flow control | 1372 <http://www.scit.wlv.ac.uk/rfc/rfc13xx/RFC1372.html> |
34 | linemode | 1184 <http://www.scit.wlv.ac.uk/rfc/rfc11xx/RFC1184.html> |
36 | environment variables | 1408 <http://www.scit.wlv.ac.uk/rfc/rfc14xx/RFC1408.html> |
Options are agreed by a process of negotiation which results in the client and server having a common view of various extra capabilities that affect the interchange and the operation of applications.
Either end of a telnet dialogue can enable or disable an option either locally or remotely. The initiator sends a 3 byte command of the form
IAC,<type of operation>,<option>
The following patterns of option negotiation are defined.
Sender Sent | Receiver Responds | Implication |
WILL | DO | The sender would like to use a certain option if the receiver can handle it. The receiver says it can support the option. Option is now in effect. |
WILL | DONT | The sender would like to use a certain option if the receiver can handle it. The receiver says it cannot support the option. Option is not in effect. |
DO | WILL | The sender requests that the receiver use a certain option. The receiver says it can support the option. Option is now in effect. |
DO | WONT | The sender requests that the receiver use a certain option. The receiver says it cannot support the option. Option is not in effect. |
WONT | DONT | The sender will not use a certain option. Option disabled. DONT is the only valid response. |
DONT | WONT | The sender requests that the receiver does not use a certain option. Option disabled. WONT is the only valid response. |
For example if the sender wants the other end to suppress go-ahead it would send the byte sequence
255(IAC),251(WILL),3
The final byte of the three byte sequence identifies the required action.
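The receiver's side of the negotiation table above, as an added example that is not part of the original page. The class name Negotiator and its allow-list parameters are hypothetical; it assumes every option starts disabled, applies the RFC 854 rule that a request which changes nothing gets no reply, and models only replies to the peer's requests (requests this end initiated are not tracked).

```python
WILL, WONT, DO, DONT = 251, 252, 253, 254
IAC = 255

class Negotiator:
    """Answers option requests for one end of a Telnet connection."""

    def __init__(self, local_ok=(), remote_ok=()):
        self.local_ok = set(local_ok)    # options we agree to perform (answer to DO)
        self.remote_ok = set(remote_ok)  # options the peer may perform (answer to WILL)
        self.local_on = set()            # options currently enabled on our side
        self.remote_on = set()           # options currently enabled on the peer's side

    def receive(self, verb, option):
        """Return the 3-byte reply to send, or b"" when no reply is due."""
        if verb in (WILL, WONT):         # peer is talking about its own side
            state, allowed, yes, no = self.remote_on, self.remote_ok, DO, DONT
        elif verb in (DO, DONT):         # peer is talking about our side
            state, allowed, yes, no = self.local_on, self.local_ok, WILL, WONT
        else:
            raise ValueError(f"not a negotiation verb: {verb}")
        want_on = verb in (WILL, DO)
        if want_on and option not in allowed:
            return bytes([IAC, no, option])      # refuse: rows WILL/DONT and DO/WONT
        if want_on == (option in state):
            return b""                           # already in that state: stay silent
        if want_on:
            state.add(option)                    # accept: rows WILL/DO and DO/WILL
        else:
            state.discard(option)                # disabling can never be refused
        return bytes([IAC, yes if want_on else no, option])
```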
For some of the negotiable options values need to be communicated once support of the option has been agreed. This is done using sub-option negotiation. Values are communicated via an exchange of value query commands and responses in the following form.
IAC,SB,<option code number>,1,IAC,SE
and
IAC,SB,<option code>,0,<value>,IAC,SE
For example if the client wishes to identify the terminal type to the server the following exchange might take place
Client 255(IAC),251(WILL),24
Server 255(IAC),253(DO),24
Server 255(IAC),250(SB),24,1,255(IAC),240(SE)
Client 255(IAC),250(SB),24,0,'V','T','2','2','0',255(IAC),240(SE)
The first exchange establishes that terminal type (option number 24) will be handled; the server then enquires of the client what value it wishes to associate with the terminal type. The sequence SB,24,1 implies sub-option negotiation for option type 24, value required (1). The IAC,SE sequence indicates the end of this request. The response IAC,SB,24,0,'V'... implies sub-option negotiation for option type 24, value supplied (0); the IAC,SE sequence indicates the end of the response (and the supplied value).
The encoding of the value is specific to the option but a sequence of characters, as shown above, is common.
Telnet Negotiable Options
Many of those listed are self-evident, but some call for more comments.
Suppress Go Ahead
The original telnet implementation defaulted to "half duplex" operation. This means that data traffic could only go in one direction at a time and specific action is required to indicate the end of traffic in one direction and that traffic may now start in the other direction. [This is similar to the use of "roger" and "over" by amateur and CB radio operators.] The specific action is the inclusion of a GA character in the data stream.
Modern links normally allow bi-directional operation and the "suppress go ahead" option is enabled.
echo
The echo option is enabled, usually by the server, to indicate that the server will echo every character it receives. A combination of "suppress go ahead" and "echo" is called character at a time mode meaning that each character is separately transmitted and echoed.
There is an understanding known as kludge line mode which means that if either "suppress go ahead" or "echo" is enabled but not both then telnet operates in line at a time mode meaning that complete lines are assembled at each end and transmitted in one "go".
linemode
This option replaces and supersedes the line mode kludge.
remote flow control
This option controls where the special flow control effects of Ctrl-S/Ctrl-Q are implemented.
Telnet control functions
The telnet protocol includes a number of control functions. These are initiated in response to conditions detected by the client (usually certain special keys or key combinations) or server. The detected condition causes a special character to be incorporated in the data stream.
Interrupt Process
This is used by the client to cause the suspension or termination of the server process. Typically the user types Ctrl-C on the keyboard. An IP (244) character is included in the data stream.
Abort Output
This is used to suppress the transmission of remote process output. An AO (238) character is included in the data stream.
Are You There
This is used to trigger a visible response from the other end to confirm the operation of the link and the remote process. An AYT (246) character is incorporated in the data stream.
Erase character
Sent to the display to tell it to delete the immediately preceding character from the display. An EC (247) character is incorporated in the data stream.
Erase line
Causes the deletion of the current line of input. An EL (248) character is incorporated in the data stream.
Data Mark
Some control functions such as AO and IP require immediate action and this may cause difficulties if data is held in buffers awaiting input requests from a (possibly misbehaving) remote process. To overcome this problem a DM (242) character is sent in a TCP Urgent segment, this tells the receiver to examine the data stream for "interesting" characters such as IP, AO and AYT. This is known as the telnet synch mechanism.
A DM not in a TCP Urgent segment has no effect.
The telnet command
On most Unix systems a telnet session can be initiated using the telnet command. Most users simply type
telnet <remote host>
but if the user just types telnet then various options and subcommands are available which can be used to study the behaviour of the session.
Here's an example of a telnet session from scitsc to ccub
bash$ telnet
telnet> toggle options
Will show option processing.
telnet> open ccub
Trying 134.220.1.20 ...
Connected to ccub.wlv.ac.uk.
Escape character is '^]'.
SENT do SUPPRESS GO AHEAD
SENT will TERMINAL TYPE (reply)
RCVD do TERMINAL TYPE (don't reply)
RCVD will SUPPRESS GO AHEAD (don't reply)
RCVD will ECHO (reply)
SENT do ECHO (reply)
RCVD do ECHO (reply)
SENT wont ECHO (reply)
UNIX(r) System V Release 4.0 (ccub)
RCVD dont ECHO (don't reply)
login: Login timed out after 60 seconds
Connection closed by foreign host.
These pages were produced to support a communication systems module that is no longer taught. Further communication systems notes <http://www.scit.wlv.ac.uk/~jphb/comms/> are available on-line.
Author : Peter Burden <http://www.scit.wlv.ac.uk/~jphb/>
---------------------------------------
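The Telnet Protocol
The Telnet protocol can work between any host (that is, any operating system) and any terminal. RFC 854 [Postel and Reynolds 1983a] defines the specification of the protocol, and also defines a common character terminal called the Network Virtual Terminal (NVT). The NVT is a virtual device; both ends of the connection, the client and the server, must map their physical terminals to and from the NVT. That is, whatever type of terminal the client process has, the operating system must convert it to NVT format. Likewise, whatever type of terminal the server process has, the operating system must be able to convert NVT format into a format that the terminal supports.
The NVT is a character device with a keyboard and a printer. Data typed by the user is sent to the server process, and the responses returned by the server process are output to the printer. By default, data typed by the user is sent to the printer, but we can see that this option can be changed.
NVT ASCII
The term NVT ASCII denotes the 7-bit ASCII character set, and the whole Internet protocol suite uses NVT ASCII. Each 7-bit character is sent as an 8-bit byte with the high-order bit set to 0. An end-of-line is represented by the two-character sequence CR (carriage return) followed by LF (line feed), written \r\n. A CR on its own is also represented by a two-character sequence, CR followed by NUL (byte 0), written \r\0.
Telnet commands
Telnet uses in-band signalling in both directions. The byte 0xff (decimal 255) is called IAC (interpret as command). The byte that follows it is the command byte. To send the data byte 255, two consecutive 255 bytes must be sent. (In the previous section we said that the data stream is NVT ASCII, which is a 7-bit format, implying that the data byte 255 cannot be transmitted over Telnet. In fact Telnet has a binary option, defined in RFC 856 [Postel and Reynolds 1983b], which we have not discussed; it allows data to be transmitted as 8 bits.) Figure 26-8 lists all the Telnet commands. Since many of these commands are rarely used, we explain the important ones when we meet them in the examples or text of the following sections.
Telnet commands when the preceding byte is IAC (255)
Name | Code (decimal) | Description |
EOF | 236 | End of file |
SUSP | 237 | Suspend the current process (job control) |
ABORT | 238 | Abort process |
EOR | 239 | End of record |
SE | 240 | Suboption end |
NOP | 241 | No operation |
DM | 242 | Data mark |
BRK | 243 | Break |
IP | 244 | Interrupt process |
AO | 245 | Abort output |
AYT | 246 | Are you there? |
EC | 247 | Escape character |
EL | 248 | Erase line |
GA | 249 | Go ahead |
SB | 250 | Suboption begin |
WILL | 251 | Option negotiation (Figure 26-9) |
WONT | 252 | Option negotiation |
DO | 253 | Option negotiation |
DONT | 254 | Option negotiation |
IAC | 255 | Data byte 255 |
Although we can regard both ends of a Telnet connection as NVTs, in practice the first information the two ends exchange is option negotiation data. Option negotiation is symmetric: either side can send an option negotiation request to the other.
For any given option, either side of the connection can send any one of the following four requests.
1) WILL: the sender itself will enable the option.
2) DO: the sender wants the receiver to enable the option.
3) WONT: the sender itself wants to disable the option.
4) DONT: the sender wants the receiver to disable the option.
Under the Telnet rules, the receiver of a request to enable an option (1 and 2 above) may agree or disagree, whereas a request to disable an option (3 and 4 above) must be agreed to. The four requests therefore combine into six cases, as shown in Figure 26-9. Option negotiation takes 3 bytes: an IAC byte, followed by a byte that is one of WILL, DO, WONT or DONT, and finally an ID byte that identifies the option to enable or disable.
No. | Sender | Receiver | Description |
1 | WILL → | ← DO | The sender wants to enable the option; the receiver says yes |
2 | WILL → | ← DONT | The sender wants to enable the option; the receiver says no |
3 | DO → | ← WILL | The sender wants the receiver to enable the option; the receiver says yes |
4 | DO → | ← WONT | The sender wants the receiver to enable the option; the receiver says no |
5 | WONT → | ← DONT | The sender wants to disable the option; the receiver must say yes |
6 | DONT → | ← WONT | The sender wants the receiver to disable the option; the receiver must say yes |
More than 40 options can now be negotiated; the following are some of the important ones: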
Decimal code | Name | RFC |
1 | echo | 857 |
3 | suppress go ahead | 858 |
5 | status | 859 |
6 | timing mark | 860 |
24 | terminal type | 1091 |
31 | window size | 1073 |
32 | terminal speed | 1079 |
33 | remote flow control | 1372 |
34 | linemode | 1184 |
36 | environment variables | 1408 |
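Some options cannot be expressed simply as "enable" or "disable". Specifying the terminal type is one example: the client process must send an ASCII string to represent the terminal type. To handle such options, we must define a suboption negotiation mechanism.
RFC 1091 [VanBokkelen 1989] defines the suboption negotiation used to convey the terminal type. First, one side of the connection (usually the client process) sends a 3-byte sequence to request that the option be enabled. Here 24 (decimal) is the ID of the terminal type option. If the receiver (usually the server process) agrees, the response is:
The server process then sends the following string:
This string asks the client process for its terminal type. SB is the command that marks the start of suboption negotiation. The next byte, 24, indicates that this is a suboption of the terminal type option (the option value after SB normally identifies what the suboption is submitting). The next byte, 1, means "send your terminal type". The command that marks the end of suboption negotiation is likewise IAC, just as SB marks its start. If the terminal type is ibmpc, the client process's response will be:
<IAC, SB, 24, 0, 'I', 'B', 'M', 'P', 'C', IAC, SE>
The fourth byte, 0, means "my terminal type is". (The Assigned Numbers RFC formally defines the values for terminal types, but at least between Unix systems the terminal type can be expressed as any value the other end understands, as long as it is defined in the termcap or terminfo database.) In Telnet suboption negotiation the terminal type is given in uppercase; when the server receives the string it automatically converts it to lowercase.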
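The in-band framing described in both parts of this page (IAC-introduced commands, three-byte option negotiation, SB ... IAC SE sub-negotiation, and a doubled 255 for a literal data byte) can be exercised with a small parser. This is an added example, not code from the original pages; the names parse_telnet and CLIENT_BYTES and the sample bytes, including the login name, are constructed for illustration, and CR NUL handling and the extra command codes 236 to 239 are left out.

```python
IAC, SE, SB = 255, 240, 250
NEGOTIATION = {251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}
COMMANDS = {241: "NOP", 242: "DM", 243: "BRK", 244: "IP", 245: "AO",
            246: "AYT", 247: "EC", 248: "EL", 249: "GA"}
# Constructed sample: client side of the VT220 exchange, a login name, a doubled IAC.
CLIENT_BYTES = (bytes([255, 251, 24, 255, 250, 24, 0]) + b"VT220"
                + bytes([255, 240]) + b"guest\r\n" + bytes([255, 255]))

def parse_telnet(stream: bytes):
    """Split a stream into ("data", b), ("cmd", name), ("neg", verb, opt), ("sub", opt, b)."""
    events, data, i, n = [], bytearray(), 0, len(stream)
    def emit(event):                         # flush pending data to keep stream order
        if data:
            events.append(("data", bytes(data)))
            data.clear()
        if event:
            events.append(event)
    while i < n:
        if stream[i] != IAC:                 # ordinary NVT data byte
            data.append(stream[i])
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError("truncated: IAC at end of stream")
        cmd = stream[i + 1]
        if cmd == IAC:                       # doubled IAC = literal data byte 255
            data.append(IAC)
            i += 2
        elif cmd in COMMANDS:                # two-byte command such as IAC AYT
            emit(("cmd", COMMANDS[cmd]))
            i += 2
        elif cmd not in NEGOTIATION and cmd != SB:
            raise ValueError(f"unexpected command byte {cmd}")
        elif i + 2 >= n:
            raise ValueError("truncated: missing option byte")
        elif cmd in NEGOTIATION:             # IAC, WILL/WONT/DO/DONT, option
            emit(("neg", NEGOTIATION[cmd], stream[i + 2]))
            i += 3
        else:                                # IAC SB option ... IAC SE
            payload, j = bytearray(), i + 3
            while stream[j:j + 2] != bytes([IAC, SE]):
                if j + 1 >= n:
                    raise ValueError("unterminated sub-negotiation")
                payload.append(stream[j])    # IAC IAC inside SB is one byte 255
                j += 2 if stream[j:j + 2] == b"\xff\xff" else 1
            emit(("sub", stream[i + 2], bytes(payload)))
            i = j + 2
    emit(None)
    return events
```

Rejecting truncated or unterminated sequences rather than guessing keeps a cut-off sub-negotiation from being treated as terminal data.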