path: root/usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*
 * Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T
 * All Rights Reserved.
 */

/*
 * University Copyright- Copyright (c) 1982, 1986, 1988
 * The Regents of the University of California.
 * All Rights Reserved.
 *
 * University Acknowledgment- Portions of this document are derived from
 * software developed by the University of California, Berkeley, and its
 * contributors.
 */

/*
 * Telnet server.
 */
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <sys/filio.h>
#include <sys/time.h>
#include <sys/stropts.h>
#include <sys/stream.h>
#include <sys/tihdr.h>
#include <sys/utsname.h>
#include <unistd.h>

#include <netinet/in.h>

#define	AUTHWHO_STR
#define	AUTHTYPE_NAMES
#define	AUTHHOW_NAMES
#define	AUTHRSP_NAMES
#define	ENCRYPT_NAMES

#include <arpa/telnet.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdarg.h>
#include <signal.h>
#include <errno.h>
#include <netdb.h>
#include <syslog.h>
#include <ctype.h>
#include <fcntl.h>
#include <sac.h>	/* for SC_WILDC */
#include <utmpx.h>
#include <sys/ttold.h>
#include <malloc.h>
#include <string.h>
#include <security/pam_appl.h>
#include <sys/tihdr.h>
#include <sys/logindmux.h>
#include <sys/telioctl.h>
#include <deflt.h>
#include <stdlib.h>
#include <string.h>
#include <stropts.h>
#include <termios.h>

#include <com_err.h>
#include <krb5.h>
#include <krb5_repository.h>
#include <des/des.h>
#include <rpc/des_crypt.h>
#include <sys/cryptmod.h>
#include <bsm/adt.h>

#define	TELNETD_OPTS "Ss:a:dEXUhR:M:"
#ifdef DEBUG
#define	DEBUG_OPTS "p:e"
#else
#define	DEBUG_OPTS ""
#endif /* DEBUG */

#define	OPT_NO			0		/* won't do this option */
#define	OPT_YES			1		/* will do this option */
#define	OPT_YES_BUT_ALWAYS_LOOK	2
#define	OPT_NO_BUT_ALWAYS_LOOK	3

#define	MAXOPTLEN 256
#define	MAXUSERNAMELEN 256

static char	remopts[MAXOPTLEN];
static char	myopts[MAXOPTLEN];
static uchar_t	doopt[] = { (uchar_t)IAC, (uchar_t)DO, '%', 'c', 0 };
static uchar_t	dont[] = { (uchar_t)IAC, (uchar_t)DONT, '%', 'c', 0 };
static uchar_t	will[] = { (uchar_t)IAC, (uchar_t)WILL, '%', 'c', 0 };
static uchar_t	wont[] = { (uchar_t)IAC, (uchar_t)WONT, '%', 'c', 0 };
/*
 * I/O data buffers, pointers, and counters.
 */
static char	ptyobuf[BUFSIZ], *pfrontp = ptyobuf, *pbackp = ptyobuf;

static char	*netibuf, *netip;
static int	netibufsize;

#define	NIACCUM(c)	{   *netip++ = c; \
			    ncc++; \
			}

static char	netobuf[BUFSIZ], *nfrontp = netobuf, *nbackp = netobuf;
static char	*neturg = 0;		/* one past last bye of urgent data */
/* the remote system seems to NOT be an old 4.2 */
static int	not42 = 1;
static char	defaultfile[] = "/etc/default/telnetd";
static char	bannervar[] = "BANNER=";

static char BANNER1[] = "\r\n\r\n";
static char BANNER2[] = "\r\n\r\0\r\n\r\0";

/*
 * buffer for sub-options - enlarged to 4096 to handle credentials
 * from AUTH options
 */
static char	subbuffer[4096], *subpointer = subbuffer, *subend = subbuffer;
#define	SB_CLEAR()	subpointer = subbuffer;
#define	SB_TERM()	{ subend = subpointer; SB_CLEAR(); }
#define	SB_ACCUM(c)	if (subpointer < (subbuffer+sizeof (subbuffer))) { \
				*subpointer++ = (c); \
			}
#define	SB_GET()	((*subpointer++)&0xff)
#define	SB_EOF()	(subpointer >= subend)
#define	SB_LEN()	(subend - subpointer)

#define	MAXERRSTRLEN 1024
#define	MAXPRINCLEN 256

extern uint_t kwarn_add_warning(char *, int);
extern uint_t kwarn_del_warning(char *);

static boolean_t auth_debug = 0;
static boolean_t negotiate_auth_krb5 = 1;
static boolean_t auth_negotiated = 0;
static int auth_status = 0;
static int auth_level = 0;
static char	*AuthenticatingUser = NULL;
static char	*krb5_name = NULL;

static krb5_address rsaddr = { 0, 0, 0, NULL };
static krb5_address rsport = { 0, 0, 0, NULL };

static krb5_context telnet_context = 0;
static krb5_auth_context auth_context = 0;

/* telnetd gets session key from here */
static krb5_ticket *ticket = NULL;
static krb5_keyblock *session_key = NULL;
static char *telnet_srvtab = NULL;

typedef struct {
	uchar_t AuthName;
	uchar_t AuthHow;
	char  *AuthString;
} AuthInfo;

static AuthInfo auth_list[] = {
	{AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT | AUTH_HOW_MUTUAL |
	AUTH_ENCRYPT_ON, "KRB5 MUTUAL CRYPTO"},
	{AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT | AUTH_HOW_MUTUAL,
	"KRB5 MUTUAL" },
	{AUTHTYPE_KERBEROS_V5,	AUTH_WHO_CLIENT | AUTH_HOW_ONE_WAY,
	"KRB5 1-WAY" },
	{0, 0, "NONE"}
};

static AuthInfo NoAuth = {0, 0, NULL};

static AuthInfo *authenticated = NULL;

#define	PREAMBLE_SIZE		5	/* for auth_reply_str allocation */
#define	POSTAMBLE_SIZE		5
#define	STR_DATA_LEN(len)	((len) * 2 + PREAMBLE_SIZE + POSTAMBLE_SIZE)

static void auth_name(uchar_t *, int);
static void auth_is(uchar_t *, int);

#define	NO_ENCRYPTION   0x00
#define	SEND_ENCRYPTED  0x01
#define	RECV_ENCRYPTED  0x02
#define	ENCRYPT_BOTH_WAYS    (SEND_ENCRYPTED | RECV_ENCRYPTED)

static telnet_enc_data_t  encr_data;
static boolean_t negotiate_encrypt = B_TRUE;
static boolean_t sent_encrypt_support = B_FALSE;
static boolean_t sent_will_encrypt = B_FALSE;
static boolean_t sent_do_encrypt = B_FALSE;
static boolean_t enc_debug = 0;

static void encrypt_session_key(Session_Key *key, cipher_info_t *cinfo);
static int  encrypt_send_encrypt_is();

extern void mit_des_fixup_key_parity(Block);
extern int krb5_setenv(const char *, const char *, int);
/* need to know what FD to use to talk to the crypto module */
static int cryptmod_fd = -1;

#define	LOGIN_PROGRAM "/bin/login"

/*
 * State for recv fsm
 */
#define	TS_DATA		0	/* base state */
#define	TS_IAC		1	/* look for double IAC's */
#define	TS_CR		2	/* CR-LF ->'s CR */
#define	TS_SB		3	/* throw away begin's... */
#define	TS_SE		4	/* ...end's (suboption negotiation) */
#define	TS_WILL		5	/* will option negotiation */
#define	TS_WONT		6	/* wont " */
#define	TS_DO		7	/* do " */
#define	TS_DONT		8	/* dont " */

static int	ncc;
static int	manager;	/* manager side of pty */
static int	pty;		/* side of pty that gets ioctls */
static int	net;
static int	inter;
extern char **environ;
static char	*line;
static int	SYNCHing = 0;		/* we are in TELNET SYNCH mode */
static int	state = TS_DATA;

static int env_ovar = -1;	/* XXX.sparker */
static int env_ovalue = -1;	/* XXX.sparker */
static char pam_svc_name[64];
static boolean_t	telmod_init_done = B_FALSE;

static void	doit(int, struct sockaddr_storage *);
static void	willoption(int);
static void	wontoption(int);
static void	dooption(int);
static void	dontoption(int);
static void	fatal(int, char *);
static void	fatalperror(int, char *, int);
static void	mode(int, int);
static void	interrupt(void);
static void	drainstream(int);
static int	readstream(int, char *, int);
static int	send_oob(int fd, char *ptr, int count);
static int	local_setenv(const char *name, const char *value, int rewrite);
static void	local_unsetenv(const char *name);
static void	suboption(void);
static int	removemod(int f, char *modname);
static void	willoption(int option);
static void	wontoption(int option);
static void	dooption(int option);
static void	dontoption(int option);
static void	write_data(const char *, ...);
static void	write_data_len(const char *, int);
static void	rmut(void);
static void	cleanup(int);
static void	telnet(int, int);
static void	telrcv(void);
static void	sendbrk(void);
static void	ptyflush(void);
static void	netclear(void);
static void	netflush(void);
static void	showbanner(void);
static void	map_banner(char *);
static void	defbanner(void);
static void ttloop(void);

/*
 * The env_list linked list is used to store the environment variables
 * until the final exec of login.  A malevolent client might try to
 * send an environment variable intended to affect the telnet daemon's
 * execution.  Right now the BANNER expansion is the only instance.
 * Note that it is okay to pass the environment variables to login
 * because login protects itself against environment variables mischief.
 */

struct envlist {
	struct envlist	*next;
	char		*name;
	char		*value;
	int		delete;
};

static struct envlist *envlist_head = NULL;

/*
 * The following are some clocks used to decide how to interpret
 * the relationship between various variables.
 */

static struct {
	int
	system,			/* what the current time is */
	echotoggle,		/* last time user entered echo character */
	modenegotiated,		/* last time operating mode negotiated */
	didnetreceive,		/* last time we read data from network */
	ttypeopt,		/* ttype will/won't received */
	ttypesubopt,		/* ttype subopt is received */
	getterminal,		/* time started to get terminal information */
	xdisplocopt,		/* xdisploc will/wont received */
	xdisplocsubopt,		/* xdisploc suboption received */
	nawsopt,		/* window size will/wont received */
	nawssubopt,		/* window size received */
	environopt,		/* environment option will/wont received */
	oenvironopt,		/* "old" environ option will/wont received */
	environsubopt,		/* environment option suboption received */
	oenvironsubopt,		/* "old environ option suboption received */
	gotDM;			/* when did we last see a data mark */

	int getauth;
	int authopt;	/* Authentication option negotiated */
	int authdone;

	int getencr;
	int encropt;
	int encr_support;
} clocks;

static int init_neg_done = 0;
static boolean_t resolve_hostname = 0;
static boolean_t show_hostinfo = 1;

#define	settimer(x)	(clocks.x = ++clocks.system)
#define	sequenceIs(x, y)	(clocks.x < clocks.y)

static void send_will(int);
static void send_wont(int);
static void send_do(int);
static char *__findenv(const char *name, int *offset);

/* ARGSUSED */
static void
auth_finished(AuthInfo *ap, int result)
{
	if ((authenticated = ap) == NULL) {
		authenticated = &NoAuth;
		if (myopts[TELOPT_ENCRYPT] == OPT_YES)
			send_wont(TELOPT_ENCRYPT);
		myopts[TELOPT_ENCRYPT] = remopts[TELOPT_ENCRYPT] = OPT_NO;
		encr_data.encrypt.autoflag = 0;
	} else if (result != AUTH_REJECT &&
		myopts[TELOPT_ENCRYPT] == OPT_YES &&
		remopts[TELOPT_ENCRYPT] == OPT_YES) {

		/*
		 * Authentication successful, so we have a session key, and
		 * we're willing to do ENCRYPT, so send our ENCRYPT SUPPORT.
		 *
		 * Can't have sent ENCRYPT SUPPORT yet!  And if we're sending it
		 * now it's really only because we did the DO ENCRYPT/WILL
		 * ENCRYPT dance before authentication, which is ok, but not too
		 * bright since we have to do the DONT ENCRYPT/WONT ENCRYPT
		 * dance if authentication fails, though clients typically just
		 * don't care.
		 */
		write_data("%c%c%c%c%c%c%c",
			(uchar_t)IAC,
			(uchar_t)SB,
			(uchar_t)TELOPT_ENCRYPT,
			(uchar_t)ENCRYPT_SUPPORT,
			(uchar_t)TELOPT_ENCTYPE_DES_CFB64,
			(uchar_t)IAC,
			(uchar_t)SE);

		netflush();

		sent_encrypt_support = B_TRUE;

		if (enc_debug)
			(void) fprintf(stderr,
			"SENT ENCRYPT SUPPORT\n");

		(void) encrypt_send_encrypt_is();
	}

	auth_status = result;

	settimer(authdone);
}

static void
reply_to_client(AuthInfo *ap, int type, void *data, int len)
{
	uchar_t reply[BUFSIZ];
	uchar_t *p = reply;
	uchar_t *cd = (uchar_t *)data;

	if (len == -1 && data != NULL)
		len = strlen((char *)data);
	else if (len > (sizeof (reply) - 9)) {
		syslog(LOG_ERR,
		    "krb5 auth reply length too large (%d)", len);
		if (auth_debug)
			(void) fprintf(stderr,
				    "krb5 auth reply length too large (%d)\n",
				    len);
		return;
	} else if (data == NULL)
		len = 0;

	*p++ = IAC;
	*p++ = SB;
	*p++ = TELOPT_AUTHENTICATION;
	*p++ = AUTHTYPE_KERBEROS_V5;
	*p++ = ap->AuthName;
	*p++ = ap->AuthHow; /* MUTUAL, ONE-WAY, etc */
	*p++ = type;	    /* RESPONSE or ACCEPT */
	while (len-- > 0) {
		if ((*p++ = *cd++) == IAC)
			*p++ = IAC;
	}
	*p++ = IAC;
	*p++ = SE;

	/* queue the data to be sent */
	write_data_len((const char *)reply, p-reply);

#if defined(AUTHTYPE_NAMES) && defined(AUTHWHO_STR) &&\
defined(AUTHHOW_NAMES) && defined(AUTHRSP_NAMES)
	if (auth_debug) {
		(void) fprintf(stderr, "SENT TELOPT_AUTHENTICATION REPLY "
			    "%s %s|%s %s\n",
			    AUTHTYPE_NAME(ap->AuthName),
			    AUTHWHO_NAME(ap->AuthHow & AUTH_WHO_MASK),
			    AUTHHOW_NAME(ap->AuthHow & AUTH_HOW_MASK),
			    AUTHRSP_NAME(type));
	}
#endif /* AUTHTYPE_NAMES && AUTHWHO_NAMES && AUTHHOW_NAMES && AUTHRSP_NAMES */

	netflush();
}

/* Decode, decrypt and store the forwarded creds in the local ccache. */
static krb5_error_code
rd_and_store_forwarded_creds(krb5_context context,
			    krb5_auth_context auth_context,
			    krb5_data *inbuf, krb5_ticket *ticket,
			    char *username)
{
	krb5_creds **creds;
	krb5_error_code retval;
	char ccname[MAXPATHLEN];
	krb5_ccache ccache = NULL;
	char *client_name = NULL;

	if (retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL))
		return (retval);

	(void) sprintf(ccname, "FILE:/tmp/krb5cc_p%ld", getpid());
	(void) krb5_setenv("KRB5CCNAME", ccname, 1);

	if ((retval = krb5_cc_default(context, &ccache)))
		goto cleanup;

	if ((retval = krb5_cc_initialize(context, ccache,
					ticket->enc_part2->client)) != 0)
		goto cleanup;

	if ((retval = krb5_cc_store_cred(context, ccache, *creds)) != 0)
		goto cleanup;

	if ((retval = krb5_cc_close(context, ccache)) != 0)
		goto cleanup;

	/* Register with ktkt_warnd(8) */
	if ((retval = krb5_unparse_name(context, (*creds)->client,
					&client_name)) != 0)
		goto cleanup;
	(void) kwarn_del_warning(client_name);
	if (kwarn_add_warning(client_name, (*creds)->times.endtime) != 0) {
		syslog(LOG_AUTH|LOG_NOTICE,
		    "rd_and_store_forwarded_creds: kwarn_add_warning"
		    " failed: ktkt_warnd(8) down? ");
		if (auth_debug)
			(void) fprintf(stderr,
				    "kwarn_add_warning failed:"
				    " ktkt_warnd(8) down?\n");
	}
	free(client_name);
	client_name = NULL;

	if (username != NULL) {
		/*
		 * This verifies that the user is valid on the local system,
		 * maps the username from KerberosV5 to unix,
		 * and moves the KRB5CCNAME file to the correct place
		 *  /tmp/krb5cc_[uid] with correct ownership (0600 uid gid).
		 *
		 * NOTE: the user must be in the gsscred table in order to map
		 * from KRB5 to Unix.
		 */
		(void) krb5_kuserok(context, ticket->enc_part2->client,
				username);
	}
	if (auth_debug)
		(void) fprintf(stderr,
			    "Successfully stored forwarded creds\n");

cleanup:
	krb5_free_creds(context, *creds);
	return (retval);
}

static void
kerberos5_is(AuthInfo *ap, uchar_t *data, int cnt)
{
	krb5_error_code err = 0;
	krb5_principal server;
	krb5_keyblock *newkey = NULL;
	krb5_keytab keytabid = 0;
	krb5_data outbuf;
	krb5_data inbuf;
	krb5_authenticator *authenticator;
	char errbuf[MAXERRSTRLEN];
	char *name;
	krb5_data auth;

	Session_Key skey;

	if (cnt-- < 1)
		return;
	switch (*data++) {
	case KRB_AUTH:
		auth.data = (char *)data;
		auth.length = cnt;

		if (auth_context == NULL) {
			err = krb5_auth_con_init(telnet_context, &auth_context);
			if (err)
				syslog(LOG_ERR,
				    "Error getting krb5 auth "
				    "context: %s", error_message(err));
		}
		if (!err) {
			krb5_rcache rcache;

			err = krb5_auth_con_getrcache(telnet_context,
						    auth_context,
						    &rcache);
			if (!err && !rcache) {
				err = krb5_sname_to_principal(telnet_context,
							    0, 0,
							    KRB5_NT_SRV_HST,
							    &server);
				if (!err) {
					err = krb5_get_server_rcache(
						telnet_context,
						krb5_princ_component(
							telnet_context,
							server, 0),
						&rcache);

					krb5_free_principal(telnet_context,
							    server);
				}
			}
			if (err)
				syslog(LOG_ERR,
				    "Error allocating krb5 replay cache: %s",
				    error_message(err));
			else {
				err = krb5_auth_con_setrcache(telnet_context,
							    auth_context,
							    rcache);
				if (err)
					syslog(LOG_ERR,
					    "Error creating krb5 "
					    "replay cache: %s",
					    error_message(err));
			}
		}
		if (!err && telnet_srvtab != NULL)
			err = krb5_kt_resolve(telnet_context,
					    telnet_srvtab, &keytabid);
		if (!err)
			err = krb5_rd_req(telnet_context, &auth_context, &auth,
					NULL, keytabid, NULL, &ticket);
		if (err) {
			(void) snprintf(errbuf, sizeof (errbuf),
				"Error reading krb5 auth information:"
				" %s", error_message(err));
			goto errout;
		}

		/*
		 * Verify that the correct principal was used
		 */
		if (krb5_princ_component(telnet_context,
				ticket->server, 0)->length < MAXPRINCLEN) {
			char princ[MAXPRINCLEN];
			(void) strncpy(princ,
				    krb5_princ_component(telnet_context,
						ticket->server, 0)->data,
				    krb5_princ_component(telnet_context,
					    ticket->server, 0)->length);
			princ[krb5_princ_component(telnet_context,
					ticket->server, 0)->length] = '\0';
			if (strcmp("host", princ)) {
				if (strlen(princ) < sizeof (errbuf) - 39) {
				    (void) snprintf(errbuf, sizeof (errbuf),
						"incorrect service "
						    "name: \"%s\" != "
						    "\"host\"",
						    princ);
			    } else {
				    (void) strncpy(errbuf,
						"incorrect service "
						"name: principal != "
						"\"host\"",
						sizeof (errbuf));
			    }
			    goto errout;
			}
		} else {
			(void) strlcpy(errbuf, "service name too long",
					sizeof (errbuf));
			goto errout;
		}

		err = krb5_auth_con_getauthenticator(telnet_context,
						auth_context,
						&authenticator);
		if (err) {
			(void) snprintf(errbuf, sizeof (errbuf),
				"Failed to get authenticator: %s",
				error_message(err));
			goto errout;
		}
		if ((ap->AuthHow & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_ON &&
			!authenticator->checksum) {
			(void) strlcpy(errbuf,
				    "authenticator is missing checksum",
				    sizeof (errbuf));
			goto errout;
		}
		if (authenticator->checksum) {
			char type_check[2];
			krb5_checksum *cksum = authenticator->checksum;
			krb5_keyblock *key;
			krb5_data input;
			krb5_boolean valid;

			type_check[0] = ap->AuthName;
			type_check[1] = ap->AuthHow;

			err = krb5_auth_con_getkey(telnet_context,
						auth_context, &key);
			if (err) {
				(void) snprintf(errbuf, sizeof (errbuf),
					"Failed to get key from "
					"authenticator: %s",
					error_message(err));
				goto errout;
			}

			input.data = type_check;
			input.length = 2;
			err = krb5_c_verify_checksum(telnet_context,
							key, 0,
							&input,
							cksum,
							&valid);
			if (!err && !valid)
				err = KRB5KRB_AP_ERR_BAD_INTEGRITY;

			if (err) {
				(void) snprintf(errbuf, sizeof (errbuf),
						"Kerberos checksum "
						"verification failed: "
						"%s",
						error_message(err));
				goto errout;
			}
			krb5_free_keyblock(telnet_context, key);
		}

		krb5_free_authenticator(telnet_context, authenticator);
		if ((ap->AuthHow & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
			/* do ap_rep stuff here */
			if ((err = krb5_mk_rep(telnet_context, auth_context,
					    &outbuf))) {
				(void) snprintf(errbuf, sizeof (errbuf),
						"Failed to make "
						"Kerberos auth reply: "
						"%s",
						error_message(err));
				goto errout;
			}
			reply_to_client(ap, KRB_RESPONSE, outbuf.data,
					outbuf.length);
		}
		if (krb5_unparse_name(telnet_context,
				    ticket->enc_part2->client,
				    &name))
			name = 0;
		reply_to_client(ap, KRB_ACCEPT, name, name ? -1 : 0);
		if (auth_debug) {
			syslog(LOG_NOTICE,
			    "\tKerberos5 identifies user as ``%s''\r\n",
			    name ? name : "");
		}
		if (name != NULL) {
			krb5_name = (char *)strdup(name);
		}
		auth_finished(ap, AUTH_USER);

		if (name != NULL)
			free(name);
		(void) krb5_auth_con_getremotesubkey(telnet_context,
		    auth_context, &newkey);
		if (session_key != NULL) {
			krb5_free_keyblock(telnet_context, session_key);
			session_key = 0;
		}
		if (newkey != NULL) {
			(void) krb5_copy_keyblock(telnet_context,
			    newkey, &session_key);
			krb5_free_keyblock(telnet_context, newkey);
		} else {
			(void) krb5_copy_keyblock(telnet_context,
			    ticket->enc_part2->session, &session_key);
		}

		/*
		 * Initialize encryption stuff.  Currently, we are only
		 * supporting 8 byte keys and blocks. Check for this later.
		 */
		skey.type = SK_DES;
		skey.length = DES_BLOCKSIZE;
		skey.data = session_key->contents;
		encrypt_session_key(&skey, &encr_data.encrypt);
		encrypt_session_key(&skey, &encr_data.decrypt);
		break;
	case KRB_FORWARD:
		inbuf.length = cnt;
		inbuf.data = (char *)data;
		if (auth_debug)
			(void) fprintf(stderr,
				    "RCVD KRB_FORWARD data (%d bytes)\n", cnt);

		if (auth_context != NULL) {
			krb5_rcache rcache;

			err = krb5_auth_con_getrcache(telnet_context,
						    auth_context, &rcache);
			if (!err && !rcache) {
				err = krb5_sname_to_principal(telnet_context,
					0, 0, KRB5_NT_SRV_HST, &server);
				if (!err) {
					err = krb5_get_server_rcache(
						telnet_context,
						krb5_princ_component(
							telnet_context,
							server, 0),
						&rcache);
					krb5_free_principal(telnet_context,
								server);
				}
			}
			if (err) {
				syslog(LOG_ERR,
				    "Error allocating krb5 replay cache: %s",
				    error_message(err));
			} else {
				err = krb5_auth_con_setrcache(telnet_context,
					auth_context, rcache);
				if (err)
					syslog(LOG_ERR,
					    "Error creating krb5 replay cache:"
					    " %s",
					    error_message(err));
			}
		}
		/*
		 * Use the 'rsaddr' and 'rsport' (remote service addr/port)
		 * from the original connection.  This data is used to
		 * verify the forwarded credentials.
		 */
		if (!(err = krb5_auth_con_setaddrs(telnet_context, auth_context,
					    NULL, &rsaddr)))
			err = krb5_auth_con_setports(telnet_context,
						auth_context, NULL, &rsport);

		if (err == 0)
			/*
			 * If all is well, store the forwarded creds in
			 * the users local credential cache.
			 */
			err = rd_and_store_forwarded_creds(telnet_context,
							auth_context, &inbuf,
							ticket,
							AuthenticatingUser);
		if (err) {
			(void) snprintf(errbuf, sizeof (errbuf),
					"Read forwarded creds failed: %s",
					error_message(err));
			syslog(LOG_ERR, "%s", errbuf);

			reply_to_client(ap, KRB_FORWARD_REJECT, errbuf, -1);
			if (auth_debug)
				(void) fprintf(stderr,
					    "\tCould not read "
					    "forwarded credentials\r\n");
		} else
			reply_to_client(ap, KRB_FORWARD_ACCEPT, (void *) 0, 0);

		if (rsaddr.contents != NULL)
			free(rsaddr.contents);

		if (rsport.contents != NULL)
			free(rsport.contents);

		if (auth_debug)
			(void) fprintf(stderr, "\tForwarded "
						"credentials obtained\r\n");
		break;
	default:
		if (auth_debug)
			(void) fprintf(stderr,
				    "\tUnknown Kerberos option %d\r\n",
				    data[-1]);
		reply_to_client(ap, KRB_REJECT, (void *) 0, 0);
		break;
	}
	return;

errout:
	reply_to_client(ap, KRB_REJECT, errbuf, -1);

	if (auth_debug)
		(void) fprintf(stderr, "\tKerberos V5 error: %s\r\n", errbuf);

	syslog(LOG_ERR, "%s", errbuf);

	if (auth_context != NULL) {
		(void) krb5_auth_con_free(telnet_context, auth_context);
		auth_context = 0;
	}
}

static int
krb5_init()
{
	int code = 0;

	if (telnet_context == NULL) {
		code = krb5_init_context(&telnet_context);
		if (code != 0 && auth_debug)
			syslog(LOG_NOTICE,
			    "Cannot initialize Kerberos V5: %s",
			    error_message(code));
	}

	return (code);
}

static void
auth_name(uchar_t *data, int cnt)
{
	char namebuf[MAXPRINCLEN];

	if (cnt < 1) {
		if (auth_debug)
			(void) fprintf(stderr,
				    "\t(auth_name) Empty NAME in auth "
				    "reply\n");
		return;
	}
	if (cnt > sizeof (namebuf)-1) {
		if (auth_debug)
			(void) fprintf(stderr,
				    "\t(auth_name) NAME exceeds %d bytes\n",
				sizeof (namebuf)-1);
		return;
	}
	(void) memcpy((void *)namebuf, (void *)data, cnt);
	namebuf[cnt] = 0;
	if (auth_debug)
		(void) fprintf(stderr, "\t(auth_name) name [%s]\n", namebuf);
	AuthenticatingUser = (char *)strdup(namebuf);
}

static void
auth_is(uchar_t *data, int cnt)
{
	AuthInfo *aptr = auth_list;

	if (cnt < 2)
		return;

	/*
	 * We failed to negoiate secure authentication
	 */
	if (data[0] == AUTHTYPE_NULL) {
		auth_finished(0, AUTH_REJECT);
		return;
	}

	while (aptr->AuthName != 0 &&
	    (aptr->AuthName != data[0] || aptr->AuthHow != data[1]))
		aptr++;

	if (aptr != NULL) {
		if (auth_debug)
			(void) fprintf(stderr, "\t(auth_is) auth type is %s "
				"(%d bytes)\n",	aptr->AuthString, cnt);

		if (aptr->AuthName == AUTHTYPE_KERBEROS_V5)
			kerberos5_is(aptr, data+2, cnt-2);
	}
}

static int
krb5_user_status(char *name, int namelen, int level)
{
	int retval = AUTH_USER;

	if (auth_debug)
		(void) fprintf(stderr, "\t(krb5_user_status) level = %d "
			"auth_level = %d  user = %s\n",
			level, auth_level,
			(AuthenticatingUser != NULL ? AuthenticatingUser : ""));

	if (level < AUTH_USER)
		return (level);

	if (AuthenticatingUser != NULL &&
	    (retval = krb5_kuserok(telnet_context, ticket->enc_part2->client,
			    AuthenticatingUser))) {
		(void) strncpy(name, AuthenticatingUser, namelen);
		return (AUTH_VALID);
	} else {
		if (!retval)
			syslog(LOG_ERR,
			    "Krb5 principal lacks permission to "
			    "access local account for %s",
			    AuthenticatingUser);
		return (AUTH_USER);
	}
}

/*
 * Wrapper around /dev/urandom
 */
static int
getrandom(char *buf, int buflen)
{
	static int devrandom = -1;

	if (devrandom == -1 &&
	    (devrandom = open("/dev/urandom", O_RDONLY)) == -1) {
		fatalperror(net, "Unable to open /dev/urandom: ",
			    errno);
		return (-1);
	}

	if (read(devrandom, buf, buflen) == -1) {
		fatalperror(net, "Unable to read from /dev/urandom: ",
			    errno);
		return (-1);
	}

	return (0);
}

/*
 * encrypt_init
 *
 * Initialize the encryption data structures
 */
static void
encrypt_init()
{
	(void) memset(&encr_data.encrypt, 0, sizeof (cipher_info_t));
	(void) memset(&encr_data.decrypt, 0, sizeof (cipher_info_t));

	encr_data.encrypt.state = ENCR_STATE_NOT_READY;
	encr_data.decrypt.state = ENCR_STATE_NOT_READY;
}

/*
 * encrypt_send_request_start
 *
 * Request that the remote side automatically start sending
 * encrypted output
 */
static void
encrypt_send_request_start()
{
	uchar_t buf[6+TELNET_MAXKEYIDLEN], *p;

	p = buf;

	*p++ = IAC;
	*p++ = SB;
	*p++ = TELOPT_ENCRYPT;
	*p++ = ENCRYPT_REQSTART;
	/*
	 * We are telling the remote side which
	 * decrypt key we will use so that it may
	 * encrypt in the same key.
	 */
	(void) memcpy(p, encr_data.decrypt.keyid, encr_data.decrypt.keyidlen);
	p += encr_data.decrypt.keyidlen;

	*p++ = IAC;
	*p++ = SE;

	write_data_len((const char *)buf, p-buf);
	netflush();
	if (enc_debug)
		(void) fprintf(stderr,
			    "SENT TELOPT_ENCRYPT ENCRYPT_REQSTART\n");
}

/*
 * encrypt_is
 *
 * When we receive the TELOPT_ENCRYPT ENCRYPT_IS ...
 * message, the client is telling us that it will be sending
 * encrypted data using the indicated cipher.
 * We must initialize the read (decrypt) side of our connection
 */
static void
encrypt_is(uchar_t *data, int cnt)
{
	register int type;
	register int iv_status = CFB64_IV_OK;
	register int lstate = 0;

	uchar_t sbbuf[] = {
		(uchar_t)IAC,
		(uchar_t)SB,
		(uchar_t)TELOPT_ENCRYPT,
		(uchar_t)ENCRYPT_REPLY,
		(uchar_t)0,		/* placeholder:  sbbuf[4] */
		(uchar_t)CFB64_IV_OK,	/* placeholder:  sbbuf[5] */
		(uchar_t)IAC,
		(uchar_t)SE,
	};

	if (--cnt < 0)
		return;

	type = sbbuf[4] = *data++;

	/*
	 * Steps to take:
	 *   1. Create the proper stream Initialization vector
	 *		- copy the correct 'seed' to IV and output blocks
	 *		- set the correct key schedule
	 *   2. Generate reply for the other side:
	 *		IAC SB TELOPT_ENCRYPT ENCRYPT_REPLY type CFB64_IV_OK
	 *		[ data ... ] IAC SE
	 *   3. Tell crypto module:  method, direction, IV
	 */
	switch (type) {
	case TELOPT_ENCTYPE_DES_CFB64:
		encr_data.decrypt.type = type;

		lstate = encr_data.decrypt.state;
		if (enc_debug)
			(void) fprintf(stderr,
				    "\t(encrypt_is) initial state = %d\n",
				    lstate);
		/*
		 * Before we extract the IV bytes, make sure we got
		 * enough data.
		 */
		if (cnt < sizeof (Block)) {
			iv_status = CFB64_IV_BAD;
			if (enc_debug)
				(void) fprintf(stderr,
					    "\t(encrypt_is) Not enough "
					    "IV bytes\n");
			lstate = ENCR_STATE_NOT_READY;
		} else {
			data++; /* skip over the CFB64_IV byte */
			(void) memcpy(encr_data.decrypt.ivec, data,
				    sizeof (Block));
			lstate = ENCR_STATE_IN_PROGRESS;
		}
		break;
	case TELOPT_ENCTYPE_NULL:
		encr_data.decrypt.type = type;
		lstate &= ~ENCR_STATE_NO_RECV_IV;
		lstate &= ~ENCR_STATE_NO_SEND_IV;
		if (enc_debug)
			(void) fprintf(stderr,
				"\t(encrypt_is) We accept NULL encr\n");
		break;
	default:
		iv_status = CFB64_IV_BAD;
		encr_data.decrypt.type = 0;
		if (enc_debug)
			(void) fprintf(stderr,
				    "\t(encrypt_is) Can't find type (%d) "
				    "for initial negotiation\r\n",
				    type);
		lstate = ENCR_STATE_NOT_READY;
		break;
	}

	sbbuf[5] = (uchar_t)iv_status; /* either CFB64_IV_OK or BAD */

	if (iv_status == CFB64_IV_OK) {
		/*
		 * send IV to crypto module and indicate it is for
		 * decrypt only
		 */
		lstate &= ~ENCR_STATE_NO_RECV_IV;  /* we received an OK IV */
		lstate &= ~ENCR_STATE_NO_SEND_IV;  /* we dont send an IV */
	} else {
		/* tell crypto module to disable crypto on "read" stream */
		lstate = ENCR_STATE_NOT_READY;
	}

	write_data_len((const char *)sbbuf, sizeof (sbbuf));
	netflush();
#ifdef ENCRYPT_NAMES
	if (enc_debug)
		(void) fprintf(stderr,
			    "SENT TELOPT_ENCRYPT ENCRYPT_REPLY %s %s\n",
			    ENCTYPE_NAME(type),
			    (iv_status == CFB64_IV_OK ? "CFB64_IV_OK" :
			    "CFB64_IV_BAD"));
#endif /* ENCRYPT_NAMES */
	/* Update the state of the decryption negotiation */
	encr_data.decrypt.state = lstate;

	if (lstate == ENCR_STATE_NOT_READY)
		encr_data.decrypt.autoflag = 0;
	else {
		if (lstate == ENCR_STATE_OK && encr_data.decrypt.autoflag)
			encrypt_send_request_start();
	}
	if (enc_debug)
		(void) fprintf(stderr,
			    "\t(encrypt_is) final DECRYPT state = %d\n",
			    encr_data.decrypt.state);
}

/*
 * encrypt_send_encrypt_is
 *
 * Tell the client what encryption we will use
 * and what our IV will be.
 */
static int
encrypt_send_encrypt_is()
{
	register int lstate;
	krb5_error_code kret;
	uchar_t sbbuf[MAXOPTLEN], *p;
	int i;

	lstate = encr_data.encrypt.state;

	if (encr_data.encrypt.type == ENCTYPE_NULL) {
		/*
		 * Haven't received ENCRYPT SUPPORT yet or we couldn't agree
		 * on a cipher.
		 */
		return (lstate);
	}

	/*
	 * - Create a random DES key
	 *
	 * - DES ECB encrypt
	 *   encrypt the IV using itself as the key.
	 *
	 * - Send response
	 *   IAC SB TELOPT_ENCRYPT ENCRYPT_IS CFB64 FB64_IV [ feed block ]
	 *   IAC SE
	 *
	 */
	if (lstate == ENCR_STATE_NOT_READY)
		lstate = ENCR_STATE_IN_PROGRESS;
	else if ((lstate & ENCR_STATE_NO_SEND_IV) == 0) {
		if (enc_debug)
			(void) fprintf(stderr,
				"\t(encrypt_send_is) IV already sent,"
				" state = %d\n", lstate);
		return (lstate);
	}

	if (!VALIDKEY(encr_data.encrypt.krbdes_key)) {
		/*
		 * Invalid key, set flag so we try again later
		 * when we get a good one
		 */
		encr_data.encrypt.need_start = 1;
		if (enc_debug)
			(void) fprintf(stderr,
				"\t(encrypt_send_is) No Key, cannot "
				"start encryption yet\n");
		return (lstate);
	}
	if (enc_debug)
		(void) fprintf(stderr,
			    "\t(encrypt_send_is) Creating new feed\n");

	/*
	 * Create a random feed and send it over.
	 *
	 * Use the /dev/[u]random interface to generate
	 * our encryption IV.
	 */
	kret = getrandom((char *)encr_data.encrypt.ivec, sizeof (Block));

	if (kret) {
		if (enc_debug)
			(void) fprintf(stderr,
				    "\t(encrypt_send_is) error from "
				    "getrandom: %d\n", kret);
		syslog(LOG_ERR, "Failed to create encryption key (err %d)\n");
		encr_data.encrypt.type = ENCTYPE_NULL;
	} else {
		mit_des_fixup_key_parity(encr_data.encrypt.ivec);
	}

	p = sbbuf;
	*p++ = IAC;
	*p++ = SB;
	*p++ = TELOPT_ENCRYPT;
	*p++ = ENCRYPT_IS;
	*p++ = encr_data.encrypt.type;
	*p++ = CFB64_IV;

	/*
	 * Copy the IV bytes individually so that when a
	 * 255 (telnet IAC) is used, it can be "escaped" by
	 * adding it twice (telnet RFC 854).
	 */
	for (i = 0; i < sizeof (Block); i++)
		if ((*p++ = encr_data.encrypt.ivec[i]) == IAC)
			*p++ = IAC;

	*p++ = IAC;
	*p++ = SE;
	write_data_len((const char *)sbbuf, (size_t)(p-sbbuf));
	netflush();

	if (!kret) {
		lstate &= ~ENCR_STATE_NO_SEND_IV; /* we sent our IV */
		lstate &= ~ENCR_STATE_NO_SEND_IV; /* dont need decrypt IV */
	}
	encr_data.encrypt.state = lstate;

	if (enc_debug) {
		int i;
		(void) fprintf(stderr,
			    "SENT TELOPT_ENCRYPT ENCRYPT_IS %d CFB64_IV ",
			    encr_data.encrypt.type);
		for (i = 0; i < (p-sbbuf); i++)
			(void) fprintf(stderr, "%d ", (int)sbbuf[i]);
		(void) fprintf(stderr, "\n");
	}

	return (lstate);
}

/*
 * stop_stream
 *
 * Utility routine to send a CRIOCSTOP ioctl to the
 * crypto module (cryptmod).
 */
static void
stop_stream(int fd, int dir)
{
	struct strioctl  crioc;
	uint32_t stopdir = dir;

	crioc.ic_cmd = CRYPTIOCSTOP;
	crioc.ic_timout = -1;
	crioc.ic_len = sizeof (stopdir);
	crioc.ic_dp = (char *)&stopdir;

	if (ioctl(fd, I_STR, &crioc)) {
		syslog(LOG_ERR, "Error sending CRYPTIOCSTOP ioctl: %m");
	}
}

/*
 * start_stream
 *
 * Utility routine to send a CRYPTIOCSTART ioctl to the
 * crypto module (cryptmod).  This routine may contain optional
 * payload data that the cryptmod will interpret as bytes that
 * need to be decrypted and sent back up to the application
 * via the data stream.
 */
static void
start_stream(int fd, int dir, int datalen, char *data)
{
	struct strioctl crioc;

	crioc.ic_cmd = (dir == CRYPT_ENCRYPT ? CRYPTIOCSTARTENC :
			CRYPTIOCSTARTDEC);
	crioc.ic_timout = -1;
	crioc.ic_len = datalen;
	crioc.ic_dp = data;

	if (ioctl(fd, I_STR, &crioc)) {
		syslog(LOG_ERR, "Error sending CRYPTIOCSTART ioctl: %m");
	}
}

/*
 * encrypt_start_output
 *
 * Tell the other side to start encrypting its data
 */
static void
encrypt_start_output()
{
	int lstate;
	uchar_t *p;
	uchar_t sbbuf[MAXOPTLEN];
	struct strioctl crioc;
	struct cr_info_t cki;

	/*
	 * Initialize crypto and send the ENCRYPT_IS msg
	 */
	lstate = encrypt_send_encrypt_is();

	if (lstate != ENCR_STATE_OK) {
		if (enc_debug)
			(void) fprintf(stderr,
				"\t(encrypt_start_output) ENCRYPT state "
				"= %d\n", lstate);
		return;
	}

	p = sbbuf;

	*p++ = IAC;
	*p++ = SB;
	*p++ = TELOPT_ENCRYPT;
	*p++ = ENCRYPT_START;

	(void) memcpy(p, encr_data.encrypt.keyid, encr_data.encrypt.keyidlen);
	p += encr_data.encrypt.keyidlen;

	*p++ = IAC;
	*p++ = SE;

	/* Flush this data out before we start encrypting */
	write_data_len((const char *)sbbuf, (int)(p-sbbuf));
	netflush();

	if (enc_debug)
		(void) fprintf(stderr, "SENT TELOPT_ENCRYPT ENCRYPT_START %d "
			"(lstate = %d) data waiting = %d\n",
			(int)encr_data.encrypt.keyid[0],
			lstate, nfrontp-nbackp);

	encr_data.encrypt.state = lstate;

	/*
	 * tell crypto module what key to use for encrypting
	 * Note that the ENCRYPT has not yet been enabled, but we
	 * need to first set the crypto key to use.
	 */
	cki.direction_mask = CRYPT_ENCRYPT;

	if (encr_data.encrypt.type == TELOPT_ENCTYPE_DES_CFB64) {
		cki.crypto_method = CRYPT_METHOD_DES_CFB;
	} else {
		if (enc_debug)
			(void) fprintf(stderr,
				"\t(encrypt_start_output) - unknown "
				"crypto_method %d\n",
				encr_data.encrypt.type);
		syslog(LOG_ERR, "unrecognized crypto encrypt method: %d",
				encr_data.encrypt.type);

		return;
	}

	/*
	 * If we previously configured this crypto method, we dont want to
	 * overwrite the key or ivec information already given to the crypto
	 * module as it will cause the cipher data between the client and server
	 * to become out of synch and impossible to decipher.
	 */
	if (encr_data.encrypt.setup == cki.crypto_method) {
		cki.keylen = 0;
		cki.iveclen = 0;
	} else {
		cki.keylen = DES_BLOCKSIZE;
		(void) memcpy(cki.key, (void *)encr_data.encrypt.krbdes_key,
		    DES_BLOCKSIZE);

		cki.iveclen = DES_BLOCKSIZE;
		(void) memcpy(cki.ivec, (void *)encr_data.encrypt.ivec,
		    DES_BLOCKSIZE);

		cki.ivec_usage = IVEC_ONETIME;
	}

	cki.option_mask = 0;

	/* Stop encrypt side prior to setup so we dont lose data */
	stop_stream(cryptmod_fd, CRYPT_ENCRYPT);

	crioc.ic_cmd = CRYPTIOCSETUP;
	crioc.ic_timout = -1;
	crioc.ic_len = sizeof (struct cr_info_t);
	crioc.ic_dp = (char *)&cki;

	if (ioctl(cryptmod_fd, I_STR, &crioc)) {
		perror("ioctl(CRYPTIOCSETUP) [encrypt_start_output] error");
	} else {
		/* Setup completed OK */
		encr_data.encrypt.setup = cki.crypto_method;
	}

	/*
	 * We do not check for "stuck" data when setting up the
	 * outbound "encrypt" channel.  Any data queued prior to
	 * this IOCTL will get processed correctly without our help.
	 */
	start_stream(cryptmod_fd, CRYPT_ENCRYPT, 0, NULL);

	/*
	 * tell crypto module to start encrypting
	 */
	if (enc_debug)
		(void) fprintf(stderr,
			"\t(encrypt_start_output) Encrypting output\n");
}

/*
 * encrypt_request_start
 *
 * The client requests that we start encryption immediately after
 * successful negotiation
 */
static void
encrypt_request_start(void)
{
	if (encr_data.encrypt.type == ENCTYPE_NULL) {
		encr_data.encrypt.autoflag = 1;
		if (enc_debug)
			(void) fprintf(stderr, "\t(encrypt_request_start) "
				"autoencrypt = ON\n");
	} else {
		encrypt_start_output();
	}
}

/*
 * encrypt_end
 *
 * ENCRYPT END received, stop decrypting the read stream
 */
static void
encrypt_end(int direction)
{
	struct cr_info_t cki;
	struct strioctl  crioc;
	uint32_t stopdir;

	stopdir = (direction == TELNET_DIR_DECRYPT ? CRYPT_DECRYPT :
		CRYPT_ENCRYPT);

	stop_stream(cryptmod_fd, stopdir);

	/*
	 * Call this function when we wish to disable crypto in
	 * either direction (ENCRYPT or DECRYPT)
	 */
	cki.direction_mask = (direction == TELNET_DIR_DECRYPT ? CRYPT_DECRYPT :
			    CRYPT_ENCRYPT);
	cki.crypto_method = CRYPT_METHOD_NONE;
	cki.option_mask = 0;

	cki.keylen = 0;
	cki.iveclen = 0;
	cki.ivec_usage = IVEC_ONETIME;

	crioc.ic_cmd = CRYPTIOCSETUP;
	crioc.ic_timout = -1;
	crioc.ic_len = sizeof (cki);
	crioc.ic_dp = (char *)&cki;

	if (ioctl(cryptmod_fd, I_STR, &crioc)) {
		perror("ioctl(CRYPTIOCSETUP) [encrypt_end] error");
	}

	start_stream(cryptmod_fd, stopdir, 0, NULL);
}

/*
 * encrypt_request_end
 *
 * When we receive a REQEND from the client, it means
 * that we are supposed to stop encrypting
 */
static void
encrypt_request_end()
{
	/*
	 * Tell the other side we are done encrypting
	 */

	write_data("%c%c%c%c%c%c",
		(uchar_t)IAC,
		(uchar_t)SB,
		(uchar_t)TELOPT_ENCRYPT,
		(uchar_t)ENCRYPT_END,
		(uchar_t)IAC,
		(uchar_t)SE);
	netflush();
	if (enc_debug)
		(void) fprintf(stderr, "SENT TELOPT_ENCRYPT ENCRYPT_END\n");

	/*
	 * Turn off encryption of the write stream
	 */
	encrypt_end(TELNET_DIR_ENCRYPT);
}

/*
 * encrypt_send_request_end
 *
 * We stop encrypting the write stream and tell the other side about it.
 */
static void
encrypt_send_request_end()
{
	write_data("%c%c%c%c%c%c",
		(uchar_t)IAC,
		(uchar_t)SB,
		(uchar_t)TELOPT_ENCRYPT,
		(uchar_t)ENCRYPT_REQEND,
		(uchar_t)IAC,
		(uchar_t)SE);
	netflush();
	if (enc_debug)
		(void) fprintf(stderr, "SENT TELOPT_ENCRYPT ENCRYPT_REQEND\n");
}

/*
 * encrypt_start
 *
 * The client is going to start sending encrypted data
 * using the previously negotiated cipher (see what we set
 * when we did the REPLY in encrypt_is).
 */
static void
encrypt_start(void)
{
	struct cr_info_t cki;
	struct strioctl  crioc;
	int bytes = 0;
	char *dataptr = NULL;

	if (encr_data.decrypt.type == ENCTYPE_NULL) {
		if (enc_debug)
			(void) fprintf(stderr,
				"\t(encrypt_start) No DECRYPT method "
				"defined yet\n");
		encrypt_send_request_end();
		return;
	}

	cki.direction_mask = CRYPT_DECRYPT;

	if (encr_data.decrypt.type == TELOPT_ENCTYPE_DES_CFB64) {
		cki.crypto_method = CRYPT_METHOD_DES_CFB;
	} else {
		if (enc_debug)
			(void) fprintf(stderr,
				"\t(encrypt_start) - unknown "
				"crypto_method %d\n", encr_data.decrypt.type);

		syslog(LOG_ERR, "unrecognized crypto decrypt method: %d",
				encr_data.decrypt.type);

		return;
	}

	/*
	 * Don't overwrite previously configured key and ivec info
	 */
	if (encr_data.decrypt.setup != cki.crypto_method) {
		(void) memcpy(cki.key, (void *)encr_data.decrypt.krbdes_key,
		    DES_BLOCKSIZE);
		(void) memcpy(cki.ivec, (void *)encr_data.decrypt.ivec,
		    DES_BLOCKSIZE);

		cki.keylen = DES_BLOCKSIZE;
		cki.iveclen = DES_BLOCKSIZE;
		cki.ivec_usage = IVEC_ONETIME;
	} else {
		cki.keylen = 0;
		cki.iveclen = 0;
	}
	cki.option_mask = 0;

	stop_stream(cryptmod_fd, CRYPT_DECRYPT);

	crioc.ic_cmd = CRYPTIOCSETUP;
	crioc.ic_timout = -1;
	crioc.ic_len = sizeof (struct cr_info_t);
	crioc.ic_dp = (char *)&cki;

	if (ioctl(cryptmod_fd, I_STR, &crioc)) {
		syslog(LOG_ERR, "ioctl(CRYPTIOCSETUP) [encrypt_start] "
		    "error: %m");
	} else {
		encr_data.decrypt.setup = cki.crypto_method;
	}
	if (enc_debug)
		(void) fprintf(stderr,
			    "\t(encrypt_start) called CRYPTIOCSETUP for "
			    "decrypt side\n");

	/*
	 * Read any data stuck between the cryptmod and the application
	 * so we can pass it back down to be properly decrypted after
	 * this operation finishes.
	 */
	if (ioctl(cryptmod_fd, I_NREAD, &bytes) < 0) {
		syslog(LOG_ERR, "I_NREAD returned error %m");
		bytes = 0;
	}

	/*
	 * Any data which was read AFTER the ENCRYPT START message
	 * must be sent back down to be decrypted properly.
	 *
	 * 'ncc' is the number of bytes that have been read but
	 * not yet processed by the telnet state machine.
	 *
	 * 'bytes' is the number of bytes waiting to be read from
	 * the stream.
	 *
	 * If either one is a positive value, then those bytes
	 * must be pulled up and sent back down to be decrypted.
	 */
	if (ncc || bytes) {
		drainstream(bytes);
		if (enc_debug)
			(void) fprintf(stderr,
				"\t(encrypt_start) after drainstream, "
				"ncc=%d bytes = %d\n", ncc, bytes);
		bytes += ncc;
		dataptr = netip;
	}

	start_stream(cryptmod_fd, CRYPT_DECRYPT, bytes, dataptr);

	/*
	 * The bytes putback into the stream are no longer
	 * available to be read by the server, so adjust the
	 * counter accordingly.
	 */
	ncc = 0;
	netip = netibuf;
	(void) memset(netip, 0, netibufsize);

#ifdef ENCRYPT_NAMES
	if (enc_debug) {
		(void) fprintf(stderr,
			    "\t(encrypt_start) Start DECRYPT using %s\n",
			    ENCTYPE_NAME(encr_data.decrypt.type));
	}
#endif /* ENCRYPT_NAMES */
}

/*
 * encrypt_support
 *
 * Called when we recieve the TELOPT_ENCRYPT SUPPORT [ encr type list ]
 * message from a client.
 *
 * Choose an agreeable method (DES_CFB64) and
 * respond with  TELOPT_ENCRYPT ENCRYPT_IS [ desired crypto method ]
 *
 * from: RFC 2946
 */
static void
encrypt_support(char *data, int cnt)
{
	int lstate = ENCR_STATE_NOT_READY;
	int type, use_type = 0;

	while (cnt-- > 0 && use_type == 0) {
		type = *data++;
#ifdef ENCRYPT_NAMES
		if (enc_debug)
			(void) fprintf(stderr,
				    "RCVD ENCRYPT SUPPORT %s\n",
				    ENCTYPE_NAME(type));
#endif /* ENCRYPT_NAMES */
		/*
		 * Prefer CFB64
		 */
		if (type == TELOPT_ENCTYPE_DES_CFB64) {
			use_type = type;
		}
	}
	encr_data.encrypt.type = use_type;

	if (use_type != TELOPT_ENCTYPE_NULL &&
	    authenticated != NULL && authenticated != &NoAuth &&
	    auth_status != AUTH_REJECT) {

		/* Authenticated -> have session key -> send ENCRYPT IS */
		lstate = encrypt_send_encrypt_is();
		if (lstate == ENCR_STATE_OK)
			encrypt_start_output();
	} else if (use_type == TELOPT_ENCTYPE_NULL) {
		if (enc_debug)
			(void) fprintf(stderr,
				    "\t(encrypt_support) Cannot agree "
				    "on crypto algorithm, output encryption "
				    "disabled.\n");

		/*
		 * Cannot agree on crypto algorithm
		 * RFC 2946 sez:
		 *    send "IAC SB ENCRYPT IS NULL IAC SE"
		 *    optionally, also send IAC WONT ENCRYPT
		 */
		write_data("%c%c%c%c%c%c%c",
			(uchar_t)IAC,
			(uchar_t)SB,
			(uchar_t)TELOPT_ENCRYPT,
			(uchar_t)ENCRYPT_IS,
			(uchar_t)TELOPT_ENCTYPE_NULL,
			(uchar_t)IAC,
			(uchar_t)SE);
		send_wont(TELOPT_ENCRYPT);
		netflush();
		if (enc_debug)
			(void) fprintf(stderr,
				    "SENT TELOPT_ENCRYPT ENCRYPT_IS "
				    "[NULL]\n");

		remopts[TELOPT_ENCRYPT] = OPT_NO;
	}
	settimer(encr_support);
}

/*
 * encrypt_send_keyid
 *
 * Sent the key id we will use to the client
 */
static void
encrypt_send_keyid(int dir, uchar_t *keyid, int keylen, boolean_t saveit)
{
	uchar_t sbbuf[128], *p;

	p = sbbuf;

	*p++ = IAC;
	*p++ = SB;
	*p++ = TELOPT_ENCRYPT;
	*p++ = (dir == TELNET_DIR_ENCRYPT ? ENCRYPT_ENC_KEYID :
		ENCRYPT_DEC_KEYID);
	if (saveit) {
		if (enc_debug)
			(void) fprintf(stderr,
				"\t(send_keyid) store %d byte %s keyid\n",
				keylen,
				(dir == TELNET_DIR_ENCRYPT ? "ENCRYPT" :
				"DECRYPT"));

		if (dir == TELNET_DIR_ENCRYPT) {
			(void) memcpy(encr_data.encrypt.keyid, keyid, keylen);
			encr_data.encrypt.keyidlen = keylen;
		} else {
			(void) memcpy(encr_data.decrypt.keyid, keyid, keylen);
			encr_data.decrypt.keyidlen = keylen;
		}
	}
	(void) memcpy(p, keyid, keylen);
	p += keylen;

	*p++ = IAC;
	*p++ = SE;
	write_data_len((const char *)sbbuf, (size_t)(p-sbbuf));
	netflush();

	if (enc_debug)
		(void) fprintf(stderr, "SENT TELOPT_ENCRYPT %s %d\n",
			(dir == TELNET_DIR_ENCRYPT ? "ENC_KEYID" :
			"DEC_KEYID"), keyid[0]);
}

/*
 * encrypt_reply
 *
 * When we receive the TELOPT_ENCRYPT REPLY [crtype] CFB64_IV_OK IAC SE
 * message, process it accordingly.
 * If the vector is acceptable, tell client we are encrypting and
 * enable encryption on our write stream.
 *
 * Negotiate the KEYID next..
 * RFC 2946, 2952
 */
static void
encrypt_reply(char *data, int len)
{
	uchar_t type = (uchar_t)(*data++);
	uchar_t result = (uchar_t)(*data);
	int lstate;

#ifdef ENCRYPT_NAMES
	if (enc_debug)
		(void) fprintf(stderr,
			"\t(encrypt_reply) ENCRYPT REPLY %s %s [len=%d]\n",
			ENCRYPT_NAME(type),
			(result == CFB64_IV_OK ? "CFB64_IV_OK" :
			"CFB64_IV_BAD"), len);
#endif /* ENCRYPT_NAMES */

	lstate = encr_data.encrypt.state;
	if (enc_debug)
		(void) fprintf(stderr,
			"\t(encrypt_reply) initial ENCRYPT state = %d\n",
			lstate);
	switch (result) {
	case CFB64_IV_OK:
		if (lstate == ENCR_STATE_NOT_READY)
			lstate = ENCR_STATE_IN_PROGRESS;
		lstate &= ~ENCR_STATE_NO_RECV_IV; /* we got the IV */
		lstate &= ~ENCR_STATE_NO_SEND_IV; /* we dont need to send IV */

		/*
		 * The correct response here is to send the encryption key id
		 * RFC 2752.
		 *
		 * Send keyid 0 to indicate that we will just use default
		 * keys.
		 */
		encrypt_send_keyid(TELNET_DIR_ENCRYPT, (uchar_t *)"\0", 1, 1);

		break;
	case CFB64_IV_BAD:
		/*
		 * Clear the ivec
		 */
		(void) memset(encr_data.encrypt.ivec, 0, sizeof (Block));
		lstate = ENCR_STATE_NOT_READY;
		break;
	default:
		if (enc_debug)
			(void) fprintf(stderr,
				"\t(encrypt_reply) Got unknown IV value in "
				"REPLY message\n");
		lstate = ENCR_STATE_NOT_READY;
		break;
	}

	encr_data.encrypt.state = lstate;
	if (lstate == ENCR_STATE_NOT_READY) {
		encr_data.encrypt.autoflag = 0;
		encr_data.encrypt.type = ENCTYPE_NULL;
		if (enc_debug)
			(void) fprintf(stderr,
				    "\t(encrypt_reply) encrypt.autoflag = "
				    "OFF\n");
	} else {
		encr_data.encrypt.type = type;
		if ((lstate == ENCR_STATE_OK) && encr_data.encrypt.autoflag)
			encrypt_start_output();
	}

	if (enc_debug)
		(void) fprintf(stderr,
			    "\t(encrypt_reply) ENCRYPT final state = %d\n",
			    lstate);
}

static void
encrypt_set_keyid_state(uchar_t *keyid, int *keyidlen, int dir)
{
	int lstate;

	lstate = (dir == TELNET_DIR_ENCRYPT ? encr_data.encrypt.state :
		encr_data.decrypt.state);

	if (enc_debug)
		(void) fprintf(stderr,
			    "\t(set_keyid_state) %s initial state = %d\n",
			    (dir == TELNET_DIR_ENCRYPT ? "ENCRYPT" :
			    "DECRYPT"), lstate);

	/*
	 * Currently, we only support using the default keyid,
	 * so it should be an error if the len > 1 or the keyid != 0.
	 */
	if (*keyidlen != 1 || (*keyid != '\0')) {
		if (enc_debug)
			(void) fprintf(stderr,
				    "\t(set_keyid_state) unexpected keyid: "
				    "len=%d value=%d\n", *keyidlen, *keyid);
		*keyidlen = 0;
		syslog(LOG_ERR, "rcvd unexpected keyid %d  - only keyid of 0 "
		    "is supported",  *keyid);
	} else {
		/*
		 * We move to the "IN_PROGRESS" state.
		 */
		if (lstate == ENCR_STATE_NOT_READY)
			lstate = ENCR_STATE_IN_PROGRESS;
		/*
		 * Clear the NO_KEYID bit because we now have a valid keyid
		 */
		lstate &= ~ENCR_STATE_NO_KEYID;
	}

	if (enc_debug)
		(void) fprintf(stderr,
			    "\t(set_keyid_state) %s final state = %d\n",
			    (dir == TELNET_DIR_ENCRYPT ? "ENCRYPT" :
			    "DECRYPT"), lstate);

	if (dir == TELNET_DIR_ENCRYPT)
		encr_data.encrypt.state = lstate;
	else
		encr_data.decrypt.state = lstate;
}

/*
 * encrypt_keyid
 *
 * Set the keyid value in the key_info structure.
 * if necessary send a response to the sender
 */
static void
encrypt_keyid(uchar_t *newkeyid, int *keyidlen, uchar_t *keyid,
	int len, int dir)
{
	if (len > TELNET_MAXNUMKEYS) {
		if (enc_debug)
			(void) fprintf(stderr,
				    "\t(keyid) keylen too big (%d)\n", len);
		return;
	}

	if (enc_debug) {
		(void) fprintf(stderr, "\t(keyid) set KEYID for %s len = %d\n",
			    (dir == TELNET_DIR_ENCRYPT ? "ENCRYPT" :
			    "DECRYPT"), len);
	}

	if (len == 0) {
		if (*keyidlen == 0) {
			if (enc_debug)
				(void) fprintf(stderr,
					    "\t(keyid) Got 0 length keyid - "
					    "failure\n");
			return;
		}
		*keyidlen = 0;
		encrypt_set_keyid_state(newkeyid, keyidlen, dir);

	} else if (len != *keyidlen || memcmp(keyid, newkeyid, len)) {
		if (enc_debug)
			(void) fprintf(stderr,
				    "\t(keyid) Setting new key (%d bytes)\n",
				    len);

		*keyidlen = len;
		(void) memcpy(newkeyid, keyid, len);

		encrypt_set_keyid_state(newkeyid, keyidlen, dir);
	} else {
		encrypt_set_keyid_state(newkeyid, keyidlen, dir);

		if (enc_debug)
			(void) fprintf(stderr,
				    "\t(keyid) %s Key already in place,"
				    "state = %d autoflag=%d\n",
			(dir == TELNET_DIR_ENCRYPT ? "ENCRYPT" : "DECRYPT"),
			(dir == TELNET_DIR_ENCRYPT ? encr_data.encrypt.state:
			encr_data.decrypt.state),
			(dir == TELNET_DIR_ENCRYPT ?
				encr_data.encrypt.autoflag:
				encr_data.decrypt.autoflag));

		/* key already in place */
		if ((encr_data.encrypt.state == ENCR_STATE_OK) &&
		    dir == TELNET_DIR_ENCRYPT && encr_data.encrypt.autoflag) {
			encrypt_start_output();
		}
		return;
	}

	if (enc_debug)
		(void) fprintf(stderr, "\t(keyid) %s final state = %d\n",
			    (dir == TELNET_DIR_ENCRYPT ? "ENCRYPT" :
			    "DECRYPT"),
			    (dir == TELNET_DIR_ENCRYPT ?
			    encr_data.encrypt.state :
			    encr_data.decrypt.state));

	encrypt_send_keyid(dir, newkeyid, *keyidlen, 0);
}

/*
 * encrypt_enc_keyid
 *
 * We received the ENC_KEYID message from a client indicating that
 * the client wishes to verify that the indicated keyid maps to a
 * valid key.
 */
static void
encrypt_enc_keyid(char *data, int cnt)
{
	/*
	 * Verify the decrypt keyid is valid
	 */
	encrypt_keyid(encr_data.decrypt.keyid, &encr_data.decrypt.keyidlen,
		    (uchar_t *)data, cnt, TELNET_DIR_DECRYPT);
}

/*
 * encrypt_dec_keyid
 *
 * We received the DEC_KEYID message from a client indicating that
 * the client wants to verify that the indicated keyid maps to a valid key.
 */
static void
encrypt_dec_keyid(char *data, int cnt)
{
	encrypt_keyid(encr_data.encrypt.keyid, &encr_data.encrypt.keyidlen,
		    (uchar_t *)data, cnt, TELNET_DIR_ENCRYPT);
}

/*
 * encrypt_session_key
 *
 * Store the session key in the encryption data record
 */
static void
encrypt_session_key(Session_Key *key, cipher_info_t *cinfo)
{
	if (key == NULL || key->type != SK_DES) {
		if (enc_debug)
			(void) fprintf(stderr,
				    "\t(session_key) Cannot set krb5 "
				    "session key (unknown type = %d)\n",
				    key ? key->type : -1);
	}
	if (enc_debug)
		(void) fprintf(stderr,
			    "\t(session_key) Settting session key "
			    "for server\n");

	/* store the key in the cipher info data struct */
	(void) memcpy(cinfo->krbdes_key, (void *)key->data, sizeof (Block));

	/*
	 * Now look to see if we still need to send the key and start
	 * encrypting.
	 *
	 * If so, go ahead an call it now that we have the key.
	 */
	if (cinfo->need_start) {
		if (encrypt_send_encrypt_is() == ENCR_STATE_OK) {
			cinfo->need_start = 0;
		}
	}
}

/*
 * new_env
 *
 * Used to add an environment variable and value to the
 * linked list structure.
 */
static int
new_env(const char *name, const char *value)
{
	struct envlist *env;

	env = malloc(sizeof (struct envlist));
	if (env == NULL)
		return (1);
	if ((env->name = strdup(name)) == NULL) {
		free(env);
		return (1);
	}
	if ((env->value = strdup(value)) == NULL) {
		free(env->name);
		free(env);
		return (1);
	}
	env->delete = 0;
	env->next = envlist_head;
	envlist_head = env;
	return (0);
}

/*
 * del_env
 *
 * Used to delete an environment variable from the linked list
 * structure.  We just set a flag because we will delete the list
 * anyway before we exec login.
 */
static int
del_env(const char *name)
{
	struct envlist *env;

	for (env = envlist_head; env; env = env->next) {
		if (strcmp(env->name, name) == 0) {
			env->delete = 1;
			break;
		}
	}
	return (0);
}

static int
issock(int fd)
{
	struct stat stats;

	if (fstat(fd, &stats) == -1)
		return (0);
	return (S_ISSOCK(stats.st_mode));
}

/*
 * audit_telnet_settid stores the terminal id while it is still
 * available.  Subsequent calls to adt_load_hostname() return
 * the id which is stored here.
 */
static int
audit_telnet_settid(int sock) {
	adt_session_data_t	*ah;
	adt_termid_t		*termid;
	int			rc;

	if ((rc = adt_start_session(&ah, NULL, 0)) == 0) {
		if ((rc = adt_load_termid(sock, &termid)) == 0) {
			if ((rc = adt_set_user(ah, ADT_NO_AUDIT,
			    ADT_NO_AUDIT, 0, ADT_NO_AUDIT,
			    termid, ADT_SETTID)) == 0)
				(void) adt_set_proc(ah);
			free(termid);
		}
		(void) adt_end_session(ah);
	}
	return (rc);
}

/* ARGSUSED */
int
main(int argc, char *argv[])
{
	struct sockaddr_storage from;
	int on = 1;
	socklen_t fromlen;
	int issocket;
#if	defined(DEBUG)
	ushort_t porttouse = 0;
	boolean_t standalone = 0;
#endif /* defined(DEBUG) */
	extern char *optarg;
	char c;
	int tos = -1;

	while ((c = getopt(argc, argv, TELNETD_OPTS DEBUG_OPTS)) != -1) {
		switch (c) {
#if defined(DEBUG)
		case 'p':
			/*
			 * note: alternative port number only used in
			 * standalone mode.
			 */
			porttouse = atoi(optarg);
			standalone = 1;
			break;
		case 'e':
			enc_debug = 1;
			break;
#endif /* DEBUG */
		case 'a':
			if (strcasecmp(optarg, "none") == 0) {
				auth_level = 0;
			} else if (strcasecmp(optarg, "user") == 0) {
				auth_level = AUTH_USER;
			} else if (strcasecmp(optarg, "valid") == 0) {
				auth_level = AUTH_VALID;
			} else if (strcasecmp(optarg, "off") == 0) {
				auth_level = -1;
				negotiate_auth_krb5 = 0;
			} else if (strcasecmp(optarg, "debug") == 0) {
				auth_debug = 1;
			} else {
				syslog(LOG_ERR,
				    "unknown authentication level specified "
				    "with \'-a\' option (%s)", optarg);
				auth_level = AUTH_USER;
			}
			break;
		case 'X':
			/* disable authentication negotiation */
			negotiate_auth_krb5 = 0;
			break;
		case 'R':
		case 'M':
			if (optarg != NULL) {
				int ret = krb5_init();
				if (ret) {
					syslog(LOG_ERR,
						"Unable to use Kerberos V5 as "
						"requested, exiting");
					exit(1);
				}
				(void) krb5_set_default_realm(telnet_context,
				    optarg);
				syslog(LOG_NOTICE,
				    "using %s as default KRB5 realm", optarg);
			}
			break;
		case 'S':
			telnet_srvtab = (char *)strdup(optarg);
			break;
		case 'E': /* disable automatic encryption */
			negotiate_encrypt = B_FALSE;
			break;
		case 'U':
			resolve_hostname = 1;
			break;
		case 's':
			if (optarg == NULL || (tos = atoi(optarg)) < 0 ||
			    tos > 255) {
				syslog(LOG_ERR, "telnetd: illegal tos value: "
				    "%s\n", optarg);
			} else {
				if (tos < 0)
					tos = 020;
			}
			break;
		case 'h':
			show_hostinfo = 0;
			break;
		default:
			syslog(LOG_ERR, "telnetd: illegal cmd line option %c",
			    c);
			break;
		}
	}

	netibufsize = BUFSIZ;
	if (!(netibuf = (char *)malloc(netibufsize)))
		syslog(LOG_ERR, "netibuf malloc failed\n");
	(void) memset(netibuf, 0, netibufsize);
	netip = netibuf;

#if	defined(DEBUG)
	if (standalone) {
		int s, ns, foo;
		struct servent *sp;
		static struct sockaddr_in6 sin6 = { AF_INET6 };
		int option = 1;

		if (porttouse) {
			sin6.sin6_port = htons(porttouse);
		} else {
			sp = getservbyname("telnet", "tcp");
			if (sp == 0) {
				(void) fprintf(stderr,
					    "telnetd: tcp/telnet: "
					    "unknown service\n");
				exit(EXIT_FAILURE);
			}
			sin6.sin6_port = sp->s_port;
		}

		s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
		if (s < 0) {
			perror("telnetd: socket");
			exit(EXIT_FAILURE);
		}
		if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (char *)&option,
		    sizeof (option)) == -1)
			perror("setsockopt SO_REUSEADDR");
		if (bind(s, (struct sockaddr *)&sin6, sizeof (sin6)) < 0) {
			perror("bind");
			exit(EXIT_FAILURE);
		}
		if (listen(s, 32) < 0) {
			perror("listen");
			exit(EXIT_FAILURE);
		}

		/* automatically reap all child processes */
		(void) signal(SIGCHLD, SIG_IGN);

		for (;;) {
			pid_t pid;

			foo = sizeof (sin6);
			ns = accept(s, (struct sockaddr *)&sin6, &foo);
			if (ns < 0) {
				perror("accept");
				exit(EXIT_FAILURE);
			}
			pid = fork();
			if (pid == -1) {
				perror("fork");
				exit(EXIT_FAILURE);
			}
			if (pid == 0) {
				(void) dup2(ns, 0);
				(void) close(s);
				(void) signal(SIGCHLD, SIG_DFL);
				break;
			}
			(void) close(ns);
		}
	}
#endif /* defined(DEBUG) */

	openlog("telnetd", LOG_PID | LOG_ODELAY, LOG_DAEMON);

	issocket = issock(0);
	if (!issocket)
		fatal(0, "stdin is not a socket file descriptor");

	fromlen = (socklen_t)sizeof (from);
	(void) memset((char *)&from, 0, sizeof (from));
	if (getpeername(0, (struct sockaddr *)&from, &fromlen)
	    < 0) {
		(void) fprintf(stderr, "%s: ", argv[0]);
		perror("getpeername");
		_exit(EXIT_FAILURE);
	}

	if (audit_telnet_settid(0)) {	/* set terminal ID */
		(void) fprintf(stderr, "%s: ", argv[0]);
		perror("audit");
		exit(EXIT_FAILURE);
	}

	if (setsockopt(0, SOL_SOCKET, SO_KEEPALIVE, (const char *)&on,
						sizeof (on)) < 0) {
		syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m");
	}

	/*
	 * Set the TOS value
	 */
	if (tos != -1 &&
	    setsockopt(0, IPPROTO_IP, IP_TOS,
		    (char *)&tos, sizeof (tos)) < 0 &&
		errno != ENOPROTOOPT) {
		syslog(LOG_ERR, "setsockopt (IP_TOS %d): %m", tos);
	}

	if (setsockopt(net, SOL_SOCKET, SO_OOBINLINE, (char *)&on,
	    sizeof (on)) < 0) {
		syslog(LOG_WARNING, "setsockopt (SO_OOBINLINE): %m");
	}

	/* set the default PAM service name */
	(void) strcpy(pam_svc_name, "telnet");

	doit(0, &from);
	return (EXIT_SUCCESS);
}

static char	*terminaltype = 0;

/*
 * ttloop
 *
 *	A small subroutine to flush the network output buffer, get some data
 * from the network, and pass it through the telnet state machine.  We
 * also flush the pty input buffer (by dropping its data) if it becomes
 * too full.
 */
static void
ttloop(void)
{
	if (nfrontp-nbackp) {
		netflush();
	}
read_again:
	ncc = read(net, netibuf, netibufsize);
	if (ncc < 0) {
		if (errno == EINTR)
			goto read_again;
		syslog(LOG_INFO, "ttloop:  read: %m");
		exit(EXIT_FAILURE);
	} else if (ncc == 0) {
		syslog(LOG_INFO, "ttloop:  peer closed connection\n");
		exit(EXIT_FAILURE);
	}

	netip = netibuf;
	telrcv();		/* state machine */
	if (ncc > 0) {
		pfrontp = pbackp = ptyobuf;
		telrcv();
	}
}

static void
send_do(int option)
{
	write_data("%c%c%c", (uchar_t)IAC, (uchar_t)DO, (uchar_t)option);
}

static void
send_will(int option)
{
	write_data("%c%c%c", (uchar_t)IAC, (uchar_t)WILL, (uchar_t)option);
}

static void
send_wont(int option)
{
	write_data("%c%c%c", (uchar_t)IAC, (uchar_t)WONT, (uchar_t)option);
}


/*
 * getauthtype
 *
 * Negotiate automatic authentication, is possible.
 */
static int
getauthtype(char *username, int *len)
{
	int init_status = -1;

	init_status = krb5_init();

	if (auth_level == -1 || init_status != 0) {
		remopts[TELOPT_AUTHENTICATION] = OPT_NO;
		myopts[TELOPT_AUTHENTICATION] = OPT_NO;
		negotiate_auth_krb5 = B_FALSE;
		negotiate_encrypt = B_FALSE;
		return (AUTH_REJECT);
	}

	if (init_status == 0 && auth_level != -1) {
		if (negotiate_auth_krb5) {
			/*
			 * Negotiate Authentication FIRST
			 */
			send_do(TELOPT_AUTHENTICATION);
			remopts[TELOPT_AUTHENTICATION] =
				OPT_YES_BUT_ALWAYS_LOOK;
		}
		while (sequenceIs(authopt, getauth))
			ttloop();

		if (remopts[TELOPT_AUTHENTICATION] == OPT_YES) {
			/*
			 * Request KRB5 Mutual authentication and if that fails,
			 * KRB5 1-way client authentication
			 */
			uchar_t sbbuf[MAXOPTLEN], *p;
			p = sbbuf;
			*p++ = (uchar_t)IAC;
			*p++ = (uchar_t)SB;
			*p++ = (uchar_t)TELOPT_AUTHENTICATION;
			*p++ = (uchar_t)TELQUAL_SEND;
			if (negotiate_auth_krb5) {
				*p++ = (uchar_t)AUTHTYPE_KERBEROS_V5;
				*p++ = (uchar_t)(AUTH_WHO_CLIENT |
						AUTH_HOW_MUTUAL |
						AUTH_ENCRYPT_ON);
				*p++ = (uchar_t)AUTHTYPE_KERBEROS_V5;
				*p++ = (uchar_t)(AUTH_WHO_CLIENT |
						AUTH_HOW_MUTUAL);
				*p++ = (uchar_t)AUTHTYPE_KERBEROS_V5;
				*p++ = (uchar_t)(AUTH_WHO_CLIENT|
						AUTH_HOW_ONE_WAY);
			} else {
				*p++ = (uchar_t)AUTHTYPE_NULL;
			}
			*p++ = (uchar_t)IAC;
			*p++ = (uchar_t)SE;

			write_data_len((const char *)sbbuf,
				    (size_t)(p - sbbuf));
			netflush();
			if (auth_debug)
				(void) fprintf(stderr,
					    "SENT TELOPT_AUTHENTICATION "
					    "[data]\n");

			/* auth_wait returns the authentication level */
			/* status = auth_wait(username, len); */
			while (sequenceIs(authdone, getauth))
				ttloop();
			/*
			 * Now check to see if the user is valid or not
			 */
			if (authenticated == NULL || authenticated == &NoAuth)
				auth_status = AUTH_REJECT;
			else {
				/*
				 * We cant be VALID until the user status is
				 * checked.
				 */
				if (auth_status == AUTH_VALID)
					auth_status = AUTH_USER;

				if (authenticated->AuthName ==
					AUTHTYPE_KERBEROS_V5)
					auth_status = krb5_user_status(
						username, *len, auth_status);
			}
		}
	}
	return (auth_status);
}

static void
getencrtype(void)
{
	if (krb5_privacy_allowed() && negotiate_encrypt) {
		if (myopts[TELOPT_ENCRYPT] != OPT_YES) {
			if (!sent_will_encrypt) {
				send_will(TELOPT_ENCRYPT);
				sent_will_encrypt = B_TRUE;
			}
			if (enc_debug)
				(void) fprintf(stderr, "SENT WILL ENCRYPT\n");
		}
		if (remopts[TELOPT_ENCRYPT] != OPT_YES) {
			if (!sent_do_encrypt) {
				send_do(TELOPT_ENCRYPT);
				sent_do_encrypt = B_TRUE;
				remopts[TELOPT_ENCRYPT] =
				    OPT_YES_BUT_ALWAYS_LOOK;
			}
			if (enc_debug)
				(void) fprintf(stderr, "SENT DO ENCRYPT\n");
		}
		myopts[TELOPT_ENCRYPT] = OPT_YES;

		while (sequenceIs(encropt, getencr))
		    ttloop();

		if (auth_status != AUTH_REJECT &&
		    remopts[TELOPT_ENCRYPT] == OPT_YES &&
		    myopts[TELOPT_ENCRYPT] == OPT_YES) {

			if (sent_encrypt_support == B_FALSE) {
				write_data("%c%c%c%c%c%c%c",
					(uchar_t)IAC,
					(uchar_t)SB,
					(uchar_t)TELOPT_ENCRYPT,
					(uchar_t)ENCRYPT_SUPPORT,
					(uchar_t)TELOPT_ENCTYPE_DES_CFB64,
					(uchar_t)IAC,
					(uchar_t)SE);

				netflush();
			}
			/*
			 * Now wait for a response to these messages before
			 * continuing...
			 * Look for TELOPT_ENCRYPT suboptions
			 */
			while (sequenceIs(encr_support, getencr))
				ttloop();
		}
	} else {
		/* Dont need responses to these, so dont wait for them */
		settimer(encropt);
		remopts[TELOPT_ENCRYPT] = OPT_NO;
		myopts[TELOPT_ENCRYPT] = OPT_NO;
	}

}

/*
 * getterminaltype
 *
 * Ask the other end to send along its terminal type.
 * Output is the variable terminaltype filled in.
 */
static void
getterminaltype(void)
{
	/*
	 * The remote side may have already sent this info, so
	 * dont ask for these options if the other side already
	 * sent the information.
	 */
	if (sequenceIs(ttypeopt, getterminal)) {
		send_do(TELOPT_TTYPE);
		remopts[TELOPT_TTYPE] = OPT_YES_BUT_ALWAYS_LOOK;
	}

	if (sequenceIs(nawsopt, getterminal)) {
		send_do(TELOPT_NAWS);
		remopts[TELOPT_NAWS] = OPT_YES_BUT_ALWAYS_LOOK;
	}

	if (sequenceIs(xdisplocopt, getterminal)) {
		send_do(TELOPT_XDISPLOC);
		remopts[TELOPT_XDISPLOC] = OPT_YES_BUT_ALWAYS_LOOK;
	}

	if (sequenceIs(environopt, getterminal)) {
		send_do(TELOPT_NEW_ENVIRON);
		remopts[TELOPT_NEW_ENVIRON] = OPT_YES_BUT_ALWAYS_LOOK;
	}

	if (sequenceIs(oenvironopt, getterminal)) {
		send_do(TELOPT_OLD_ENVIRON);
		remopts[TELOPT_OLD_ENVIRON] = OPT_YES_BUT_ALWAYS_LOOK;
	}

	/* make sure encryption is started here */
	while (auth_status != AUTH_REJECT &&
		authenticated != &NoAuth && authenticated != NULL &&
		remopts[TELOPT_ENCRYPT] == OPT_YES &&
		encr_data.encrypt.autoflag &&
		encr_data.encrypt.state != ENCR_STATE_OK) {
	    if (enc_debug)
		(void) fprintf(stderr, "getterminaltype() forcing encrypt\n");
	    ttloop();
	}

	if (enc_debug) {
	    (void) fprintf(stderr, "getterminaltype() encryption %sstarted\n",
		    encr_data.encrypt.state == ENCR_STATE_OK ? "" : "not ");
	}

	while (sequenceIs(ttypeopt, getterminal) ||
	    sequenceIs(nawsopt, getterminal) ||
	    sequenceIs(xdisplocopt, getterminal) ||
	    sequenceIs(environopt, getterminal) ||
	    sequenceIs(oenvironopt, getterminal)) {
		ttloop();
	}


	if (remopts[TELOPT_TTYPE] == OPT_YES) {
		static uchar_t sbbuf[] = { (uchar_t)IAC, (uchar_t)SB,
		    (uchar_t)TELOPT_TTYPE, (uchar_t)TELQUAL_SEND,
		    (uchar_t)IAC, (uchar_t)SE };

		write_data_len((const char *)sbbuf, sizeof (sbbuf));
	}
	if (remopts[TELOPT_XDISPLOC] == OPT_YES) {
		static uchar_t sbbuf[] = { (uchar_t)IAC, (uchar_t)SB,
		    (uchar_t)TELOPT_XDISPLOC, (uchar_t)TELQUAL_SEND,
		    (uchar_t)IAC, (uchar_t)SE };

		write_data_len((const char *)sbbuf, sizeof (sbbuf));
	}
	if (remopts[TELOPT_NEW_ENVIRON] == OPT_YES) {
		static uchar_t sbbuf[] = { (uchar_t)IAC, (uchar_t)SB,
		    (uchar_t)TELOPT_NEW_ENVIRON, (uchar_t)TELQUAL_SEND,
		    (uchar_t)IAC, (uchar_t)SE };

		write_data_len((const char *)sbbuf, sizeof (sbbuf));
	}
	if (remopts[TELOPT_OLD_ENVIRON] == OPT_YES) {
		static uchar_t sbbuf[] = { (uchar_t)IAC, (uchar_t)SB,
		    (uchar_t)TELOPT_OLD_ENVIRON, (uchar_t)TELQUAL_SEND,
		    (uchar_t)IAC, (uchar_t)SE };

		write_data_len((const char *)sbbuf, sizeof (sbbuf));
	}

	if (remopts[TELOPT_TTYPE] == OPT_YES) {
		while (sequenceIs(ttypesubopt, getterminal)) {
			ttloop();
		}
	}
	if (remopts[TELOPT_XDISPLOC] == OPT_YES) {
		while (sequenceIs(xdisplocsubopt, getterminal)) {
			ttloop();
		}
	}
	if (remopts[TELOPT_NEW_ENVIRON] == OPT_YES) {
		while (sequenceIs(environsubopt, getterminal)) {
			ttloop();
		}
	}
	if (remopts[TELOPT_OLD_ENVIRON] == OPT_YES) {
		while (sequenceIs(oenvironsubopt, getterminal)) {
			ttloop();
		}
	}
	init_neg_done = 1;
}

pid_t pid;

/*
 * Get a pty, scan input lines.
 */
static void
doit(int f, struct sockaddr_storage *who)
{
	char *host;
	char host_name[MAXHOSTNAMELEN];
	int p, t, tt;
	struct sgttyb b;
	int	ptmfd;	/* fd of logindmux connected to pty */
	int	netfd;	/* fd of logindmux connected to netf */
	struct	stat	buf;
	struct	protocol_arg	telnetp;
	struct	strioctl	telnetmod;
	struct	envlist	*env, *next;
	int	nsize = 0;
	char abuf[INET6_ADDRSTRLEN];
	struct sockaddr_in *sin;
	struct sockaddr_in6 *sin6;
	socklen_t wholen;
	char username[MAXUSERNAMELEN];
	int len;
	uchar_t passthru;
	char *subsidname;

	if ((p = open("/dev/ptmx", O_RDWR | O_NOCTTY)) == -1) {
		fatalperror(f, "open /dev/ptmx", errno);
	}
	if (grantpt(p) == -1)
		fatal(f, "could not grant subsidiary pty");
	if (unlockpt(p) == -1)
		fatal(f, "could not unlock subsidiary pty");
	if ((subsidname = ptsname(p)) == NULL)
		fatal(f, "could not enable subsidiary pty");
	(void) dup2(f, 0);
	if ((t = open(subsidname, O_RDWR | O_NOCTTY)) == -1)
		fatal(f, "could not open subsidiary pty");
	if (ioctl(t, I_PUSH, "ptem") == -1)
		fatalperror(f, "ioctl I_PUSH ptem", errno);
	if (ioctl(t, I_PUSH, "ldterm") == -1)
		fatalperror(f, "ioctl I_PUSH ldterm", errno);
	if (ioctl(t, I_PUSH, "ttcompat") == -1)
		fatalperror(f, "ioctl I_PUSH ttcompat", errno);

	line = subsidname;

	pty = t;

	if (ioctl(t, TIOCGETP, &b) == -1)
		syslog(LOG_INFO, "ioctl TIOCGETP pty t: %m\n");
	b.sg_flags = O_CRMOD|O_XTABS|O_ANYP;
	/* XXX - ispeed and ospeed must be non-zero */
	b.sg_ispeed = B38400;
	b.sg_ospeed = B38400;
	if (ioctl(t, TIOCSETN, &b) == -1)
		syslog(LOG_INFO, "ioctl TIOCSETN pty t: %m\n");
	if (ioctl(pty, TIOCGETP, &b) == -1)
		syslog(LOG_INFO, "ioctl TIOCGETP pty pty: %m\n");
	b.sg_flags &= ~O_ECHO;
	if (ioctl(pty, TIOCSETN, &b) == -1)
		syslog(LOG_INFO, "ioctl TIOCSETN pty pty: %m\n");

	if (who->ss_family == AF_INET) {
		char *addrbuf = NULL;
		char *portbuf = NULL;

		sin = (struct sockaddr_in *)who;
		wholen = sizeof (struct sockaddr_in);

		addrbuf = (char *)malloc(wholen);
		if (addrbuf == NULL)
			fatal(f, "Cannot alloc memory for address info\n");
		portbuf = (char *)malloc(sizeof (sin->sin_port));
		if (portbuf == NULL) {
			free(addrbuf);
			fatal(f, "Cannot alloc memory for port info\n");
		}

		(void) memcpy(addrbuf, (const void *)&sin->sin_addr, wholen);
		(void) memcpy(portbuf, (const void *)&sin->sin_port,
			    sizeof (sin->sin_port));

		if (rsaddr.contents != NULL)
			free(rsaddr.contents);

		rsaddr.contents = (krb5_octet *)addrbuf;
		rsaddr.length = wholen;
		rsaddr.addrtype = ADDRTYPE_INET;

		if (rsport.contents != NULL)
			free(rsport.contents);

		rsport.contents = (krb5_octet *)portbuf;
		rsport.length = sizeof (sin->sin_port);
		rsport.addrtype = ADDRTYPE_IPPORT;
	} else if (who->ss_family == AF_INET6) {
		struct in_addr ipv4_addr;
		char *addrbuf = NULL;
		char *portbuf = NULL;

		sin6 = (struct sockaddr_in6 *)who;
		wholen = sizeof (struct sockaddr_in6);

		IN6_V4MAPPED_TO_INADDR(&sin6->sin6_addr,
				    &ipv4_addr);

		addrbuf = (char *)malloc(wholen);
		if (addrbuf == NULL)
			fatal(f, "Cannot alloc memory for address info\n");

		portbuf = (char *)malloc(sizeof (sin6->sin6_port));
		if (portbuf == NULL) {
			free(addrbuf);
			fatal(f, "Cannot alloc memory for port info\n");
		}

		(void) memcpy((void *) addrbuf,
			    (const void *)&ipv4_addr,
			    wholen);
		/*
		 * If we already used rsaddr.contents, free the previous
		 * buffer.
		 */
		if (rsaddr.contents != NULL)
			free(rsaddr.contents);

		rsaddr.contents = (krb5_octet *)addrbuf;
		rsaddr.length = sizeof (ipv4_addr);
		rsaddr.addrtype = ADDRTYPE_INET;

		(void) memcpy((void *) portbuf, (const void *)&sin6->sin6_port,
			    sizeof (sin6->sin6_port));

		if (rsport.contents != NULL)
			free(rsport.contents);

		rsport.contents = (krb5_octet *)portbuf;
		rsport.length = sizeof (sin6->sin6_port);
		rsport.addrtype = ADDRTYPE_IPPORT;
	} else {
		syslog(LOG_ERR, "unknown address family %d\n",
		    who->ss_family);
		fatal(f, "getpeername: unknown address family\n");
	}

	if (getnameinfo((const struct sockaddr *) who, wholen, host_name,
	    sizeof (host_name), NULL, 0, 0) == 0) {
		host = host_name;
	} else {
		/*
		 * If the '-U' option was given on the cmd line, we must
		 * be able to lookup the hostname
		 */
		if (resolve_hostname) {
			fatal(f, "Couldn't resolve your address into a "
			    "host name.\r\nPlease contact your net "
			    "administrator");
		}

		if (who->ss_family == AF_INET6) {
			if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
				struct in_addr ipv4_addr;

				IN6_V4MAPPED_TO_INADDR(&sin6->sin6_addr,
				    &ipv4_addr);
				host = (char *)inet_ntop(AF_INET,
				    &ipv4_addr, abuf, sizeof (abuf));
			} else {
				host = (char *)inet_ntop(AF_INET6,
				    &sin6->sin6_addr, abuf,
				    sizeof (abuf));
			}
		} else if (who->ss_family == AF_INET) {
				host = (char *)inet_ntop(AF_INET,
				    &sin->sin_addr, abuf, sizeof (abuf));
			}
	}
	/*
	 * Note that sockmod has to be removed since readstream assumes
	 * a "raw" TPI endpoint (e.g. it uses getmsg).
	 */
	if (removemod(f, "sockmod") < 0)
		fatalperror(f, "couldn't remove sockmod", errno);

	encrypt_init();

	/*
	 * Push the crypto module on the stream before 'telmod' so it
	 * can encrypt/decrypt without interfering with telmod functionality
	 * We must push it now because many of the crypto options negotiated
	 * initially must be saved in the crypto module (via IOCTL calls).
	 */
	if (ioctl(f, I_PUSH, "cryptmod") < 0)
		fatalperror(f, "ioctl I_PUSH cryptmod", errno);

	cryptmod_fd = f;
	/*
	 * gotta set the encryption clock now because it is often negotiated
	 * immediately by the client, and if we wait till after we negotiate
	 * auth, it will be out of whack with when the WILL/WONT ENCRYPT
	 * option is received.
	 */
	settimer(getencr);

	/*
	 * get terminal type.
	 */
	username[0] = '\0';
	len = sizeof (username);

	settimer(getterminal);
	settimer(getauth);
	/*
	 * Exchange TELOPT_AUTHENTICATE options per RFC 2941/2942
	 */
	auth_status = getauthtype(username, &len);
	/*
	 * Exchange TELOPT_ENCRYPT options per RFC 2946
	 */
	getencrtype();
	getterminaltype();

	if (ioctl(f, I_PUSH, "telmod") < 0)
		fatalperror(f, "ioctl I_PUSH telmod", errno);

	/*
	 * Make sure telmod will pass unrecognized IOCTLs to cryptmod
	 */
	passthru = 1;

	telnetmod.ic_cmd = CRYPTPASSTHRU;
	telnetmod.ic_timout = -1;
	telnetmod.ic_len = sizeof (uchar_t);
	telnetmod.ic_dp = (char *)&passthru;

	if (ioctl(f, I_STR, &telnetmod) < 0)
		fatal(f, "ioctl CRPASSTHRU failed\n");

	if (!ncc)
		netip = netibuf;

	/*
	 * readstream will do a getmsg till it receives M_PROTO type
	 * T_DATA_REQ from telnetmodopen().  This signals that all data
	 * in-flight before telmod was pushed has been received at the
	 * stream head.
	 */
	while ((nsize = readstream(f, netibuf, ncc + netip - netibuf)) > 0) {
		ncc += nsize;
	}

	if (nsize < 0) {
		fatalperror(f, "readstream failed\n", errno);
	}

	/*
	 * open logindmux drivers and link them with network and ptm
	 * file descriptors.
	 */
	if ((ptmfd = open("/dev/logindmux", O_RDWR)) == -1) {
		fatalperror(f, "open /dev/logindmux", errno);
	}
	if ((netfd = open("/dev/logindmux", O_RDWR)) == -1) {
		fatalperror(f, "open /dev/logindmux", errno);
	}

	if (ioctl(ptmfd, I_LINK, p) < 0)
		fatal(f, "ioctl I_LINK of /dev/ptmx failed\n");
	if (ioctl(netfd, I_LINK, f) < 0)
		fatal(f, "ioctl I_LINK of tcp connection failed\n");

	/*
	 * Figure out the device number of ptm's mux fd, and pass that
	 * to the net's mux.
	 */
	if (fstat(ptmfd, &buf) < 0) {
		fatalperror(f, "fstat ptmfd failed", errno);
	}
	telnetp.dev = buf.st_rdev;
	telnetp.flag = 0;

	telnetmod.ic_cmd = LOGDMX_IOC_QEXCHANGE;
	telnetmod.ic_timout = -1;
	telnetmod.ic_len = sizeof (struct protocol_arg);
	telnetmod.ic_dp = (char *)&telnetp;

	if (ioctl(netfd, I_STR, &telnetmod) < 0)
		fatal(netfd, "ioctl LOGDMX_IOC_QEXCHANGE of netfd failed\n");

	/*
	 * Figure out the device number of the net's mux fd, and pass that
	 * to the ptm's mux.
	 */
	if (fstat(netfd, &buf) < 0) {
		fatalperror(f, "fstat netfd failed", errno);
	}
	telnetp.dev = buf.st_rdev;
	telnetp.flag = 1;

	telnetmod.ic_cmd = LOGDMX_IOC_QEXCHANGE;
	telnetmod.ic_timout = -1;
	telnetmod.ic_len = sizeof (struct protocol_arg);
	telnetmod.ic_dp = (char *)&telnetp;

	if (ioctl(ptmfd, I_STR, &telnetmod) < 0)
		fatal(netfd, "ioctl LOGDMX_IOC_QEXCHANGE of ptmfd failed\n");

	net = netfd;
	manager = ptmfd;
	cryptmod_fd = netfd;

	/*
	 * Show banner that getty never gave, but
	 * only if the user did not automatically authenticate.
	 */
	if (getenv("USER") == NULL && auth_status < AUTH_USER)
		showbanner();

	/*
	 * If the user automatically authenticated with Kerberos
	 * we must set the service name that PAM will use.  We
	 * need to do it BEFORE the child fork so that 'cleanup'
	 * in the parent can call the PAM cleanup stuff with the
	 * same PAM service that /bin/login will use to authenticate
	 * this session.
	 */
	if (auth_level >= 0 && auth_status >= AUTH_USER &&
	    (AuthenticatingUser != NULL) && strlen(AuthenticatingUser)) {
		(void) strcpy(pam_svc_name, "ktelnet");
	}
	/*
	 * Request to do suppress go ahead.
	 *
	 * Send this before sending the TELOPT_ECHO stuff below because
	 * some clients (MIT KRB5 telnet) have quirky 'kludge mode' support
	 * that has them turn off local echo mode if SGA is not received first.
	 * This also has the odd side-effect of causing the client to enable
	 * encryption and then immediately disable it during the ECHO option
	 * negotiations.  Its just better to to SGA first now that we support
	 * encryption.
	 */
	if (!myopts[TELOPT_SGA]) {
	    dooption(TELOPT_SGA);
	}

	/*
	 * Pretend we got a DO ECHO from the client if we have not
	 * yet negotiated the ECHO.
	 */
	if (!myopts[TELOPT_ECHO]) {
	    dooption(TELOPT_ECHO);
	}

	/*
	 * Is the client side a 4.2 (NOT 4.3) system?  We need to know this
	 * because 4.2 clients are unable to deal with TCP urgent data.
	 *
	 * To find out, we send out a "DO ECHO".  If the remote system
	 * answers "WILL ECHO" it is probably a 4.2 client, and we note
	 * that fact ("WILL ECHO" ==> that the client will echo what
	 * WE, the server, sends it; it does NOT mean that the client will
	 * echo the terminal input).
	 */
	send_do(TELOPT_ECHO);
	remopts[TELOPT_ECHO] = OPT_YES_BUT_ALWAYS_LOOK;

	if ((pid = fork()) < 0)
		fatalperror(netfd, "fork", errno);
	if (pid)
		telnet(net, manager);
	/*
	 * The child process needs to be the session leader
	 * and have the pty as its controlling tty.  Thus we need
	 * to re-open the subsidiary side of the pty no without
	 * the O_NOCTTY flag that we have been careful to
	 * use up to this point.
	 */
	(void) setsid();

	tt = open(line, O_RDWR);
	if (tt < 0)
		fatalperror(netfd, line, errno);
	(void) close(netfd);
	(void) close(ptmfd);
	(void) close(f);
	(void) close(p);
	(void) close(t);
	if (tt != 0)
		(void) dup2(tt, 0);
	if (tt != 1)
		(void) dup2(tt, 1);
	if (tt != 2)
		(void) dup2(tt, 2);
	if (tt > 2)
		(void) close(tt);

	if (terminaltype)
		(void) local_setenv("TERM", terminaltype+5, 1);
	/*
	 *	-h : pass on name of host.
	 *		WARNING:  -h is accepted by login if and only if
	 *			getuid() == 0.
	 *	-p : don't clobber the environment (so terminal type stays set).
	 */
	{
		/* System V login expects a utmp entry to already be there */
		struct utmpx ut;
		(void) memset((char *)&ut, 0, sizeof (ut));
		(void) strncpy(ut.ut_user, ".telnet", sizeof (ut.ut_user));
		(void) strncpy(ut.ut_line, line, sizeof (ut.ut_line));
		ut.ut_pid = getpid();
		ut.ut_id[0] = 't';
		ut.ut_id[1] = (char)SC_WILDC;
		ut.ut_id[2] = (char)SC_WILDC;
		ut.ut_id[3] = (char)SC_WILDC;
		ut.ut_type = LOGIN_PROCESS;
		ut.ut_exit.e_termination = 0;
		ut.ut_exit.e_exit = 0;
		(void) time(&ut.ut_tv.tv_sec);
		if (makeutx(&ut) == NULL)
			syslog(LOG_INFO, "in.telnetd:\tmakeutx failed");
	}

	/*
	 * Load in the cached environment variables and either
	 * set/unset them in the environment.
	 */
	for (next = envlist_head; next; ) {
		env = next;
		if (env->delete)
			(void) local_unsetenv(env->name);
		else
			(void) local_setenv(env->name, env->value, 1);
		free(env->name);
		free(env->value);
		next = env->next;
		free(env);
	}

	if (!username || !username[0])
		auth_status = AUTH_REJECT; /* we dont know who this is */

	/* If the current auth status is less than the required level, exit */
	if (auth_status < auth_level) {
		fatal(net, "Authentication failed\n");
		exit(EXIT_FAILURE);
	}

	/*
	 * If AUTH_VALID (proper authentication REQUIRED and we have
	 * a krb5_name), exec '/bin/login', make sure it uses the
	 * correct PAM service name (pam_svc_name). If possible,
	 * make sure the krb5 authenticated user's name (krb5_name)
	 * is in the PAM REPOSITORY for krb5.
	 */
	if (auth_level >= 0 &&
	    (auth_status == AUTH_VALID || auth_status == AUTH_USER) &&
	    ((krb5_name != NULL) && strlen(krb5_name)) &&
	    ((AuthenticatingUser != NULL) && strlen(AuthenticatingUser))) {
		(void) execl(LOGIN_PROGRAM, "login",
			    "-p",
			    "-d", subsidname,
			    "-h", host,
			    "-u", krb5_name,
			    "-s", pam_svc_name,
			    "-R", KRB5_REPOSITORY_NAME,
			    AuthenticatingUser, 0);
	} else if (auth_level >= 0 &&
		auth_status >= AUTH_USER &&
		(((AuthenticatingUser != NULL) && strlen(AuthenticatingUser)) ||
		getenv("USER"))) {
		/*
		 * If we only know the name but not the principal,
		 * login will have to authenticate further.
		 */
		(void) execl(LOGIN_PROGRAM, "login",
		    "-p",
		    "-d", subsidname,
		    "-h", host,
		    "-s", pam_svc_name, "--",
		    (AuthenticatingUser != NULL ? AuthenticatingUser :
			getenv("USER")), 0);

	} else /* default, no auth. info available, login does it all */ {
		(void) execl(LOGIN_PROGRAM, "login",
		    "-p", "-h", host, "-d", subsidname, "--",
		    getenv("USER"), 0);
	}

	fatalperror(netfd, LOGIN_PROGRAM, errno);
	/*NOTREACHED*/
}

static void
fatal(int f, char *msg)
{
	char buf[BUFSIZ];

	(void) snprintf(buf, sizeof (buf), "telnetd: %s.\r\n", msg);
	(void) write(f, buf, strlen(buf));
	exit(EXIT_FAILURE);
	/*NOTREACHED*/
}

static void
fatalperror(int f, char *msg, int errnum)
{
	char buf[BUFSIZ];

	(void) snprintf(buf, sizeof (buf),
			"%s: %s\r\n", msg, strerror(errnum));
	fatal(f, buf);
	/*NOTREACHED*/
}

/*
 * Main loop.  Select from pty and network, and
 * hand data to telnet receiver finite state machine
 * when it receives telnet protocol. Regular data
 * flow between pty and network takes place through
 * inkernel telnet streams module (telmod).
 */
static void
telnet(int net, int manager)
{
	int on = 1;
	char mode;
	struct	strioctl	telnetmod;
	int	nsize = 0;
	char	binary_in = 0;
	char binary_out = 0;

	if (ioctl(net, FIONBIO, &on) == -1)
		syslog(LOG_INFO, "ioctl FIONBIO net: %m\n");
	if (ioctl(manager, FIONBIO, &on) == -1)
		syslog(LOG_INFO, "ioctl FIONBIO pty p: %m\n");
	(void) signal(SIGTSTP, SIG_IGN);
	(void) signal(SIGCHLD, (void (*)())cleanup);
	(void) setpgrp();

	/*
	 * Call telrcv() once to pick up anything received during
	 * terminal type negotiation.
	 */
	telrcv();

	netflush();
	ptyflush();

	for (;;) {
		fd_set ibits, obits, xbits;
		int c;

		if (ncc < 0)
			break;

		FD_ZERO(&ibits);
		FD_ZERO(&obits);
		FD_ZERO(&xbits);

		/*
		 * If we couldn't flush all our output to the network,
		 * keep checking for when we can.
		 */
		if (nfrontp - nbackp)
			FD_SET(net, &obits);
		/*
		 * Never look for input if there's still
		 * stuff in the corresponding output buffer
		 */
		if (pfrontp - pbackp) {
			FD_SET(manager, &obits);
		} else {
			FD_SET(net, &ibits);
		}
		if (!SYNCHing) {
			FD_SET(net, &xbits);
		}

#define	max(x, y)	(((x) < (y)) ? (y) : (x))

		/*
		 * make an ioctl to telnet module (net side) to send
		 * binary mode of telnet daemon. binary_in and
		 * binary_out are 0 if not in binary mode.
		 */
		if (binary_in != myopts[TELOPT_BINARY] ||
		    binary_out != remopts[TELOPT_BINARY]) {

			mode = 0;
			if (myopts[TELOPT_BINARY] != OPT_NO)
				mode |= TEL_BINARY_IN;

			if (remopts[TELOPT_BINARY] != OPT_NO)
				mode |= TEL_BINARY_OUT;

			telnetmod.ic_cmd = TEL_IOC_MODE;
			telnetmod.ic_timout = -1;
			telnetmod.ic_len = 1;
			telnetmod.ic_dp = &mode;

			syslog(LOG_DEBUG, "TEL_IOC_MODE binary has changed\n");

			if (ioctl(net, I_STR, &telnetmod) < 0)
				fatal(net, "ioctl TEL_IOC_MODE failed\n");
			binary_in = myopts[TELOPT_BINARY];
			binary_out = remopts[TELOPT_BINARY];
		}
		if (state == TS_DATA) {
			if ((nfrontp == nbackp) &&
				(pfrontp == pbackp)) {
				if (ioctl(net, I_NREAD, &nsize) < 0)
					fatalperror(net,
					    "ioctl I_NREAD failed\n", errno);
				if (nsize)
					drainstream(nsize);

				/*
				 * make an ioctl to reinsert remaining data at
				 * streamhead. After this, ioctl reenables the
				 * telnet lower put queue. This queue was
				 * noenabled by telnet module after sending
				 * protocol/urgent data to telnetd.
				 */

				telnetmod.ic_cmd = TEL_IOC_ENABLE;
				telnetmod.ic_timout = -1;
				if (ncc || nsize) {
					telnetmod.ic_len = ncc + nsize;
					telnetmod.ic_dp = netip;
				} else {
					telnetmod.ic_len = 0;
					telnetmod.ic_dp = NULL;
				}
				if (ioctl(net, I_STR, &telnetmod) < 0)
					fatal(net, "ioctl TEL_IOC_ENABLE \
						failed\n");

				telmod_init_done = B_TRUE;

				netip = netibuf;
				(void) memset(netibuf, 0, netibufsize);

				ncc = 0;
			}
		} else {
			/*
			 * state not changed to TS_DATA and hence, more to read
			 * send ioctl to get one more message block.
			 */
			telnetmod.ic_cmd = TEL_IOC_GETBLK;
			telnetmod.ic_timout = -1;
			telnetmod.ic_len = 0;
			telnetmod.ic_dp = NULL;

			if (ioctl(net, I_STR, &telnetmod) < 0)
				fatal(net, "ioctl TEL_IOC_GETBLK failed\n");
		}

		if ((c = select(max(net, manager) + 1, &ibits, &obits, &xbits,
		    (struct timeval *)0)) < 1) {
			if (c == -1) {
				if (errno == EINTR) {
					continue;
				}
			}
			(void) sleep(5);
			continue;
		}

		/*
		 * Any urgent data?
		 */
		if (FD_ISSET(net, &xbits)) {
			SYNCHing = 1;
		}

		/*
		 * Something to read from the network...
		 */
		if (FD_ISSET(net, &ibits)) {
		    ncc = read(net, netibuf, netibufsize);
		    if (ncc < 0 && errno == EWOULDBLOCK)
			ncc = 0;
		    else {
			if (ncc <= 0) {
			    break;
			}
			netip = netibuf;
		    }
		}

		if (FD_ISSET(net, &obits) && (nfrontp - nbackp) > 0)
			netflush();
		if (ncc > 0)
			telrcv();
		if (FD_ISSET(manager, &obits) && (pfrontp - pbackp) > 0)
			ptyflush();
	}
	cleanup(0);
}

static void
telrcv(void)
{
	int c;

	while (ncc > 0) {
		if ((&ptyobuf[BUFSIZ] - pfrontp) < 2)
			return;
		c = *netip & 0377;
		/*
		 * Once we hit data, we want to transition back to
		 * in-kernel processing.  However, this code is shared
		 * by getterminaltype()/ttloop() which run before the
		 * in-kernel plumbing is available.  So if we are still
		 * processing the initial option negotiation, even TS_DATA
		 * must be processed here.
		 */
		if (c != IAC && state == TS_DATA && init_neg_done) {
			break;
		}
		netip++;
		ncc--;
		switch (state) {

		case TS_CR:
			state = TS_DATA;
			/* Strip off \n or \0 after a \r */
			if ((c == 0) || (c == '\n')) {
				break;
			}
			/* FALLTHRU */

		case TS_DATA:
			if (c == IAC) {
				state = TS_IAC;
				break;
			}
			if (inter > 0)
				break;
			/*
			 * We map \r\n ==> \r, since
			 * We now map \r\n ==> \r for pragmatic reasons.
			 * Many client implementations send \r\n when
			 * the user hits the CarriageReturn key.
			 *
			 * We USED to map \r\n ==> \n, since \r\n says
			 * that we want to be in column 1 of the next
			 * line.
			 */
			if (c == '\r' && (myopts[TELOPT_BINARY] == OPT_NO)) {
				state = TS_CR;
			}
			*pfrontp++ = c;
			break;

		case TS_IAC:
			switch (c) {

			/*
			 * Send the process on the pty side an
			 * interrupt.  Do this with a NULL or
			 * interrupt char; depending on the tty mode.
			 */
			case IP:
				interrupt();
				break;

			case BREAK:
				sendbrk();
				break;

			/*
			 * Are You There?
			 */
			case AYT:
				write_data_len("\r\n[Yes]\r\n", 9);
				break;

			/*
			 * Abort Output
			 */
			case AO: {
					struct ltchars tmpltc;

					ptyflush();	/* half-hearted */
					if (ioctl(pty, TIOCGLTC, &tmpltc) == -1)
						syslog(LOG_INFO,
						    "ioctl TIOCGLTC: %m\n");
					if (tmpltc.t_flushc != '\377') {
						*pfrontp++ = tmpltc.t_flushc;
					}
					netclear();	/* clear buffer back */
					write_data("%c%c", (uchar_t)IAC,
						(uchar_t)DM);

					neturg = nfrontp-1; /* off by one XXX */
					netflush();
					netflush(); /* XXX.sparker */
					break;
				}

			/*
			 * Erase Character and
			 * Erase Line
			 */
			case EC:
			case EL: {
					struct sgttyb b;
					char ch;

					ptyflush();	/* half-hearted */
					if (ioctl(pty, TIOCGETP, &b) == -1)
						syslog(LOG_INFO,
						    "ioctl TIOCGETP: %m\n");
					ch = (c == EC) ?
						b.sg_erase : b.sg_kill;
					if (ch != '\377') {
						*pfrontp++ = ch;
					}
					break;
				}

			/*
			 * Check for urgent data...
			 */
			case DM:
				break;

			/*
			 * Begin option subnegotiation...
			 */
			case SB:
				state = TS_SB;
				SB_CLEAR();
				continue;

			case WILL:
				state = TS_WILL;
				continue;

			case WONT:
				state = TS_WONT;
				continue;

			case DO:
				state = TS_DO;
				continue;

			case DONT:
				state = TS_DONT;
				continue;

			case IAC:
				*pfrontp++ = c;
				break;
			}
			state = TS_DATA;
			break;
		case TS_SB:
			if (c == IAC) {
				state = TS_SE;
			} else {
				SB_ACCUM(c);
			}
			break;
		case TS_SE:
			if (c != SE) {
				if (c != IAC) {
					SB_ACCUM((uchar_t)IAC);
				}
				SB_ACCUM(c);
				state = TS_SB;

			} else {
				SB_TERM();
				suboption();	/* handle sub-option */
				state = TS_DATA;
			}
			break;

		case TS_WILL:
			if (remopts[c] != OPT_YES)
				willoption(c);
			state = TS_DATA;
			continue;

		case TS_WONT:
			if (remopts[c] != OPT_NO)
				wontoption(c);
			state = TS_DATA;
			continue;

		case TS_DO:
			if (myopts[c] != OPT_YES)
				dooption(c);
			state = TS_DATA;
			continue;

		case TS_DONT:
			if (myopts[c] != OPT_NO) {
				dontoption(c);
			}
			state = TS_DATA;
			continue;

		default:
			syslog(LOG_ERR, "telnetd: panic state=%d\n", state);
			(void) printf("telnetd: panic state=%d\n", state);
			exit(EXIT_FAILURE);
		}
	}
}

static void
willoption(int option)
{
	uchar_t *fmt;
	boolean_t send_reply = B_TRUE;

	switch (option) {
	case TELOPT_BINARY:
		mode(O_RAW, 0);
		fmt = doopt;
		break;

	case TELOPT_ECHO:
		not42 = 0;		/* looks like a 4.2 system */
		/*
		 * Now, in a 4.2 system, to break them out of ECHOing
		 * (to the terminal) mode, we need to send a "WILL ECHO".
		 * Kludge upon kludge!
		 */
		if (myopts[TELOPT_ECHO] == OPT_YES) {
			dooption(TELOPT_ECHO);
		}
		fmt = dont;
		break;
	case TELOPT_TTYPE:
		settimer(ttypeopt);
		goto common;

	case TELOPT_NAWS:
		settimer(nawsopt);
		goto common;

	case TELOPT_XDISPLOC:
		settimer(xdisplocopt);
		goto common;

	case TELOPT_NEW_ENVIRON:
		settimer(environopt);
		goto common;

	case TELOPT_AUTHENTICATION:
		settimer(authopt);
		if (remopts[option] == OPT_NO ||
		    negotiate_auth_krb5 == 0)
			fmt = dont;
		else
			fmt = doopt;
		break;

	case TELOPT_OLD_ENVIRON:
		settimer(oenvironopt);
		goto common;
common:
		if (remopts[option] == OPT_YES_BUT_ALWAYS_LOOK) {
			remopts[option] = OPT_YES;
			return;
		}
		/*FALLTHRU*/
	case TELOPT_SGA:
		fmt = doopt;
		break;

	case TELOPT_TM:
		fmt = dont;
		break;

	case TELOPT_ENCRYPT:
		settimer(encropt); /* got response to do/dont */
		if (enc_debug)
			(void) fprintf(stderr,
				    "RCVD IAC WILL TELOPT_ENCRYPT\n");
		if (krb5_privacy_allowed()) {
			fmt = doopt;
			if (sent_do_encrypt)
				send_reply = B_FALSE;
			else
				sent_do_encrypt = B_TRUE;
		} else {
			fmt = dont;
		}
		break;

	default:
		fmt = dont;
		break;
	}
	if (fmt == doopt) {
		remopts[option] = OPT_YES;
	} else {
		remopts[option] = OPT_NO;
	}
	if (send_reply) {
		write_data((const char *)fmt, option);
		netflush();
	}
}

static void
wontoption(int option)
{
	uchar_t *fmt;
	int send_reply = 1;

	switch (option) {
	case TELOPT_ECHO:
		not42 = 1;		/* doesn't seem to be a 4.2 system */
		break;

	case TELOPT_BINARY:
		mode(0, O_RAW);
		break;

	case TELOPT_TTYPE:
		settimer(ttypeopt);
		break;

	case TELOPT_NAWS:
		settimer(nawsopt);
		break;

	case TELOPT_XDISPLOC:
		settimer(xdisplocopt);
		break;

	case TELOPT_NEW_ENVIRON:
		settimer(environopt);
		break;

	case TELOPT_OLD_ENVIRON:
		settimer(oenvironopt);
		break;

	case TELOPT_AUTHENTICATION:
		settimer(authopt);
		auth_finished(0, AUTH_REJECT);
		if (auth_debug)
			(void) fprintf(stderr,
				    "RCVD WONT TELOPT_AUTHENTICATE\n");

		remopts[option] = OPT_NO;
		send_reply = 0;
		break;

	case TELOPT_ENCRYPT:
		if (enc_debug)
			(void) fprintf(stderr,
				    "RCVD IAC WONT TELOPT_ENCRYPT\n");
		settimer(encropt); /* got response to will/wont */
		/*
		 * Remote side cannot send encryption. No reply necessary
		 * Treat this as if "IAC SB ENCRYPT END IAC SE" were
		 * received (RFC 2946) and disable crypto.
		 */
		encrypt_end(TELNET_DIR_DECRYPT);
		send_reply = 0;
		break;
	}

	fmt = dont;
	remopts[option] = OPT_NO;
	if (send_reply) {
		write_data((const char *)fmt, option);
	}
}

/*
 * We received an "IAC DO ..." message from the client, change our state
 * to OPT_YES.
 */
static void
dooption(int option)
{
	uchar_t *fmt;
	boolean_t send_reply = B_TRUE;

	switch (option) {

	case TELOPT_TM:
		fmt = wont;
		break;

	case TELOPT_ECHO:
		mode(O_ECHO|O_CRMOD, 0);
		fmt = will;
		break;

	case TELOPT_BINARY:
		mode(O_RAW, 0);
		fmt = will;
		break;

	case TELOPT_SGA:
		fmt = will;
		break;

	case TELOPT_LOGOUT:
		/*
		 * Options don't get much easier.  Acknowledge the option,
		 * and then clean up and exit.
		 */
		write_data((const char *)will, option);
		netflush();
		cleanup(0);
		/*NOTREACHED*/

	case TELOPT_ENCRYPT:
		if (enc_debug)
			(void) fprintf(stderr, "RCVD DO TELOPT_ENCRYPT\n");
		settimer(encropt);
		/*
		 * We received a "DO".  This indicates that the other side
		 * wants us to encrypt our data (pending negotiatoin).
		 * reply with "IAC WILL ENCRYPT" if we are able to send
		 * encrypted data.
		 */
		if (krb5_privacy_allowed() && negotiate_encrypt) {
			fmt = will;
			if (sent_will_encrypt)
				send_reply = B_FALSE;
			else
				sent_will_encrypt = B_TRUE;
			/* return if we already sent "WILL ENCRYPT" */
			if (myopts[option] == OPT_YES)
				return;
		} else {
			fmt = wont;
		}
		break;

	case TELOPT_AUTHENTICATION:
		if (auth_debug) {
			(void) fprintf(stderr,
				    "RCVD DO TELOPT_AUTHENTICATION\n");
		}
		/*
		 * RFC 2941 - only the server can send
		 * "DO TELOPT_AUTHENTICATION".
		 * if a server receives this, it must respond with WONT...
		 */
		fmt = wont;
		break;

	default:
		fmt = wont;
		break;
	}
	if (fmt == will) {
		myopts[option] = OPT_YES;
	} else {
		myopts[option] = OPT_NO;
	}
	if (send_reply) {
		write_data((const char *)fmt, option);
		netflush();
	}
}

/*
 * We received an "IAC DONT ..." message from client.
 * Client does not agree with the option so act accordingly.
 */
static void
dontoption(int option)
{
	int send_reply = 1;
	switch (option) {
	case TELOPT_ECHO:
		/*
		 * we should stop echoing, since the client side will be doing
		 * it, but keep mapping CR since CR-LF will be mapped to it.
		 */
		mode(0, O_ECHO);
		break;

	case TELOPT_ENCRYPT:
		if (enc_debug)
			(void) fprintf(stderr, "RCVD IAC DONT ENCRYPT\n");
		settimer(encropt);
		/*
		 * Remote side cannot receive any encrypted data,
		 * so dont send any.  No reply necessary.
		 */
		send_reply = 0;
		break;

	default:
		break;
	}

	myopts[option] = OPT_NO;

	if (send_reply) {
		write_data((const char *)wont, option);
	}
}

/*
 * suboption()
 *
 *	Look at the sub-option buffer, and try to be helpful to the other
 * side.
 *
 */
static void
suboption(void)
{
	int subchar;

	switch (subchar = SB_GET()) {
	case TELOPT_TTYPE: {		/* Yaaaay! */
		static char terminalname[5+41] = "TERM=";

		settimer(ttypesubopt);

		if (SB_GET() != TELQUAL_IS) {
			return;	/* ??? XXX but, this is the most robust */
		}

		terminaltype = terminalname+strlen(terminalname);

		while (terminaltype < (terminalname + sizeof (terminalname) -
		    1) && !SB_EOF()) {
			int c;

			c = SB_GET();
			if (isupper(c)) {
				c = tolower(c);
			}
			*terminaltype++ = c;    /* accumulate name */
		}
		*terminaltype = 0;
		terminaltype = terminalname;
		break;
	}

	case TELOPT_NAWS: {
		struct winsize ws;

		if (SB_EOF()) {
			return;
		}
		ws.ws_col = SB_GET() << 8;
		if (SB_EOF()) {
			return;
		}
		ws.ws_col |= SB_GET();
		if (SB_EOF()) {
			return;
		}
		ws.ws_row = SB_GET() << 8;
		if (SB_EOF()) {
			return;
		}
		ws.ws_row |= SB_GET();
		ws.ws_xpixel = 0; ws.ws_ypixel = 0;
		(void) ioctl(pty, TIOCSWINSZ, &ws);
		settimer(nawsopt);
		break;
	}

	case TELOPT_XDISPLOC: {
		if (SB_EOF() || SB_GET() != TELQUAL_IS) {
			return;
		}
		settimer(xdisplocsubopt);
		subpointer[SB_LEN()] = '\0';
		if ((new_env("DISPLAY", subpointer)) == 1)
			perror("malloc");
		break;
	}

	case TELOPT_NEW_ENVIRON:
	case TELOPT_OLD_ENVIRON: {
		int c;
		char *cp, *varp, *valp;

		if (SB_EOF())
			return;
		c = SB_GET();
		if (c == TELQUAL_IS) {
			if (subchar == TELOPT_OLD_ENVIRON)
				settimer(oenvironsubopt);
			else
				settimer(environsubopt);
		} else if (c != TELQUAL_INFO) {
			return;
		}

		if (subchar == TELOPT_NEW_ENVIRON) {
		    while (!SB_EOF()) {
			c = SB_GET();
			if ((c == NEW_ENV_VAR) || (c == ENV_USERVAR))
				break;
		    }
		} else
		{
			while (!SB_EOF()) {
				c = SB_GET();
				if ((c == env_ovar) || (c == ENV_USERVAR))
					break;
			}
		}

		if (SB_EOF())
			return;

		cp = varp = (char *)subpointer;
		valp = 0;

		while (!SB_EOF()) {
			c = SB_GET();
			if (subchar == TELOPT_OLD_ENVIRON) {
				if (c == env_ovar)
					c = NEW_ENV_VAR;
				else if (c == env_ovalue)
					c = NEW_ENV_VALUE;
			}
			switch (c) {

			case NEW_ENV_VALUE:
				*cp = '\0';
				cp = valp = (char *)subpointer;
				break;

			case NEW_ENV_VAR:
			case ENV_USERVAR:
				*cp = '\0';
				if (valp) {
					if ((new_env(varp, valp)) == 1) {
						perror("malloc");
					}
				} else {
					(void) del_env(varp);
				}
				cp = varp = (char *)subpointer;
				valp = 0;
				break;

			case ENV_ESC:
				if (SB_EOF())
					break;
				c = SB_GET();
				/* FALL THROUGH */
			default:
				*cp++ = c;
				break;
			}
		}
		*cp = '\0';
		if (valp) {
			if ((new_env(varp, valp)) == 1) {
				perror("malloc");
			}
		} else {
			(void) del_env(varp);
		}
		break;
	}  /* end of case TELOPT_NEW_ENVIRON */

	case TELOPT_AUTHENTICATION:
		if (SB_EOF())
			break;
		switch (SB_GET()) {
		case TELQUAL_SEND:
		case TELQUAL_REPLY:
			/*
			 * These are sent server only and cannot be sent by the
			 * client.
			 */
			break;
		case TELQUAL_IS:
			if (auth_debug)
				(void) fprintf(stderr,
					    "RCVD AUTHENTICATION IS "
					    "(%d bytes)\n",
					    SB_LEN());
			if (!auth_negotiated)
				auth_is((uchar_t *)subpointer, SB_LEN());
			break;
		case TELQUAL_NAME:
			if (auth_debug)
				(void) fprintf(stderr,
					    "RCVD AUTHENTICATION NAME "
					    "(%d bytes)\n",
					    SB_LEN());
			if (!auth_negotiated)
				auth_name((uchar_t *)subpointer, SB_LEN());
			break;
		}
		break;

	case TELOPT_ENCRYPT: {
		int c;
		if (SB_EOF())
			break;
		c = SB_GET();
#ifdef ENCRYPT_NAMES
		if (enc_debug)
			(void) fprintf(stderr, "RCVD ENCRYPT %s\n",
				    ENCRYPT_NAME(c));
#endif /* ENCRYPT_NAMES */
		switch (c) {
		case ENCRYPT_SUPPORT:
			encrypt_support(subpointer, SB_LEN());
			break;
		case ENCRYPT_IS:
			encrypt_is((uchar_t *)subpointer, SB_LEN());
			break;
		case ENCRYPT_REPLY:
			(void) encrypt_reply(subpointer, SB_LEN());
			break;
		case ENCRYPT_START:
			encrypt_start();
			break;
		case ENCRYPT_END:
			encrypt_end(TELNET_DIR_DECRYPT);
			break;
		case ENCRYPT_REQSTART:
			encrypt_request_start();
			break;
		case ENCRYPT_REQEND:
			/*
			 * We can always send an REQEND so that we cannot
			 * get stuck encrypting.  We should only get this
			 * if we have been able to get in the correct mode
			 * anyhow.
			 */
			encrypt_request_end();
			break;
		case ENCRYPT_ENC_KEYID:
			encrypt_enc_keyid(subpointer, SB_LEN());
			break;
		case ENCRYPT_DEC_KEYID:
			encrypt_dec_keyid(subpointer, SB_LEN());
			break;
		default:
			break;
		}
	}
	break;

	default:
		break;
	}
}

static void
mode(int on, int off)
{
	struct termios  tios;

	ptyflush();
	if (tcgetattr(pty, &tios) < 0)
		syslog(LOG_INFO, "tcgetattr: %m\n");

	if (on & O_RAW) {
		tios.c_cflag |= CS8;
		tios.c_iflag &= ~IUCLC;
		tios.c_lflag &= ~(XCASE|IEXTEN);
	}
	if (off & O_RAW) {
		if ((tios.c_cflag & PARENB) != 0)
			tios.c_cflag &= ~CS8;
		tios.c_lflag |= IEXTEN;
	}

	if (on & O_ECHO)
		tios.c_lflag |= ECHO;
	if (off & O_ECHO)
		tios.c_lflag &= ~ECHO;

	if (on & O_CRMOD) {
		tios.c_iflag |= ICRNL;
		tios.c_oflag |= ONLCR;
	}
	/*
	 * Because "O_CRMOD" will never be set in "off" we don't have to
	 * handle this case here.
	 */

	if (tcsetattr(pty, TCSANOW, &tios) < 0)
		syslog(LOG_INFO, "tcsetattr: %m\n");
}

/*
 * Send interrupt to process on other side of pty.
 * If it is in raw mode, just write NULL;
 * otherwise, write intr char.
 */
static void
interrupt(void)
{
	struct sgttyb b;
	struct tchars tchars;

	ptyflush();	/* half-hearted */
	if (ioctl(pty, TIOCGETP, &b) == -1)
		syslog(LOG_INFO, "ioctl TIOCGETP: %m\n");
	if (b.sg_flags & O_RAW) {
		*pfrontp++ = '\0';
		return;
	}
	*pfrontp++ = ioctl(pty, TIOCGETC, &tchars) < 0 ?
		'\177' : tchars.t_intrc;
}

/*
 * Send quit to process on other side of pty.
 * If it is in raw mode, just write NULL;
 * otherwise, write quit char.
 */
static void
sendbrk(void)
{
	struct sgttyb b;
	struct tchars tchars;

	ptyflush();	/* half-hearted */
	(void) ioctl(pty, TIOCGETP, &b);
	if (b.sg_flags & O_RAW) {
		*pfrontp++ = '\0';
		return;
	}
	*pfrontp++ = ioctl(pty, TIOCGETC, &tchars) < 0 ?
		'\034' : tchars.t_quitc;
}

static void
ptyflush(void)
{
	int n;

	if ((n = pfrontp - pbackp) > 0)
		n = write(manager, pbackp, n);
	if (n < 0)
		return;
	pbackp += n;
	if (pbackp == pfrontp)
		pbackp = pfrontp = ptyobuf;
}

/*
 * nextitem()
 *
 *	Return the address of the next "item" in the TELNET data
 * stream.  This will be the address of the next character if
 * the current address is a user data character, or it will
 * be the address of the character following the TELNET command
 * if the current address is a TELNET IAC ("I Am a Command")
 * character.
 */

static char *
nextitem(char *current)
{
	if ((*current&0xff) != IAC) {
		return (current+1);
	}
	switch (*(current+1)&0xff) {
	case DO:
	case DONT:
	case WILL:
	case WONT:
		return (current+3);
	case SB:		/* loop forever looking for the SE */
	{
		char *look = current+2;

		for (;;) {
			if ((*look++&0xff) == IAC) {
				if ((*look++&0xff) == SE) {
					return (look);
				}
			}
		}
	}
	default:
		return (current+2);
	}
}


/*
 * netclear()
 *
 *	We are about to do a TELNET SYNCH operation.  Clear
 * the path to the network.
 *
 *	Things are a bit tricky since we may have sent the first
 * byte or so of a previous TELNET command into the network.
 * So, we have to scan the network buffer from the beginning
 * until we are up to where we want to be.
 *
 *	A side effect of what we do, just to keep things
 * simple, is to clear the urgent data pointer.  The principal
 * caller should be setting the urgent data pointer AFTER calling
 * us in any case.
 */
static void
netclear(void)
{
	char *thisitem, *next;
	char *good;
#define	wewant(p)	((nfrontp > p) && ((*p&0xff) == IAC) && \
				((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))

	thisitem = netobuf;

	while ((next = nextitem(thisitem)) <= nbackp) {
		thisitem = next;
	}

	/* Now, thisitem is first before/at boundary. */

	good = netobuf;	/* where the good bytes go */

	while (nfrontp > thisitem) {
		if (wewant(thisitem)) {
			int length;

			next = thisitem;
			do {
				next = nextitem(next);
			} while (wewant(next) && (nfrontp > next));
			length = next-thisitem;
			(void) memmove(good, thisitem, length);
			good += length;
			thisitem = next;
		} else {
			thisitem = nextitem(thisitem);
		}
	}

	nbackp = netobuf;
	nfrontp = good;		/* next byte to be sent */
	neturg = 0;
}


/*
 *  netflush
 *		Send as much data as possible to the network,
 *	handling requests for urgent data.
 */
static void
netflush(void)
{
	int n;

	if ((n = nfrontp - nbackp) > 0) {
		/*
		 * if no urgent data, or if the other side appears to be an
		 * old 4.2 client (and thus unable to survive TCP urgent data),
		 * write the entire buffer in non-OOB mode.
		 */
		if ((neturg == 0) || (not42 == 0)) {
			n = write(net, nbackp, n);	/* normal write */
		} else {
			n = neturg - nbackp;
			/*
			 * In 4.2 (and 4.3) systems, there is some question
			 * about what byte in a sendOOB operation is the "OOB"
			 * data.  To make ourselves compatible, we only send ONE
			 * byte out of band, the one WE THINK should be OOB
			 * (though we really have more the TCP philosophy of
			 * urgent data rather than the Unix philosophy of OOB
			 * data).
			 */
			if (n > 1) {
				/* send URGENT all by itself */
				n = write(net, nbackp, n-1);
			} else {
				/* URGENT data */
				n = send_oob(net, nbackp, n);
			}
		}
	}
	if (n < 0) {
		if (errno == EWOULDBLOCK)
			return;
		/* should blow this guy away... */
		return;
	}

	nbackp += n;

	if (nbackp >= neturg) {
		neturg = 0;
	}
	if (nbackp == nfrontp) {
		nbackp = nfrontp = netobuf;
	}
}

/* ARGSUSED */
static void
cleanup(int signum)
{
	/*
	 * If the TEL_IOC_ENABLE ioctl hasn't completed, then we need to
	 * handle closing differently.  We close "net" first and then
	 * "manager" in that order.  We do close(net) first because
	 * we have no other way to disconnect forwarding between the network
	 * and manager.  So by issuing the close()'s we ensure that no further
	 * data rises from TCP.  A more complex fix would be adding proper
	 * support for throwing a "stop" switch for forwarding data between
	 * logindmux peers.  It's possible to block in the close of the tty
	 * while the network still receives data and the telmod module is
	 * TEL_STOPPED.  A denial-of-service attack generates this case,
	 * see 4102102.
	 */

	if (!telmod_init_done) {
		(void) close(net);
		(void) close(manager);
	}
	rmut();

	exit(EXIT_FAILURE);
}

static void
rmut(void)
{
	pam_handle_t    *pamh;
	struct utmpx *up;
	char user[sizeof (up->ut_user) + 1];
	char ttyn[sizeof (up->ut_line) + 1];
	char rhost[sizeof (up->ut_host) + 1];

	/* while cleaning up don't allow disruption */
	(void) signal(SIGCHLD, SIG_IGN);

	setutxent();
	while (up = getutxent()) {
		if (up->ut_pid == pid) {
			if (up->ut_type == DEAD_PROCESS) {
				/*
				 * Cleaned up elsewhere.
				 */
				break;
			}

			/*
			 * call pam_close_session if login changed
			 * the utmpx user entry from type LOGIN_PROCESS
			 * to type USER_PROCESS, which happens
			 * after pam_open_session is called.
			 */
			if (up->ut_type == USER_PROCESS) {
				(void) strlcpy(user, up->ut_user,
					    sizeof (user));
				(void) strlcpy(ttyn, up->ut_line,
					    sizeof (ttyn));
				(void) strlcpy(rhost, up->ut_host,
					    sizeof (rhost));
				if ((pam_start("telnet", user, NULL, &pamh)) ==
				    PAM_SUCCESS) {
					(void) pam_set_item(pamh, PAM_TTY,
							    ttyn);
					(void) pam_set_item(pamh, PAM_RHOST,
							    rhost);
					(void) pam_close_session(pamh, 0);
					(void) pam_end(pamh, PAM_SUCCESS);
				}
			}

			up->ut_type = DEAD_PROCESS;
			up->ut_exit.e_termination = WTERMSIG(0);
			up->ut_exit.e_exit = WEXITSTATUS(0);
			(void) time(&up->ut_tv.tv_sec);

			if (modutx(up) == NULL) {
				/*
				 * Since modutx failed we'll
				 * write out the new entry
				 * ourselves.
				 */
				(void) pututxline(up);
				updwtmpx("wtmpx", up);
			}
			break;
		}
	}

	endutxent();

	(void) signal(SIGCHLD, (void (*)())cleanup);
}

static int
readstream(int fd, char *buf, int offset)
{
	struct strbuf ctlbuf, datbuf;
	union T_primitives tpi;
	int	ret = 0;
	int	flags = 0;
	int	bytes_avail, count;

	(void) memset((char *)&ctlbuf, 0, sizeof (ctlbuf));
	(void) memset((char *)&datbuf, 0, sizeof (datbuf));

	ctlbuf.buf = (char *)&tpi;
	ctlbuf.maxlen = sizeof (tpi);

	if (ioctl(fd, I_NREAD, &bytes_avail) < 0) {
		syslog(LOG_ERR, "I_NREAD returned error %m");
		return (-1);
	}
	if (bytes_avail > netibufsize - offset) {
		count = netip - netibuf;
		netibuf = (char *)realloc(netibuf,
		    (unsigned)netibufsize + bytes_avail);
		if (netibuf == NULL) {
			fatal(net, "netibuf realloc failed\n");
		}
		netibufsize += bytes_avail;
		netip = netibuf + count;
		buf = netibuf;
	}
	datbuf.buf = buf + offset;
	datbuf.maxlen = netibufsize;
	ret = getmsg(fd, &ctlbuf, &datbuf, &flags);
	if (ret < 0) {
		syslog(LOG_ERR, "getmsg returned -1, errno %d\n",
			errno);
		return (-1);
	}
	if (ctlbuf.len <= 0) {
		return (datbuf.len);
	}

	if (tpi.type == T_DATA_REQ) {
		return (0);
	}

	if ((tpi.type == T_ORDREL_IND) || (tpi.type == T_DISCON_IND))
		cleanup(0);
	fatal(fd, "no data or protocol element recognized");
	return (0);
}

static void
drainstream(int size)
{
	int	nbytes;
	int	tsize;

	tsize = netip - netibuf;

	if ((tsize + ncc + size) > netibufsize) {
		if (!(netibuf = (char *)realloc(netibuf,
		    (unsigned)tsize + ncc + size)))
			fatalperror(net, "netibuf realloc failed\n", errno);
		netibufsize = tsize + ncc + size;

		netip = netibuf + tsize;
	}

	if ((nbytes = read(net, (char *)netip + ncc, size)) != size)
		syslog(LOG_ERR, "read %d bytes\n", nbytes);
}

/*
 * TPI style replacement for socket send() primitive, so we don't require
 * sockmod to be on the stream.
 */
static int
send_oob(int fd, char *ptr, int count)
{
	struct T_exdata_req exd_req;
	struct strbuf hdr, dat;
	int ret;

	exd_req.PRIM_type = T_EXDATA_REQ;
	exd_req.MORE_flag = 0;

	hdr.buf = (char *)&exd_req;
	hdr.len = sizeof (exd_req);

	dat.buf = ptr;
	dat.len = count;

	ret = putmsg(fd, &hdr, &dat, 0);
	if (ret == 0) {
		ret = count;
	}
	return (ret);
}


/*
 * local_setenv --
 *	Set the value of the environmental variable "name" to be
 *	"value".  If rewrite is set, replace any current value.
 */
static int
local_setenv(const char *name, const char *value, int rewrite)
{
	static int alloced;			/* if allocated space before */
	char *c;
	int l_value, offset;

	/*
	 * Do not allow environment variables which begin with LD_ to be
	 * inserted into the environment.  While normally the dynamic linker
	 * protects the login program, that is based on the assumption hostile
	 * invocation of login are from non-root users.  However, since telnetd
	 * runs as root, this cannot be utilized.  So instead we simply
	 * prevent LD_* from being inserted into the environment.
	 * This also applies to other environment variables that
	 * are to be ignored in setugid apps.
	 * Note that at this point name can contain '='!
	 * Also, do not allow TTYPROMPT to be passed along here.
	 */
	if (strncmp(name, "LD_", 3) == 0 ||
	    strncmp(name, "NLSPATH", 7) == 0 ||
	    (strncmp(name, "TTYPROMPT", 9) == 0 &&
		(name[9] == '\0' || name[9] == '='))) {
		return (-1);
	}
	if (*value == '=')			/* no `=' in value */
		++value;
	l_value = strlen(value);
	if ((c = __findenv(name, &offset))) {	/* find if already exists */
		if (!rewrite)
			return (0);
		if ((int)strlen(c) >= l_value) { /* old larger; copy over */
			while (*c++ = *value++)
				;
			return (0);
		}
	} else {					/* create new slot */
		int cnt;
		char **p;

		for (p = environ, cnt = 0; *p; ++p, ++cnt)
			;
		if (alloced) {			/* just increase size */
			environ = (char **)realloc((char *)environ,
			    (size_t)(sizeof (char *) * (cnt + 2)));
			if (!environ)
				return (-1);
		} else {				/* get new space */
			alloced = 1;		/* copy old entries into it */
			p = (char **)malloc((size_t)(sizeof (char *)*
			    (cnt + 2)));
			if (!p)
				return (-1);
			(void) memcpy(p, environ, cnt * sizeof (char *));
			environ = p;
		}
		environ[cnt + 1] = NULL;
		offset = cnt;
	}
	for (c = (char *)name; *c && *c != '='; ++c)	/* no `=' in name */
		;
	if (!(environ[offset] =			/* name + `=' + value */
	    malloc((size_t)((int)(c - name) + l_value + 2))))
		return (-1);
	for (c = environ[offset]; ((*c = *name++) != 0) && (*c != '='); ++c)
		;
	for (*c++ = '='; *c++ = *value++; )
		;
	return (0);
}

/*
 * local_unsetenv(name) --
 *	Delete environmental variable "name".
 */
static void
local_unsetenv(const char *name)
{
	char **p;
	int offset;

	while (__findenv(name, &offset))	/* if set multiple times */
		for (p = &environ[offset]; ; ++p)
			if ((*p = *(p + 1)) == 0)
				break;
}

/*
 * __findenv --
 *	Returns pointer to value associated with name, if any, else NULL.
 *	Sets offset to be the offset of the name/value combination in the
 *	environmental array, for use by local_setenv() and local_unsetenv().
 *	Explicitly removes '=' in argument name.
 */
static char *
__findenv(const char *name, int *offset)
{
	extern char **environ;
	int len;
	const char *np;
	char **p, *c;

	if (name == NULL || environ == NULL)
		return (NULL);
	for (np = name; *np && *np != '='; ++np)
		continue;
	len = np - name;
	for (p = environ; (c = *p) != NULL; ++p)
		if (strncmp(c, name, len) == 0 && c[len] == '=') {
			*offset = p - environ;
			return (c + len + 1);
		}
	return (NULL);
}

static void
showbanner(void)
{
	char	*cp;
	char	evalbuf[BUFSIZ];

	if (defopen(defaultfile) == 0) {
		int	flags;

		/* ignore case */
		flags = defcntl(DC_GETFLAGS, 0);
		TURNOFF(flags, DC_CASE);
		(void) defcntl(DC_SETFLAGS, flags);
		if (cp = defread(bannervar)) {
			FILE	*fp;

			if (strlen(cp) + strlen("eval echo '") + strlen("'\n")
			    + 1 < sizeof (evalbuf)) {
				(void) strlcpy(evalbuf, "eval echo '",
					sizeof (evalbuf));
				(void) strlcat(evalbuf, cp, sizeof (evalbuf));
				(void) strlcat(evalbuf, "'\n",
						sizeof (evalbuf));

				if (fp = popen(evalbuf, "r")) {
					char	buf[BUFSIZ];
					size_t	size;

					/*
					 * Pipe I/O atomicity guarantees we
					 * need only one read.
					 */
					if ((size = fread(buf, 1,
							sizeof (buf) - 1,
							fp)) != 0) {
						char	*p;
						buf[size] = '\0';
						p = strrchr(buf, '\n');
						if (p != NULL)
							*p = '\0';
						if (strlen(buf)) {
							map_banner(buf);
							netflush();
						}
					}
					(void) pclose(fp);
					/* close default file */
					(void) defopen(NULL);
					return;
				}
			}
		}
		(void) defopen(NULL);	/* close default file */
	}

	defbanner();
	netflush();
}

static void
map_banner(char *p)
{
	char	*q;

	/*
	 *	Map the banner:  "\n" -> "\r\n" and "\r" -> "\r\0"
	 */
	for (q = nfrontp; p && *p && q < nfrontp + sizeof (netobuf) - 1; )
		if (*p == '\n') {
			*q++ = '\r';
			*q++ = '\n';
			p++;
		} else if (*p == '\r') {
			*q++ = '\r';
			*q++ = '\0';
			p++;
		} else
			*q++ = *p++;

	nfrontp += q - netobuf;
}

/*
 * Show banner that getty never gave.  By default, this is `uname -sr`.
 *
 * The banner includes some null's (for TELNET CR disambiguation),
 * so we have to be somewhat complicated.
 */
static void
defbanner(void)
{
	struct utsname u;

	/*
	 * Dont show this if the '-h' option was present
	 */
	if (!show_hostinfo)
		return;

	if (uname(&u) == -1)
		return;

	write_data_len((const char *) BANNER1, sizeof (BANNER1) - 1);
	write_data_len(u.sysname, strlen(u.sysname));
	write_data_len(" ", 1);
	write_data_len(u.release, strlen(u.release));
	write_data_len((const char *)BANNER2, sizeof (BANNER2) - 1);
}

/*
 * Verify that the named module is at the top of the stream
 * and then pop it off.
 */
static int
removemod(int f, char *modname)
{
	char topmodname[BUFSIZ];

	if (ioctl(f, I_LOOK, topmodname) < 0)
		return (-1);
	if (strcmp(modname, topmodname) != 0) {
		errno = ENXIO;
		return (-1);
	}
	if (ioctl(f, I_POP, 0) < 0)
		return (-1);
	return (0);
}

static void
write_data(const char *format, ...)
{
	va_list args;
	int		len;
	char	argp[BUFSIZ];

	va_start(args, format);

	if ((len = vsnprintf(argp, sizeof (argp), format, args)) == -1)
		return;

	write_data_len(argp, len);
	va_end(args);
}

static void
write_data_len(const char *buf, int len)
{
	int remaining, copied;

	remaining = BUFSIZ - (nfrontp - netobuf);
	while (len > 0) {
		/*
		 * If there's not enough space in netobuf then
		 * try to make some.
		 */
	if ((len > BUFSIZ ? BUFSIZ : len) > remaining) {
			netflush();
			remaining = BUFSIZ - (nfrontp - netobuf);
		}
		/* Copy as much as we can */
		copied = remaining > len ? len : remaining;
		(void) memmove(nfrontp, buf, copied);
		nfrontp += copied;
		len -= copied;
		remaining -= copied;
		buf += copied;
	}
}