# Telnet Connections

## Overview

KeeperPAM enables zero-trust privileged session management for target infrastructure using the Telnet protocol. This guide explains how to set up Telnet connections on your PAM Machine Records in the Keeper Vault. Secure sessions are established from the Vault, through the Keeper Gateway, and directly to target devices.

## Prerequisites

Prior to following this guide, familiarize yourself with the prerequisites on the Connection's [Getting Started page](https://docs.keeper.io/en/keeperpam/privileged-access-manager/connections/getting-started).

The following PAM records are needed in order to successfully setup this protocol:

<table><thead><tr><th width="211">PAM Record</th><th>Definition</th></tr></thead><tbody><tr><td>PAM Configuration</td><td>The PAM Configuration contains information of your target infrastructure</td></tr><tr><td>PAM Machine Record</td><td>The PAM Machine record contains information of the endpoint you want to establish an Telnet protocol connection to.</td></tr><tr><td>PAM User Record</td><td>The PAM User record contains the user credentials that will be used to connect to the endpoint</td></tr></tbody></table>

This guide will use a **Linux Machine**. For more details on how this is setup on the PAM Machine Record, visit the following page:

{% content-ref url="../../getting-started/pam-resources/pam-machine/example-linux-machine" %}
[example-linux-machine](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-machine/example-linux-machine)
{% endcontent-ref %}

## PAM Settings - Configuring Telnet Protocol

### **Accessing Connection Settings**

After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:

1. Editing the PAM Record
2. Clicking on "Set Up" in the PAM Settings section
3. Navigate to the "Connection" section in the prompted window

### Configuring Connection Settings

Prior to configuring the Telnet protocol settings on the PAM Settings screen, the following fields are all **required** and need to be configured:

<table><thead><tr><th width="293">Field</th><th>Description</th></tr></thead><tbody><tr><td>PAM Configuration</td><td>This is the PAM Configuration that contains the details of your target infrastructure and provides access to the target configured on the PAM Record.</td></tr><tr><td>Administrative Credential Record</td><td>This is the linked <a href="https://docs.keeper.io/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-user">PAM User</a> that will be used to authenticate to the target and perform administrative operations on it.</td></tr></tbody></table>

The following table lists all the configurable connection settings for the Telnet protocol on the PAM Settings:

<table><thead><tr><th width="295">Field</th><th>Definition</th></tr></thead><tbody><tr><td>Protocol</td><td><p><strong>Required</strong></p><p>The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the Telnet protocol should be selected</p></td></tr><tr><td>Enable Connection</td><td><p><strong>Required</strong></p><p>To enable connection for this record, this toggle needs to be enabled</p></td></tr><tr><td>Graphical Session Recording</td><td>When enabled, graphical session recordings will be enabled for this record</td></tr><tr><td>Text Session Recording (Typescript)</td><td>When enabled, text session recordings (typescript) will be enabled for this record</td></tr><tr><td>Include Key Events</td><td>When enabled, the individual keystroke data will be included in the session playback. Note: This will include any secrets potentially typed by the user.</td></tr><tr><td>Connection Port</td><td>The port used to establish the selected protocol connection. By Default, this will be the port value defined on the PAM Machine record. The port specified here will override the default port.<br><br>For Telnet, the port is 23</td></tr><tr><td>Launch Credentials</td><td>When configured, these credentials will be used to authenticate the connection. More details <a href="#connection-authentication-methods">here</a></td></tr><tr><td>Allow users to select credentials from their vault</td><td>When enabled, allow users to use their own personal/private credentials to authenticate the connection. More details <a href="#connection-authentication-methods">here</a></td></tr><tr><td>Rotate launch credentials upon session termination</td><td>When enabled, the configured launch credentials will be automatically rotated when the session is closed</td></tr><tr><td>Username Regular Expression</td><td>The regular expression to use to detect the username prompt when the username cannot be provided. Any regular expression provided must be written in the standard POSIX ERE dialect (the dialect used by <code>egrep</code>).</td></tr><tr><td>Password Regular Expression</td><td>The regular expression to use to detect the password prompt. Any regular expression provided must be written in the standard POSIX ERE dialect (the dialect used by <code>egrep</code>).</td></tr><tr><td>Login Success Regular Expression</td><td>The regular expression to use when detecting that the login attempt has succeeded. If specified, the terminal display will not be shown to the user until text matching this regular expression has been received from the telnet server. Any regular expression provided must be written in the standard POSIX ERE dialect (the dialect used by <code>egrep</code>).</td></tr><tr><td>Login Failure Regular Expression</td><td>The regular expression to use when detecting that the login attempt has failed. If specified, the connection will be closed with an explicit login failure error if text matching this regular expression has been received from the telnet server. Any regular expression provided must be written in the standard POSIX ERE dialect (the dialect used by <code>egrep</code>).</td></tr><tr><td>Can copy to clipboard</td><td>If enabled, text copied within the connected protocol session will be accessible by the user</td></tr><tr><td>Can paste from clipboard</td><td>If enabled, user can paste text from clipboard within the connected protocol session</td></tr><tr><td>Color Scheme</td><td><p>The color scheme to use for the terminal emulator used by Telnet connections. Each color scheme dictates the default foreground and background color for the terminal. Programs which specify colors when printing text will override these defaults. Legal values are:</p><ul><li>"black on white" - Black text over a white background</li><li>"gray on black" - Gray text over a black background (the default)</li><li>"green on black" - Green text over a black background</li><li>"white on black" - White text over a black background</li><li>"Custom" - custom color scheme</li></ul><p>Default value is "white-black"</p></td></tr><tr><td>Maximum scrollback size</td><td>The maximum number of rows to allow within the terminal scrollback buffer. By default, the scrollback buffer will be limited to a maximum of 1000 rows.</td></tr><tr><td>Read-only</td><td>Whether this connection should be read-only. If set to "true", no input will be accepted on the connection at all. Users will be able to see the terminal (or the application running within the terminal) but will be unable to interact.</td></tr></tbody></table>

### Terminal behavior parameters <a href="#id-.sshv2.x-terminalbehaviorparameters" id="id-.sshv2.x-terminalbehaviorparameters"></a>

In most cases, the default behavior of the Keeper Connection Manager terminal emulator works without modification. However, when connecting to certain systems (particularly operating systems other than Linux), the terminal behavior may need to be tweaked to allow it to operate properly. Keeper's telnet support provides parameters for controlling the control code sent for backspace, as well as the terminal type claimed via the `TERM` environment variable.

| Field               | Description                                                                                                                                                                                                                                                                                                                                                                               |
| ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Backspace key sends | The integer value of the terminal control code that should be sent when backspace is pressed. Under most circumstances this should not need to be adjusted; however, if, when pressing the backspace key, you see control characters (often either ^? or ^H) instead of seeing the text erased, you may need to adjust this parameter. By default, the control code 127 (Delete) is sent. |
| Terminal type       | The terminal type string that should be passed to the SSH server. This value will typically be exposed within the SSH session as the TERM environment variable and will affect the control characters sent by applications. By default, the terminal type string "linux" is used.                                                                                                         |

## Connection Authentication Methods

Keeper Connections can be authenticated using one of the following methods:

* [**Launch Credential**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/authentication-methods#launch-credential)\
  The session to the target is authenticated using the "Launch Credentials" configured directly on the PAM Machine, PAM Database, or PAM Directory record types. The user does not need access to the credentials in order to launch the connection.
* [**Personal/Private Credential**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/authentication-methods#personal-private-credentials)\
  When "Allow users to select credentials from the vault" is enabled, users can choose to authenticate the session to the target using a personal/private credential stored securely in their own Keeper Vault.
* [**Ephemeral Accounts**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/authentication-methods#ephemeral-account)\
  When the ephemeral account feature is enabled on the PAM Machine or PAM database resources, a system-generated, time-limited privileged account is created specifically for the session. This account is deleted automatically after the session ends, eliminating standing privilege. This method is used for [Just-In-Time access](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/just-in-time-access-jit) with no persistent account on the target system.

## Session Recordings - Telnet Protocol

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F9sq5XKimBU882wtisft8%2FScreenshot%202025-01-21%20at%2012.38.15%E2%80%AFPM.png?alt=media&#x26;token=c796bae2-9fd8-4e7c-af80-af4f7bb4bebf" alt=""><figcaption><p>Telnet Session Recordings</p></figcaption></figure>

For this protocol, both graphical and the full, raw text text content of terminal sessions, including timing information, are recorded. For more information on recordings and how to access these recordings, visit this [page](https://docs.keeper.io/en/keeperpam/privileged-access-manager/session-recording-and-playback).

* Learn more about [Session Recording and Playback](https://docs.keeper.io/en/keeperpam/privileged-access-manager/session-recording-and-playback)

## Connection Templates

The PAM record type with your target system can also be configured as a Connection template. These templates serve as reusable record types for launching sessions to target systems without needing to predefine a specific hostname or credential. For more information, visit the following:

{% content-ref url="../connection-templates" %}
[connection-templates](https://docs.keeper.io/en/keeperpam/privileged-access-manager/connections/connection-templates)
{% endcontent-ref %}