Subject: Re: telnet login problem revisited
To: None <current-users@NetBSD.org>
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
List: current-users
Date: 04/20/2005 11:26:09
>Can someone explain what "-a valid" does? I do not understand what
>telnetd(8) is trying to say.

I've only ever seen those options used when you're using Kerberos telnetd.
In that case, what they mean (and I agree, the man page sucks) is:

-a valid means "A Kerberos authentication exchange was successful
(AP_REQ/AP_REP exchange)".  However, you're not necessarily authorized
to access the requested account, so there are cases where you can have
-a valid for telnetd and still get a login prompt (if you requested
encryption, then encryption is turned on, but it's not required).

-a user means "Kerberos exchange was successful, and you're authorized
to access the requested account".  In other words, krb5_kuserok() returned
true.

--Ken