System Administration Commands in.ftpd(1M)
NAME
in.ftpd, ftpd - File Transfer Protocol Server
SYNOPSIS
in.ftpd [-4] [-A] [-a] [-C] [-d] [-I] [-i] [-K] [-L] [-l]
[-o] [-P dataport] [-p ctrlport] [-Q] [-q]
[-r rootdir] [-S] [-s] [-T maxtimeout] [-t timeout]
[-u umask] [-V] [-v] [-W] [-w] [-X]
DESCRIPTION
in.ftpd is the Internet File Transfer Protocol (FTP) server
process. The server may be invoked by the Internet daemon
inetd(1M) each time a connection to the FTP service is made
or run as a standalone server. See services(4).
OPTIONS
in.ftpd supports the following options:
-4 When running in standalone mode, listen for
connections on an AFINET type socket. The
default is to listen on an AFINET6 type
socket.
-a Enables use of the ftpaccess(4) file.
-A Disables use of the ftpaccess(4) file. Use
of ftpaccess is disabled by default.
-C Non-anonymous users need local credentials
(for example, to authenticate to remote
fileservers). So they should be prompted
for a password unless they forwarded
credentials as part of authentication.
-d Writes debugging information to
syslogd(1M).
-i Logs the names of all files received by the
FTP Server to xferlog(4). You can override
the -i option through use of the ftpac-
cess(4) file.
-I Disables the use of AUTH and ident to
determine the username on the client. See
RFC 931. The FTP Server is built not to use
SunOS 5.11 Last change: 10 Nov 2005 1
System Administration Commands in.ftpd(1M)
AUTH and ident.
-K Connections are only allowed for users who
can authenticate through the ftp AUTH
mechanism. (Anonymous ftp may also be
allowed if it is configured.) ftpd will ask
the user for a password if one is required.
-l Logs each FTP session to syslogd(1M).
-L Logs all commands sent to in.ftpd to
syslogd(1M). When the -L option is used,
command logging will be on by default, once
the FTP Server is invoked. Because the FTP
Server includes USER commands in those
logged, if a user accidentally enters a
password instead of the username, the pass-
word will be logged. You can override the
-L option through use of the ftpaccess(4)
file.
-o Logs the names of all files transmitted by
the FTP Server to xferlog(4). You can over-
ride the -o option through use of the
ftpaccess(4) file.
-P dataport The FTP Server determines the port number
by looking in the services(4) file for an
entry for the ftp-data service. If there is
no entry, the daemon uses the port just
prior to the control connection port. Use
the -P option to specify the data port
number.
-p ctrlport When run in standalone mode, the FTP Server
determines the control port number by look-
ing in the services(4) file for an entry
for the ftp service. Use the -p option to
specify the control port number.
-Q Disables PID files. This disables user lim-
its. Large, busy sites that do not want to
impose limits on the number of concurrent
users can use this option to disable PID
files.
SunOS 5.11 Last change: 10 Nov 2005 2
System Administration Commands in.ftpd(1M)
-q Uses PID files. The limit directive uses
PID files to determine the number of
current users in each access class. By
default, PID files are used.
-r rootdir chroot(2) to rootdir upon loading. Use this
option to improve system security. It lim-
its the files that can be damaged should a
break in occur through the daemon. This
option is similar to anonymous FTP. Addi-
tional files are needed, which vary from
system to system.
-S Places the daemon in standalone operation
mode. The daemon runs in the background.
This is useful for startup scripts that run
during system initialization. See
init.d(4).
-s Places the daemon in standalone operation
mode. The daemon runs in the foreground.
This is useful when run from /etc/inittab
by init(1M).
-T maxtimeout Sets the maximum allowable timeout period
to maxtimeout seconds. The default maximum
timeout limit is 7200 second (two hours).
You can override the -T option through use
of the ftpaccess(4) file.
-t timeout Sets the inactivity timeout period to
timeout seconds. The default timeout period
is 900 seconds (15 minutes). You can over-
ride the -t option through use of the
ftpaccess(4) file.
-u umask Sets the default umask to umask.
-V Displays copyright and version information,
then terminate.
-v Writes debugging information to
syslogd(1M).
SunOS 5.11 Last change: 10 Nov 2005 3
System Administration Commands in.ftpd(1M)
-W Does not record user login and logout in
the wtmpx(4) file.
-w Records each user login and logout in the
wtmpx(4) file. By default, logins and
logouts are recorded.
-X Writes the output from the -i and -o
options to the syslogd(1M) file instead of
xferlog(4). This allows the collection of
output from several hosts on one central
loghost. You can override the -X option
through use of the ftpaccess(4) file.
Requests
The FTP Server currently supports the following FTP
requests. Case is not distinguished.
ABOR Abort previous command.
ADAT Send an authentication protocol message.
ALO Allocate storage (vacuously).
AUTH Specify an authentication protocol to be performed.
Currently only "GSAPI" is supported.
APE Append to a file.
C Set the command channel protection mode to "Clear"
(no protection). Not allowed if data channel is pro-
tected.
CDUP Change to parent of current working directory.
CWD Change working directory.
DELE Delete a file.
SunOS 5.11 Last change: 10 Nov 2005 4
System Administration Commands in.ftpd(1M)
ENC Send a privacy and integrity protected command
(given in argument).
EPRT Specify extended address for the transport connec-
tion.
EPSV Extended passive command request.
HELP Give help information.
LIST Give list files in a directory (ls -lA).
LPRT Specify long address for the transport connection.
LPSV Long passive command request.
MIC Send an integrity protected command (given in argu-
ment).
MKD Make a directory.
MDTM Show last time file modified.
MODE Specify data transfer mode.
NLST Give name list of files in directory (ls).
NOP Do nothing.
PAS Specify password.
PASV Prepare for server-to-server transfer.
PBSZ Specify a protection buffer size.
SunOS 5.11 Last change: 10 Nov 2005 5
System Administration Commands in.ftpd(1M)
PROT Specify a protection level under which to protect
data transfers. Allowed arguments:
clear No protection.
safe Integrity protection
private Integrity and encryption protection
PORT Specify data connection port.
PWD Print the current working directory.
QUIT Terminate session.
REST Restart incomplete transfer.
RETR Retrieve a file.
RMD Remove a directory.
RNFR Specify rename-from file name.
RNTO Specify rename-to file name.
SITE Use nonstandard commands.
SIZE Return size of file.
STAT Return status of server.
STOR Store a file.
STOU Store a file with a unique name.
SunOS 5.11 Last change: 10 Nov 2005 6
System Administration Commands in.ftpd(1M)
STRU Specify data transfer structure.
SYST Show operating system type of server system.
TYPE Specify data transfer type.
USER Specify user name.
XCUP Change to parent of current working directory. This
request is deprecated.
XCWD Change working directory. This request is depre-
cated.
XMKD Make a directory. This request is deprecated.
XPWD Print the current working directory. This request is
deprecated.
XRMD Remove a directory. This request is deprecated.
The following nonstandard or UNIX specific commands are sup-
ported by the SITE request:
ALIAS List aliases.
CDPATH List the search path used when changing
directories.
CHECKMETHOD List or set the checksum method.
CHECKSUM Give the checksum of a file.
CHMOD Change mode of a file. For example, SITE
CHMOD 755 filename.
SunOS 5.11 Last change: 10 Nov 2005 7
System Administration Commands in.ftpd(1M)
EXEC Execute a program. For example, SITE EXEC
program params
GPAS Give special group access password. For exam-
ple, SITE GPAS bar.
GROUP Request special group access. For example,
SITE GROUP foo.
GROUPS List supplementary group membership.
HELP Give help information. For example, SITE
HELP.
IDLE Set idle-timer. For example, SITE IDLE 60.
UMASK Change umask. For example, SITE UMASK 002.
The remaining FTP requests specified in RFC 959 are recog-
nized, but not implemented.
The FTP server will abort an active file transfer only when
the ABOR command is preceded by a Telnet "Interrupt Process"
(IP) signal and a Telnet "Synch" signal in the command Tel-
net stream, as described in RFC 959. If a STAT command is
received during a data transfer that has been preceded by a
Telnet IP and Synch, transfer status will be returned.
in.ftpd interprets file names according to the "globbing"
conventions used by csh(1). This allows users to utilize the
metacharacters: * ? [ ] { } ~
in.ftpd authenticates users according to the following
rules:
First, the user name must be in the password data base, the
location of which is specified in nsswitch.conf(4). An
encrypted password (an authentication token in PAM) must be
present. A password must always be provided by the client
before any file operations can be performed. For non-
SunOS 5.11 Last change: 10 Nov 2005 8
System Administration Commands in.ftpd(1M)
anonymous users, the PAM framework is used to verify that
the correct password was entered. See SECURITY below.
Second, the user name must not appear in either the
/etc/ftpusers or the /etc/ftpd/ftpusers file. Use of the
/etc/ftpusers files is deprecated, although it is still sup-
ported.
Third, the users must have a standard shell returned by
getusershell(3C).
Fourth, if the user name is anonymous or ftp, an anonymous
ftp account must be present in the password file for user
ftp. Use ftpconfig(1M) to create the anonymous ftp account
and home directory tree.
Fifth, if the GS-API is used to authenticate the user, then
gssauthrules(5) determines user access without a password
needed.
The FTP Server supports virtual hosting, which can be con-
figured by using ftpaddhost(1M).
The FTP Server does not support sublogins.
General FTP Extensions
The FTP Server has certain extensions. If the user specifies
a filename that does not exist with a RETR (retrieve) com-
mand, the FTP Server looks for a conversion to change a file
or directory that does into the one requested. See
ftpconversions(4).
By convention, anonymous users supply their email address
when prompted for a password. The FTP Server attempts to
validate these email addresses. A user whose FTP client
hangs on a long reply, for example, a multiline response,
should use a dash (-) as the first character of the user's
password, as this disables the Server's lreply() function.
The FTP Server can also log all file transmission and recep-
tion. See xferlog(4) for details of the log file format.
SunOS 5.11 Last change: 10 Nov 2005 9
System Administration Commands in.ftpd(1M)
The SITE EXEC command may be used to execute commands in the
/bin/ftp-exec directory. Take care that you understand the
security implications before copying any command into the
/bin/ftp-exec directory. For example, do not copy in
/bin/sh. This would enable the user to execute other com-
mands through the use of sh -c. If you have doubts about
this feature, do not create the /bin/ftp-exec directory.
SECURITY
For non-anonymous users, in.ftpd uses pam(3PAM) for authen-
tication, account management, and session management, and
can use Kerberos v5 for authentication.
The PAM configuration policy, listed through /etc/pam.conf,
specifies the module to be used for in.ftpd. Here is a par-
tial pam.conf file with entries for the in.ftpd command
using the UNIX authentication, account management, and ses-
sion management module.
ftp auth requisite pamauthtokget.so.1
ftp auth required pamdhkeys.so.1
ftp auth required pamunixauth.so.1
ftp account required pamunixroles.so.1
ftp account required pamunixprojects.so.1
ftp account required pamunixaccount.so.1
ftp session required pamunixsession.so.1
If there are no entries for the ftp service, then the
entries for the "other" service will be used. Unlike login,
passwd, and other commands, the ftp protocol will only sup-
port a single password. Using multiple modules will prevent
in.ftpd from working properly.
To use Kerberos for authentication, a host/ Kerberos
principal must exist for each Fully Qualified Domain Name
associated with the in.ftpd server. Each of these
host/ principals must have a keytab entry in the
/etc/krb5/krb5.keytab file on the in.ftpd server. An example
principal might be:
host/bigmachine.eng.example.com
See kadmin(1M) or gkadmin(1M) for instructions on adding a
principal to a krb5.keytab file. See for a discussion of
SunOS 5.11 Last change: 10 Nov 2005 10
System Administration Commands in.ftpd(1M)
Kerberos authentication.
For anonymous users, who by convention supply their email
address as a password, in.ftpd validates passwords according
to the passwd-check capability in the ftpaccess file.
USAGE
The in.ftpd command is IPv6-enabled. See ip6(7P).
FILES
/etc/ftpd/ftpaccess
FTP Server configuration file
/etc/ftpd/ftpconversions
FTP Server conversions database
/etc/ftpd/ftpgroups
FTP Server enhanced group access file
/etc/ftpd/ftphosts
FTP Server individual user host access file
/etc/ftpd/ftpservers
FTP Server virtual hosting configuration file.
/etc/ftpd/ftpusers
File listing users for whom FTP login privileges are
disallowed.
/etc/ftpusers
File listing users for whom FTP login privileges are
disallowed. This use of this file is deprecated.
/var/log/xferlog
FTP Server transfer log file
SunOS 5.11 Last change: 10 Nov 2005 11
System Administration Commands in.ftpd(1M)
/var/run/ftp.pids-classname
/var/adm/wtmpx
Extended database files that contain the history of user
access and accounting information for the wtmpx data-
base.
ATRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
ATRIBUTE TYPE ATRIBUTE VALUE
Availability SUNWftpu
Interface Stability External
SEE ALSO
csh(1), ftp(1), ftpcount(1), ftpwho(1), ls(1), svcs(1),
ftpaddhost(1M), ftpconfig(1M), ftprestart(1M), ftpshut(1M),
gkadmin(1M), inetadm(1M), inetd(1M), kadmin(1M), svcadm(1M),
syslogd(1M), chroot(2), umask(2), getpwent(3C),
getusershell(3C), syslog(3C), ftpaccess(4), ftpconver-
sions(4), ftpgroups(4), ftphosts(4), ftpservers(4),
ftpusers(4), group(4), passwd(4), services(4), xferlog(4),
wtmpx(4), attributes(5), gssauthrules(5),
pamauthtokcheck(5), pamauthtokget(5),
pamauthtokstore(5), pamdhkeys(5), pampasswdauth(5),
pamunixaccount(5), pamunixauth(5), pamunixsession(5),
smf(5), ip6(7P)
Allman, M., Ostermann, S., and Metz, C. RFC 2428, FTP Exten-
sions for IPv6 and NATs. The Internet Society. September
1998.
Piscitello, D. RFC 1639, FTP Operation Over Big Address
Records (FOBAR). Network Working Group. June 1994.
SunOS 5.11 Last change: 10 Nov 2005 12
System Administration Commands in.ftpd(1M)
Postel, Jon, and Joyce Reynolds. RFC 959, File Transfer Pro-
tocol (FTP ). Network Information Center. October 1985.
St. Johns, Mike. RFC 931, Authentication Server. Network
Working Group. January 1985.
Linn, J., Generic Security Service Application Program
Interface Version 2, Update 1, RFC 2743. The Internet
Society, January 2000.
Horowitz, M., Lunt, S., FTP Security Extensions, RFC 2228.
The Internet Society, October 1997.
DIAGNOSTICS
in.ftpd logs various errors to syslogd(1M), with a facility
code of daemon.
NOTES
The anonymous FTP account is inherently dangerous and should
be avoided when possible.
The FTP Server must perform certain tasks as the superuser,
for example, the creation of sockets with privileged port
numbers. It maintains an effective user ID of the logged in
user, reverting to the superuser only when necessary.
The FTP Server no longer supports the /etc/default/ftpd
file. Instead of using UMASK=nnn to set the umask, use the
defumask capability in the ftpaccess file. The banner greet-
ing text capability is also now set through the ftpaccess
file by using the greeting text capability instead of by
using BANER="...". However, unlike the BANER string, the
greeting text string is not passed to the shell for evalua-
tion. See ftpaccess(4).
The pamunix(5) module is no longer supported. Similar func-
tionality is provided by pamauthtokcheck(5),
pamauthtokget(5), pamauthtokstore(5), pamdhkeys(5),
pampasswdauth(5), pamunixaccount(5), pamunixauth(5),
and pamunixsession(5).
The in.ftpd service is managed by the service management
facility, smf(5), under the service identifier:
svc:/network/ftp
SunOS 5.11 Last change: 10 Nov 2005 13
System Administration Commands in.ftpd(1M)
Administrative actions on this service, such as enabling,
disabling, or requesting restart, can be performed using
svcadm(1M). Responsibility for initiating and restarting
this service is delegated to inetd(1M). Use inetadm(1M) to
make configuration changes and to view configuration infor-
mation for this service. The service's status can be queried
using the svcs(1) command.
SunOS 5.11 Last change: 10 Nov 2005 14
|
