in.ftpd(1M)           System Administration Commands           in.ftpd(1M)

NAME
     in.ftpd, ftpd - File Transfer Protocol Server

SYNOPSIS
     in.ftpd [-4] [-A] [-a] [-C] [-d] [-I] [-i] [-K] [-L] [-l]
          [-o] [-P dataport] [-p ctrlport] [-Q] [-q]
          [-r rootdir] [-S] [-s] [-T maxtimeout] [-t timeout]
          [-u umask] [-V] [-v] [-W] [-w] [-X]

DESCRIPTION
     in.ftpd is the Internet File Transfer Protocol (FTP) server process.
     The server may be invoked by the Internet daemon inetd(1M) each time a
     connection to the FTP service is made, or run as a standalone server.
     See services(4).

OPTIONS
     in.ftpd supports the following options:

     -4              When running in standalone mode, listen for
                     connections on an AF_INET type socket. The default
                     is to listen on an AF_INET6 type socket.

     -a              Enables use of the ftpaccess(4) file.

     -A              Disables use of the ftpaccess(4) file. Use of
                     ftpaccess is disabled by default.

     -C              Non-anonymous users need local credentials (for
                     example, to authenticate to remote fileservers), so
                     they are prompted for a password unless they
                     forwarded credentials as part of authentication.

     -d              Writes debugging information to syslogd(1M).

     -i              Logs the names of all files received by the FTP
                     Server to xferlog(4). You can override the -i option
                     through use of the ftpaccess(4) file.

     -I              Disables the use of AUTH and ident to determine the
                     username on the client. See RFC 931. The FTP Server
                     is built not to use AUTH and ident.

     -K              Connections are only allowed for users who can
                     authenticate through the ftp AUTH mechanism.
                     (Anonymous ftp may also be allowed if it is
                     configured.) ftpd will ask the user for a password
                     if one is required.

     -l              Logs each FTP session to syslogd(1M).

     -L              Logs all commands sent to in.ftpd to syslogd(1M).
                     When the -L option is used, command logging is on
                     by default once the FTP Server is invoked. Because
                     the FTP Server includes USER commands among those
                     logged, if a user accidentally enters a password
                     instead of the username, the password will be
                     logged. You can override the -L option through use
                     of the ftpaccess(4) file.

     -o              Logs the names of all files transmitted by the FTP
                     Server to xferlog(4). You can override the -o option
                     through use of the ftpaccess(4) file.

     -P dataport     The FTP Server determines the data port number by
                     looking in the services(4) file for an entry for the
                     ftp-data service. If there is no entry, the daemon
                     uses the port just prior to the control connection
                     port. Use the -P option to specify the data port
                     number.

     -p ctrlport     When run in standalone mode, the FTP Server
                     determines the control port number by looking in the
                     services(4) file for an entry for the ftp service.
                     Use the -p option to specify the control port number.

     -Q              Disables PID files. This disables user limits. Large,
                     busy sites that do not want to impose limits on the
                     number of concurrent users can use this option to
                     disable PID files.

     -q              Uses PID files. The limit directive uses PID files
                     to determine the number of current users in each
                     access class. By default, PID files are used.

     -r rootdir      chroot(2) to rootdir upon loading. Use this option
                     to improve system security. It limits the files that
                     can be damaged should a break-in occur through the
                     daemon. This option is similar to anonymous FTP.
                     Additional files are needed, which vary from system
                     to system.

     -S              Places the daemon in standalone operation mode. The
                     daemon runs in the background. This is useful for
                     startup scripts that run during system
                     initialization. See init.d(4).

     -s              Places the daemon in standalone operation mode. The
                     daemon runs in the foreground. This is useful when
                     run from /etc/inittab by init(1M).

     -T maxtimeout   Sets the maximum allowable timeout period to
                     maxtimeout seconds. The default maximum timeout
                     limit is 7200 seconds (two hours). You can override
                     the -T option through use of the ftpaccess(4) file.

     -t timeout      Sets the inactivity timeout period to timeout
                     seconds. The default timeout period is 900 seconds
                     (15 minutes). You can override the -t option through
                     use of the ftpaccess(4) file.

     -u umask        Sets the default umask to umask.

     -V              Displays copyright and version information, then
                     terminates.

     -v              Writes debugging information to syslogd(1M).

     -W              Does not record user login and logout in the
                     wtmpx(4) file.

     -w              Records each user login and logout in the wtmpx(4)
                     file. By default, logins and logouts are recorded.

     -X              Writes the output from the -i and -o options to
                     syslogd(1M) instead of to xferlog(4). This allows
                     the collection of output from several hosts on one
                     central loghost. You can override the -X option
                     through use of the ftpaccess(4) file.

  Requests
     The FTP Server currently supports the following FTP requests. Case is
     not distinguished.

     ABOR    Abort previous command.

     ADAT    Send an authentication protocol message.

     ALLO    Allocate storage (vacuously).

     AUTH    Specify an authentication protocol to be performed. Currently
             only "GSSAPI" is supported.

     APPE    Append to a file.

     CCC     Set the command channel protection mode to "Clear" (no
             protection). Not allowed if the data channel is protected.

     CDUP    Change to parent of current working directory.

     CWD     Change working directory.

     DELE    Delete a file.

     ENC     Send a privacy and integrity protected command (given in
             argument).

     EPRT    Specify extended address for the transport connection.

     EPSV    Extended passive command request.

     HELP    Give help information.

     LIST    List files in a directory (ls -lA).

     LPRT    Specify long address for the transport connection.

     LPSV    Long passive command request.

     MIC     Send an integrity protected command (given in argument).

     MKD     Make a directory.

     MDTM    Show last time file modified.

     MODE    Specify data transfer mode.

     NLST    Give name list of files in directory (ls).

     NOOP    Do nothing.

     PASS    Specify password.

     PASV    Prepare for server-to-server transfer.

     PBSZ    Specify a protection buffer size.

     PROT    Specify a protection level under which to protect data
             transfers. Allowed arguments:

             clear      No protection.

             safe       Integrity protection.

             private    Integrity and encryption protection.

     PORT    Specify data connection port.

     PWD     Print the current working directory.

     QUIT    Terminate session.

     REST    Restart incomplete transfer.

     RETR    Retrieve a file.

     RMD     Remove a directory.

     RNFR    Specify rename-from file name.

     RNTO    Specify rename-to file name.

     SITE    Use nonstandard commands.

     SIZE    Return size of file.

     STAT    Return status of server.

     STOR    Store a file.

     STOU    Store a file with a unique name.

     STRU    Specify data transfer structure.

     SYST    Show operating system type of server system.

     TYPE    Specify data transfer type.

     USER    Specify user name.

     XCUP    Change to parent of current working directory. This request
             is deprecated.

     XCWD    Change working directory. This request is deprecated.

     XMKD    Make a directory. This request is deprecated.

     XPWD    Print the current working directory. This request is
             deprecated.

     XRMD    Remove a directory. This request is deprecated.

     The following nonstandard or UNIX-specific commands are supported by
     the SITE request:

     ALIAS          List aliases.

     CDPATH         List the search path used when changing directories.

     CHECKMETHOD    List or set the checksum method.

     CHECKSUM       Give the checksum of a file.

     CHMOD          Change mode of a file. For example, SITE CHMOD 755
                    filename.

     EXEC           Execute a program. For example, SITE EXEC program
                    params.

     GPASS          Give special group access password. For example,
                    SITE GPASS bar.

     GROUP          Request special group access. For example, SITE GROUP
                    foo.

     GROUPS         List supplementary group membership.

     HELP           Give help information. For example, SITE HELP.

     IDLE           Set idle-timer. For example, SITE IDLE 60.

     UMASK          Change umask. For example, SITE UMASK 002.

     The remaining FTP requests specified in RFC 959 are recognized, but
     not implemented.

     The FTP server will abort an active file transfer only when the ABOR
     command is preceded by a Telnet "Interrupt Process" (IP) signal and a
     Telnet "Synch" signal in the command Telnet stream, as described in
     RFC 959. If a STAT command is received during a data transfer that has
     been preceded by a Telnet IP and Synch, transfer status will be
     returned.

     in.ftpd interprets file names according to the "globbing" conventions
     used by csh(1). This allows users to utilize the metacharacters: * ? [
     ] { } ~

     in.ftpd authenticates users according to the following rules:

     First, the user name must be in the password data base, the location
     of which is specified in nsswitch.conf(4). An encrypted password (an
     authentication token in PAM) must be present. A password must always
     be provided by the client before any file operations can be performed.
     For non-anonymous users, the PAM framework is used to verify that the
     correct password was entered. See SECURITY below.

     Second, the user name must not appear in either the /etc/ftpd/ftpusers
     or the /etc/ftpusers file. Use of the /etc/ftpusers file is
     deprecated, although it is still supported.

     Third, the user must have a standard shell returned by
     getusershell(3C).

     Fourth, if the user name is anonymous or ftp, an anonymous ftp account
     must be present in the password file for user ftp. Use ftpconfig(1M)
     to create the anonymous ftp account and home directory tree.

     Fifth, if the GSS-API is used to authenticate the user, then
     gss_auth_rules(5) determines user access without a password being
     needed.
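
     The following is an added example, not in.ftpd's source, that applies
     rules one to four in the order given, with constructed sample data
     standing in for the password data base, the two ftpusers files and the
     list getusershell(3C) returns. How rules two and three apply to the
     ftp account is an assumption noted in the code, and the GSS-API path
     of rule five is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PwEntry:
    """One entry from the password data base named by nsswitch.conf(4)."""
    name: str
    passwd: str   # encrypted password (PAM authentication token); "" if absent
    shell: str

ANONYMOUS_NAMES = ("anonymous", "ftp")

def ftp_login_allowed(user, passwd_db, ftpusers, shells):
    """Apply the man page's login rules in order; return (allowed, reason).

    passwd_db: dict name -> PwEntry; ftpusers: names from /etc/ftpd/ftpusers
    and /etc/ftpusers combined; shells: the list getusershell(3C) returns.
    """
    if user in ANONYMOUS_NAMES:
        # Rule four: anonymous and ftp both require the ftp account to exist.
        if "ftp" not in passwd_db:
            return False, "no anonymous ftp account for user ftp (see ftpconfig(1M))"
        # Assumption: rule two is applied to the ftp account as well; the shell
        # rule is not, since the anonymous account normally has no login shell.
        if "ftp" in ftpusers:
            return False, "ftp listed in ftpusers"
        return True, "anonymous login; password is validated by passwd-check"
    # Rule one: name in the password data base with an encrypted password.
    entry = passwd_db.get(user)
    if entry is None:
        return False, "user not in password data base"
    if not entry.passwd:
        return False, "no encrypted password / PAM authentication token"
    # Rule two: name must not be listed in /etc/ftpd/ftpusers or /etc/ftpusers.
    if user in ftpusers:
        return False, "user listed in ftpusers"
    # Rule three: login shell must be one returned by getusershell(3C).
    if entry.shell not in shells:
        return False, "shell not returned by getusershell(3C)"
    return True, "password to be verified through PAM"

# Constructed sample data standing in for the real name service and files.
SAMPLE_PASSWD = {
    "alice": PwEntry("alice", "$5$constructed$hash", "/bin/ksh"),
    "bob":   PwEntry("bob", "", "/bin/sh"),            # no password set
    "carol": PwEntry("carol", "x", "/usr/bin/false"),  # non-login shell
    "ftp":   PwEntry("ftp", "x", "/bin/false"),        # created by ftpconfig(1M)
}
SAMPLE_FTPUSERS = {"root", "daemon", "bin"}
SAMPLE_SHELLS = {"/bin/sh", "/bin/ksh", "/bin/csh"}

def check(user):
    return ftp_login_allowed(user, SAMPLE_PASSWD, SAMPLE_FTPUSERS, SAMPLE_SHELLS)

if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "root", "anonymous"):
        print(name, check(name))
```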

     The FTP Server supports virtual hosting, which can be configured by
     using ftpaddhost(1M).

     The FTP Server does not support sublogins.

  General FTP Extensions
     The FTP Server has certain extensions. If the user specifies a
     filename that does not exist with a RETR (retrieve) command, the FTP
     Server looks for a conversion that produces the requested file from a
     file or directory that does exist. See ftpconversions(4).

     By convention, anonymous users supply their email address when
     prompted for a password. The FTP Server attempts to validate these
     email addresses. A user whose FTP client hangs on a long reply, for
     example a multiline response, should use a dash (-) as the first
     character of the user's password, as this disables the Server's
     lreply() function.

     The FTP Server can also log all file transmission and reception. See
     xferlog(4) for details of the log file format.

     The SITE EXEC command may be used to execute commands in the
     /bin/ftp-exec directory. Take care that you understand the security
     implications before copying any command into the /bin/ftp-exec
     directory. For example, do not copy in /bin/sh. This would enable the
     user to execute other commands through the use of sh -c. If you have
     doubts about this feature, do not create the /bin/ftp-exec directory.

SECURITY
     For non-anonymous users, in.ftpd uses pam(3PAM) for authentication,
     account management, and session management, and can use Kerberos v5
     for authentication.

     The PAM configuration policy, listed through /etc/pam.conf, specifies
     the module to be used for in.ftpd. Here is a partial pam.conf file
     with entries for the in.ftpd command using the UNIX authentication,
     account management, and session management module.

       ftp   auth      requisite   pam_authtok_get.so.1
       ftp   auth      required    pam_dhkeys.so.1
       ftp   auth      required    pam_unix_auth.so.1

       ftp   account   required    pam_unix_roles.so.1
       ftp   account   required    pam_unix_projects.so.1
       ftp   account   required    pam_unix_account.so.1

       ftp   session   required    pam_unix_session.so.1

     If there are no entries for the ftp service, then the entries for the
     "other" service will be used. Unlike login, passwd, and other
     commands, the ftp protocol will only support a single password. Using
     multiple modules will prevent in.ftpd from working properly.

     To use Kerberos for authentication, a host/<FQDN> Kerberos principal
     must exist for each Fully Qualified Domain Name associated with the
     in.ftpd server. Each of these host/<FQDN> principals must have a
     keytab entry in the /etc/krb5/krb5.keytab file on the in.ftpd server.
     An example principal might be:

       host/bigmachine.eng.example.com

     See kadmin(1M) or gkadmin(1M) for instructions on adding a principal
     to a krb5.keytab file. See for a discussion of Kerberos
     authentication.

     For anonymous users, who by convention supply their email address as
     a password, in.ftpd validates passwords according to the passwd-check
     capability in the ftpaccess file.

USAGE
     The in.ftpd command is IPv6-enabled. See ip6(7P).

FILES
     /etc/ftpd/ftpaccess
                     FTP Server configuration file

     /etc/ftpd/ftpconversions
                     FTP Server conversions database

     /etc/ftpd/ftpgroups
                     FTP Server enhanced group access file

     /etc/ftpd/ftphosts
                     FTP Server individual user host access file

     /etc/ftpd/ftpservers
                     FTP Server virtual hosting configuration file

     /etc/ftpd/ftpusers
                     File listing users for whom FTP login privileges are
                     disallowed.

     /etc/ftpusers
                     File listing users for whom FTP login privileges are
                     disallowed. Use of this file is deprecated.

     /var/log/xferlog
                     FTP Server transfer log file

     /var/run/ftp.pids-classname

     /var/adm/wtmpx
                     Extended database files that contain the history of
                     user access and accounting information for the wtmpx
                     database.

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     ┌─────────────────────────────┬─────────────────────────────┐
     │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
     ├─────────────────────────────┼─────────────────────────────┤
     │Availability                 │SUNWftpu                     │
     ├─────────────────────────────┼─────────────────────────────┤
     │Interface Stability          │External                     │
     └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
     csh(1), ftp(1), ftpcount(1), ftpwho(1), ls(1), svcs(1), ftpaddhost(1M),
     ftpconfig(1M), ftprestart(1M), ftpshut(1M), gkadmin(1M), inetadm(1M),
     inetd(1M), kadmin(1M), svcadm(1M), syslogd(1M), chroot(2), umask(2),
     getpwent(3C), getusershell(3C), syslog(3C), ftpaccess(4),
     ftpconversions(4), ftpgroups(4), ftphosts(4), ftpservers(4),
     ftpusers(4), group(4), passwd(4), services(4), xferlog(4), wtmpx(4),
     attributes(5), gss_auth_rules(5), pam_authtok_check(5),
     pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5),
     pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5),
     pam_unix_session(5), smf(5), ip6(7P)

     Allman, M., Ostermann, S., and Metz, C. RFC 2428, FTP Extensions for
     IPv6 and NATs. The Internet Society. September 1998.

     Piscitello, D. RFC 1639, FTP Operation Over Big Address Records
     (FOOBAR). Network Working Group. June 1994.

     Postel, J., and Reynolds, J. RFC 959, File Transfer Protocol (FTP).
     Network Information Center. October 1985.

     St. Johns, M. RFC 931, Authentication Server. Network Working Group.
     January 1985.

     Linn, J. RFC 2743, Generic Security Service Application Program
     Interface Version 2, Update 1. The Internet Society. January 2000.

     Horowitz, M., and Lunt, S. RFC 2228, FTP Security Extensions. The
     Internet Society. October 1997.

DIAGNOSTICS
     in.ftpd logs various errors to syslogd(1M), with a facility code of
     daemon.

NOTES
     The anonymous FTP account is inherently dangerous and should be
     avoided when possible.

     The FTP Server must perform certain tasks as the superuser, for
     example, the creation of sockets with privileged port numbers. It
     maintains an effective user ID of the logged-in user, reverting to the
     superuser only when necessary.

     The FTP Server no longer supports the /etc/default/ftpd file. Instead
     of using UMASK=nnn to set the umask, use the defumask capability in
     the ftpaccess file. The banner greeting text capability is also now
     set through the ftpaccess file by using the greeting text capability
     instead of by using BANNER="...". However, unlike the BANNER string,
     the greeting text string is not passed to the shell for evaluation.
     See ftpaccess(4).

     The pam_unix(5) module is no longer supported. Similar functionality
     is provided by pam_authtok_check(5), pam_authtok_get(5),
     pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
     pam_unix_account(5), pam_unix_auth(5), and pam_unix_session(5).

     The in.ftpd service is managed by the service management facility,
     smf(5), under the service identifier:

       svc:/network/ftp

     Administrative actions on this service, such as enabling, disabling,
     or requesting restart, can be performed using svcadm(1M).
     Responsibility for initiating and restarting this service is
     delegated to inetd(1M). Use inetadm(1M) to make configuration changes
     and to view configuration information for this service. The service's
     status can be queried using the svcs(1) command.

SunOS 5.11                      10 Nov 2005                     in.ftpd(1M)