in.ftpd(1M)             System Administration Commands             in.ftpd(1M)

NAME

       in.ftpd, ftpd - File Transfer Protocol Server

SYNOPSIS

       in.ftpd [-4] [-A] [-a] [-C] [-d] [-I] [-i] [-K] [-L] [-l]
            [-o] [-P dataport] [-p ctrlport] [-Q] [-q]
            [-r rootdir] [-S] [-s] [-T maxtimeout] [-t timeout]
            [-u umask] [-V] [-v] [-W] [-w] [-X]

DESCRIPTION

       in.ftpd is the Internet File Transfer Protocol (FTP) server process. The server may be invoked by the Internet daemon inetd(1M) each time a connection to the FTP service is made, or run as a standalone server. See services(4).

OPTIONS

       in.ftpd supports the following options:

       -4               When running in standalone mode, listen for connections on an AF_INET type socket. The default is to listen on an AF_INET6 type socket.

       -a               Enables use of the ftpaccess(4) file.

       -A               Disables use of the ftpaccess(4) file. Use of ftpaccess is disabled by default.

       -C               Non-anonymous users need local credentials (for example, to authenticate to remote fileservers), so they should be prompted for a password unless they forwarded credentials as part of authentication.

       -d               Writes debugging information to syslogd(1M).

       -i               Logs the names of all files received by the FTP Server to xferlog(4). You can override the -i option through use of the ftpaccess(4) file.

       -I               Disables the use of AUTH and ident to determine the username on the client. See RFC 931. The FTP Server is built not to use AUTH and ident.

       -K               Connections are only allowed for users who can authenticate through the ftp AUTH mechanism. (Anonymous ftp may also be allowed if it is configured.) ftpd will ask the user for a password if one is required.

       -l               Logs each FTP session to syslogd(1M).

       -L               Logs all commands sent to in.ftpd to syslogd(1M). When the -L option is used, command logging is on by default once the FTP Server is invoked. Because the FTP Server includes USER commands among those logged, if a user accidentally enters a password instead of the username, the password will be logged. You can override the -L option through use of the ftpaccess(4) file.

       -o               Logs the names of all files transmitted by the FTP Server to xferlog(4). You can override the -o option through use of the ftpaccess(4) file.

       -P dataport      The FTP Server determines the data port number by looking in the services(4) file for an entry for the ftp-data service. If there is no entry, the daemon uses the port just prior to the control connection port. Use the -P option to specify the data port number.

       -p ctrlport      When run in standalone mode, the FTP Server determines the control port number by looking in the services(4) file for an entry for the ftp service. Use the -p option to specify the control port number.

       -Q               Disables PID files, which disables user limits. Large, busy sites that do not want to impose limits on the number of concurrent users can use this option to disable PID files.

       -q               Uses PID files. The limit directive uses PID files to determine the number of current users in each access class. By default, PID files are used.

       -r rootdir       chroot(2) to rootdir upon loading. Use this option to improve system security. It limits the files that can be damaged should a break-in occur through the daemon. This option is similar to anonymous FTP. Additional files are needed, which vary from system to system.

       -S               Places the daemon in standalone operation mode. The daemon runs in the background. This is useful for startup scripts that run during system initialization. See init.d(4).

       -s               Places the daemon in standalone operation mode. The daemon runs in the foreground. This is useful when run from /etc/inittab by init(1M).

       -T maxtimeout    Sets the maximum allowable timeout period to maxtimeout seconds. The default maximum timeout limit is 7200 seconds (two hours). You can override the -T option through use of the ftpaccess(4) file.

       -t timeout       Sets the inactivity timeout period to timeout seconds. The default timeout period is 900 seconds (15 minutes). You can override the -t option through use of the ftpaccess(4) file.

       -u umask         Sets the default umask to umask.

       -V               Displays copyright and version information, then terminates.

       -v               Writes debugging information to syslogd(1M).

       -W               Does not record user login and logout in the wtmpx(4) file.

       -w               Records each user login and logout in the wtmpx(4) file. By default, logins and logouts are recorded.

       -X               Writes the output from the -i and -o options to the syslogd(1M) file instead of xferlog(4). This allows the collection of output from several hosts on one central loghost. You can override the -X option through use of the ftpaccess(4) file.

   Requests
       The FTP Server currently supports the following FTP requests. Case is not distinguished.

       ABOR    Abort previous command.

       ADAT    Send an authentication protocol message.

       ALLO    Allocate storage (vacuously).

       AUTH    Specify an authentication protocol to be performed. Currently only "GSSAPI" is supported.

       APPE    Append to a file.

       CCC     Set the command channel protection mode to "Clear" (no protection). Not allowed if the data channel is protected.

       CDUP    Change to parent of current working directory.

       CWD     Change working directory.

       DELE    Delete a file.

       ENC     Send a privacy and integrity protected command (given in argument).

       EPRT    Specify extended address for the transport connection.

       EPSV    Extended passive command request.

       HELP    Give help information.

       LIST    Give a list of files in a directory (ls -lA).

       LPRT    Specify long address for the transport connection.

       LPSV    Long passive command request.

       MIC     Send an integrity protected command (given in argument).

       MKD     Make a directory.

       MDTM    Show the time a file was last modified.

       MODE    Specify data transfer mode.

       NLST    Give name list of files in directory (ls).

       NOOP    Do nothing.

       PASS    Specify password.

       PASV    Prepare for server-to-server transfer.

       PBSZ    Specify a protection buffer size.

       PROT    Specify a protection level under which to protect data transfers. Allowed arguments:

               clear      No protection.

               safe       Integrity protection.

               private    Integrity and encryption protection.

       PORT    Specify data connection port.

       PWD     Print the current working directory.

       QUIT    Terminate session.

       REST    Restart incomplete transfer.

       RETR    Retrieve a file.

       RMD     Remove a directory.

       RNFR    Specify rename-from file name.

       RNTO    Specify rename-to file name.

       SITE    Use nonstandard commands.

       SIZE    Return size of file.

       STAT    Return status of server.

       STOR    Store a file.

       STOU    Store a file with a unique name.

       STRU    Specify data transfer structure.

       SYST    Show operating system type of server system.

       TYPE    Specify data transfer type.

       USER    Specify user name.

       XCUP    Change to parent of current working directory. This request is deprecated.

       XCWD    Change working directory. This request is deprecated.

       XMKD    Make a directory. This request is deprecated.

       XPWD    Print the current working directory. This request is deprecated.

       XRMD    Remove a directory. This request is deprecated.

       The following nonstandard or UNIX specific commands are supported by the SITE request:

       ALIAS          List aliases.

       CDPATH         List the search path used when changing directories.

       CHECKMETHOD    List or set the checksum method.

       CHECKSUM       Give the checksum of a file.

       CHMOD          Change mode of a file. For example, SITE CHMOD 755 filename.

       EXEC           Execute a program. For example, SITE EXEC program params.

       GPASS          Give special group access password. For example, SITE GPASS bar.

       GROUP          Request special group access. For example, SITE GROUP foo.

       GROUPS         List supplementary group membership.

       HELP           Give help information. For example, SITE HELP.

       IDLE           Set idle-timer. For example, SITE IDLE 60.

       UMASK          Change umask. For example, SITE UMASK 002.

       The remaining FTP requests specified in RFC 959 are recognized, but not implemented.

       The FTP server will abort an active file transfer only when the ABOR command is preceded by a Telnet "Interrupt Process" (IP) signal and a Telnet "Synch" signal in the command Telnet stream, as described in RFC 959. If a STAT command is received during a data transfer that has been preceded by a Telnet IP and Synch, transfer status will be returned.

       in.ftpd interprets file names according to the "globbing" conventions used by csh(1). This allows users to utilize the metacharacters: * ? [ ] { } ~

       in.ftpd authenticates users according to the following rules:

       First, the user name must be in the password data base, the location of which is specified in nsswitch.conf(4). An encrypted password (an authentication token in PAM) must be present. A password must always be provided by the client before any file operations can be performed. For non-anonymous users, the PAM framework is used to verify that the correct password was entered. See SECURITY below.

       Second, the user name must not appear in either the /etc/ftpusers or the /etc/ftpd/ftpusers file. Use of the /etc/ftpusers file is deprecated, although it is still supported.

       Third, the user must have a standard shell returned by getusershell(3C).

       Fourth, if the user name is anonymous or ftp, an anonymous ftp account must be present in the password file for user ftp. Use ftpconfig(1M) to create the anonymous ftp account and home directory tree.

       Fifth, if the GSS-API is used to authenticate the user, then gss_auth_rules(5) determines user access without a password being needed.

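       The rules above, as an added example that is not code from this man page or from in.ftpd itself: a Python model of the five checks, evaluated in the page's order on constructed password, ftpusers and shell data. The names PasswdEntry, FtpdPolicy and decide are this example's own, and applying the ftpusers deny lists to the ftp account for anonymous logins is an assumption of the model, not something the page states.

```python
# Added example (not from the in.ftpd man page or its source): a model of the
# five login rules above, run on constructed data. Names are hypothetical.
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

ANONYMOUS = {"anonymous", "ftp"}  # rule 4: both map to the 'ftp' account


@dataclass
class PasswdEntry:
    name: str
    token: str   # encrypted password / PAM authentication token; "" = none
    shell: str


@dataclass
class FtpdPolicy:
    passwd_db: Dict[str, PasswdEntry]                       # nsswitch.conf(4) lookup
    ftpd_ftpusers: Set[str] = field(default_factory=set)    # /etc/ftpd/ftpusers
    legacy_ftpusers: Set[str] = field(default_factory=set)  # deprecated /etc/ftpusers
    user_shells: Set[str] = field(default_factory=set)      # getusershell(3C) result

    def denied(self, name: str) -> bool:
        """Rule 2: either ftpusers file lists the name."""
        return name in self.ftpd_ftpusers or name in self.legacy_ftpusers


def decide(user: str, policy: FtpdPolicy, gss_authenticated: bool = False) -> Tuple[bool, str]:
    """Apply the rules in the page's order.

    Returns (proceed, reason). proceed=True means the login goes on to the
    password stage (PAM, anonymous e-mail check, or gss_auth_rules(5));
    False is a rejection before any file operation is possible.
    """
    if user in ANONYMOUS:
        # Rule 4: the 'ftp' account must exist. Assumption of this model: the
        # ftpusers deny lists are applied to 'ftp' for anonymous logins as well.
        if "ftp" not in policy.passwd_db:
            return False, "rule 4: no ftp account for anonymous login"
        if policy.denied("ftp"):
            return False, "rule 2: ftp account listed in ftpusers"
        return True, "anonymous: e-mail address taken as password"
    entry = policy.passwd_db.get(user)              # rule 1
    if entry is None:
        return False, "rule 1: not in the password database"
    if not entry.token:
        return False, "rule 1: no authentication token present"
    if policy.denied(user):                         # rule 2
        return False, "rule 2: listed in ftpusers"
    if entry.shell not in policy.user_shells:       # rule 3
        return False, "rule 3: shell not returned by getusershell(3C)"
    if gss_authenticated:                           # rule 5
        return True, "rule 5: GSS-API authenticated, gss_auth_rules(5) decides"
    return True, "password required, verified through pam(3PAM)"


# Constructed sample data; the hashes are placeholders, not real tokens.
SAMPLE = FtpdPolicy(
    passwd_db={
        "alice": PasswdEntry("alice", "$5$placeholder$hash", "/bin/ksh"),
        "bob":   PasswdEntry("bob", "", "/bin/ksh"),              # no token
        "svc":   PasswdEntry("svc", "$5$placeholder$hash", "/usr/bin/false"),
        "root":  PasswdEntry("root", "$5$placeholder$hash", "/usr/bin/bash"),
        "ftp":   PasswdEntry("ftp", "NP", "/bin/true"),
    },
    ftpd_ftpusers={"root", "daemon", "bin"},
    user_shells={"/bin/sh", "/bin/ksh", "/usr/bin/bash"},
)

if __name__ == "__main__":
    for name in ("alice", "bob", "svc", "root", "anonymous", "nobody"):
        print(f"{name:10} {decide(name, SAMPLE)}")
```
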
       The FTP Server supports virtual hosting, which can be configured by using ftpaddhost(1M).

       The FTP Server does not support sublogins.

   General FTP Extensions
       The FTP Server has certain extensions. If the user specifies a filename that does not exist with a RETR (retrieve) command, the FTP Server looks for a conversion to change a file or directory that does exist into the one requested. See ftpconversions(4).

       By convention, anonymous users supply their email address when prompted for a password. The FTP Server attempts to validate these email addresses. A user whose FTP client hangs on a long reply, for example, a multiline response, should use a dash (-) as the first character of the user's password, as this disables the Server's lreply() function.

       The FTP Server can also log all file transmission and reception. See xferlog(4) for details of the log file format.

       The SITE EXEC command may be used to execute commands in the /bin/ftp-exec directory. Take care that you understand the security implications before copying any command into the /bin/ftp-exec directory. For example, do not copy in /bin/sh. This would enable the user to execute other commands through the use of sh -c. If you have doubts about this feature, do not create the /bin/ftp-exec directory.

SECURITY

       For non-anonymous users, in.ftpd uses pam(3PAM) for authentication, account management, and session management, and can use Kerberos v5 for authentication.

       The PAM configuration policy, listed through /etc/pam.conf, specifies the module to be used for in.ftpd. Here is a partial pam.conf file with entries for the in.ftpd command using the UNIX authentication, account management, and session management module.

         ftp  auth        requisite   pam_authtok_get.so.1
         ftp  auth        required    pam_dhkeys.so.1
         ftp  auth        required    pam_unix_auth.so.1

         ftp  account     required    pam_unix_roles.so.1
         ftp  account     required    pam_unix_projects.so.1
         ftp  account     required    pam_unix_account.so.1

         ftp  session     required    pam_unix_session.so.1

       If there are no entries for the ftp service, then the entries for the "other" service will be used. Unlike login, passwd, and other commands, the ftp protocol will only support a single password. Using multiple modules will prevent in.ftpd from working properly.

       To use Kerberos for authentication, a host/<FQDN> Kerberos principal must exist for each Fully Qualified Domain Name associated with the in.ftpd server. Each of these host/<FQDN> principals must have a keytab entry in the /etc/krb5/krb5.keytab file on the in.ftpd server. An example principal might be:

       host/bigmachine.eng.example.com

       See kadmin(1M) or gkadmin(1M) for instructions on adding a principal to a krb5.keytab file. See  for a discussion of Kerberos authentication.

       For anonymous users, who by convention supply their email address as a password, in.ftpd validates passwords according to the passwd-check capability in the ftpaccess file.

USAGE

       The in.ftpd command is IPv6-enabled. See ip6(7P).

FILES

       /etc/ftpd/ftpaccess

           FTP Server configuration file

       /etc/ftpd/ftpconversions

           FTP Server conversions database

       /etc/ftpd/ftpgroups

           FTP Server enhanced group access file

       /etc/ftpd/ftphosts

           FTP Server individual user host access file

       /etc/ftpd/ftpservers

           FTP Server virtual hosting configuration file

       /etc/ftpd/ftpusers

           File listing users for whom FTP login privileges are disallowed.

       /etc/ftpusers

           File listing users for whom FTP login privileges are disallowed. Use of this file is deprecated.

       /var/log/xferlog

           FTP Server transfer log file

       /var/run/ftp.pids-classname

       /var/adm/wtmpx

           Extended database files that contain the history of user access and accounting information for the wtmpx database.


ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWftpu                     │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │External                     │
       └─────────────────────────────┴─────────────────────────────┘


SEE ALSO

       csh(1), ftp(1), ftpcount(1), ftpwho(1), ls(1), svcs(1), ftpaddhost(1M), ftpconfig(1M), ftprestart(1M), ftpshut(1M), gkadmin(1M), inetadm(1M), inetd(1M), kadmin(1M), svcadm(1M), syslogd(1M), chroot(2), umask(2), getpwent(3C), getusershell(3C), syslog(3C), ftpaccess(4), ftpconversions(4), ftpgroups(4), ftphosts(4), ftpservers(4), ftpusers(4), group(4), passwd(4), services(4), xferlog(4), wtmpx(4), attributes(5), gss_auth_rules(5), pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5), smf(5), ip6(7P)

       Allman, M., Ostermann, S., and Metz, C. RFC 2428, FTP Extensions for IPv6 and NATs. The Internet Society. September 1998.

       Piscitello, D. RFC 1639, FTP Operation Over Big Address Records (FOOBAR). Network Working Group. June 1994.

       Postel, J., and Reynolds, J. RFC 959, File Transfer Protocol (FTP). Network Information Center. October 1985.

       St. Johns, M. RFC 931, Authentication Server. Network Working Group. January 1985.

       Linn, J. RFC 2743, Generic Security Service Application Program Interface Version 2, Update 1. The Internet Society. January 2000.

       Horowitz, M., and Lunt, S. RFC 2228, FTP Security Extensions. The Internet Society. October 1997.


DIAGNOSTICS

       in.ftpd logs various errors to syslogd(1M), with a facility code of daemon.


NOTES

       The anonymous FTP account is inherently dangerous and should be avoided when possible.

       The FTP Server must perform certain tasks as the superuser, for example, the creation of sockets with privileged port numbers. It maintains an effective user ID of the logged in user, reverting to the superuser only when necessary.

       The FTP Server no longer supports the /etc/default/ftpd file. Instead of using UMASK=nnn to set the umask, use the defumask capability in the ftpaccess file. The banner greeting text capability is also now set through the ftpaccess file by using the greeting text capability instead of by using BANNER="...". However, unlike the BANNER string, the greeting text string is not passed to the shell for evaluation. See ftpaccess(4).

       The pam_unix(5) module is no longer supported. Similar functionality is provided by pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5), and pam_unix_session(5).

       The in.ftpd service is managed by the service management facility, smf(5), under the service identifier:

         svc:/network/ftp

       Administrative actions on this service, such as enabling, disabling, or requesting restart, can be performed using svcadm(1M). Responsibility for initiating and restarting this service is delegated to inetd(1M). Use inetadm(1M) to make configuration changes and to view configuration information for this service. The service's status can be queried using the svcs(1) command.

SunOS 5.11                        10 Nov 2005                      in.ftpd(1M)