1 '\" te
2 .\" Copyright (C) 2004, Sun Microsystems, Inc. All Rights Reserved
3 .\" Copyright 1989 AT&T
4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
5 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
6 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
7 .TH IN.FTPD 1M "Nov 10, 2005"
8 .SH NAME
9 in.ftpd, ftpd \- File Transfer Protocol Server
10 .SH SYNOPSIS
11 .LP
12 .nf
13 \fBin.ftpd\fR [\fB-4\fR] [\fB-A\fR] [\fB-a\fR] [\fB-C\fR] [\fB-d\fR] [\fB-I\fR] [\fB-i\fR] [\fB-K\fR] [\fB-L\fR] [\fB-l\fR]
14 [\fB-o\fR] [\fB-P\fR \fIdataport\fR] [\fB-p\fR \fIctrlport\fR] [\fB-Q\fR] [\fB-q\fR]
15 [\fB-r\fR \fIrootdir\fR] [\fB-S\fR] [\fB-s\fR] [\fB-T\fR \fImaxtimeout\fR] [\fB-t\fR \fItimeout\fR]
16 [\fB-u\fR \fIumask\fR] [\fB-V\fR] [\fB-v\fR] [\fB-W\fR] [\fB-w\fR] [\fB-X\fR]
17 .fi
18
19 .SH DESCRIPTION
20 .sp
21 .LP
22 \fBin.ftpd\fR is the Internet File Transfer Protocol (FTP) server process. The
23 server may be invoked by the Internet daemon \fBinetd\fR(1M) each time a
24 connection to the FTP service is made or run as a standalone server. See
25 \fBservices\fR(4).
26 .SH OPTIONS
27 .sp
28 .LP
29 \fBin.ftpd\fR supports the following options:
30 .sp
31 .ne 2
32 .na
33 \fB\fB-4\fR\fR
34 .ad
35 .RS 17n
36 When running in standalone mode, listen for connections on an \fBAF_INET\fR
37 type socket. The default is to listen on an \fBAF_INET6\fR type socket.
38 .RE
39
40 .sp
41 .ne 2
42 .na
43 \fB\fB-a\fR\fR
44 .ad
45 .RS 17n
46 Enables use of the \fBftpaccess\fR(4) file.
47 .RE
48
49 .sp
50 .ne 2
51 .na
52 \fB\fB-A\fR\fR
53 .ad
54 .RS 17n
55 Disables use of the \fBftpaccess\fR(4) file. Use of \fBftpaccess\fR is disabled
56 by default.
57 .RE
58
59 .sp
60 .ne 2
61 .na
62 \fB\fB-C\fR\fR
63 .ad
64 .RS 17n
65 Non-anonymous users need local credentials (for example, to authenticate to
66 remote fileservers). So they should be prompted for a password unless they
67 forwarded credentials as part of authentication.
68 .RE
69
70 .sp
71 .ne 2
72 .na
73 \fB\fB-d\fR\fR
74 .ad
75 .RS 17n
76 Writes debugging information to \fBsyslogd\fR(1M).
77 .RE
78
79 .sp
80 .ne 2
81 .na
82 \fB\fB-i\fR\fR
83 .ad
84 .RS 17n
85 Logs the names of all files received by the \fBFTP\fR Server to
86 \fBxferlog\fR(4). You can override the \fB-i\fR option through use of the
87 \fBftpaccess\fR(4) file.
88 .RE
89
90 .sp
91 .ne 2
92 .na
93 \fB\fB-I\fR\fR
94 .ad
95 .RS 17n
96 Disables the use of \fBAUTH\fR and \fBident\fR to determine the username on the
97 client. See \fIRFC 931\fR. The \fBFTP\fR Server is built not to use \fBAUTH\fR
98 and \fBident\fR.
99 .RE
100
101 .sp
102 .ne 2
103 .na
104 \fB\fB-K\fR\fR
105 .ad
106 .RS 17n
107 Connections are only allowed for users who can authenticate through the
108 \fBftp\fR \fBAUTH\fR mechanism. (Anonymous \fBftp\fR may also be allowed if it
109 is configured.) \fBftpd\fR will ask the user for a password if one is required.
110 .RE
111
112 .sp
113 .ne 2
114 .na
115 \fB\fB-l\fR\fR
116 .ad
117 .RS 17n
118 Logs each \fBFTP\fR session to \fBsyslogd\fR(1M).
119 .RE
120
121 .sp
122 .ne 2
123 .na
124 \fB\fB-L\fR\fR
125 .ad
126 .RS 17n
127 Logs all commands sent to \fBin.ftpd\fR to \fBsyslogd\fR(1M). When the \fB-L\fR
128 option is used, command logging will be on by default, once the FTP Server is
129 invoked. Because the \fBFTP\fR Server includes \fBUSER\fR commands in those
130 logged, if a user accidentally enters a password instead of the username, the
131 password will be logged. You can override the \fB-L\fR option through use of
132 the \fBftpaccess\fR(4) file.
133 .RE
134
135 .sp
136 .ne 2
137 .na
138 \fB\fB-o\fR\fR
139 .ad
140 .RS 17n
141 Logs the names of all files transmitted by the FTP Server to \fBxferlog\fR(4).
142 You can override the \fB-o\fR option through use of the \fBftpaccess\fR(4)
143 file.
144 .RE
145
146 .sp
147 .ne 2
148 .na
149 \fB\fB-P\fR \fIdataport\fR\fR
150 .ad
151 .RS 17n
152 The FTP Server determines the port number by looking in the \fBservices\fR(4)
153 file for an entry for the \fBftp-data\fR service. If there is no entry, the
154 daemon uses the port just prior to the control connection port. Use the
155 \fB-P\fR option to specify the data port number.
156 .RE
157
158 .sp
159 .ne 2
160 .na
161 \fB\fB-p\fR \fIctrlport\fR\fR
162 .ad
163 .RS 17n
164 When run in standalone mode, the \fBFTP\fR Server determines the control port
165 number by looking in the \fBservices\fR(4) file for an entry for the \fBftp\fR
166 service. Use the \fB-p\fR option to specify the control port number.
167 .RE
168
169 .sp
170 .ne 2
171 .na
172 \fB\fB-Q\fR\fR
173 .ad
174 .RS 17n
175 Disables \fBPID\fR files. This disables user limits. Large, busy sites that do
176 not want to impose limits on the number of concurrent users can use this option
177 to disable \fBPID\fR files.
178 .RE
179
180 .sp
181 .ne 2
182 .na
183 \fB\fB-q\fR\fR
184 .ad
185 .RS 17n
186 Uses \fBPID\fR files. The \fBlimit\fR directive uses \fBPID\fR files to
187 determine the number of current users in each access class. By default,
188 \fBPID\fR files are used.
189 .RE
190
191 .sp
192 .ne 2
193 .na
194 \fB\fB-r\fR \fIrootdir\fR\fR
195 .ad
196 .RS 17n
197 \fBchroot\fR(2) to \fIrootdir\fR upon loading. Use this option to improve
198 system security. It limits the files that can be damaged should a break in
199 occur through the daemon. This option is similar to anonymous \fBFTP\fR.
200 Additional files are needed, which vary from system to system.
201 .RE
202
203 .sp
204 .ne 2
205 .na
206 \fB\fB-S\fR\fR
207 .ad
208 .RS 17n
209 Places the daemon in standalone operation mode. The daemon runs in the
210 background. This is useful for startup scripts that run during system
211 initialization. See \fBinit.d\fR(4).
212 .RE
213
214 .sp
215 .ne 2
216 .na
217 \fB\fB-s\fR\fR
218 .ad
219 .RS 17n
220 Places the daemon in standalone operation mode. The daemon runs in the
221 foreground. This is useful when run from \fB/etc/inittab\fR by \fBinit\fR(1M).
222 .RE
223
224 .sp
225 .ne 2
226 .na
227 \fB\fB-T\fR \fImaxtimeout\fR\fR
228 .ad
229 .RS 17n
230 Sets the maximum allowable timeout period to \fImaxtimeout\fR seconds. The
231 default maximum timeout limit is 7200 second (two hours). You can override the
232 \fB-T\fR option through use of the \fBftpaccess\fR(4) file.
233 .RE
234
235 .sp
236 .ne 2
237 .na
238 \fB\fB-t\fR \fItimeout\fR\fR
239 .ad
240 .RS 17n
241 Sets the inactivity timeout period to \fItimeout\fR seconds. The default
242 timeout period is 900 seconds (15 minutes). You can override the \fB-t\fR
243 option through use of the \fBftpaccess\fR(4) file.
244 .RE
245
246 .sp
247 .ne 2
248 .na
249 \fB\fB-u\fR \fIumask\fR\fR
250 .ad
251 .RS 17n
252 Sets the default \fBumask\fR to \fIumask\fR.
253 .RE
254
255 .sp
256 .ne 2
257 .na
258 \fB\fB-V\fR\fR
259 .ad
260 .RS 17n
261 Displays copyright and version information, then terminate.
262 .RE
263
264 .sp
265 .ne 2
266 .na
267 \fB\fB-v\fR\fR
268 .ad
269 .RS 17n
270 Writes debugging information to \fBsyslogd\fR(1M).
271 .RE
272
273 .sp
274 .ne 2
275 .na
276 \fB\fB-W\fR\fR
277 .ad
278 .RS 17n
279 Does not record user \fBlogin\fR and \fBlogout\fR in the \fBwtmpx\fR(4) file.
280 .RE
281
282 .sp
283 .ne 2
284 .na
285 \fB\fB-w\fR\fR
286 .ad
287 .RS 17n
288 Records each user \fBlogin\fR and \fBlogout\fR in the \fBwtmpx\fR(4) file. By
289 default, logins and logouts are recorded.
290 .RE
291
292 .sp
293 .ne 2
294 .na
295 \fB\fB-X\fR\fR
296 .ad
297 .RS 17n
298 Writes the output from the \fB-i\fR and \fB-o\fR options to the
299 \fBsyslogd\fR(1M) file instead of \fBxferlog\fR(4). This allows the collection
300 of output from several hosts on one central loghost. You can override the
301 \fB-X\fR option through use of the \fBftpaccess\fR(4) file.
302 .RE
303
304 .SS "Requests"
305 .sp
306 .LP
307 The FTP Server currently supports the following \fBFTP\fR requests. Case is not
308 distinguished.
309 .sp
310 .ne 2
311 .na
312 \fB\fBABOR\fR\fR
313 .ad
314 .RS 8n
315 Abort previous command.
316 .RE
317
318 .sp
319 .ne 2
320 .na
321 \fB\fBADAT\fR\fR
322 .ad
323 .RS 8n
324 Send an authentication protocol message.
325 .RE
326
327 .sp
328 .ne 2
329 .na
330 \fB\fBALLO\fR\fR
331 .ad
332 .RS 8n
333 Allocate storage (vacuously).
334 .RE
335
336 .sp
337 .ne 2
338 .na
339 \fB\fBAUTH\fR\fR
340 .ad
341 .RS 8n
342 Specify an authentication protocol to be performed. Currently only
343 "\fBGSSAPI\fR" is supported.
344 .RE
345
346 .sp
347 .ne 2
348 .na
349 \fB\fBAPPE\fR\fR
350 .ad
351 .RS 8n
352 Append to a file.
353 .RE
354
355 .sp
356 .ne 2
357 .na
358 \fB\fBCCC\fR\fR
359 .ad
360 .RS 8n
361 Set the command channel protection mode to "\fBClear\fR" (no protection). Not
362 allowed if data channel is protected.
363 .RE
364
365 .sp
366 .ne 2
367 .na
368 \fB\fBCDUP\fR\fR
369 .ad
370 .RS 8n
371 Change to parent of current working directory.
372 .RE
373
374 .sp
375 .ne 2
376 .na
377 \fB\fBCWD\fR\fR
378 .ad
379 .RS 8n
380 Change working directory.
381 .RE
382
383 .sp
384 .ne 2
385 .na
386 \fB\fBDELE\fR\fR
387 .ad
388 .RS 8n
389 Delete a file.
390 .RE
391
392 .sp
393 .ne 2
394 .na
395 \fB\fBENC\fR\fR
396 .ad
397 .RS 8n
398 Send a privacy and integrity protected command (given in argument).
399 .RE
400
401 .sp
402 .ne 2
403 .na
404 \fB\fBEPRT\fR\fR
405 .ad
406 .RS 8n
407 Specify extended address for the transport connection.
408 .RE
409
410 .sp
411 .ne 2
412 .na
413 \fB\fBEPSV\fR\fR
414 .ad
415 .RS 8n
416 Extended passive command request.
417 .RE
418
419 .sp
420 .ne 2
421 .na
422 \fB\fBHELP\fR\fR
423 .ad
424 .RS 8n
425 Give help information.
426 .RE
427
428 .sp
429 .ne 2
430 .na
431 \fB\fBLIST\fR\fR
432 .ad
433 .RS 8n
434 Give list files in a directory (\fBls\fR \fB-lA\fR).
435 .RE
436
437 .sp
438 .ne 2
439 .na
440 \fB\fBLPRT\fR\fR
441 .ad
442 .RS 8n
443 Specify long address for the transport connection.
444 .RE
445
446 .sp
447 .ne 2
448 .na
449 \fB\fBLPSV\fR\fR
450 .ad
451 .RS 8n
452 Long passive command request.
453 .RE
454
455 .sp
456 .ne 2
457 .na
458 \fB\fBMIC\fR\fR
459 .ad
460 .RS 8n
461 Send an integrity protected command (given in argument).
462 .RE
463
464 .sp
465 .ne 2
466 .na
467 \fB\fBMKD\fR\fR
468 .ad
469 .RS 8n
470 Make a directory.
471 .RE
472
473 .sp
474 .ne 2
475 .na
476 \fB\fBMDTM\fR\fR
477 .ad
478 .RS 8n
479 Show last time file modified.
480 .RE
481
482 .sp
483 .ne 2
484 .na
485 \fB\fBMODE\fR\fR
486 .ad
487 .RS 8n
488 Specify data transfer \fImode\fR.
489 .RE
490
491 .sp
492 .ne 2
493 .na
494 \fB\fBNLST\fR\fR
495 .ad
496 .RS 8n
497 Give name list of files in directory (\fBls\fR).
498 .RE
499
500 .sp
501 .ne 2
502 .na
503 \fB\fBNOOP\fR\fR
504 .ad
505 .RS 8n
506 Do nothing.
507 .RE
508
509 .sp
510 .ne 2
511 .na
512 \fB\fBPASS\fR\fR
513 .ad
514 .RS 8n
515 Specify password.
516 .RE
517
518 .sp
519 .ne 2
520 .na
521 \fB\fBPASV\fR\fR
522 .ad
523 .RS 8n
524 Prepare for server-to-server transfer.
525 .RE
526
527 .sp
528 .ne 2
529 .na
530 \fB\fBPBSZ\fR\fR
531 .ad
532 .RS 8n
533 Specify a protection buffer size.
534 .RE
535
536 .sp
537 .ne 2
538 .na
539 \fB\fBPROT\fR\fR
540 .ad
541 .RS 8n
542 Specify a protection level under which to protect data transfers. Allowed
543 arguments:
544 .sp
545 .ne 2
546 .na
547 \fB\fBclear\fR\fR
548 .ad
549 .RS 11n
550 No protection.
551 .RE
552
553 .sp
554 .ne 2
555 .na
556 \fB\fBsafe\fR\fR
557 .ad
558 .RS 11n
559 Integrity protection
560 .RE
561
562 .sp
563 .ne 2
564 .na
565 \fB\fBprivate\fR\fR
566 .ad
567 .RS 11n
568 Integrity and encryption protection
569 .RE
570
571 .RE
572
573 .sp
574 .ne 2
575 .na
576 \fB\fBPORT\fR\fR
577 .ad
578 .RS 8n
579 Specify data connection port.
580 .RE
581
582 .sp
583 .ne 2
584 .na
585 \fB\fBPWD\fR\fR
586 .ad
587 .RS 8n
588 Print the current working directory.
589 .RE
590
591 .sp
592 .ne 2
593 .na
594 \fB\fBQUIT\fR\fR
595 .ad
596 .RS 8n
597 Terminate session.
598 .RE
599
600 .sp
601 .ne 2
602 .na
603 \fB\fBREST\fR\fR
604 .ad
605 .RS 8n
606 Restart incomplete transfer.
607 .RE
608
609 .sp
610 .ne 2
611 .na
612 \fB\fBRETR\fR\fR
613 .ad
614 .RS 8n
615 Retrieve a file.
616 .RE
617
618 .sp
619 .ne 2
620 .na
621 \fB\fBRMD\fR\fR
622 .ad
623 .RS 8n
624 Remove a directory.
625 .RE
626
627 .sp
628 .ne 2
629 .na
630 \fB\fBRNFR\fR\fR
631 .ad
632 .RS 8n
633 Specify rename-from file name.
634 .RE
635
636 .sp
637 .ne 2
638 .na
639 \fB\fBRNTO\fR\fR
640 .ad
641 .RS 8n
642 Specify rename-to file name.
643 .RE
644
645 .sp
646 .ne 2
647 .na
648 \fB\fBSITE\fR\fR
649 .ad
650 .RS 8n
651 Use nonstandard commands.
652 .RE
653
654 .sp
655 .ne 2
656 .na
657 \fB\fBSIZE\fR\fR
658 .ad
659 .RS 8n
660 Return size of file.
661 .RE
662
663 .sp
664 .ne 2
665 .na
666 \fB\fBSTAT\fR\fR
667 .ad
668 .RS 8n
669 Return status of server.
670 .RE
671
672 .sp
673 .ne 2
674 .na
675 \fB\fBSTOR\fR\fR
676 .ad
677 .RS 8n
678 Store a file.
679 .RE
680
681 .sp
682 .ne 2
683 .na
684 \fB\fBSTOU\fR\fR
685 .ad
686 .RS 8n
687 Store a file with a unique name.
688 .RE
689
690 .sp
691 .ne 2
692 .na
693 \fB\fBSTRU\fR\fR
694 .ad
695 .RS 8n
696 Specify data transfer \fIstructure\fR.
697 .RE
698
699 .sp
700 .ne 2
701 .na
702 \fB\fBSYST\fR\fR
703 .ad
704 .RS 8n
705 Show operating system type of server system.
706 .RE
707
708 .sp
709 .ne 2
710 .na
711 \fB\fBTYPE\fR\fR
712 .ad
713 .RS 8n
714 Specify data transfer \fBtype\fR.
715 .RE
716
717 .sp
718 .ne 2
719 .na
720 \fB\fBUSER\fR\fR
721 .ad
722 .RS 8n
723 Specify user name.
724 .RE
725
726 .sp
727 .ne 2
728 .na
729 \fB\fBXCUP\fR\fR
730 .ad
731 .RS 8n
732 Change to parent of current working directory. This request is deprecated.
733 .RE
734
735 .sp
736 .ne 2
737 .na
738 \fB\fBXCWD\fR\fR
739 .ad
740 .RS 8n
741 Change working directory. This request is deprecated.
742 .RE
743
744 .sp
745 .ne 2
746 .na
747 \fB\fBXMKD\fR\fR
748 .ad
749 .RS 8n
750 Make a directory. This request is deprecated.
751 .RE
752
753 .sp
754 .ne 2
755 .na
756 \fB\fBXPWD\fR\fR
757 .ad
758 .RS 8n
759 Print the current working directory. This request is deprecated.
760 .RE
761
762 .sp
763 .ne 2
764 .na
765 \fB\fBXRMD\fR\fR
766 .ad
767 .RS 8n
768 Remove a directory. This request is deprecated.
769 .RE
770
771 .sp
772 .LP
773 The following nonstandard or UNIX specific commands are supported by the
774 \fBSITE\fR request:
775 .sp
776 .ne 2
777 .na
778 \fB\fBALIAS\fR\fR
779 .ad
780 .RS 15n
781 List aliases.
782 .RE
783
784 .sp
785 .ne 2
786 .na
787 \fB\fBCDPATH\fR\fR
788 .ad
789 .RS 15n
790 List the search path used when changing directories.
791 .RE
792
793 .sp
794 .ne 2
795 .na
796 \fB\fBCHECKMETHOD\fR\fR
797 .ad
798 .RS 15n
799 List or set the \fBchecksum\fR method.
800 .RE
801
802 .sp
803 .ne 2
804 .na
805 \fB\fBCHECKSUM\fR\fR
806 .ad
807 .RS 15n
808 Give the \fBchecksum\fR of a file.
809 .RE
810
811 .sp
812 .ne 2
813 .na
814 \fB\fBCHMOD\fR\fR
815 .ad
816 .RS 15n
817 Change mode of a file. For example, \fBSITE CHMOD 755 \fIfilename\fR\fR.
818 .RE
819
820 .sp
821 .ne 2
822 .na
823 \fB\fBEXEC\fR\fR
824 .ad
825 .RS 15n
826 Execute a program. For example, \fBSITE EXEC program params\fR
827 .RE
828
829 .sp
830 .ne 2
831 .na
832 \fB\fBGPASS\fR\fR
833 .ad
834 .RS 15n
835 Give special group access password. For example, \fBSITE GPASS bar\fR.
836 .RE
837
838 .sp
839 .ne 2
840 .na
841 \fB\fBGROUP\fR\fR
842 .ad
843 .RS 15n
844 Request special group access. For example, \fBSITE GROUP foo\fR.
845 .RE
846
847 .sp
848 .ne 2
849 .na
850 \fB\fBGROUPS\fR\fR
851 .ad
852 .RS 15n
853 List supplementary group membership.
854 .RE
855
856 .sp
857 .ne 2
858 .na
859 \fB\fBHELP\fR\fR
860 .ad
861 .RS 15n
862 Give help information. For example, \fBSITE HELP\fR.
863 .RE
864
865 .sp
866 .ne 2
867 .na
868 \fB\fBIDLE\fR\fR
869 .ad
870 .RS 15n
871 Set idle-timer. For example, \fBSITE IDLE 60\fR.
872 .RE
873
874 .sp
875 .ne 2
876 .na
877 \fB\fBUMASK\fR\fR
878 .ad
879 .RS 15n
880 Change \fBumask\fR. For example, \fBSITE UMASK 002\fR.
881 .RE
882
883 .sp
884 .LP
885 The remaining FTP requests specified in \fIRFC 959\fR are recognized, but not
886 implemented.
887 .sp
888 .LP
889 The \fBFTP\fR server will abort an active file transfer only when the
890 \fBABOR\fR command is preceded by a Telnet "Interrupt Process" (IP) signal and
891 a Telnet "Synch" signal in the command Telnet stream, as described in \fIRFC
892 959\fR. If a \fBSTAT\fR command is received during a data transfer that has
893 been preceded by a Telnet IP and Synch, transfer status will be returned.
894 .sp
895 .LP
896 \fBin.ftpd\fR interprets file names according to the "globbing" conventions
897 used by \fBcsh\fR(1). This allows users to utilize the metacharacters: \fB* ? [
898 ] { } ~\fR
899 .sp
900 .LP
901 \fBin.ftpd\fR authenticates users according to the following rules:
902 .sp
903 .LP
904 First, the user name must be in the password data base, the location of which
905 is specified in \fBnsswitch.conf\fR(4). An encrypted password (an
906 authentication token in PAM) must be present. A password must always be
907 provided by the client before any file operations can be performed. For
908 non-anonymous users, the PAM framework is used to verify that the correct
909 password was entered. See \fBSECURITY\fR below.
910 .sp
911 .LP
912 Second, the user name must not appear in either the \fB/etc/ftpusers\fR or the
913 \fB/etc/ftpd/ftpusers\fR file. Use of the \fB/etc/ftpusers\fR files is
914 deprecated, although it is still supported.
915 .sp
916 .LP
917 Third, the users must have a standard shell returned by \fBgetusershell\fR(3C).
918 .sp
919 .LP
920 Fourth, if the user name is \fBanonymous\fR or \fBftp\fR, an anonymous ftp
921 account must be present in the password file for user \fBftp\fR. Use
922 \fBftpconfig\fR(1M) to create the anonymous \fBftp\fR account and home
923 directory tree.
924 .sp
925 .LP
926 Fifth, if the GSS-API is used to authenticate the user, then
927 \fBgss_auth_rules\fR(5) determines user access without a password needed.
928 .sp
929 .LP
930 The FTP Server supports virtual hosting, which can be configured by using
931 \fBftpaddhost\fR(1M).
932 .sp
933 .LP
934 The FTP Server does not support sublogins.
935 .SS "General FTP Extensions"
936 .sp
937 .LP
938 The FTP Server has certain extensions. If the user specifies a filename that
939 does not exist with a \fBRETR\fR (retrieve) command, the FTP Server looks for a
940 conversion to change a file or directory that does into the one requested. See
941 \fBftpconversions\fR(4).
942 .sp
943 .LP
944 By convention, anonymous users supply their email address when prompted for a
945 password. The FTP Server attempts to validate these email addresses. A user
946 whose FTP client hangs on a long reply, for example, a multiline response,
947 should use a dash (-) as the first character of the user's password, as this
948 disables the Server's \fBlreply()\fR function.
949 .sp
950 .LP
951 The FTP Server can also log all file transmission and reception. See
952 \fBxferlog\fR(4) for details of the log file format.
953 .sp
954 .LP
955 The \fBSITE EXEC\fR command may be used to execute commands in the
956 \fB/bin/ftp-exec\fR directory. Take care that you understand the security
957 implications before copying any command into the \fB/bin/ftp-exec\fR directory.
958 For example, do not copy in \fB/bin/sh\fR. This would enable the user to
959 execute other commands through the use of \fBsh -c\fR. If you have doubts about
960 this feature, do not create the \fB/bin/ftp-exec\fR directory.
961 .SH SECURITY
962 .sp
963 .LP
964 For non-anonymous users, \fBin.ftpd\fR uses \fBpam\fR(3PAM) for authentication,
965 account management, and session management, and can use Kerberos v5 for
966 authentication.
967 .sp
968 .LP
969 The \fBPAM\fR configuration policy, listed through \fB/etc/pam.conf\fR,
970 specifies the module to be used for \fBin.ftpd\fR. Here is a partial
971 \fBpam.conf\fR file with entries for the \fBin.ftpd\fR command using the UNIX
972 authentication, account management, and session management module.
973 .sp
974 .in +2
975 .nf
976 ftp auth requisite pam_authtok_get.so.1
977 ftp auth required pam_dhkeys.so.1
978 ftp auth required pam_unix_auth.so.1
979
980 ftp account required pam_unix_roles.so.1
981 ftp account required pam_unix_projects.so.1
982 ftp account required pam_unix_account.so.1
983
984 ftp session required pam_unix_session.so.1
985 .fi
986 .in -2
987
988 .sp
989 .LP
990 If there are no entries for the \fBftp\fR service, then the entries for the
991 "other" service will be used. Unlike \fBlogin\fR, \fBpasswd\fR, and other
992 commands, the \fBftp\fR protocol will only support a single password. Using
993 multiple modules will prevent \fBin.ftpd\fR from working properly.
994 .sp
995 .LP
996 To use Kerberos for authentication, a \fBhost/\fR\fI<FQDN>\fR Kerberos
997 principal must exist for each Fully Qualified Domain Name associated with the
998 \fBin.ftpd\fR server. Each of these \fBhost/\fR\fI<FQDN>\fR principals must
999 have a \fBkeytab\fR entry in the \fB/etc/krb5/krb5.keytab\fR file on the
1000 \fBin.ftpd\fR server. An example principal might be:
1001 .sp
1002 .LP
1003 \fBhost/bigmachine.eng.example.com\fR
1004 .sp
1005 .LP
1006 See \fBkadmin\fR(1M) or \fBgkadmin\fR(1M) for instructions on adding a
1007 principal to a \fBkrb5.keytab\fR file. See \fI\fR for a discussion of Kerberos
1008 authentication.
1009 .sp
1010 .LP
1011 For anonymous users, who by convention supply their email address as a
1012 password, \fBin.ftpd\fR validates passwords according to the \fBpasswd-check\fR
1013 capability in the \fBftpaccess\fR file.
1014 .SH USAGE
1015 .sp
1016 .LP
1017 The \fBin.ftpd\fR command is IPv6-enabled. See \fBip6\fR(7P).
1018 .SH FILES
1019 .sp
1020 .ne 2
1021 .na
1022 \fB\fB/etc/ftpd/ftpaccess\fR\fR
1023 .ad
1024 .sp .6
1025 .RS 4n
1026 FTP Server configuration file
1027 .RE
1028
1029 .sp
1030 .ne 2
1031 .na
1032 \fB\fB/etc/ftpd/ftpconversions\fR\fR
1033 .ad
1034 .sp .6
1035 .RS 4n
1036 FTP Server conversions database
1037 .RE
1038
1039 .sp
1040 .ne 2
1041 .na
1042 \fB\fB/etc/ftpd/ftpgroups\fR\fR
1043 .ad
1044 .sp .6
1045 .RS 4n
1046 FTP Server enhanced group access file
1047 .RE
1048
1049 .sp
1050 .ne 2
1051 .na
1052 \fB\fB/etc/ftpd/ftphosts\fR\fR
1053 .ad
1054 .sp .6
1055 .RS 4n
1056 FTP Server individual user host access file
1057 .RE
1058
1059 .sp
1060 .ne 2
1061 .na
1062 \fB\fB/etc/ftpd/ftpservers\fR\fR
1063 .ad
1064 .sp .6
1065 .RS 4n
1066 FTP Server virtual hosting configuration file.
1067 .RE
1068
1069 .sp
1070 .ne 2
1071 .na
1072 \fB\fB/etc/ftpd/ftpusers\fR\fR
1073 .ad
1074 .sp .6
1075 .RS 4n
1076 File listing users for whom FTP login privileges are disallowed.
1077 .RE
1078
1079 .sp
1080 .ne 2
1081 .na
1082 \fB\fB/etc/ftpusers\fR\fR
1083 .ad
1084 .sp .6
1085 .RS 4n
1086 File listing users for whom FTP login privileges are disallowed. This use of
1087 this file is deprecated.
1088 .RE
1089
1090 .sp
1091 .ne 2
1092 .na
1093 \fB\fB/var/log/xferlog\fR\fR
1094 .ad
1095 .sp .6
1096 .RS 4n
1097 FTP Server transfer log file
1098 .RE
1099
1100 .sp
1101 .ne 2
1102 .na
1103 \fB\fB/var/run/ftp.pids-\fIclassname\fR\fR\fR
1104 .ad
1105 .sp .6
1106 .RS 4n
1107
1108 .RE
1109
1110 .sp
1111 .ne 2
1112 .na
1113 \fB\fB/var/adm/wtmpx\fR\fR
1114 .ad
1115 .sp .6
1116 .RS 4n
1117 Extended database files that contain the history of user access and accounting
1118 information for the \fBwtmpx\fR database.
1119 .RE
1120
1121 .SH ATTRIBUTES
1122 .sp
1123 .LP
1124 See \fBattributes\fR(5) for descriptions of the following attributes:
1125 .sp
1126
1127 .sp
1128 .TS
1129 box;
1130 c | c
1131 l | l .
1132 ATTRIBUTE TYPE ATTRIBUTE VALUE
1133 _
1134 Interface Stability External
1135 .TE
1136
1137 .SH SEE ALSO
1138 .sp
1139 .LP
1140 \fBcsh\fR(1), \fBftp\fR(1), \fBftpcount\fR(1), \fBftpwho\fR(1), \fBls\fR(1),
1141 \fBsvcs\fR(1), \fBftpaddhost\fR(1M), \fBftpconfig\fR(1M), \fBftprestart\fR(1M),
1142 \fBftpshut\fR(1M), \fBgkadmin\fR(1M), \fBinetadm\fR(1M), \fBinetd\fR(1M),
1143 \fBkadmin\fR(1M), \fBsvcadm\fR(1M), \fBsyslogd\fR(1M), \fBchroot\fR(2),
1144 \fBumask\fR(2), \fBgetpwent\fR(3C), \fBgetusershell\fR(3C), \fBsyslog\fR(3C),
1145 \fBftpaccess\fR(4), \fBftpconversions\fR(4), \fBftpgroups\fR(4),
1146 \fBftphosts\fR(4), \fBftpservers\fR(4), \fBftpusers\fR(4), \fBgroup\fR(4),
1147 \fBpasswd\fR(4), \fBservices\fR(4), \fBxferlog\fR(4), \fBwtmpx\fR(4),
1148 \fBattributes\fR(5), \fBgss_auth_rules\fR(5), \fBpam_authtok_check\fR(5),
1149 \fBpam_authtok_get\fR(5), \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5),
1150 \fBpam_passwd_auth\fR(5), \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5),
1151 \fBpam_unix_session\fR(5), \fBsmf\fR(5), \fBip6\fR(7P)
1152 .sp
1153 .LP
1154 \fI\fR
1155 .sp
1156 .LP
1157 Allman, M., Ostermann, S., and Metz, C. \fIRFC 2428, FTP Extensions for IPv6
1158 and NATs\fR. The Internet Society. September 1998.
1159 .sp
1160 .LP
1161 Piscitello, D. \fIRFC 1639, FTP Operation Over Big Address Records (FOOBAR)\fR.
1162 Network Working Group. June 1994.
1163 .sp
1164 .LP
1165 Postel, Jon, and Joyce Reynolds. \fIRFC 959, File Transfer Protocol (FTP )\fR.
1166 Network Information Center. October 1985.
1167 .sp
1168 .LP
1169 St. Johns, Mike. \fIRFC 931, Authentication Server\fR. Network Working Group.
1170 January 1985.
1171 .sp
1172 .LP
1173 Linn, J., \fIGeneric Security Service Application Program Interface Version 2,
1174 Update 1, RFC 2743.\fR The Internet Society, January 2000.
1175 .sp
1176 .LP
1177 Horowitz, M., Lunt, S., \fIFTP Security Extensions, RFC 2228\fR. The Internet
1178 Society, October 1997.
1179 .SH DIAGNOSTICS
1180 .sp
1181 .LP
1182 \fBin.ftpd\fR logs various errors to \fBsyslogd\fR(1M), with a facility code of
1183 daemon.
1184 .SH NOTES
1185 .sp
1186 .LP
1187 The anonymous \fBFTP\fR account is inherently dangerous and should be avoided
1188 when possible.
1189 .sp
1190 .LP
1191 The \fBFTP\fR Server must perform certain tasks as the superuser, for example,
1192 the creation of sockets with privileged port numbers. It maintains an effective
1193 user \fBID\fR of the logged in user, reverting to the superuser only when
1194 necessary.
1195 .sp
1196 .LP
1197 The \fBFTP\fR Server no longer supports the \fB/etc/default/ftpd\fR file.
1198 Instead of using \fBUMASK=nnn\fR to set the umask, use the \fBdefumask\fR
1199 capability in the \fBftpaccess\fR file. The banner greeting text capability is
1200 also now set through the \fBftpaccess\fR file by using the greeting text
1201 capability instead of by using \fBBANNER="..."\fR. However, unlike the
1202 \fBBANNER\fR string, the greeting text string is not passed to the shell for
1203 evaluation. See \fBftpaccess\fR(4).
1204 .sp
1205 .LP
1206 The \fBpam_unix\fR(5) module is no longer supported. Similar functionality is
1207 provided by \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5),
1208 \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_passwd_auth\fR(5),
1209 \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5), and
1210 \fBpam_unix_session\fR(5).
1211 .sp
1212 .LP
1213 The \fBin.ftpd\fR service is managed by the service management facility,
1214 \fBsmf\fR(5), under the service identifier:
1215 .sp
1216 .in +2
1217 .nf
1218 svc:/network/ftp
1219 .fi
1220 .in -2
1221 .sp
1222
1223 .sp
1224 .LP
1225 Administrative actions on this service, such as enabling, disabling, or
1226 requesting restart, can be performed using \fBsvcadm\fR(1M). Responsibility for
1227 initiating and restarting this service is delegated to \fBinetd\fR(1M). Use
1228 \fBinetadm\fR(1M) to make configuration changes and to view configuration
1229 information for this service. The service's status can be queried using the
1230 \fBsvcs\fR(1) command.