'\" te
.\" Copyright (C) 2004, Sun Microsystems, Inc. All Rights Reserved
.\" Copyright 1989 AT&T
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH IN.FTPD 1M "Nov 10, 2005"
.SH NAME
in.ftpd, ftpd \- File Transfer Protocol Server
.SH SYNOPSIS
.LP
.nf
\fBin.ftpd\fR [\fB-4\fR] [\fB-A\fR] [\fB-a\fR] [\fB-C\fR] [\fB-d\fR] [\fB-I\fR] [\fB-i\fR] [\fB-K\fR] [\fB-L\fR] [\fB-l\fR]
     [\fB-o\fR] [\fB-P\fR \fIdataport\fR] [\fB-p\fR \fIctrlport\fR] [\fB-Q\fR] [\fB-q\fR]
     [\fB-r\fR \fIrootdir\fR] [\fB-S\fR] [\fB-s\fR] [\fB-T\fR \fImaxtimeout\fR] [\fB-t\fR \fItimeout\fR]
     [\fB-u\fR \fIumask\fR] [\fB-V\fR] [\fB-v\fR] [\fB-W\fR] [\fB-w\fR] [\fB-X\fR]
.fi

.SH DESCRIPTION
.sp
.LP
\fBin.ftpd\fR is the Internet File Transfer Protocol (FTP) server process. The
server may be invoked by the Internet daemon \fBinetd\fR(1M) each time a
connection to the FTP service is made or run as a standalone server. See
\fBservices\fR(4).
.SH OPTIONS
.sp
.LP
\fBin.ftpd\fR supports the following options:
.sp
.ne 2
.na
\fB\fB-4\fR\fR
.ad
.RS 17n
When running in standalone mode, listen for connections on an \fBAF_INET\fR
type socket. The default is to listen on an \fBAF_INET6\fR type socket.
.RE

.sp
.ne 2
.na
\fB\fB-a\fR\fR
.ad
.RS 17n
Enables use of the \fBftpaccess\fR(4) file.
.RE

.sp
.ne 2
.na
\fB\fB-A\fR\fR
.ad
.RS 17n
Disables use of the \fBftpaccess\fR(4) file. Use of \fBftpaccess\fR is disabled
by default.
.RE

.sp
.ne 2
.na
\fB\fB-C\fR\fR
.ad
.RS 17n
Non-anonymous users need local credentials (for example, to authenticate to
remote fileservers). So they should be prompted for a password unless they
forwarded credentials as part of authentication.
.RE

.sp
.ne 2
.na
\fB\fB-d\fR\fR
.ad
.RS 17n
Writes debugging information to \fBsyslogd\fR(1M).
.RE

.sp
.ne 2
.na
\fB\fB-i\fR\fR
.ad
.RS 17n
Logs the names of all files received by the \fBFTP\fR Server to
\fBxferlog\fR(4). You can override the \fB-i\fR option through use of the
\fBftpaccess\fR(4) file.
.RE

.sp
.ne 2
.na
\fB\fB-I\fR\fR
.ad
.RS 17n
Disables the use of \fBAUTH\fR and \fBident\fR to determine the username on the
client. See \fIRFC 931\fR. The \fBFTP\fR Server is built not to use \fBAUTH\fR
and \fBident\fR.
.RE

.sp
.ne 2
.na
\fB\fB-K\fR\fR
.ad
.RS 17n
Connections are only allowed for users who can authenticate through the
\fBftp\fR \fBAUTH\fR mechanism. (Anonymous \fBftp\fR may also be allowed if it
is configured.) \fBftpd\fR will ask the user for a password if one is required.
.RE

.sp
.ne 2
.na
\fB\fB-l\fR\fR
.ad
.RS 17n
Logs each \fBFTP\fR session to \fBsyslogd\fR(1M).
.RE

.sp
.ne 2
.na
\fB\fB-L\fR\fR
.ad
.RS 17n
Logs all commands sent to \fBin.ftpd\fR to \fBsyslogd\fR(1M). When the \fB-L\fR
option is used, command logging will be on by default, once the FTP Server is
invoked.
Because the \fBFTP\fR Server includes \fBUSER\fR commands in those
logged, if a user accidentally enters a password instead of the username, the
password will be logged. You can override the \fB-L\fR option through use of
the \fBftpaccess\fR(4) file.
.RE

.sp
.ne 2
.na
\fB\fB-o\fR\fR
.ad
.RS 17n
Logs the names of all files transmitted by the FTP Server to \fBxferlog\fR(4).
You can override the \fB-o\fR option through use of the \fBftpaccess\fR(4)
file.
.RE

.sp
.ne 2
.na
\fB\fB-P\fR \fIdataport\fR\fR
.ad
.RS 17n
The FTP Server determines the port number by looking in the \fBservices\fR(4)
file for an entry for the \fBftp-data\fR service. If there is no entry, the
daemon uses the port just prior to the control connection port. Use the
\fB-P\fR option to specify the data port number.
.RE

.sp
.ne 2
.na
\fB\fB-p\fR \fIctrlport\fR\fR
.ad
.RS 17n
When run in standalone mode, the \fBFTP\fR Server determines the control port
number by looking in the \fBservices\fR(4) file for an entry for the \fBftp\fR
service. Use the \fB-p\fR option to specify the control port number.
.RE

.sp
.ne 2
.na
\fB\fB-Q\fR\fR
.ad
.RS 17n
Disables \fBPID\fR files. This disables user limits. Large, busy sites that do
not want to impose limits on the number of concurrent users can use this option
to disable \fBPID\fR files.
.RE

.sp
.ne 2
.na
\fB\fB-q\fR\fR
.ad
.RS 17n
Uses \fBPID\fR files. The \fBlimit\fR directive uses \fBPID\fR files to
determine the number of current users in each access class. By default,
\fBPID\fR files are used.
.RE

.sp
.ne 2
.na
\fB\fB-r\fR \fIrootdir\fR\fR
.ad
.RS 17n
\fBchroot\fR(2) to \fIrootdir\fR upon loading. Use this option to improve
system security.
It limits the files that can be damaged should a break-in
occur through the daemon. This option is similar to anonymous \fBFTP\fR.
Additional files are needed, which vary from system to system.
.RE

.sp
.ne 2
.na
\fB\fB-S\fR\fR
.ad
.RS 17n
Places the daemon in standalone operation mode. The daemon runs in the
background. This is useful for startup scripts that run during system
initialization. See \fBinit.d\fR(4).
.RE

.sp
.ne 2
.na
\fB\fB-s\fR\fR
.ad
.RS 17n
Places the daemon in standalone operation mode. The daemon runs in the
foreground. This is useful when run from \fB/etc/inittab\fR by \fBinit\fR(1M).
.RE

.sp
.ne 2
.na
\fB\fB-T\fR \fImaxtimeout\fR\fR
.ad
.RS 17n
Sets the maximum allowable timeout period to \fImaxtimeout\fR seconds. The
default maximum timeout limit is 7200 seconds (two hours). You can override the
\fB-T\fR option through use of the \fBftpaccess\fR(4) file.
.RE

.sp
.ne 2
.na
\fB\fB-t\fR \fItimeout\fR\fR
.ad
.RS 17n
Sets the inactivity timeout period to \fItimeout\fR seconds. The default
timeout period is 900 seconds (15 minutes). You can override the \fB-t\fR
option through use of the \fBftpaccess\fR(4) file.
.RE

.sp
.ne 2
.na
\fB\fB-u\fR \fIumask\fR\fR
.ad
.RS 17n
Sets the default \fBumask\fR to \fIumask\fR.
.RE

.sp
.ne 2
.na
\fB\fB-V\fR\fR
.ad
.RS 17n
Displays copyright and version information, then terminates.
.RE

.sp
.ne 2
.na
\fB\fB-v\fR\fR
.ad
.RS 17n
Writes debugging information to \fBsyslogd\fR(1M).
.RE

.sp
.ne 2
.na
\fB\fB-W\fR\fR
.ad
.RS 17n
Does not record user \fBlogin\fR and \fBlogout\fR in the \fBwtmpx\fR(4) file.
.RE

.sp
.ne 2
.na
\fB\fB-w\fR\fR
.ad
.RS 17n
Records each user \fBlogin\fR and \fBlogout\fR in the \fBwtmpx\fR(4) file. By
default, logins and logouts are recorded.
.RE

.sp
.ne 2
.na
\fB\fB-X\fR\fR
.ad
.RS 17n
Writes the output from the \fB-i\fR and \fB-o\fR options to the
\fBsyslogd\fR(1M) file instead of \fBxferlog\fR(4). This allows the collection
of output from several hosts on one central loghost. You can override the
\fB-X\fR option through use of the \fBftpaccess\fR(4) file.
.RE

.SS "Requests"
.sp
.LP
The FTP Server currently supports the following \fBFTP\fR requests. Case is not
distinguished.
.sp
.ne 2
.na
\fB\fBABOR\fR\fR
.ad
.RS 8n
Abort previous command.
.RE

.sp
.ne 2
.na
\fB\fBADAT\fR\fR
.ad
.RS 8n
Send an authentication protocol message.
.RE

.sp
.ne 2
.na
\fB\fBALLO\fR\fR
.ad
.RS 8n
Allocate storage (vacuously).
.RE

.sp
.ne 2
.na
\fB\fBAUTH\fR\fR
.ad
.RS 8n
Specify an authentication protocol to be performed. Currently only
"\fBGSSAPI\fR" is supported.
.RE

.sp
.ne 2
.na
\fB\fBAPPE\fR\fR
.ad
.RS 8n
Append to a file.
.RE

.sp
.ne 2
.na
\fB\fBCCC\fR\fR
.ad
.RS 8n
Set the command channel protection mode to "\fBClear\fR" (no protection). Not
allowed if data channel is protected.
.RE

.sp
.ne 2
.na
\fB\fBCDUP\fR\fR
.ad
.RS 8n
Change to parent of current working directory.
.RE

.sp
.ne 2
.na
\fB\fBCWD\fR\fR
.ad
.RS 8n
Change working directory.
.RE

.sp
.ne 2
.na
\fB\fBDELE\fR\fR
.ad
.RS 8n
Delete a file.
.RE

.sp
.ne 2
.na
\fB\fBENC\fR\fR
.ad
.RS 8n
Send a privacy and integrity protected command (given in argument).
.RE

.sp
.ne 2
.na
\fB\fBEPRT\fR\fR
.ad
.RS 8n
Specify extended address for the transport connection.
.RE

.sp
.ne 2
.na
\fB\fBEPSV\fR\fR
.ad
.RS 8n
Extended passive command request.
.RE

.sp
.ne 2
.na
\fB\fBHELP\fR\fR
.ad
.RS 8n
Give help information.
.RE

.sp
.ne 2
.na
\fB\fBLIST\fR\fR
.ad
.RS 8n
Give a list of files in a directory (\fBls\fR \fB-lA\fR).
.RE

.sp
.ne 2
.na
\fB\fBLPRT\fR\fR
.ad
.RS 8n
Specify long address for the transport connection.
.RE

.sp
.ne 2
.na
\fB\fBLPSV\fR\fR
.ad
.RS 8n
Long passive command request.
.RE

.sp
.ne 2
.na
\fB\fBMIC\fR\fR
.ad
.RS 8n
Send an integrity protected command (given in argument).
.RE

.sp
.ne 2
.na
\fB\fBMKD\fR\fR
.ad
.RS 8n
Make a directory.
.RE

.sp
.ne 2
.na
\fB\fBMDTM\fR\fR
.ad
.RS 8n
Show last time file modified.
.RE

.sp
.ne 2
.na
\fB\fBMODE\fR\fR
.ad
.RS 8n
Specify data transfer \fImode\fR.
.RE

.sp
.ne 2
.na
\fB\fBNLST\fR\fR
.ad
.RS 8n
Give name list of files in directory (\fBls\fR).
.RE

.sp
.ne 2
.na
\fB\fBNOOP\fR\fR
.ad
.RS 8n
Do nothing.
.RE

.sp
.ne 2
.na
\fB\fBPASS\fR\fR
.ad
.RS 8n
Specify password.
.RE

.sp
.ne 2
.na
\fB\fBPASV\fR\fR
.ad
.RS 8n
Prepare for server-to-server transfer.
.RE

.sp
.ne 2
.na
\fB\fBPBSZ\fR\fR
.ad
.RS 8n
Specify a protection buffer size.
.RE

.sp
.ne 2
.na
\fB\fBPROT\fR\fR
.ad
.RS 8n
Specify a protection level under which to protect data transfers. Allowed
arguments:
.sp
.ne 2
.na
\fB\fBclear\fR\fR
.ad
.RS 11n
No protection.
.RE

.sp
.ne 2
.na
\fB\fBsafe\fR\fR
.ad
.RS 11n
Integrity protection
.RE

.sp
.ne 2
.na
\fB\fBprivate\fR\fR
.ad
.RS 11n
Integrity and encryption protection
.RE

.RE

.sp
.ne 2
.na
\fB\fBPORT\fR\fR
.ad
.RS 8n
Specify data connection port.
.RE

.sp
.ne 2
.na
\fB\fBPWD\fR\fR
.ad
.RS 8n
Print the current working directory.
.RE

.sp
.ne 2
.na
\fB\fBQUIT\fR\fR
.ad
.RS 8n
Terminate session.
.RE

.sp
.ne 2
.na
\fB\fBREST\fR\fR
.ad
.RS 8n
Restart incomplete transfer.
.RE

.sp
.ne 2
.na
\fB\fBRETR\fR\fR
.ad
.RS 8n
Retrieve a file.
.RE

.sp
.ne 2
.na
\fB\fBRMD\fR\fR
.ad
.RS 8n
Remove a directory.
.RE

.sp
.ne 2
.na
\fB\fBRNFR\fR\fR
.ad
.RS 8n
Specify rename-from file name.
.RE

.sp
.ne 2
.na
\fB\fBRNTO\fR\fR
.ad
.RS 8n
Specify rename-to file name.
.RE

.sp
.ne 2
.na
\fB\fBSITE\fR\fR
.ad
.RS 8n
Use nonstandard commands.
.RE

.sp
.ne 2
.na
\fB\fBSIZE\fR\fR
.ad
.RS 8n
Return size of file.
.RE

.sp
.ne 2
.na
\fB\fBSTAT\fR\fR
.ad
.RS 8n
Return status of server.
.RE

.sp
.ne 2
.na
\fB\fBSTOR\fR\fR
.ad
.RS 8n
Store a file.
.RE

.sp
.ne 2
.na
\fB\fBSTOU\fR\fR
.ad
.RS 8n
Store a file with a unique name.
.RE

.sp
.ne 2
.na
\fB\fBSTRU\fR\fR
.ad
.RS 8n
Specify data transfer \fIstructure\fR.
.RE

.sp
.ne 2
.na
\fB\fBSYST\fR\fR
.ad
.RS 8n
Show operating system type of server system.
.RE

.sp
.ne 2
.na
\fB\fBTYPE\fR\fR
.ad
.RS 8n
Specify data transfer \fBtype\fR.
.RE

.sp
.ne 2
.na
\fB\fBUSER\fR\fR
.ad
.RS 8n
Specify user name.
.RE

.sp
.ne 2
.na
\fB\fBXCUP\fR\fR
.ad
.RS 8n
Change to parent of current working directory. This request is deprecated.
.RE

.sp
.ne 2
.na
\fB\fBXCWD\fR\fR
.ad
.RS 8n
Change working directory. This request is deprecated.
.RE

.sp
.ne 2
.na
\fB\fBXMKD\fR\fR
.ad
.RS 8n
Make a directory. This request is deprecated.
.RE

.sp
.ne 2
.na
\fB\fBXPWD\fR\fR
.ad
.RS 8n
Print the current working directory. This request is deprecated.
.RE

.sp
.ne 2
.na
\fB\fBXRMD\fR\fR
.ad
.RS 8n
Remove a directory. This request is deprecated.
.RE

.sp
.LP
The following nonstandard or UNIX specific commands are supported by the
\fBSITE\fR request:
.sp
.ne 2
.na
\fB\fBALIAS\fR\fR
.ad
.RS 15n
List aliases.
.RE

.sp
.ne 2
.na
\fB\fBCDPATH\fR\fR
.ad
.RS 15n
List the search path used when changing directories.
.RE

.sp
.ne 2
.na
\fB\fBCHECKMETHOD\fR\fR
.ad
.RS 15n
List or set the \fBchecksum\fR method.
.RE

.sp
.ne 2
.na
\fB\fBCHECKSUM\fR\fR
.ad
.RS 15n
Give the \fBchecksum\fR of a file.
.RE

.sp
.ne 2
.na
\fB\fBCHMOD\fR\fR
.ad
.RS 15n
Change mode of a file. For example, \fBSITE CHMOD 755 \fIfilename\fR\fR.
.RE

.sp
.ne 2
.na
\fB\fBEXEC\fR\fR
.ad
.RS 15n
Execute a program. For example, \fBSITE EXEC program params\fR
.RE

.sp
.ne 2
.na
\fB\fBGPASS\fR\fR
.ad
.RS 15n
Give special group access password. For example, \fBSITE GPASS bar\fR.
.RE

.sp
.ne 2
.na
\fB\fBGROUP\fR\fR
.ad
.RS 15n
Request special group access. For example, \fBSITE GROUP foo\fR.
.RE

.sp
.ne 2
.na
\fB\fBGROUPS\fR\fR
.ad
.RS 15n
List supplementary group membership.
.RE

.sp
.ne 2
.na
\fB\fBHELP\fR\fR
.ad
.RS 15n
Give help information. For example, \fBSITE HELP\fR.
.RE

.sp
.ne 2
.na
\fB\fBIDLE\fR\fR
.ad
.RS 15n
Set idle-timer. For example, \fBSITE IDLE 60\fR.
.RE

.sp
.ne 2
.na
\fB\fBUMASK\fR\fR
.ad
.RS 15n
Change \fBumask\fR. For example, \fBSITE UMASK 002\fR.
.RE

.sp
.LP
The remaining FTP requests specified in \fIRFC 959\fR are recognized, but not
implemented.
.sp
.LP
The \fBFTP\fR server will abort an active file transfer only when the
\fBABOR\fR command is preceded by a Telnet "Interrupt Process" (IP) signal and
a Telnet "Synch" signal in the command Telnet stream, as described in \fIRFC
959\fR. If a \fBSTAT\fR command is received during a data transfer that has
been preceded by a Telnet IP and Synch, transfer status will be returned.
.sp
.LP
\fBin.ftpd\fR interprets file names according to the "globbing" conventions
used by \fBcsh\fR(1). This allows users to utilize the metacharacters: \fB* ? [
] { } ~\fR
.sp
.LP
\fBin.ftpd\fR authenticates users according to the following rules:
.sp
.LP
First, the user name must be in the password data base, the location of which
is specified in \fBnsswitch.conf\fR(4).
An encrypted password (an
authentication token in PAM) must be present. A password must always be
provided by the client before any file operations can be performed. For
non-anonymous users, the PAM framework is used to verify that the correct
password was entered. See \fBSECURITY\fR below.
.sp
.LP
Second, the user name must not appear in either the \fB/etc/ftpusers\fR or the
\fB/etc/ftpd/ftpusers\fR file. Use of the \fB/etc/ftpusers\fR file is
deprecated, although it is still supported.
.sp
.LP
Third, the user must have a standard shell returned by \fBgetusershell\fR(3C).
.sp
.LP
Fourth, if the user name is \fBanonymous\fR or \fBftp\fR, an anonymous ftp
account must be present in the password file for user \fBftp\fR. Use
\fBftpconfig\fR(1M) to create the anonymous \fBftp\fR account and home
directory tree.
.sp
.LP
Fifth, if the GSS-API is used to authenticate the user, then
\fBgss_auth_rules\fR(5) determines user access without a password needed.
.sp
.LP
The FTP Server supports virtual hosting, which can be configured by using
\fBftpaddhost\fR(1M).
.sp
.LP
The FTP Server does not support sublogins.
.SS "General FTP Extensions"
.sp
.LP
The FTP Server has certain extensions. If the user specifies a filename that
does not exist with a \fBRETR\fR (retrieve) command, the FTP Server looks for a
conversion to change a file or directory that does exist into the one requested.
See \fBftpconversions\fR(4).
.sp
.LP
By convention, anonymous users supply their email address when prompted for a
password. The FTP Server attempts to validate these email addresses. A user
whose FTP client hangs on a long reply, for example, a multiline response,
should use a dash (-) as the first character of the user's password, as this
disables the Server's \fBlreply()\fR function.
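The first four login rules listed above can be checked offline against copies of a host's account files. The shell function below is an added example, not part of the original man page or of in.ftpd. Its file layouts, its treatment of NP, *LK* and empty password fields as unusable, and its /bin/sh default for an empty shell field are assumptions, and all sample data is constructed.

```shell
#!/bin/sh
# Added example: classify local accounts against the in.ftpd login rules.
# Verdicts: no-password (rule 1), in-ftpusers (rule 2), bad-shell (rule 3),
# anonymous-possible (rule 4: an "ftp" account exists), allowed.

ftp_login_audit() {
    # $1 = passwd file, $2 = shadow file, $3 = ftpusers file, $4 = shells file
    awk -F: -v shadow="$2" -v deny="$3" -v shells="$4" '
    BEGIN {
        # Password field per user, from the shadow-style file.
        while ((getline line < shadow) > 0) {
            split(line, f, ":")
            pw[f[1]] = f[2]
        }
        # Denied users: one name per line, "#" comments ignored (assumption).
        while ((getline line < deny) > 0) {
            sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
            if (line != "") denied[line] = 1
        }
        # Stand-in for the shell list that getusershell(3C) returns.
        while ((getline line < shells) > 0) {
            sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
            if (line != "") ok_shell[line] = 1
        }
    }
    {
        user = $1
        shell = ($7 == "") ? "/bin/sh" : $7      # assumed default shell
        p = (user in pw) ? pw[user] : ""
        # Assumption: empty, NP, or *LK*-prefixed fields are not usable.
        usable = (p != "" && p != "NP" && index(p, "*LK*") != 1)
        if (user == "ftp")
            verdict = (user in denied) ? "in-ftpusers" : "anonymous-possible"
        else if (!usable)
            verdict = "no-password"
        else if (user in denied)
            verdict = "in-ftpusers"
        else if (!(shell in ok_shell))
            verdict = "bad-shell"
        else
            verdict = "allowed"
        print user ":" verdict
    }' "$1"
}

# Constructed sample data, written into the directory given as $1.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
alice:x:1001:10:Alice:/export/home/alice:/bin/ksh
bob:x:1002:10:Bob:/export/home/bob:/opt/constructed/menu
carol:x:1003:10:Carol:/export/home/carol:/bin/sh
ftp:x:30000:30000:Anonymous FTP:/export/ftp:/bin/true
EOF
    cat > "$1/shadow" <<'EOF'
root:CONSTRUCTED-HASH-1:6445::::::
daemon:NP:6445::::::
alice:CONSTRUCTED-HASH-2:6445::::::
bob:CONSTRUCTED-HASH-3:6445::::::
carol:*LK*:::::::
ftp:NP:6445::::::
EOF
    printf '%s\n' '# accounts denied FTP login' root daemon > "$1/ftpusers"
    printf '%s\n' /sbin/sh /bin/sh /bin/ksh > "$1/shells"
}

sample_dir=$(mktemp -d)
make_sample "$sample_dir"
ftp_login_audit "$sample_dir/passwd" "$sample_dir/shadow" \
    "$sample_dir/ftpusers" "$sample_dir/shells"
rm -rf "$sample_dir"
```

Any system account reported as allowed, or an unexpected anonymous-possible line, is a candidate for an entry in the ftpusers file.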
.sp
.LP
The FTP Server can also log all file transmission and reception. See
\fBxferlog\fR(4) for details of the log file format.
.sp
.LP
The \fBSITE EXEC\fR command may be used to execute commands in the
\fB/bin/ftp-exec\fR directory. Take care that you understand the security
implications before copying any command into the \fB/bin/ftp-exec\fR directory.
For example, do not copy in \fB/bin/sh\fR. This would enable the user to
execute other commands through the use of \fBsh -c\fR. If you have doubts about
this feature, do not create the \fB/bin/ftp-exec\fR directory.
.SH SECURITY
.sp
.LP
For non-anonymous users, \fBin.ftpd\fR uses \fBpam\fR(3PAM) for authentication,
account management, and session management, and can use Kerberos v5 for
authentication.
.sp
.LP
The \fBPAM\fR configuration policy, listed through \fB/etc/pam.conf\fR,
specifies the module to be used for \fBin.ftpd\fR. Here is a partial
\fBpam.conf\fR file with entries for the \fBin.ftpd\fR command using the UNIX
authentication, account management, and session management module.
.sp
.in +2
.nf
ftp  auth       requisite   pam_authtok_get.so.1
ftp  auth       required    pam_dhkeys.so.1
ftp  auth       required    pam_unix_auth.so.1

ftp  account    required    pam_unix_roles.so.1
ftp  account    required    pam_unix_projects.so.1
ftp  account    required    pam_unix_account.so.1

ftp  session    required    pam_unix_session.so.1
.fi
.in -2

.sp
.LP
If there are no entries for the \fBftp\fR service, then the entries for the
"other" service will be used. Unlike \fBlogin\fR, \fBpasswd\fR, and other
commands, the \fBftp\fR protocol will only support a single password. Using
multiple modules will prevent \fBin.ftpd\fR from working properly.
.sp
.LP
To use Kerberos for authentication, a \fBhost/\fR\fI<FQDN>\fR Kerberos
principal must exist for each Fully Qualified Domain Name associated with the
\fBin.ftpd\fR server. Each of these \fBhost/\fR\fI<FQDN>\fR principals must
have a \fBkeytab\fR entry in the \fB/etc/krb5/krb5.keytab\fR file on the
\fBin.ftpd\fR server. An example principal might be:
.sp
.LP
\fBhost/bigmachine.eng.example.com\fR
.sp
.LP
See \fBkadmin\fR(1M) or \fBgkadmin\fR(1M) for instructions on adding a
principal to a \fBkrb5.keytab\fR file. See \fI\fR for a discussion of Kerberos
authentication.
.sp
.LP
For anonymous users, who by convention supply their email address as a
password, \fBin.ftpd\fR validates passwords according to the \fBpasswd-check\fR
capability in the \fBftpaccess\fR file.
.SH USAGE
.sp
.LP
The \fBin.ftpd\fR command is IPv6-enabled. See \fBip6\fR(7P).
.SH FILES
.sp
.ne 2
.na
\fB\fB/etc/ftpd/ftpaccess\fR\fR
.ad
.sp .6
.RS 4n
FTP Server configuration file
.RE

.sp
.ne 2
.na
\fB\fB/etc/ftpd/ftpconversions\fR\fR
.ad
.sp .6
.RS 4n
FTP Server conversions database
.RE

.sp
.ne 2
.na
\fB\fB/etc/ftpd/ftpgroups\fR\fR
.ad
.sp .6
.RS 4n
FTP Server enhanced group access file
.RE

.sp
.ne 2
.na
\fB\fB/etc/ftpd/ftphosts\fR\fR
.ad
.sp .6
.RS 4n
FTP Server individual user host access file
.RE

.sp
.ne 2
.na
\fB\fB/etc/ftpd/ftpservers\fR\fR
.ad
.sp .6
.RS 4n
FTP Server virtual hosting configuration file.
.RE

.sp
.ne 2
.na
\fB\fB/etc/ftpd/ftpusers\fR\fR
.ad
.sp .6
.RS 4n
File listing users for whom FTP login privileges are disallowed.
.RE

.sp
.ne 2
.na
\fB\fB/etc/ftpusers\fR\fR
.ad
.sp .6
.RS 4n
File listing users for whom FTP login privileges are disallowed. The use of
this file is deprecated.
.RE

.sp
.ne 2
.na
\fB\fB/var/log/xferlog\fR\fR
.ad
.sp .6
.RS 4n
FTP Server transfer log file
.RE

.sp
.ne 2
.na
\fB\fB/var/run/ftp.pids-\fIclassname\fR\fR\fR
.ad
.sp .6
.RS 4n

.RE

.sp
.ne 2
.na
\fB\fB/var/adm/wtmpx\fR\fR
.ad
.sp .6
.RS 4n
Extended database files that contain the history of user access and accounting
information for the \fBwtmpx\fR database.
.RE

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
Interface Stability	External
.TE

.SH SEE ALSO
.sp
.LP
\fBcsh\fR(1), \fBftp\fR(1), \fBftpcount\fR(1), \fBftpwho\fR(1), \fBls\fR(1),
\fBsvcs\fR(1), \fBftpaddhost\fR(1M), \fBftpconfig\fR(1M), \fBftprestart\fR(1M),
\fBftpshut\fR(1M), \fBgkadmin\fR(1M), \fBinetadm\fR(1M), \fBinetd\fR(1M),
\fBkadmin\fR(1M), \fBsvcadm\fR(1M), \fBsyslogd\fR(1M), \fBchroot\fR(2),
\fBumask\fR(2), \fBgetpwent\fR(3C), \fBgetusershell\fR(3C), \fBsyslog\fR(3C),
\fBftpaccess\fR(4), \fBftpconversions\fR(4), \fBftpgroups\fR(4),
\fBftphosts\fR(4), \fBftpservers\fR(4), \fBftpusers\fR(4), \fBgroup\fR(4),
\fBpasswd\fR(4), \fBservices\fR(4), \fBxferlog\fR(4), \fBwtmpx\fR(4),
\fBattributes\fR(5), \fBgss_auth_rules\fR(5), \fBpam_authtok_check\fR(5),
\fBpam_authtok_get\fR(5), \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5),
\fBpam_passwd_auth\fR(5), \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5),
\fBpam_unix_session\fR(5), \fBsmf\fR(5), \fBip6\fR(7P)
.sp
.LP
\fI\fR
.sp
.LP
Allman, M., Ostermann, S., and Metz, C. \fIRFC 2428, FTP Extensions for IPv6
and NATs\fR. The Internet Society. September 1998.
.sp
.LP
Piscitello, D. \fIRFC 1639, FTP Operation Over Big Address Records (FOOBAR)\fR.
Network Working Group. June 1994.
.sp
.LP
Postel, Jon, and Joyce Reynolds. \fIRFC 959, File Transfer Protocol (FTP)\fR.
Network Information Center. October 1985.
.sp
.LP
St. Johns, Mike. \fIRFC 931, Authentication Server\fR. Network Working Group.
January 1985.
.sp
.LP
Linn, J., \fIGeneric Security Service Application Program Interface Version 2,
Update 1, RFC 2743.\fR The Internet Society, January 2000.
.sp
.LP
Horowitz, M., Lunt, S., \fIFTP Security Extensions, RFC 2228\fR. The Internet
Society, October 1997.
.SH DIAGNOSTICS
.sp
.LP
\fBin.ftpd\fR logs various errors to \fBsyslogd\fR(1M), with a facility code of
daemon.
.SH NOTES
.sp
.LP
The anonymous \fBFTP\fR account is inherently dangerous and should be avoided
when possible.
.sp
.LP
The \fBFTP\fR Server must perform certain tasks as the superuser, for example,
the creation of sockets with privileged port numbers. It maintains an effective
user \fBID\fR of the logged in user, reverting to the superuser only when
necessary.
.sp
.LP
The \fBFTP\fR Server no longer supports the \fB/etc/default/ftpd\fR file.
Instead of using \fBUMASK=nnn\fR to set the umask, use the \fBdefumask\fR
capability in the \fBftpaccess\fR file. The banner greeting text capability is
also now set through the \fBftpaccess\fR file by using the greeting text
capability instead of by using \fBBANNER="..."\fR. However, unlike the
\fBBANNER\fR string, the greeting text string is not passed to the shell for
evaluation. See \fBftpaccess\fR(4).
.sp
.LP
The \fBpam_unix\fR(5) module is no longer supported. Similar functionality is
provided by \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5),
\fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_passwd_auth\fR(5),
\fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5), and
\fBpam_unix_session\fR(5).
.sp
.LP
The \fBin.ftpd\fR service is managed by the service management facility,
\fBsmf\fR(5), under the service identifier:
.sp
.in +2
.nf
svc:/network/ftp
.fi
.in -2
.sp

.sp
.LP
Administrative actions on this service, such as enabling, disabling, or
requesting restart, can be performed using \fBsvcadm\fR(1M). Responsibility for
initiating and restarting this service is delegated to \fBinetd\fR(1M). Use
\fBinetadm\fR(1M) to make configuration changes and to view configuration
information for this service. The service's status can be queried using the
\fBsvcs\fR(1) command.