in.ftpd(1M)		System Administration Commands		   in.ftpd(1M)

       in.ftpd,	ftpd - File Transfer Protocol Server

       in.ftpd [-4] [-A] [-a] [-C] [-d] [-I] [-i] [-K] [-L] [-l] [-o]
       [-P dataport] [-p ctrlport] [-Q] [-q] [-r rootdir] [-S] [-s]
       [-T maxtimeout] [-t timeout] [-u umask] [-V] [-v] [-W] [-w] [-X]

       in.ftpd	is  the	 Internet File Transfer	Protocol (FTP) server process.
       The server may be invoked by the	Internet daemon	inetd(1M) each time  a
       connection  to  the  FTP	service	is made	or run as a standalone server.
       See services(4).

       in.ftpd supports	the following options:

       -4	       When running in standalone mode,	listen for connections
		       on  an AF_INET type socket. The default is to listen on
		       an AF_INET6 type	socket.

       -a	       Enables use of the ftpaccess(4) file.

       -A	       Disables	use of the ftpaccess(4)	file. Use of ftpaccess
		       is disabled by default.

       -C	       Non-anonymous  users  need local	credentials (for exam-
		       ple, to authenticate to remote  fileservers).  So  they
		       should be prompted for a	password unless	they forwarded
		       credentials as part of authentication.

       -d	       Writes debugging	information to syslogd(1M).

       -i	       Logs the	names of all files received by the FTP	Server
		       to  xferlog(4).	You can	override the -i	option through
		       use of the ftpaccess(4) file.

       -I	       Disables	the use	of AUTH	and  ident  to	determine  the
		       username	 on the	client.	See RFC	931. The FTP Server is
		       built not to use	AUTH and ident.

       -K	       Connections are only allowed for	users who can  authen-
		       ticate  through	the ftp	AUTH mechanism.	(Anonymous ftp
		       may also	be allowed if it is configured.) ftpd will ask
		       the user	for a password if one is required.

       -l	       Logs each FTP session to	syslogd(1M).

       -L	       Logs  all commands sent to in.ftpd to syslogd(1M). When
		       the -L option is	used, command logging will  be	on  by
		       default,	 once  the  FTP	Server is invoked. Because the
		       FTP Server includes USER	commands in those logged, if a
		       user  accidentally  enters  a  password	instead	of the
		       username, the password will be logged. You can override
		       the -L option through use of the	ftpaccess(4) file.

       -o	       Logs  the  names	 of  all  files	transmitted by the FTP
		       Server to xferlog(4). You can override  the  -o	option
		       through use of the ftpaccess(4) file.

       -P dataport     The FTP Server determines the port number by looking in
		       the services(4) file for	an entry for the ftp-data ser-
		       vice.  If  there	 is no entry, the daemon uses the port
		       just prior to the control connection port. Use  the  -P
		       option to specify the data port number.

       -p ctrlport     When  run in standalone mode, the FTP Server determines
		       the control port	number by looking in  the  services(4)
		       file  for  an entry for the ftp service.	Use the	-p op-
		       tion to specify the control port	number.

       -Q	       Disables	PID files. This	disables user  limits.	Large,
		       busy  sites  that  do  not want to impose limits	on the
		       number of concurrent users can use this option to  dis-
		       able PID	files.

       -q	       Uses  PID  files. The limit directive uses PID files to
		       determine the number of current users  in  each	access
		       class. By default, PID files are	used.

       -r rootdir      chroot(2)  to  rootdir upon loading. Use	this option to
		       improve system security.	It limits the files  that  can
		       be  damaged should a break in occur through the daemon.
		       This option is similar  to  anonymous  FTP.  Additional
		       files are needed, which vary from system	to system.

       -S	       Places  the  daemon  in	standalone operation mode. The
		       daemon runs in  the  background.	 This  is  useful  for
		       startup	scripts	that run during	system initialization.
		       See init.d(4).

       -s	       Places the daemon in  standalone	 operation  mode.  The
		       daemon  runs in the foreground. This is useful when run
		       from /etc/inittab by init(1M).

       -T maxtimeout   Sets the	maximum	allowable timeout period to maxtimeout
                       seconds. The default maximum timeout limit is 7200
                       seconds (two hours). You can override the -T option
                       through use of the ftpaccess(4) file.

       -t timeout      Sets  the inactivity timeout period to timeout seconds.
		       The default timeout period is 900 seconds (15 minutes).
                       You can override the -t option through use of the
                       ftpaccess(4) file.

       -u umask	       Sets the	default	umask to umask.

       -V	       Displays	copyright and version information, then	termi-

       -v	       Writes debugging	information to syslogd(1M).

       -W	       Does  not  record user login and	logout in the wtmpx(4)

       -w	       Records each user login	and  logout  in	 the  wtmpx(4)
		       file. By	default, logins	and logouts are	recorded.

       -X	       Writes  the  output  from  the -i and -o	options	to the
		       syslogd(1M) file	instead	of xferlog(4). This allows the
		       collection  of output from several hosts	on one central
		       loghost.	You can	override the -X	option through use  of
		       the ftpaccess(4)	file.

       The  FTP	 Server	currently supports the following FTP requests. Case is
       not distinguished.

       ABOR	Abort previous command.

       ADAT	Send an	authentication protocol	message.

       ALLO	Allocate storage (vacuously).

       AUTH	Specify	an authentication protocol to be performed.  Currently
		only "GSSAPI" is supported.

       APPE	Append to a file.

       CCC	Set the	command	channel	protection mode	to "Clear" (no protec-
		tion). Not allowed if data channel is protected.

       CDUP	Change to parent of current working directory.

       CWD	Change working directory.

       DELE	Delete a file.

       ENC	Send a privacy and integrity protected command (given in argu-

       EPRT	Specify	extended address for the transport connection.

       EPSV	Extended passive command request.

       HELP	Give help information.

       LIST     Give a list of files in a directory (ls -lA).

       LPRT	Specify	long address for the transport connection.

       LPSV	Long passive command request.

       MIC	Send an	integrity protected command (given in argument).

       MKD	Make a directory.

       MDTM	Show last time file modified.

       MODE	Specify	data transfer mode.

       NLST	Give name list of files	in directory (ls).

       NOOP	Do nothing.

       PASS	Specify	password.

       PASV	Prepare	for server-to-server transfer.

       PBSZ	Specify	a protection buffer size.

       PROT	Specify	 a protection level under which	to protect data	trans-
		fers. Allowed arguments:

		clear		No protection.

		safe		Integrity protection

		private		Integrity and encryption protection

       PORT	Specify	data connection	port.

       PWD	Print the current working directory.

       QUIT	Terminate session.

       REST	Restart	incomplete transfer.

       RETR	Retrieve a file.

       RMD	Remove a directory.

       RNFR	Specify	rename-from file name.

       RNTO	Specify	rename-to file name.

       SITE	Use nonstandard	commands.

       SIZE	Return size of file.

       STAT	Return status of server.

       STOR	Store a	file.

       STOU	Store a	file with a unique name.

       STRU	Specify	data transfer structure.

       SYST	Show operating system type of server system.

       TYPE	Specify	data transfer type.

       USER	Specify	user name.

       XCUP	Change to parent of current working directory. This request is

       XCWD	Change working directory. This request is deprecated.

       XMKD	Make a directory. This request is deprecated.

       XPWD	Print  the  current  working directory.	This request is	depre-

       XRMD	Remove a directory. This request is deprecated.

       The following nonstandard or UNIX specific commands  are	 supported  by
       the SITE	request:

       ALIAS	       List aliases.

       CDPATH	       List the	search path used when changing directories.

       CHECKMETHOD     List or set the checksum	method.

       CHECKSUM	       Give the	checksum of a file.

       CHMOD	       Change  mode  of	 a  file.  For example,	SITE CHMOD 755

       EXEC	       Execute a  program.  For	 example,  SITE	 EXEC  program

       GPASS	       Give  special  group access password. For example, SITE
		       GPASS bar.

       GROUP	       Request special group access. For example,  SITE	 GROUP

       GROUPS	       List supplementary group	membership.

       HELP	       Give help information. For example, SITE	HELP.

       IDLE	       Set idle-timer. For example, SITE IDLE 60.

       UMASK	       Change umask. For example, SITE UMASK 002.

       The remaining FTP requests specified in RFC 959 are recognized, but not

       The FTP server will abort an active file	transfer only  when  the  ABOR
       command	is  preceded by	a Telnet "Interrupt Process" (IP) signal and a
       Telnet "Synch" signal in	the command Telnet stream, as described	in RFC
       959. If a STAT command is received during a data	transfer that has been
       preceded	by a Telnet IP and Synch, transfer status will be returned.

       in.ftpd interprets file names according to the  "globbing"  conventions
       used  by	csh(1).	This allows users to utilize the metacharacters: * ? [
       ] { } ~

       in.ftpd authenticates users according to	the following rules:

       First, the user name must be in the password data base, the location of
       which  is  specified in nsswitch.conf(4). An encrypted password (an au-
       thentication token in PAM) must be present. A password must  always  be
       provided	by the client before any file operations can be	performed. For
       non-anonymous users, the	PAM framework is used to verify	that the  cor-
       rect password was entered. See SECURITY below.

       Second,	the  user  name	must not appear	in either the /etc/ftpusers or
       the /etc/ftpd/ftpusers file. Use	of the /etc/ftpusers files  is	depre-
       cated, although it is still supported.

       Third,  the  users  must	 have  a  standard  shell returned by getuser-

       Fourth, if the user name	is anonymous or	ftp, an	anonymous ftp  account
       must be present in the password file for	user ftp. Use ftpconfig(1M) to
       create the anonymous ftp	account	and home directory tree.

       Fifth,  if  the	GSS-API	 is  used  to  authenticate  the  user,	  then
       gss_auth_rules(5) determines user access	without	a password needed.
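
       The first three rules above can be checked offline to see which
       accounts the server would accept. The script below is an added example,
       not part of the original manual page: the function names are
       hypothetical, a flat passwd(4)-format file stands in for the
       nsswitch.conf(4) password database, and a file of shell paths stands in
       for the list returned by getusershell(3C).

```sh
#!/bin/sh
# Added example (not from the manual page). Flat files stand in for the
# nsswitch.conf(4) password database and for the getusershell(3C) list.

# ftp_eligible USER PASSWD SHELLS [FTPUSERS...]
# Prints "allow" or "deny: <reason>"; returns 0 only for "allow".
ftp_eligible() {
    user=$1 passwd=$2 shells=$3
    shift 3
    # Rule 1: the name must exist in the password database.
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd")
    [ -n "$entry" ] || { echo "deny: not in password database"; return 1; }
    # Rule 2: the name must not appear in any ftpusers file.
    for deny in "$@"; do
        [ -r "$deny" ] || continue
        if awk -v u="$user" '!/^[ \t]*#/ && $1 == u { hit = 1 }
                             END { exit !hit }' "$deny"; then
            echo "deny: listed in $deny"; return 1
        fi
    done
    # Rule 3: the login shell must be a standard shell. An empty shell
    # field is treated as /bin/sh here (assumption).
    shell=${entry##*:}
    shell=${shell:-/bin/sh}
    if ! grep -qxF -- "$shell" "$shells"; then
        echo "deny: shell $shell is not a standard shell"; return 1
    fi
    echo "allow"
}

# eligible_accounts PASSWD SHELLS [FTPUSERS...]
# Lists every account that passes all three rules, one per line.
eligible_accounts() {
    for u in $(cut -d: -f1 "$1"); do
        ftp_eligible "$u" "$@" >/dev/null && echo "$u"
    done
    return 0
}

# Example run on a live host (the passwd and shells paths are assumed):
#   sh ftp_audit.sh /etc/passwd /etc/shells /etc/ftpd/ftpusers /etc/ftpusers
if [ $# -ge 2 ]; then
    eligible_accounts "$@"
fi
```

       Any system account that appears in the output, such as root, is a
       candidate for the /etc/ftpd/ftpusers file.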

       The FTP Server supports virtual hosting,	which can be configured	by us-
       ing ftpaddhost(1M).

       The FTP Server does not support sublogins.

   General FTP Extensions
       The FTP Server has certain extensions. If the user specifies a filename
       that does not exist with a RETR (retrieve) command, the FTP Server
       looks for a conversion to change a file or directory that does exist
       into the one requested. See ftpconversions(4).

       By convention, anonymous	users supply their email address when prompted
       for a password. The FTP Server attempts to  validate  these  email  ad-
       dresses.	 A user	whose FTP client hangs on a long reply,	for example, a
       multiline response, should use a	dash (-) as the	first character	of the
       user's password,	as this	disables the Server's lreply() function.

       The  FTP	 Server	 can also log all file transmission and	reception. See
       xferlog(4) for details of the log file format.

       The SITE	EXEC command may be used to execute commands in	the  /bin/ftp-
       exec directory. Take care that you understand the security implications
       before copying any command into the /bin/ftp-exec directory. For	 exam-
       ple,  do	 not  copy  in	/bin/sh. This would enable the user to execute
       other commands through the use of sh -c.	If you have doubts about  this
       feature,	do not create the /bin/ftp-exec	directory.
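
       A periodic check of the SITE EXEC directory catches the mistake
       described above. The script below is an added example, not part of the
       original manual page: the function name and the RISKY list are
       assumptions, and the setuid and world-writable checks go beyond the
       /bin/sh case the text names.

```sh
#!/bin/sh
# Added example (not from the manual page). RISKY is an assumed, non-exhaustive
# list of programs that can start other commands, as sh -c can.
RISKY='sh bash csh tcsh ksh zsh jsh perl python python3 ruby awk nawk env find xargs'

# audit_ftp_exec DIR
# Prints one FLAG line per finding; returns 0 only if nothing was flagged.
audit_ftp_exec() {
    dir=$1
    findings=0
    if [ ! -d "$dir" ]; then
        echo "ok: $dir does not exist, SITE EXEC has nothing to run"
        return 0
    fi
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # skip unmatched glob patterns
        name=${f##*/}
        target=$name
        # A symlink is judged by the name of its target as well as its own.
        if [ -L "$f" ]; then
            target=$(readlink "$f")
            target=${target##*/}
        fi
        for r in $RISKY; do
            if [ "$name" = "$r" ] || [ "$target" = "$r" ]; then
                echo "FLAG command interpreter: $f"
                findings=$((findings + 1))
                break
            fi
        done
        if [ -u "$f" ] || [ -g "$f" ]; then
            echo "FLAG setuid or setgid: $f"
            findings=$((findings + 1))
        fi
        # World-writable programs can be swapped out by any local user.
        if [ -n "$(find "$f" -prune ! -type l -perm -0002)" ]; then
            echo "FLAG world-writable: $f"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Example run: sh audit_ftp_exec.sh /bin/ftp-exec
if [ $# -gt 0 ]; then
    audit_ftp_exec "$1"
fi
```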

       For non-anonymous users,	in.ftpd	uses pam(3PAM) for authentication, ac-
       count management, and session management. The PAM configuration policy,
       listed  through	/etc/pam.conf,	specifies  the	module	to be used for
       in.ftpd.	Here is	a partial pam.conf file	with entries for  the  in.ftpd
       command	using the UNIX authentication, account management, and session
       management module.

       ftp  auth	requisite
       ftp  auth	required
       ftp  auth	required

       ftp  account	required
       ftp  account	required
       ftp  account	required

       ftp  session	required

       If there	are no entries for the ftp service, then the entries  for  the
       "other" service will be used. Unlike login, passwd, and other commands,
       the ftp protocol	will only support a single  password.  Using  multiple
       modules will prevent in.ftpd from working properly.

       For  anonymous users, who by convention supply their email address as a
       password, in.ftpd validates passwords according to the passwd-check ca-
       pability	in the ftpaccess file.

       The in.ftpd command is IPv6-enabled. See	ip6(7P).

       /etc/ftpd/ftpaccess	       FTP Server configuration	file

       /etc/ftpd/ftpconversions	       FTP Server conversions database

       /etc/ftpd/ftpgroups	       FTP Server enhanced group access	file

       /etc/ftpd/ftphosts	       FTP  Server individual user host	access

       /etc/ftpd/ftpservers	       FTP Server virtual  hosting  configura-
				       tion file.

       /etc/ftpd/ftpusers	       File  listing  users for	whom FTP login
				       privileges are disallowed.

       /etc/ftpusers                   File listing users for whom FTP login
                                       privileges are disallowed. The use of
                                       this file is deprecated.

       /var/log/xferlog		       FTP Server transfer log file


       /var/adm/wtmpx		       Extended	database  files	 that  contain
				       the history of user access and account-
				       ing information for the wtmpx database.

       See attributes(5) for descriptions of the following attributes:

       |      ATTRIBUTE	TYPE	     |	    ATTRIBUTE VALUE	   |
       |Availability		     |SUNWftpu			   |
       |Interface Stability	     |External			   |

       csh(1), ftp(1), ftpcount(1), ftpwho(1), ls(1), svcs(1), ftpaddhost(1M),
       ftpconfig(1M), ftprestart(1M), ftpshut(1M), inetadm(1M), inetd(1M),
       svcadm(1M), syslogd(1M), chroot(2), umask(2), getpwent(3C),
       getusershell(3C), syslog(3C), ftpaccess(4), ftpconversions(4),
       ftpgroups(4), ftphosts(4), ftpservers(4), ftpusers(4), group(4),
       passwd(4), services(4), xferlog(4), wtmpx(4), attributes(5),
       gss_auth_rules(5), pam_authtok_check(5), pam_authtok_get(5),
       pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
       pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5), smf(5),
       ip6(7P)

       Allman, M., Ostermann, S., and Metz, C. RFC 2428,  FTP  Extensions  for
       IPv6 and	NATs. The Internet Society. September 1998.

       Piscitello,  D.	RFC 1639, FTP Operation	Over Big Address Records (FOO-
       BAR). Network Working Group. June 1994.

       Postel, Jon, and Joyce Reynolds. RFC 959, File Transfer Protocol
       (FTP). Network Information Center. October 1985.

       St. Johns, Mike.	RFC 931, Authentication	Server.	Network	Working	Group.
       January 1985.

       Linn, J., Generic Security Service Application Program  Interface  Ver-
       sion 2, Update 1, RFC 2743. The Internet	Society, January 2000.

       Horowitz, M., Lunt, S., FTP Security Extensions,	RFC 2228. The Internet
       Society,	October	1997.

       in.ftpd logs various errors to syslogd(1M), with	 a  facility  code  of

       The anonymous FTP account is inherently dangerous and should be avoided
       when possible.

       The FTP Server must perform certain tasks as the	superuser,  for	 exam-
       ple, the	creation of sockets with privileged port numbers. It maintains
       an effective user ID of the logged in user, reverting to	the  superuser
       only when necessary.

       The  FTP	 Server	no longer supports the /etc/default/ftpd file. Instead
       of using	UMASK=nnn to set the umask, use	the defumask capability	in the
       ftpaccess  file.	 The  banner  greeting text capability is also now set
       through the ftpaccess file by using the greeting	 text  capability  in-
       stead  of by using BANNER="...".	However, unlike	the BANNER string, the
       greeting	text string is not passed to the shell for evaluation. See ft-

       The pam_unix(5) module is no longer supported. Similar functionality is
       provided by pam_authtok_check(5), pam_authtok_get(5),
       pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
       pam_unix_account(5), pam_unix_auth(5), and pam_unix_session(5).

       The in.ftpd service is managed  by  the	service	 management  facility,
       smf(5), under the service identifier:


       Administrative actions on this service, such as enabling, disabling, or
       requesting restart, can be performed using  svcadm(1M).	Responsibility
       for  initiating	and restarting this service is delegated to inetd(1M).
       Use inetadm(1M) to make configuration changes and to view configuration
       information for this service. The service's status can be queried using
       the svcs(1) command.

SunOS 5.10			  4 Aug	2004			   in.ftpd(1M)

