Unix‎ > ‎Solaris‎ > ‎Solaris man pages‎ > ‎1m‎ > ‎


     in.ftpd, ftpd - File Transfer Protocol Server

     in.ftpd [-4] [-A] [-a] [-C] [-d] [-I] [-i]  [-K]  [-L]  [-l]
     [-o] [-P dataport] [-p ctrlport] [-Q] [-q] [-r rootdir] [-S]
     [-s] [-T maxtimeout] [-t timeout] [-u umask] [-V] [-v]  [-W]
     [-w] [-X]

     in.ftpd is the Internet File Transfer Protocol (FTP)  server
     process.  The  server  may be invoked by the Internet daemon
     inetd(1M) each time a connection to the FTP service is  made
     or run as a standalone server. See services(4).

     in.ftpd supports the following options:

     -4              When running in standalone mode, listen  for
                     connections  on  an AF_INET type socket. The
                     default is to listen  on  an  AF_INET6  type

     -a              Enables use of the ftpaccess(4) file.

     -A              Disables use of the ftpaccess(4)  file.  Use
                     of ftpaccess is disabled by default.

     -C              Non-anonymous users need  local  credentials
                     (for  example,  to  authenticate  to  remote
                     fileservers). So they should be prompted for
                     a password unless they forwarded credentials
                     as part of authentication.

     -d              Writes debugging information to syslogd(1M).

     -i              Logs the names of all files received by  the
                     FTP  Server  to xferlog(4). You can override
                     the -i option  through  use  of  the  ftpac-
                     cess(4) file.

     -I              Disables the use of AUTH and ident to deter-
                     mine  the  username  on  the client. See RFC
                     931. The FTP Server is built not to use AUTH
                     and ident.

     -K              Connections are only allowed for  users  who
                     can   authenticate   through  the  ftp  AUTH
                     mechanism.  (Anonymous  ftp  may   also   be
                     allowed  if it is configured.) ftpd will ask
                     the user for a password if one is required.

     -l              Logs each FTP session to syslogd(1M).

     -L              Logs  all  commands  sent  to   in.ftpd   to
                     syslogd(1M).  When  the  -L  option is used,
                     command logging will be on by default,  once
                     the  FTP  Server is invoked. Because the FTP
                     Server  includes  USER  commands  in   those
                     logged,  if  a  user  accidentally  enters a
                     password instead of the username, the  pass-
                     word will be logged. You can override the -L
                     option through use of the ftpaccess(4) file.

     -o              Logs the names of all files  transmitted  by
                     the  FTP Server to xferlog(4). You can over-
                     ride the -o option through use of the ftpac-
                     cess(4) file.

     -P dataport     The FTP Server determines the port number by
                     looking in the services(4) file for an entry
                     for the ftp-data service.  If  there  is  no
                     entry,  the  daemon uses the port just prior
                     to the control connection port. Use  the  -P
                     option to specify the data port number.

     -p ctrlport     When run in standalone mode, the FTP  Server
                     determines  the control port number by look-
                     ing in the services(4) file for an entry for
                     the  ftp  service.  Use  the  -p  option  to
                     specify the control port number.

     -Q              Disables PID files. This disables user  lim-
                     its.  Large,  busy sites that do not want to
                     impose limits on the  number  of  concurrent
                     users  can  use  this  option to disable PID

     -q              Uses PID files. The limit directive uses PID
                     files  to  determine  the  number of current
                     users in each access class. By default,  PID
                     files are used.

     -r rootdir      chroot(2) to rootdir upon loading. Use  this
                     option to improve system security. It limits
                     the files that can be damaged should a break
                     in  occur through the daemon. This option is
                     similar to anonymous FTP.  Additional  files
                     are  needed,  which vary from system to sys-

     -S              Places the daemon  in  standalone  operation
                     mode.  The  daemon  runs  in the background.
                     This is useful for startup scripts that  run
                     during system initialization. See init.d(4).

     -s              Places the daemon  in  standalone  operation
                     mode.  The  daemon  runs  in the foreground.
                     This is useful when run from /etc/inittab by

     -T maxtimeout   Sets the maximum allowable timeout period to
                     maxtimeout   seconds.  The  default  maximum
                     timeout limit is 7200  second  (two  hours).
                     You  can  override the -T option through use
                     of the ftpaccess(4) file.

     -t timeout      Sets  the  inactivity  timeout   period   to
                     timeout  seconds. The default timeout period
                     is 900 seconds (15 minutes). You  can  over-
                     ride the -t option through use of the ftpac-
                     cess(4) file.

     -u umask        Sets the default umask to umask.

     -V              Displays copyright and version  information,
                     then terminate.

     -v              Writes debugging information to syslogd(1M).

     -W              Does not record user login and logout in the
                     wtmpx(4) file.

     -w              Records each user login and  logout  in  the
                     wtmpx(4)   file.   By  default,  logins  and
                     logouts are recorded.

     -X              Writes the output from the -i and -o options
                     to  the  syslogd(1M)  file  instead of xfer-
                     log(4). This allows the collection of output
                     from  several  hosts on one central loghost.
                     You can override the -X option  through  use
                     of the ftpaccess(4) file.

     The  FTP  Server  currently  supports  the   following   FTP
     requests. Case is not distinguished.

     ABOR     Abort previous command.

     ADAT     Send an authentication protocol message.

     ALLO     Allocate storage (vacuously).

     AUTH     Specify an authentication protocol to be performed.
              Currently only "GSSAPI" is supported.

     APPE     Append to a file.

     CCC      Set the command channel protection mode to  "Clear"
              (no  protection).  Not  allowed  if data channel is

     CDUP     Change to parent of current working directory.

     CWD      Change working directory.

     DELE     Delete a file.

     ENC      Send a  privacy  and  integrity  protected  command
              (given in argument).

     EPRT     Specify extended address for the transport  connec-

     EPSV     Extended passive command request.

     HELP     Give help information.

     LIST     Give list files in a directory (ls -lA).

     LPRT     Specify long address for the transport connection.

     LPSV     Long passive command request.

     MIC      Send an integrity protected command (given in argu-

     MKD      Make a directory.

     MDTM     Show last time file modified.

     MODE     Specify data transfer mode.

     NLST     Give name list of files in directory (ls).

     NOOP     Do nothing.

     PASS     Specify password.

     PASV     Prepare for server-to-server transfer.

     PBSZ     Specify a protection buffer size.

     PROT     Specify a protection level under which  to  protect
              data transfers. Allowed arguments:

              clear           No protection.

              safe            Integrity protection

              private         Integrity and encryption protection

     PORT     Specify data connection port.

     PWD      Print the current working directory.

     QUIT     Terminate session.

     REST     Restart incomplete transfer.

     RETR     Retrieve a file.

     RMD      Remove a directory.

     RNFR     Specify rename-from file name.

     RNTO     Specify rename-to file name.

     SITE     Use nonstandard commands.

     SIZE     Return size of file.

     STAT     Return status of server.

     STOR     Store a file.

     STOU     Store a file with a unique name.

     STRU     Specify data transfer structure.

     SYST     Show operating system type of server system.

     TYPE     Specify data transfer type.

     USER     Specify user name.

     XCUP     Change to parent of current working directory. This
              request is deprecated.

     XCWD     Change working directory. This  request  is  depre-

     XMKD     Make a directory. This request is deprecated.

     XPWD     Print the current working directory.  This  request
              is deprecated.

     XRMD     Remove a directory. This request is deprecated.

     The following nonstandard or UNIX specific commands are sup-
     ported by the SITE request:

     ALIAS           List aliases.

     CDPATH          List the  search  path  used  when  changing

     CHECKMETHOD     List or set the checksum method.

     CHECKSUM        Give the checksum of a file.

     CHMOD           Change mode of a  file.  For  example,  SITE
                     CHMOD 755 filename.

     EXEC            Execute a program. For  example,  SITE  EXEC
                     program params

     GPASS           Give  special  group  access  password.  For
                     example, SITE GPASS bar.

     GROUP           Request special group access.  For  example,
                     SITE GROUP foo.

     GROUPS          List supplementary group membership.

     HELP            Give help  information.  For  example,  SITE

     IDLE            Set idle-timer. For example, SITE IDLE 60.

     UMASK           Change umask. For example, SITE UMASK 002.

     The remaining FTP requests specified in RFC 959  are  recog-
     nized, but not implemented.

     The FTP server will abort an active file transfer only  when
     the ABOR command is preceded by a Telnet "Interrupt Process"
     (IP) signal and a Telnet "Synch" signal in the command  Tel-
     net  stream,  as  described in RFC 959. If a STAT command is
     received during a data transfer that has been preceded by  a
     Telnet IP and Synch, transfer status will be returned.

     in.ftpd interprets file names according  to  the  "globbing"
     conventions used by csh(1). This allows users to utilize the
     metacharacters: * ? [ ] { } ~

     in.ftpd  authenticates  users  according  to  the  following

     First, the user name must be in the password data base,  the
     location  of  which  is  specified  in  nsswitch.conf(4). An
     encrypted password (an authentication token in PAM) must  be
     present.  A  password  must always be provided by the client
     before any  file  operations  can  be  performed.  For  non-
     anonymous  users,  the  PAM framework is used to verify that
     the correct password was entered. See SECURITY below.

     Second,  the  user  name  must  not  appear  in  either  the
     /etc/ftpusers  or  the  /etc/ftpd/ftpusers  file. Use of the
     /etc/ftpusers files is deprecated, although it is still sup-

     Third, the users must have  a  standard  shell  returned  by

     Fourth, if the user name is anonymous or ftp,  an  anonymous
     ftp  account  must  be present in the password file for user
     ftp. Use ftpconfig(1M) to create the anonymous  ftp  account
     and home directory tree.

     Fifth, if the GSS-API is used to authenticate the user, then
     gss_auth_rules(5)  determines user access without a password

     The FTP Server supports virtual hosting, which can  be  con-
     figured by using ftpaddhost(1M).

     The FTP Server does not support sublogins.

  General FTP Extensions
     The FTP Server has certain extensions. If the user specifies
     a  filename  that does not exist with a RETR (retrieve) com-
     mand, the FTP Server looks for a conversion to change a file
     or   directory   that  does  into  the  one  requested.  See

     By convention, anonymous users supply  their  email  address
     when  prompted  for  a  password. The FTP Server attempts to
     validate these email addresses.  A  user  whose  FTP  client
     hangs  on  a  long reply, for example, a multiline response,
     should use a dash (-) as the first character of  the  user's
     password, as this disables the Server's lreply() function.

     The FTP Server can also log all file transmission and recep-
     tion. See xferlog(4) for details of the log file format.

     The SITE EXEC command may be used to execute commands in the
     /bin/ftp-exec  directory.  Take care that you understand the
     security implications before copying any  command  into  the
     /bin/ftp-exec   directory.  For  example,  do  not  copy  in
     /bin/sh. This would enable the user to  execute  other  com-
     mands  through  the  use  of sh -c. If you have doubts about
     this feature, do not create the /bin/ftp-exec directory.

     For non-anonymous users, in.ftpd uses pam(3PAM) for  authen-
     tication,  account  management,  and session management, and
     can use Kerberos v5 for authentication.

     The PAM configuration policy, listed through  /etc/pam.conf,
     specifies  the module to be used for in.ftpd. Here is a par-
     tial pam.conf file with  entries  for  the  in.ftpd  command
     using  the UNIX authentication, account management, and ses-
     sion management module.

     ftp  auth        requisite   pam_authtok_get.so.1
     ftp  auth        required    pam_dhkeys.so.1
     ftp  auth        required    pam_unix_auth.so.1

     ftp  account     required    pam_unix_roles.so.1
     ftp  account     required    pam_unix_projects.so.1
     ftp  account     required    pam_unix_account.so.1

     ftp  session     required    pam_unix_session.so.1

     If there are no  entries  for  the  ftp  service,  then  the
     entries  for the "other" service will be used. Unlike login,
     passwd, and other commands, the ftp protocol will only  sup-
     port  a single password. Using multiple modules will prevent
     in.ftpd from working properly.

     To use Kerberos for authentication, a  host/<FQDN>  Kerberos
     principal  must  exist  for each Fully Qualified Domain Name
     associated  with  the  in.ftpd   server.   Each   of   these
     host/<FQDN>  principals  must  have  a  keytab  entry in the
     /etc/krb5/krb5.keytab file on the in.ftpd server. An example
     principal might be:


     See kadmin(1M) or gkadmin(1M) for instructions on  adding  a
     principal  to  a krb5.keytab file. See System Administration
     Guide:  Security  Services  for  a  discussion  of  Kerberos

     For anonymous users, who by convention  supply  their  email
     address as a password, in.ftpd validates passwords according
     to the passwd-check capability in the ftpaccess file.

     The in.ftpd command is IPv6-enabled. See ip6(7P).

     /etc/ftpd/ftpaccess             FTP   Server   configuration

     /etc/ftpd/ftpconversions        FTP Server conversions data-

     /etc/ftpd/ftpgroups             FTP  Server  enhanced  group
                                     access file

     /etc/ftpd/ftphosts              FTP Server  individual  user
                                     host access file

     /etc/ftpd/ftpservers            FTP Server  virtual  hosting
                                     configuration file.

     /etc/ftpd/ftpusers              File listing users for  whom
                                     FTP   login  privileges  are

     /etc/ftpusers                   File listing users for  whom
                                     FTP   login  privileges  are
                                     disallowed. This use of this
                                     file is deprecated.

     /var/log/xferlog                FTP Server transfer log file


     /var/adm/wtmpx                  Extended database files that
                                     contain  the history of user
                                     access and accounting infor-
                                     mation  for  the wtmpx data-

     See attributes(5) for descriptions of the  following  attri-

    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    | Availability                | SUNWftpu                    |
    | Interface Stability         | External                    |

     csh(1),  ftp(1),  ftpcount(1),  ftpwho(1),  ls(1),  svcs(1),
     ftpaddhost(1M),  ftpconfig(1M), ftprestart(1M), ftpshut(1M),
     gkadmin(1M), inetadm(1M), inetd(1M), kadmin(1M), svcadm(1M),
     syslogd(1M),      chroot(2),     umask(2),     getpwent(3C),
     getusershell(3C),   syslog(3C),   ftpaccess(4),   ftpconver-
     sions(4),    ftpgroups(4),    ftphosts(4),    ftpservers(4),
     ftpusers(4), group(4), passwd(4),  services(4),  xferlog(4),
     wtmpx(4),          attributes(5),         gss_auth_rules(5),
     pam_authtok_check(5),                    pam_authtok_get(5),
     pam_authtok_store(5),   pam_dhkeys(5),   pam_passwd_auth(5),
     pam_unix_account(5), pam_unix_auth(5),  pam_unix_session(5),
     smf(5), ip6(7P)

     System Administration Guide: Security Services

     Allman, M., Ostermann, S., and Metz, C. RFC 2428, FTP Exten-
     sions  for  IPv6  and  NATs. The Internet Society. September

     Piscitello, D. RFC 1639,  FTP  Operation  Over  Big  Address
     Records (FOOBAR). Network Working Group. June 1994.

     Postel, Jon, and Joyce Reynolds. RFC 959, File Transfer Pro-
     tocol (FTP ). Network Information Center. October 1985.

     St. Johns, Mike. RFC  931,  Authentication  Server.  Network
     Working Group. January 1985.

     Linn,  J.,  Generic  Security  Service  Application  Program
     Interface  Version  2,  Update  1,  RFC  2743.  The Internet
     Society, January 2000.

     Horowitz, M., Lunt, S., FTP Security Extensions,  RFC  2228.
     The Internet Society, October 1997.

     in.ftpd logs various errors to syslogd(1M), with a  facility
     code of daemon.

     The anonymous FTP account is inherently dangerous and should
     be avoided when possible.

     The FTP Server must perform certain tasks as the  superuser,
     for  example,  the  creation of sockets with privileged port
     numbers. It maintains an effective user ID of the logged  in
     user, reverting to the superuser only when necessary.

     The FTP Server  no  longer  supports  the  /etc/default/ftpd
     file.  Instead  of using UMASK=nnn to set the umask, use the
     defumask capability in the ftpaccess file. The banner greet-
     ing  text  capability  is also now set through the ftpaccess
     file by using the greeting text  capability  instead  of  by
     using  BANNER="...".  However, unlike the BANNER string, the
     greeting text string is not passed to the shell for  evalua-
     tion. See ftpaccess(4).

     The pam_unix(5) module is no longer supported. Similar func-
     tionality     is     provided    by    pam_authtok_check(5),
     pam_authtok_get(5),   pam_authtok_store(5),   pam_dhkeys(5),
     pam_passwd_auth(5),  pam_unix_account(5),  pam_unix_auth(5),
     and pam_unix_session(5).

     The in.ftpd service is managed  by  the  service  management
     facility, smf(5), under the service identifier:


     Administrative actions on this service,  such  as  enabling,
     disabling,  or  requesting  restart,  can be performed using
     svcadm(1M). Responsibility  for  initiating  and  restarting
     this  service  is delegated to inetd(1M). Use inetadm(1M) to
     make configuration changes and to view configuration  infor-
     mation for this service. The service's status can be queried
     using the svcs(1) command.

Man pages from Solaris 10 Update 8. See docs.sun.com and www.oracle.com for further documentation and Solaris information.