ftpd Daemon

Purpose

Provides the server function for the Internet FTP protocol.

Syntax

Note: The ftpd daemon is usually started by the inetd daemon. It can also be controlled from the command line, using SRC commands.

/usr/sbin/ftpd [ -d ] [ -D DataConnTimeOut ] [-e][ -f ] [ -ff ] [ -k ] [ -l ] [ -U ] [ -t TimeOut ] [ -T MaxTimeOut ] [ -s ] [ -u OctalVal ] [-q [-C]] [-c]

Description

The /usr/sbin/ftpd daemon is the DARPA Internet File Transfer Protocol (FTP) server process. The ftpd daemon uses the Transmission Control Protocol (TCP) to listen at the port specified with the ftp command service specification in the /etc/services file.

Changes to the ftpd daemon can be made using the System Management Interface Tool (SMIT) or System Resource Controller (SRC), by editing the /etc/inetd.conf or /etc/services file. Typing ftpd at the command line is not recommended. The ftpd daemon is started by default when it is uncommented in the /etc/inetd.conf file.

The inetd daemon gets its information from the /etc/inetd.conf file and the /etc/services file.

If you change the /etc/inetd.conf or /etc/services file, run the refresh -s inetd or kill -1 InetdPID command to inform the inetd daemon of the changes to its configuration files.

The ftpd daemon expands file names according to the conventions of the csh command. This command allows you to use such metacharacters as the * (asterisk), the ? (question mark), [ ] (left and right brackets), { } (left and right braces), and the ~ (tilde).

ftpaccess.ctl File

The /etc/ftpaccess.ctl file is searched for lines that start with allow:, deny:, readonly:, writeonly:, readwrite:, useronly:, grouponly:, herald: and/or motd:. Other lines are ignored. If the file doesn't exist, then ftp access is allowed for all hosts. The allow: and deny: lines are for restricting host access. The readonly:, writeonly: and readwrite: lines are for restricting ftp reads (get) and writes (put). The useronly: and grouponly: lines are for defining anonymous users. The herald: and motd: lines are for multiline messages before and after login.

The syntax for all lines in /etc/ftpaccess.ctl is in the form:

keyword: value, value, ...

where you can specify one or more values for every keyword. You can have multiple lines with the same keyword. The lines in /etc/ftpaccess.ctl are limited to 1024 characters, anything more than 1024 characters will be ignored.

The syntax for the allow: and deny: lines are:

allow: host, host, ...
deny: host, host, ...

If an allow: line is specified, then only the hosts listed in all the allow: lines are allowed ftp access. All other hosts will be refused ftp access. If there is no allow: line, then all hosts will be given ftp access except those hosts specified in the deny: line(s). The host can be specified as either a hostname or IP address.

The syntax for the readonly:, writeonly: and readwrite: lines is:

readonly: dirname, dirname, ...
writeonly: dirname, dirname, ...
readwrite: dirname, dirname, ...

The readonly: lines list the read-only directories and the writeonly: lines list the write-only directories. Read access is denied in a write-only directory and write access is denied in a read-only directory. All other directories are granted access except when a readwrite: line is specified. If a readwrite: line is specified, only directories listed in the readwrite: line and/or listed in the readonly: line are granted access for reading, AND only directories listed in the readwrite: line and/or listed in the writeonly: line are granted access for writing. Also, these lines can have a value of "ALL" or "NONE".

The syntax for the useronly:, puseronly:, grouponly:, and pgrouponly: lines is:

useronly: username, username, ...
puseronly: username, username, ...
grouponly: groupname, groupname, ...
pgrouponly: groupname, groupname, ...

The username is from /etc/passwd and the groupname is from /etc/group. The useronly: and puseronly: lines define an anonymous user. The grouponly: and pgrouponly: lines define a group of anonymous users. These anonymous users are similar to the user anonymous in that ftp activity is restricted to their home directories. The useronly: and grouponly: lines define anonymous users similar to the user anonymous in that they are not password protected. The puseronly: and pgrouponly: lines define anonymous users that are password protected.

Note: For puseronly: and pgrouponly: users, passwords must be created and login must be disabled.

The syntax for the herald: and motd: lines are:

herald: path
motd: on|off

The path is the full path name of the file that contains the multiline herald that displays before login. When the motd: line has a value of 'on', then the $HOME/motd file contains the multiline message that displays after login. If the user is a defined anonymous user, then the /etc/motd file contains the multiline message that displays after login. (Note that /etc/motd is in the anonymous user's chroot'ed home directory). The default for the motd: line is off.

If the Standard Operating system authentication method is the current authentication method :

Before the ftpd daemon can transfer files for a client process, it must authenticate the client process. The ftpd daemon authenticates client processes according to these rules:

The user must have a password in the password database, /etc/security/passwd. (If the user's password is not null, the client process must provide that password.)
The user name must not appear in the /etc/ftpusers file.
The user's login shell must appear in the shells attribute of the /etc/security/login.cfg file.
If the user name is anonymous, ftp or is a defined anonymous user in the /etc/ftpaccess.ctl file, an anonymous FTP account must be defined in the password file. In this case, the client process is allowed to log in using any password. By convention, the password is the name of the client host. The ftpd daemon takes special measures to restrict access by the client process to the anonymous account.

If Kerberos 5 is the current authentication method:

The ftpd daemon allows access only if all of the following conditions are satisfied:

The local user of the ftp client has current DCE credentials.
The local and remote systems both support the AUTH command.
The remote system accepts the DCE credentials as sufficient for access to the remote account. See the kvalid_user function for additional information.

Transport Layer Security support

The ftpd daemon supports Transport Layer Security (TLS) as defined in RFC 4217. TLS is a cryptographic protocol that provides secure communication between clients and servers.

The main purpose of the implementation is to secure the control and data connection using encryption. The client needs to be authenticated by other means. The only supported method is the Standard Authentication method.

Upon receiving a request to start a TLS session, the ftpd daemon proceeds to read the /etc/ftpd.cnf file, loading the following configuration parameters that will be used to set up the TLS session:

Item	Description
CRL_PATH	The CRL_PATH parameter provides the path to the certificate revocation list file, which must be in PEM format. If specified, the digital certificate provided by the client will be verified against the certificate revocation list. If the ftp client is not using a digital certificate, the connection will fail. If the client provides a digital certificate, but the certificate has been revoked, the TLS session will fail. If this parameter is not specified, the client does not have to provide a digital certificate.
CA_PATH	The CA_PATH parameter provides the path to the certificate authority file, which must be in PEM format. If specified, the client certificate will be verified against the certificate authority. If the client does not provide a digital certificate, the connection will fail. If the client provides a digital certificate, but the certificate has not been signed by the security authority, the TLS session will fail. If this parameter is not specified, the client does not have to provide a digital certificate.
CIPHER_LIST	If the CIPHER_LIST parameter is specified, the list is used during the TLS session. If not, a default cipher list is used.
DEPHT	If the CA_PATH configuration parameter has been specified, the DEPTH value is used to verify the certificate provided by the ftp client in the digital certificate hierarchy. If not provided, a default value of 9 is used.
CERTIFICATE	The CERTIFICATE parameter provides a path to a valid digital certificate chain file in PEM format. This file is used in the TLS session. This parameter needs to be specified to start a TLS session. If this parameter is not specified, the ftpd server rejects all TLS requests.
CERTIFICATE_PRIVATE_KEY	The CERTIFICATE_PRIVATE_KEY parameter provides the path to the certificate private key, which is in PEM format, and is used during the TLS session. This parameter needs to be specified to start a TLS session. If this parameter is not specified, the ftpd server rejects all TLS requests.
DH_PARAMETERS_DIR	The DH_PARAMETERS_DIR parameter provides the path to a directory containing Diffie Helman parameters in PEM format. More than one file containing Diffie Helman parameters in PEM format can be included in this directory. The ftpd daemon searches for the appropriate parameter to use if required.

To support TLS, you must install the latest version of the OpenSSL tool from the AIX® Web Download Pack Programs website.

File Transfer Protocol Subtree Guidelines

When handling an anonymous FTP user, the server performs the chroot command in the home directory of the FTP user account. For greater security, implement the following rules when you construct the FTP subtree:

Item	Description
~ftp	Make the home directory owned by root and mode r-xr-xr-x (555).
~ftp/bin	Make this directory owned by the root user and not writable by anyone. The ls program must be present in this directory to support the list command. This program must have mode 111.
~ftp/etc	Make this directory owned by the root user and not writable by anyone.
~ftp/pub	Make this directory mode 777 and owned by FTP. Users must then place files that are to be accessible through the anonymous account in this directory.

Note: The shell script /usr/samples/tcpip/anon.ftp uses the above rules to set up the anonymous FTP account for you.

When handling an anonymous FTP user defined in /etc/ftpaccess.ctl, the server performs the chroot command in the home directory of the user account. For greater security, implement the following rules when you construct the user's subtree:

~user: Make the home directory owned by root and mode r-xr-xr-x (555).
~user/bin: Make this directory owned by the root user and unwritable by anyone. The ls program must be present in this directory to support the list command. This program must have mode 111.
~user/etc: Make this directory owned by the root user and unwritable by anyone.
~user/pub: Make this directory mode 777 and owned by user. Users must then place files that are to be accessible through the anonymous account in this directory.

Note: The shell script /usr/samples/tcpip/anon.users.ftp uses the above rules to set up the anonymous FTP account for you.

The server must run as the root user to create sockets with privileged port numbers. The server maintains an effective user ID of the logged-in user, reverting to the root user only when binding addresses to sockets.

Supported File Transfer Protocol Requests

The ftpd daemon currently supports the following FTP requests:

Item	Description
ABOR	Terminates previous command.
ACCT	Specifies account (ignored).
ADAT	Specifies the Authentication/Security Data.
ALLO	Allocates storage (vacuously).
APPE	Appends to a file.
AUTH	Specifies the Authentication/Security Mechanism.
CCC	Specifies the Clear Command Channel.
CDUP	Changes to the parent directory of the current working directory.
CWD	Changes working directory.
DELE	Deletes a file.
ENC	Specifies the Privacy Protected Command.
HELP	Gives help information.

Item	Description
LIST	Gives list files in a directory (this FTP request is the same as the ls -lA command).
MKD	Makes a directory.
MDTM	Shows last modification time of file.
MIC	Specifies the Integrity Protected Command.
MODE	Specifies data transfer mode.
NLST	Gives a name list of files in directory (this FTP request is the same as the ls command).
NOOP	Does nothing.
PASS	Specifies a password.
PASV	Prepares for server-to-server transfers.
PBSZ	Specifies the Protection Buffer Size.
PORT	Specifies a data connection port.
PROT	Specifies the Data Channel Protection Level.
PWD	Prints the current working directory.
QUIT	Terminates session.
RETR	Retrieves a file.
RMD	Removes a directory.
RNFR	Specifies rename-from file name.
RNTO	Specifies rename-to file name.
SITE	The following nonstandard or UNIX-specific commands are supported by the SITE request: UMASK Changes umask (SITE UMASK 002). IDLE Sets idler time (SITE IDLE 60). CHMOD Changes mode of a file (SITE CHMOD 755 FileName). HELP Gives help information (SITE HELP).
SIZE	Returns size of current file.
STAT	Returns the status of the server.
STOR	Stores a file.
STOU	Stores a file using a unique file name.
STRU	Specifies the structure of data transfer as a file structure.
SYST	Shows operating system type of server system.
TYPE	Specifies data transfer type with the Type parameter.
USER	Specifies user name.
XCUP	Changes the parent directory of the current working directory (not usually used).
XCWD	Changes current directory (not usually used).
XMKD	Creates a directory (not usually used).
XPWD	Prints the current working directory (not usually used).
XRMD	Removes a directory (not usually used).

The remaining FTP requests defined in Internet RFC 959 are recognized, but not implemented. The MDTM and SIZE requests are not specified by RFC 959, but are scheduled to appear in the next updated FTP RFC.

If a STAT request is received during a data transfer and preceded by both a Telnet IP signal and SYNCH signal, transfer status is returned.

The ftpd daemon must be controlled using the System Management Interface Tool (SMIT) or by changing the /etc/inetd.conf file. Typing ftpd at the command line is not recommended.

Manipulating the ftpd Daemon with the System Resource Controller

The ftpd daemon is a subserver of the inetd daemon, which is a subsystem of the System Resource Controller (SRC). The ftpd daemon is a member of the tcpip SRC subsystem group. This daemon is enabled by default in the /etc/inetd.conf file and can be manipulated by the following SRC commands:

Item	Description
startsrc	Starts a subsystem, group of subsystems, or a subserver.
stopsrc	Stops a subsystem, group of subsystems, or a subserver.
lssrc	Gets the status of a subsystem, group of subsystems, or a subserver.

Flags

Item	Description
-C	Allows the user to specify that the outgoing file sent using the send_file command must be cached in the Network Buffer Cache (NBC). This flag cannot be used unless the -q flag is specified. This flag is only applicable when a file is being sent out in the binary mode with no protection.
-c	Suppresses the reverse host name lookup.
-d	Sends debugging information about ftpd daemon operations to the syslogd daemon. If you specify the -d flag, you must edit the /etc/syslog.conf file and add the following entry: `daemon.debug FileName` Note: The syslogd daemon's `debug` level includes `info` level messages. If you do not edit the /etc/syslog.conf file, no messages are produced. After changing the /etc/syslog.conf file, run the refresh -s syslogd command or kill -1 SyslogdPID command to inform the syslogd daemon of the changes to its configuration file. For more information about debug levels, refer to the /etc/syslog.conf file.
-D DataConnTimeOut	Specifies the maximum number of seconds that the ftpd daemon holds a data connection. The default value is 300 seconds and a value of 0 specifies an indefinite wait. The value for the DataConnTimeOut parameter can range from 0 to MAXINT.
-e	Enables only TLS enabled clients to establish connection with the server.
-f	Disables checking for a privileged port when the client requests the server to connect back to a specific port. By default, ftpd does not allow the client to request a connection to a privileged port as a security precaution.
-ff	Disables checking for both a privileged port and an IP address that matches the one used for the control connection when the client requests the server to connect back to a specific client port. Using this flag enables the client to request that the server send data to an alternate host or interface. By default, ftpd does not allow this action as a security precaution.
-k	Sets the SO_KEEPALIVE option defined in the sys/socket.h file on the data transfer socket to enable the data transfer to time out in the event TCP/IP hangs. The idle interval time is based on system-wide values designated by the `tcp_keepidle` and `tcp_keepintvl` options of the no command. Without the flag, ftpd data transfer will not time out.
-l	Sends logging information about ftpd daemon operations to the syslogd daemon. If you specify the -l flag, you must edit the /etc/syslog.conf file and add the following entry: `daemon.info FileName` If you do not edit the /etc/syslog.conf file, no messages are produced. After changing the /etc/syslog.conf file, run the refresh -s syslogd command or kill -1 SyslogdPID command to inform the syslogd daemon of the changes to its configuration file. For more information about debug levels, refer to the /etc/syslog.conf file.
-q	Allows the user to specify that the send_file subroutine must be used for sending the file on the network. This flag is only applicable when a file is being sent out in the binary mode with no protection.
-t TimeOut	Logs out inactive sessions after the number of seconds specified by the TimeOut variable. The default limit is 15 minutes (900 seconds). The timeout applies to both the data and the control connections.
-T MaxTimeOut	Logs out inactive client sessions after a maximum number of seconds specified by the MaxTimeOut variable. The default limit is 2 hours (7200 seconds).
-s	Turns on socket-level debugging.
-u OctalVal	Sets the ftpd daemon's umask. The OctalVal variable must be specified as an octal value to define the umask. The default umask is an octal value of 027, which results in file permissions of rw-r——-.
-U	Keep files unlocked while in transfer. If this flag is specified with /usr/sbin/ftpd, then the file can be opened while still in transfer.

Security

The ftpd daemon is a PAM-enabled application with a service name of ftp. System-wide configuration to use PAM for authentication is set by modifying the value of the auth_type attribute, in the usw stanza of /etc/security/login.cfg, to PAM_AUTH as the root user.

The authentication mechanisms used when PAM is enabled depend on the configuration for the ftp service in /etc/pam.conf. The ftpd daemon requires /etc/pam.conf entries for the auth, account, and session module types. Listed below is a recommended configuration in /etc/pam.conf for the ftp service:

#
# AIX ftp configuration
#
ftp auth      required     /usr/lib/security/pam_aix

ftp account   required     /usr/lib/security/pam_aix

ftp session   required     /usr/lib/security/pam_aix

Examples

Note: The arguments for the ftpd daemon can be specified by using SMIT or by editing the /etc/inetd.conf file.

To start the ftpd daemon, type the following:
```
startsrc -t ftp
```
The startsrc command with the -t flag starts the ftpd subserver. You must use the -t flag to specify a subserver. Otherwise, the command does not execute properly.
To stop the ftpd daemon, usually type the following:
```
stopsrc -t ftp
```
The stopsrc command with the -t flag stops the ftpd subserver. The stopsrc command allows all pending connections to start and all existing connections to complete, but prevents new connections from starting. You must use the -t flag to specify a subserver. Otherwise, the command does not execute properly.
To force the ftpd daemon and all ftpd connections to stop, type the following:
```
stopsrc -f -t ftp
```
The stopsrc command with the -t and -f flags forces the ftpd subserver to stop. It terminates all pending connections and existing connections immediately.
To display a short status report about the ftpd daemon, type the following:
```
lssrc -t ftp
```
The lssrc command with the -t flag returns the daemon's name, process ID, and state (active or inactive). You must use the -t flag to specify a subserver. Otherwise, the command does not execute properly.

Files

Item	Description
/etc/locks/ftpd	Contains interlock and process ID (PID) storage.
/etc/group	Contains passwords for groups.
/etc/passwd	Contains passwords for users.
/etc/security/login.cfg	Contains configuration information for login and user authentication.
/etc/security/passwd	Contains encrypted passwords.
/etc/syslog.conf	Contains configuration information for the syslogd daemon.
/usr/samples/tcpip/anon.ftp	Contains the example shell script with which to set up an anonymous FTP account. This file also contains directions for its use.
/etc/ftpd.cnf	Contains the configuration parameters for TLS support.