Provides the server function for the Internet FTP protocol.
Note: The ftpd daemon is usually started by the inetd daemon. It can also be controlled from the command line, using SRC commands.
/usr/sbin/ftpd [ -d ] [ -f ] [ -ff ] [ -k ] [ -l ] [ -U ] [ -t TimeOut ] [ -T MaxTimeOut ] [ -s ] [ -u OctalVal ] [-q [-C]]
The /usr/sbin/ftpd daemon is the DARPA Internet File Transfer Protocol (FTP) server process. The ftpd daemon uses the Transmission Control Protocol (TCP) to listen at the port specified with the ftp command service specification in the /etc/services fil.
Changes to the ftpd daemon can be made using the System Management Interface Tool (SMIT) or System Resource Controller (SRC), by editing the /etc/inetd.conf or /etc/services file. Typing ftp at the command line is not recommended. The ftpd daemon is started by default when it is uncommented in the /etc/inetd.conf file.
The inetd daemon gets its information from the /etc/inetd.conf file and the /etc/services file.
If you change the /etc/inetd.conf or /etc/services file, run the refresh -s inetd or kill -1 InetdPID command to inform the inetd daemon of the changes to its configuration files.
The ftpd daemon expands file names according to the conventions of the csh command. This command allows you to use such metacharacters as the * (asterisk), the ? (question mark), [ ] (left and right brackets), { } (left and right braces), and the ~ (tilde).
The /etc/ftpaccess.ctl file is searched for lines that start with allow:, deny:, readonly:, writeonly:, readwrite:, useronly:, grouponly:, herald: and/or motd:. Other lines are ignored. If the file doesn't exist, then ftp access is allowed for all hosts. The allow: and deny: lines are for restricting host access. The readonly:, writeonly: and readwrite: lines are for restricting ftp reads (get) and writes (put). The useronly: and grouponly: lines are for defining anonymous users. The herald: and motd: lines are for multiline messages before and after login.
The syntax for all lines in /etc/ftpaccess.ctl are in the form:
keyword: value, value, ...
where one can specify one or more values for every keyword. One can have multiple lines with the same keyword. The lines in /etc/ftpaccess.ctl are limited to 1024 characters, anything more than 1024 characters will be ignored.
The syntax for the allow: and deny: lines are:
allow: host, host, ... dent: host, host, ...
If an allow: line is specified, than only the hosts listed in all the allow: lines are allowed ftp access. All other hosts will be refused ftp access. If there are no allow: line(s), then all hosts will be given ftp access except those hosts specified in the deny: line(s). The host can be specified as either a hostname or IP address.
The syntax for the readonly:, writeonly: and readwrite: lines are:
readonly: dirname, dirname, ... writeonly: dirname, dirname, ... readwrite: dirname, dirname, ...
The readonly: lines list the read-only directories and the writeonly: lines list the write-only directories. If one wants read access in a write-only directory or if one wants write access in a read-only directory, then access is denied. All other directories are granted access except when a readwrite: line(s) is specified. If a readwrite: line(s) is specified, only directories listed in the readwrite: line and/or listed in the readonly: line are granted access for reading, AND only directories listed in the readwrite: line and/or listed in the writeonly: line are granted access for writing. Also, these lines can have a value of "ALL" or "NONE".
The syntax for the useronly: and grouponly: lines are:
useronly: username, username, ... grouponly: groupname, groupname, ...
The username is from /etc/passwd and the groupname is from /etc/group. The useronly: line defines an anonymous user. The grouponly: line defines a group of anonymous users. These anonymous users are similar to the user anonymous in that ftp activity is restricted to their home directories.
The syntax for the herald: and motd: lines are:
herald: path motd: on|off
The path is the full path name of the file that contains the multiline herald that will be displayed before login. When the motd: line has a value of 'on', then the $HOME/motd file contains the multiline message that will displayed after login. If the user is a defined anonymous user, then the /etc/motd file contains the multiline message that will displayed after login. (Note that /etc/motd is in the anonymous user's chroot'ed home directory). The default for the motd: line is off.
Before the ftpd daemon can transfer files for a client process, it must authenticate the client process. The ftpd daemon authenticates client processes according to these rules:
The ftpd daemon allows access only if all of the following conditions are satisfied:
When handling an anonymous FTP user, the server performs the chroot command in the home directory of the FTP user account. For greater security, implement the following rules when you construct the FTP subtree:
When handling an anonymous FTP user defined in /etc/ftpaccess.ctl, the server performs the chroot command in the home directory of the user account. For greater security, implement the following rules when you construct the user's subtree:
The server must run as the root user to create sockets with privileged port numbers. The server maintains an effective user ID of the logged-in user, reverting to the root user only when binding addresses to sockets.
The ftpd daemon currently supports the following FTP requests:
The remaining FTP requests defined in Internet RFC 959 are recognized, but not implemented. The MDTM and SIZE requests are not specified by RFC 959, but are scheduled to appear in the next updated FTP RFC.
If a STAT request is received during a data transfer and preceded by both a Telnet IP signal and SYNCH signal, transfer status is returned.
The ftpd daemon should be controlled using the System Management Interface Tool (SMIT) or by changing the /etc/inetd.conf file. Typing ftpd at the command line is not recommended.
The ftpd daemon is a subserver of the inetd daemon, which is a subsystem of the System Resource Controller (SRC). The ftpd daemon is a member of the tcpip SRC subsystem group. This daemon is enabled by default in the /etc/inetd.conf file and can be manipulated by the following SRC commands:
startsrc | Starts a subsystem, group of subsystems, or a subserver. |
stopsrc | Stops a subsystem, group of subsystems, or a subserver. |
lssrc | Gets the status of a subsystem, group of subsystems, or a subserver. |
-C | Allows the user to specify that the outgoing file sent using the send_file command must be cached in the Network Buffer Cache (NBC). This flag cannot be used unless the -q flag is specified. This flag is only applicable when a file is being sent out in the binary mode with no protection. |
-d | Sends debugging information about ftpd daemon
operations to the syslogd daemon. If you specify the -d flag, you must
edit the /etc/syslog.conf file and add the following
entry:
daemon.debug FileName Note: The syslogd daemon's debug level includes info level messages. If you do not edit the /etc/syslog.conf file, no messages are produced. After changing the /etc/syslog.conf file, run the refresh -s syslogd command or kill -1 SyslogdPID command to inform the syslogd daemon of the changes to its configuration file. For more information about debug levels, refer to the /etc/syslog.conf file. |
-f | Disables checking for a privileged port when the client requests the server to connect back to a specific port. By default, ftpd does not allow the client to request a connection to a privileged port as a security precaution. |
-ff | Disables checking for both a privileged port and an IP address that matches the one used for the control connection when the client requests the server to connect back to a specific client port. Using this flag enables the client to request that the server send data to an alternate host or interface. By default, ftpd does not allow this action as a security precaution. |
-k | Sets the SO_KEEPALIVE option defined in the sys/socket.h file on the data transfer socket to enable the data transfer to time out in the event TCP/IP hangs. The idle interval time is based on system-wide values designated by the tcp_keepidle and tcp_keepintvl options of the no command. Without the flag, ftpd data transfer will not time out. |
-l | Sends logging information about ftpd daemon
operations to the syslogd daemon. If you specify the -l flag, you must edit the /etc/syslog.conf file and add the following entry:
daemon.info FileName If you do not edit the /etc/syslog.conf file, no messages are produced. After changing the /etc/syslog.conf file, run the refresh -s syslogd command or kill -1 SyslogdPID command to inform the syslogd daemon of the changes to its configuration file. For more information about debug levels, refer to the /etc/syslog.conf file. |
-q | Allows the user to specify that the send_file subroutine must be used for sending the file on the network. This flag is only applicable when a file is being sent out in the binary mode with no protection. |
-t TimeOut | Logs out inactive sessions after the number of seconds specified by the TimeOut variable. The default limit is 15 minutes (900 seconds). |
-T MaxTimeOut | Logs out inactive client sessions after a maximum number of seconds specified by the MaxTimeOut variable. The default limit is 2 hours (7200 seconds). |
-s | Turns on socket-level debugging. |
-u OctalVal | Sets the ftpd daemon's umask. The OctalVal variable must be specified as an octal value to define the umask. The default umask is an octal value of 027, which results in file permissions of rw-r-----. |
-U | Keep files unlocked while in transfer. If this flag is specified with /usr/sbin/ftpd, then the file can be opened while still in transfer. |
Note: The arguments for the ftpd daemon can be specified by using SMIT or by editing the /etc/inetd.conf file.
startsrc -t ftp
The startsrc command with the -t flag starts the ftpd subserver. You must use the -t flag to specify a subserver. Otherwise, the command does not execute properly.
stopsrc -t ftp
The stopsrc command with the -t flag stops the ftpd subserver. The stopsrc command allows all pending connections to start and all existing connections to complete, but prevents new connections from starting. You must use the -t flag to specify a subserver. Otherwise, the command does not execute properly.
stopsrc -t -f ftp
The stopsrc command with the -t and -f flags forces the ftpd subserver to stop. It terminates all pending connections and existing connections immediately.
lssrc -t ftp
The lssrc command with the -t flag returns the daemon's name, process ID, and state (active or inactive). You must use the -t flag to specify a subserver. Otherwise, the command does not execute properly.
/etc/locks/ftpd | Contains interlock and process ID (PID) storage. |
/etc/group | Contains passwords for groups. |
/etc/passwd | Contains passwords for users. |
/etc/security/login.cfg | Contains configuration information for login and user authentication. |
/etc/security/passwd | Contains encrypted passwords. |
/etc/syslog.conf | Contains configuration information for the syslogd daemon. |
/usr/samples/tcpip/anon.ftp | Contains the example shell script with which to set up an anonymous FTP account. This file also contains directions for its use. |
The ftp command, lssrc command, kill command, no command, rcp command, refresh command, rlogin command, rsh command, startsrc command, stopsrc command, telnet command.
The inetd daemon, syslogd daemon.
The kvalid_user function.
The /etc/ftpusers file format, /etc/inetd.conf file format, /etc/services, $HOME/.k5login file format.
TCP/IP Daemons in AIX 5L Version 5.2 System Management Guide: Communications and Networks.
Secure Rcmds in AIX 5L Version 5.2 System User's Guide: Communications and Networks.
Network Option Tunable Parameters in AIX 5L Version 5.2 Performance Management Guide.