Manual: (HP-UX-11.11)

 ftpd(1M)			  Kerberos			    ftpd(1M)

      ftpd - DARPA Internet File Transfer Protocol server

      /usr/lbin/ftpd [-l] [-p] [-v] [-t timeout] [-P] [-T maxtimeout]
      [-u umask] [-K] [-B size] [-a] [-A] [-L] [-i] [-o] [-m number_of_tries]

      ftpd is the DARPA Internet File Transfer Protocol server.	 It expects
      to be run by the Internet daemon (see inetd(1M) and inetd.conf(4)).
      inetd runs ftpd when a service request is received at the port
      indicated in the ftp service specification in /etc/services (see

      ftpd recognizes the following options and command-line arguments.

	   -l		  Causes each FTP session to be logged in the syslog

	   -p		  By default, ftpd does not allow a reserved port to be
			  used as the originating port on the client's system;
			  that is, the PORT command cannot specify a reserved
			  port.  This option allows the client to specify a
			  reserved port.  Note that allowing reserved ports can
			  result in the misuse of ftpd.  Understand the
			  security ramifications before turning this option on.

	   -v		  The debugging information is written to the syslog

	   -t timeout	  Causes ftpd to time out inactive sessions after
			  timeout seconds.  By default, ftpd terminates an
			  inactive session after 15 minutes.

	   -P		  Enables third party transfer.

	   -T maxtimeout  A client can also request a different timeout
			  period.  The -T option sets to maxtimeout the
			  maximum timeout that a client can request, in
			  seconds.  By default, the maximum timeout is 2

	   -u umask	  Change default ftpd umask from 027 to umask.

	   -K		  Applicable only in a secure environment based on
			  Kerberos V5.	Causes access to be denied if
			  network authentication fails.	 See sis(5).

 Hewlett-Packard Company	    - 1 -   HP-UX Release 11i: November 2000

	   -B size	  Sets the buffer size of the data socket to size
			  blocks of 1024 bytes.	 The valid range for size is
			  from 1 to 64 (default is 56).	 NOTE: A large
			  buffer size will improve the performance of ftpd
			  on fast links (e.g. FDDI), but may cause long
			  connection times on slow links (e.g. X.25).

	   -a		  Enables the use of the configuration file
			  /etc/ftpd/ftpaccess (see ftpaccess(4)).

	   -A		  Disables the use of the configuration file
			  /etc/ftpd/ftpaccess (see ftpaccess(4)).

	   -L		  Logs all commands sent to the ftpd server to the
			  syslog.  The -L option is overridden by the
			  /etc/ftpd/ftpaccess file (see ftpaccess(4)).  If the
			  -L option is used, commands will be logged to syslog
			  by default.

	   -i		  Logs all the files received by ftpd server to
			  xferlog.  This option is overridden by the
			  /etc/ftpd/ftpaccess file (see ftpaccess(4)).

	   -o		  Logs all files transmitted by ftpd to xferlog.
			  This option logs outgoing files from the ftpd
			  server. This option is overridden by the
			  /etc/ftpd/ftpaccess file (see ftpaccess(4)).

	   -m number_of_tries
			  Specifies the number of tries for a bind() socket
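
      An added example, not part of the HP-UX manual page: a shell function
      that reads inetd.conf-style lines and reports ftpd options that relax a
      default described in the list above (-p, -P, a -u umask weaker than 027)
      or leave out -l.  The inetd.conf field layout, the function names and
      both sample lines are assumptions constructed for illustration; options
      are assumed to be separate words.

```shell
#!/bin/sh
# audit_ftpd_opts: read inetd.conf-style lines on stdin and print one finding
# per ftpd option that relaxes a default described in the option list.
# Assumed layout: service type proto wait user server-path argv0 options...
audit_ftpd_opts() {
    awk '
    /^[ \t]*#/ { next }                          # skip comment lines
    $6 ~ /\/ftpd$/ {
        logged = 0
        for (i = 8; i <= NF; i++) {              # $7 is argv[0]
            o = $i
            if (o == "-l") logged = 1
            else if (o == "-p") print "WARN -p: PORT may name a reserved port"
            else if (o == "-P") print "WARN -P: third party transfer enabled"
            else if (o == "-u") {
                u = $(++i)
                g = substr(u, length(u) - 1, 1) + 0    # group digit
                w = substr(u, length(u), 1) + 0        # other digit
                # The default 027 masks group write and all access for others.
                if (int(g / 2) % 2 != 1 || w != 7)
                    print "WARN -u " u ": umask weaker than default 027"
            }
            else if (o ~ /^-[tTBm]$/) i++        # skip the option argument
        }
        if (!logged) print "WARN no -l: sessions are not logged to syslog"
    }'
}

# Constructed sample lines, not taken from a real system.
sample_weak='ftp stream tcp nowait root /usr/lbin/ftpd ftpd -p -u 022 -t 600'
sample_ok='ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -L -i -o -a'

audit_weak() { printf '%s\n' "$sample_weak" | audit_ftpd_opts; }
audit_ok()   { printf '%s\n' "$sample_ok"   | audit_ftpd_opts; }
```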

      ftpd currently supports the following commands (uppercase and
      lowercase are interpreted as equivalent):

	   Command	  Description
	   ABOR		  Abort previous command
	   ACCT		  Specify account (ignored)
	   ALLO		  Allocate storage (vacuously)
	   APPE		  Append to a file
	   CDUP		  Change to parent of current working directory
	   CWD		  Change working directory
	   DELE		  Delete a file
	   HELP		  Give help information
	   LIST		  Give a list of files in a directory (ls -l)
	   MKD		  Make a directory
	   MDTM		  Show last modification time of file
	   MODE		  Specify data transfer mode
	   NLST		  Give name list of files in directory
	   NOOP		  Do nothing
	   PASS		  Specify password
	   PASV		  Prepare for server-to-server transfer
	   PORT		  Specify data connection port
	   PWD		  Print the current working directory
	   QUIT		  Terminate session
	   REST		  Restart incomplete transfer
	   RETR		  Retrieve a file
	   RMD		  Remove a directory
	   RNFR		  Specify rename-from file name
	   RNTO		  Specify rename-to file name
	   SITE		  Non-standard commands (see next section)
	   SIZE		  Return size of file
	   STAT		  Return status of server
	   STOR		  Store a file
	   STOU		  Store a file with a unique name
	   STRU		  Specify data transfer structure
	   SYST		  Show operating system type of server system
	   TYPE		  Specify data transfer type
	   USER		  Specify user name
	   XCUP		  Change to parent of current working directory
	   XCWD		  Change working directory
	   XMKD		  Make a directory
	   XPWD		  Print the current working directory
	   XRMD		  Remove a directory

      The following commands are supported when ftpd is operating in a
      secure environment which is based on Kerberos V5 (see sis(5)).

	   Command	  Description
	   AUTH		  Authentication/security mechanism
	   ADAT		  Authentication/security data
	   CCC		  Clear command channel
	   ENC		  Privacy protected command
	   MIC		  Integrity protected command
	   PROT		  Data channel protection level (level 'C' only)
	   PBSZ		  Protection buffer size (has no effect)

      These commands are described in draft 8 of the FTP security

      The following non-standard or HP-UX specific commands are supported by
      the SITE command:

	   Command	  Description
	   UMASK	  Change umask. (e.g., SITE UMASK 002)
	   IDLE		  Set idle-timer. (e.g., SITE IDLE 60)
	   CHMOD	  Change mode of a file. (e.g., SITE CHMOD 755
	   HELP		  Give help information. (e.g., SITE HELP)
	   NEWER	  List files newer than a particular date.
	   MINFO	  Works like SITE NEWER, but gives extra
	   GROUP	  Request for special group access. (e.g., SITE
			  GROUP foo)
	   GPASS	  Give special group access password. (e.g., SITE
			  GPASS bar)
	   EXEC		  Execute a program. (e.g., SITE EXEC program

      The remaining FTP requests specified in Internet RFC 959 are
      recognized, but not implemented.	MDTM and SIZE are not specified in
      RFC 959, but are expected in the next updated FTP RFC.

      The FTP server aborts an active file transfer only when the ABOR
      command is preceded by a Telnet "Interrupt Process" (IP) signal and a
      Telnet ``Synch'' signal in the command Telnet stream, as described in
      Internet RFC 959.	 If ftpd receives a STAT command during a data
      transfer, preceded by a Telnet IP and Synch, it returns the status of
      the transfer.

      ftpd interprets file names according to the ``globbing'' conventions
      used by csh.  This allows users to utilize the metacharacters *, ., [,
      ], {, }, ~, and ?.

      ftpd authenticates users according to three rules:

	   +  The user name must be in the password data base, /etc/passwd,
	      and not have a null password.  The client must provide the
	      correct password for the user before any file operations can
	      be performed.

	   +  The user name must not appear in the file /etc/ftpd/ftpusers
	      (see ftpusers(4)).

	   +  The user must have a standard shell returned by

      Optionally, a system administrator can permit public access or
      ``anonymous FTP.'' If this has been set up, users can access the
      anonymous FTP account with the user name anonymous or ftp and any
      non-null password (by convention, the client host's name).  ftpd does
      a chroot() to the home directory of user ftp, thus limiting anonymous
      FTP users' access to the system.	If the user name is anonymous or
      ftp, an anonymous FTP account must be present in the password file
      (user ftp).  In this case the user is allowed to log in by specifying
      any password (by convention this is given as the user's e-mail

      In order to permit anonymous FTP, there must be an entry in the
      passwd(4) database for an account named ftp.  The password field
      should be *, the group membership should be guest, and the login shell
      should be /usr/bin/false.	 For example (assuming the guest group ID is

	   ftp:*:500:10:anonymous ftp:/home/ftp:/usr/bin/false

      The anonymous FTP directory should be set up as follows:

      ~ftp    The home directory of the FTP account should be owned by user
	      root and mode 555 (not writable).	 Since ftpd does a chroot()
	      to this directory, it must have the following subdirectories
	      and files:

	      ~ftp/usr/bin
			This directory must be owned by root and mode 555
			(not writable).	 The file /sbin/ls should be copied
			to ~ftp/usr/bin.  This is needed to support
			directory listing by ftpd.  The command should be
			mode 111 (executable only).  If the FTP account is
			on the same file system as /sbin, ~ftp/usr/bin/ls
			can be a hard link, but it may not be a symbolic
			link, because of the chroot().  The command must be
			replaced when the system is updated.

	      ~ftp/etc	This directory must be owned by root and mode 555
			(not writable).	 It should contain versions of the
			files passwd and group.	 See passwd(4) and group(4).
			These files must be owned by root and mode 444
			(readable only).  These files must be present for
			the LIST command to be able to produce owner names
			rather than numbers.

	      ~ftp/etc/passwd
			This file should contain entries for the ftp user
			and any other users who own files under the
			anonymous ftp directory.  Such entries should have *
			for passwords.	Group IDs must be listed in the
			anonymous FTP group file, ~ftp/etc/group.  The path
			names of home directories in ~ftp/etc/passwd must be
			with respect to the anonymous FTP home directory.

	      ~ftp/etc/group
			This file should contain the group names associated
			with any group IDs in file ~ftp/etc/passwd and any
			group IDs of files in the anonymous FTP

	      ~ftp/pub (optional)
			This directory is used by anonymous FTP users to
			deposit files on the system.  It should be owned by
			user ftp and should be mode 777 (readable and
			writable by all).

	      ~ftp/dist (optional)
			Directories used to make files available to
			anonymous ftp users should be mode 555 (not
			writable), and any files to be distributed should be
			owned by root and mode 444 (readable only) so that
			they cannot be modified or removed by anonymous FTP

      Note: The steps followed to create an anonymous account are also used
      to create a guest account.
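
      An added example, not part of the HP-UX manual page: a shell audit of an
      anonymous FTP tree against the ownership and mode requirements listed
      above, reading modes and owners from ls -ld.  The function names and the
      OWNER parameter are hypothetical, and ~ftp/dist is not checked.

```shell
#!/bin/sh
# check PATH PERMS OWNER: compare the `ls -ld` permission string (first ten
# characters, e.g. dr-xr-xr-x for mode 555) and the owner with the expected.
check() {
    if [ ! -e "$1" ] && [ ! -h "$1" ]; then echo "MISSING $1"; return 0; fi
    set -- "$1" "$2" "$3" $(ls -ld "$1" | awk '{print substr($1, 1, 10), $3}')
    if [ "$4" != "$2" ]; then echo "MODE $1: $4, expected $2"; fi
    if [ "$5" != "$3" ]; then echo "OWNER $1: $5, expected $3"; fi
    return 0
}

# audit_anon_ftp FTPHOME [OWNER]: OWNER defaults to root, as the page requires;
# it is a parameter only so the audit can be tried on a scratch tree.
audit_anon_ftp() {
    h=$1; own=${2:-root}
    check "$h"            dr-xr-xr-x "$own"
    check "$h/usr/bin"    dr-xr-xr-x "$own"
    check "$h/etc"        dr-xr-xr-x "$own"
    check "$h/etc/passwd" -r--r--r-- "$own"
    check "$h/etc/group"  -r--r--r-- "$own"
    # ls: mode 111 and never a symbolic link.  The page names no owner for
    # it, so the owner actually found is passed back in and not judged.
    ls_bin=$h/usr/bin/ls
    if [ -h "$ls_bin" ]; then
        echo "SYMLINK $ls_bin: must be a copy or a hard link"
    else
        check "$ls_bin" ---x--x--x \
            "$(ls -ld "$ls_bin" 2>/dev/null | awk '{print $3}')"
    fi
    # Every entry in the chroot copy of passwd should carry * as its password.
    if [ -r "$h/etc/passwd" ]; then
        awk -F: '$2 != "*" { print "PASSWD " $1 ": password field is not *" }' \
            "$h/etc/passwd"
    fi
    # Optional upload area: owned by ftp, mode 777.
    if [ -d "$h/pub" ]; then check "$h/pub" drwxrwxrwx ftp; fi
    return 0
}
```

      Run it as audit_anon_ftp ~ftp; each output line names one deviation, and
      no output means the checked paths match the requirements above.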

      ftpd replies to FTP commands to ensure synchronization of requests and
      actions during file transfers, and to indicate the status of ftpd.
      Every command produces at least one reply, although there may be more
      than one.	 A reply consists of a three-digit number, a space, some
      text, and an end of line.	 The number is useful for programs; the text
      is useful for users.  The number must conform to this standard, but
      the text can vary.

      The first digit of the message indicates whether the reply is good,
      bad, or incomplete.  Five values exist for the first digit.  The
      values and the interpretations of the values are:

	   1	   The requested action is being initiated; expect another
		   reply before proceeding with a new command.

	   2	   The requested action is complete.  The server is ready
		   for a new request.

	   3	   The command has been accepted, but the requested action
		   requires more information.

	   4	   The command was not accepted, the requested action
		   failed, but the error condition is temporary and the
		   action can be requested again.

	   5	   The command was not accepted, the requested action
		   failed, and the error condition would most likely occur
		   again if the same command sequence is repeated.

      The second digit indicates the functional area that the message
      addresses.  The values of the second digit and the interpretations of
      these values are:

	   0	   Syntax.  A message with a 0 for the second digit
		   indicates that a syntax error occurred.

	   1	   Information.	 A message with a 1 as the second digit
		   indicates that the message is in reply to a request for

	   2	   Connections.	 A message with a 2 as the second digit
		   indicates that the message is a reply to a request for
		   control and data connection information.

	   3	   Authentication and accounting.  A message with a 3 as the
		   second digit indicates that the message is a reply to a
		   login or accounting procedure.

	   4	   Not currently specified.

	   5	   File system.	 A message with a 5 as the second digit
		   indicates that the text following the number contains
		   information concerning the status of the server file

      The third digit provides a further clarification of the information
      supplied by the second digit.  Following are several examples of
      messages.	 Note that ftpd's replies match the number but not the text.

	   110	   Restart marker reply.  MARK yyyy=mmmm where yyyy is a
		   user process data stream marker, and mmmm is ftpd's
		   equivalent marker
	   120	   Service ready in nnn minutes
	   200	   Command okay
	   211	   System status, or system help reply
	   212	   Directory status
	   230	   User logged in, proceed
	   250	   Requested file action okay, completed
	   331	   User name okay, need password
	   350	   Requested file action pending further information
	   425	   Cannot open data connection
	   451	   Requested action aborted: local error in processing
	   500	   Syntax error, command unrecognized or command line too
	   530	   Not logged in
	   550	   Requested action not taken; file unavailable, not found,
		   no access
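
      An added example, not part of the HP-UX manual page: a shell function
      that applies the first-digit and second-digit rules above to the replies
      for one command, skipping preliminary 1yz replies until the reply that
      ends the exchange.  It assumes the single-line reply form described
      here; the function name and its output wording are constructed.

```shell
#!/bin/sh
# ftp_outcome: read the replies to one command on stdin and print
# "<code> <outcome> <area>" for the reply that ends the exchange.
ftp_outcome() {
    awk '
    BEGIN {
        split("preliminary complete need-more-info retry-later failed", first, " ")
        area["0"] = "syntax";         area["1"] = "information"
        area["2"] = "connections";    area["3"] = "authentication"
        area["4"] = "unspecified";    area["5"] = "file-system"
    }
    { sub(/\r$/, "") }                       # replies end in CR LF on the wire
    # A reply is a three-digit number, a space, and some text.
    !/^[1-5][0-5][0-9] / { print "malformed: " $0; bad = 1; exit }
    {
        d1 = substr($0, 1, 1); d2 = substr($0, 2, 1)
        if (d1 == "1") { pending = 1; next } # another reply must follow
        print substr($0, 1, 3), first[d1], area[d2]
        done = 1; exit
    }
    END {
        if (!done && !bad)
            print (pending ? "incomplete: no final reply" : "no reply")
    }'
}
```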

      The password is sent unencrypted through the socket connection.

      Anonymous FTP is inherently dangerous to system security.

    Pluggable Authentication Modules (PAM)
      PAM is an Open Group standard for user authentication, password
      modification, and validation of accounts.	 In particular,
      pam_authenticate() is invoked to perform all functions related to
      login.  This includes retrieving the password, validating the account,
      and displaying error messages.

      ftpd was developed by the University of California, Berkeley and the
      Washington University, St. Louis, Missouri.

      ftp(1), inetd(1M), chroot(2), getusershell(3C), pam_authenticate(3),
      ftpaccess(4), ftpusers(4), group(4), inetd.conf(4), passwd(4), sis(5),
