7.5. File transfer services: FTP

Important

The file transfer protocol (FTP) is a client/server protocol (under TCP) which allows files to be transferred to and from a remote system. An FTP server is a computer that runs the ftpd daemon.

Sites that allow an anonymous connection (under the anonymous user) are generally software repositories. On a private site, we will need a username and password in order to obtain access. It is also possible to access an FTP server from a web browser, and nowadays software repositories are usually replaced by web servers (e.g. Apache) or other technologies such as BitTorrent (which uses peer-to-peer (P2P) networks). Nonetheless, in some cases (with Debian, for example) access continues to use a username and password, with the possibility of uploading files to the server (although this is also possible with web services). The file transfer protocol (FTP), and the servers/clients that implement it, is by definition not encrypted (the data, usernames and passwords are transmitted in clear text over the network), with the risk that entails. There are, however, a number of servers/clients that support SSL and therefore encryption.

7.5.1. FTP client (conventional)

An FTP client allows access to FTP servers and there are a large number of clients available. Using FTP is extremely simple; from the command line, run:

ftp server-name

Or just ftp, and then interactively:

open server-name

The server will prompt for a username and a password (if it accepts anonymous users, anonymous will be entered as the username and our e-mail address as the password) and from the command prompt (following several messages) we will be able to start transferring files.

The protocol allows the transfer in ASCII or binary modes. It is important to decide what type of file has to be transferred, because transferring a binary in ASCII mode will corrupt the file. To change between modes, we will need to execute the ascii or binary command. Useful commands of the FTP client are ls (navigation in the remote directory), get file_name (to download files) or mget (which accepts wildcards, *), and put file_name (to send files to the server) or mput (which accepts wildcards, *); in these last two cases we need to be authorised to write in the server's directory. We can run local commands by entering a '!' before the command. For example, !cd /tmp will mean that the files downloaded to the local machine will be saved in /tmp. In order to view the status and progress of the transfer, the client can print marks, or ticks, which are activated by the hash and tick commands. There are other commands that can be consulted on the manual page (man ftp) or by running help from within the client.

We have numerous alternatives for clients, for example in text mode: ncftp, lukemftp, lftp, cftp, yafc, or in graphic mode: gFTP, WXftp, LLNL XFTP, guiftp. [Bor00]

7.5.2. FTP servers

The traditional UNIX server listens on port 21 and is started by the inetd daemon (or xinetd, depending on which one is installed). In inetd.conf it is advisable to include the tcpd wrapper, with the access rules in hosts.allow and hosts.deny, in the call to ftpd by inetd to increase the system's security (refer to the chapter on security). When it receives a connection, it verifies the user and password and allows entry if authentication is correct. An anonymous FTP works differently, since the user will only be able to access a directory established in the configuration file and the tree below it, but not upwards, for security reasons. This directory generally contains pub/, bin/, etc/, and lib/ directories so that the FTP daemon can run external commands for ls requests. The ftpd daemon supports the following files for its configuration:

If at some point we wish to inhibit FTP connections, we can do so by creating the /etc/nologin file. The ftpd will display its contents and exit. If there is a .message file in a directory, the ftpd will display it when the directory is accessed.
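The inetd/tcpd arrangement recommended above, shown as an added configuration example that is not part of the original text. The daemon name in.ftpd and the 192.168.1.0/24 network are assumptions; substitute the ftpd binary and the networks that apply on your system.

```text
# /etc/inetd.conf -- weak: inetd starts ftpd directly, no access rules apply
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd   in.ftpd

# /etc/inetd.conf -- corrected: inetd starts tcpd, which checks hosts.allow
# and hosts.deny before handing the connection to the real daemon
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd      in.ftpd

# /etc/hosts.deny -- deny everyone by default (consulted after hosts.allow)
in.ftpd: ALL

# /etc/hosts.allow -- only the local network may reach the FTP service
in.ftpd: 192.168.1.0/255.255.255.0
```

tcpd checks hosts.allow first and hosts.deny second, so the deny-all line only applies to clients not matched in hosts.allow.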

A user's connection passes through five different levels:

1) Having a valid password.

2) Not appearing on the list /etc/ftpusers.

3) Having a valid standard shell.

4) If the user appears in /etc/ftpchroot, the root directory will be changed (chroot) to the home directory (this also applies to anonymous or ftp).

5) If the user is anonymous or ftp, there must be an entry for the ftp user in /etc/passwd, but it will be able to connect by giving any password (conventionally the e-mail address is used).

It is important to bear in mind that users who are only allowed to use the FTP service should not have a login shell in their /etc/passwd entry, to prevent the user from connecting through ssh or telnet, for example. Therefore, when the user is created, we will have to indicate, for example:

useradd -d /home/nteum -s /bin/false nteum

And then:

passwd nteum

This will mean that the user nteum will not have a shell for an interactive connection (if the user already exists, we can edit the /etc/passwd file and change the last field to /bin/false). Then we will have to add /bin/false as the last line of /etc/shells. [Mou01] describes step by step how to create both a secure FTP server with registered users and an anonymous FTP server for non-registered users. Two of the most common non-standard servers are WU-FTPD (http://www.wuftpd.org) and ProFTPD (http://www.proftpd.org). [Bor00, Mou01]
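An audit helper that applies the checks above (level 2, level 3, and the "no login shell" rule) to an account such as nteum. This is an added example, not part of the course text; it runs against constructed copies of /etc/passwd, /etc/shells and /etc/ftpusers, so it can be tried without touching the real system.

```shell
#!/bin/sh
# Added example: classify an account from ftpd's point of view.
# Non-interactive shells that still count as valid when listed in /etc/shells
NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin"

# ftp_only_status USER PASSWD_FILE SHELLS_FILE FTPUSERS_FILE
# Prints exactly one word:
#   ok           usable by ftpd, and no interactive login is possible
#   denied       user is listed in ftpusers (level 2)
#   bad-shell    shell not listed in /etc/shells, so ftpd refuses it (level 3)
#   interactive  shell is a real login shell: ssh/telnet would work too
#   missing      no passwd entry at all
ftp_only_status() {
    user=$1; passwd=$2; shells=$3; ftpusers=$4
    entry=$(grep "^$user:" "$passwd") || { echo missing; return; }
    shell=${entry##*:}                       # last field of the passwd line
    if grep -qx "$user" "$ftpusers"; then echo denied; return; fi
    if ! grep -qx "$shell" "$shells"; then echo bad-shell; return; fi
    for s in $NOLOGIN_SHELLS; do
        if [ "$shell" = "$s" ]; then echo ok; return; fi
    done
    echo interactive
}

# Constructed sample files standing in for /etc/passwd, /etc/shells, /etc/ftpusers
TMP=$(mktemp -d)
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nteum:x:1001:1001::/home/nteum:/bin/false
alice:x:1002:1002::/home/alice:/bin/bash
bob:x:1003:1003::/home/bob:/usr/sbin/nologin
EOF
printf '%s\n' /bin/sh /bin/bash /bin/false > "$TMP/shells"   # nologin deliberately absent
printf '%s\n' root > "$TMP/ftpusers"

for u in root nteum alice bob carol; do
    printf '%-6s %s\n' "$u" "$(ftp_only_status "$u" "$TMP/passwd" "$TMP/shells" "$TMP/ftpusers")"
done
rm -r "$TMP"
```

On a real system, point the function at /etc/passwd, /etc/shells and /etc/ftpusers and loop over the accounts meant to be FTP-only; anything reported as interactive or bad-shell needs the fix described above.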

To install ProFTPD on Debian, execute: apt-get install proftpd. After it is downloaded, debconf will ask whether we want to run it from inetd or in manual mode (it is advisable to select the latter). If we wish to stop the service (for example, in order to change the configuration), we can use /etc/init.d/proftpd stop, and the configuration file to modify is /etc/proftpd.conf.

Consult http://www.debian-administration.org/articles/228 in order to configure it in encrypted mode (TLS) or to allow anonymous access.

Another very interesting server packaged for Debian is Pure-FTPd (pure-ftpd), which is very secure and supports virtual users, quotas, SSL/TLS and a set of other very interesting features. Its installation/configuration is described at http://www.debian-administration.org/articles/383.