Chapter 10. Setting Up FTP Services

Virtual, anonymous, and more

The File Transfer Protocol (FTP) is one of the most frequently used services available on the Internet. Setting up an anonymous FTP server is fairly straightforward. Other services, like virtual FTP hosts and FTP-only accounts, are a little more tricky.

FTP under Red Hat Linux

Along with telnet-like applications, FTP is one of the most basic TCP/IP services. Red Hat Linux comes with a clone of the standard UNIX command-line FTP client, ftp, as well as the more full-featured ncftp. The default FTP daemon under Red Hat is wu-ftpd.

We will cover the setup and configuration of wu-ftpd for anonymous and user access, as well as the setup of virtual FTP servers. Next we'll talk about setting up these services with two other FTP daemons: ProFTPD and Bero-FTPD. Then we will cover some of the basics of using FTP and ncftp. Lastly, tftp (trivial FTP) will be covered briefly.

Configuring wu-ftpd

The /etc/ftpaccess file is the main configuration file for wu-ftpd. Three of the directives warrant special attention: class, autogroup, and guestgroup. The class directive defines classes of users, while autogroup combines classes into groups. The guestgroup directive tells wu-ftpd to treat users from the list of groups given like anonymous FTP users, but rooted within their home directories. This means that the bin, lib, and etc directories must be set up in the user's home directory as they are under /home/ftp.

An example /etc/ftpaccess file is:

#
# /etc/ftpaccess
#
# The class directive takes three or more arguments. The first is the
# name of the class, then the typelist (one or more of real, anonymous
# or guest separated by commas ONLY), then the list of patterns for
# matching against incoming hostnames
#
# Note that if no class matches the host, access will be denied.
#
# Define three classes: one named 'all' for any users from hosts in
# the .edu and .us TLDs, a second for real users from hosts in the
# ratatosk.org domain, and a third for anonymous users from
# ratatosk.org.
#
class  all      real,guest,anonymous  *.edu *.us
class  ratatosk real                  *.ratatosk.org
class  ratatosk-anon anonymous *.ratatosk.org
#
# Lock users from the group 'ftponly' to their home directories
#
guestgroup ftponly
#
# Define the email address that will be substituted for the
# %E magic cookie. See the man page for ftpaccess(5) for information
# on the use of magic cookies
#
email @ratatosk.org
#
# Set the number of login failures (5 is the default). After 3
# login failures the connection will be closed
#
loginfailures 3
#
# Define the files to be automatically displayed and when
# logging in and changing directories
#
message /welcome.msg  login
message .message      cwd=*
#
# Notify the user of the last modified date of a file named README
# upon login, a file starting with
# README upon changing directories and a file named README.NOW
# upon changing to the /pub/incoming directory
#
readme  README  login
readme  README* cwd=*
readme  README.NOW cwd=/pub/incoming
#
# log commands of guests (as defined by guestgroup) and log
# inbound transfers of real users and outbound transfers of
# everyone
#
log commands guest
log transfers real inbound
log transfers all outbound
#
# Control which classes have access to some commands/services.
# usertypes or classes can be specified. Wildcards can be used
# for class names.
#
compress        yes             all
tar             yes             ratatosk*
chmod           no              guest,anonymous
delete          no              guest,anonymous
overwrite       no              guest,anonymous
rename          no              guest,anonymous
#
# The shutdown message. See the man page for ftpaccess(5)
# for the format of this file
#
shutdown /message_shutdown
#
# Define an IP-based virtual host (wu-ftpd doesn't support IP-less
# virtual hosts). Set up the root, the login banner and the log file.
#
virtual 10.10.10.45 root /home/ftp_vhost1
virtual 10.10.10.45 banner /etc/banners/vhost1.banner
virtual 10.10.10.45 log /var/log/ftplogs/vhost1.log
#
# deny connections from goober.edu, displaying a file containing
# a message to them.
#
deny *.goober.edu /.deny.message
#
# don't let files named passwd, group or core be retrieved
#
noretrieve passwd group core

As you can see, wu-ftpd is highly configurable! Support for virtual hosts is limited, though. Only the root, banner, and log files are configurable. The rest of the directives in the ftpaccess file are applied to all FTP connections.
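To see how these access directives are interpreted, here is an added example (not part of the chapter or of wu-ftpd): a small Python parser for the class, guestgroup, noretrieve and per-command permission lines, plus an audit that flags what wu-ftpd's default of "allowed" would leave open to anonymous and guest users. The sample text is constructed from the chapter's file, and the matching rule in allowed() is a simplification of wu-ftpd's typelist handling.

```python
from fnmatch import fnmatch

# Constructed sample: the access-control lines of the chapter's /etc/ftpaccess.
SAMPLE_FTPACCESS = """\
class  all      real,guest,anonymous  *.edu *.us
class  ratatosk real                  *.ratatosk.org
class  ratatosk-anon anonymous *.ratatosk.org
guestgroup ftponly
chmod           no              guest,anonymous
delete          no              guest,anonymous
overwrite       no              guest,anonymous
rename          no              guest,anonymous
noretrieve passwd group core
"""

# "<cmd> <yes|no> <typelist>" lines; wu-ftpd defaults a missing one to "yes".
PERM_CMDS = ("chmod", "delete", "overwrite", "rename", "umask")

def parse_ftpaccess(text):
    cfg = {"class": {}, "guestgroup": [], "perm": [], "noretrieve": set()}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, *args = line.split()
        if key == "class" and len(args) >= 3:    # class <name> <typelist> <hosts...>
            cfg["class"][args[0]] = {"types": set(args[1].split(",")),
                                     "hosts": args[2:]}
        elif key == "guestgroup":
            cfg["guestgroup"] += args
        elif key in PERM_CMDS and len(args) == 2:
            cfg["perm"].append((key, args[0].lower() == "yes", args[1].split(",")))
        elif key == "noretrieve":
            cfg["noretrieve"].update(args)
    return cfg

def allowed(cfg, cmd, usertype, classname=""):
    """Simplified typelist matching: any 'no' entry naming the usertype, or
    whose (wildcard) class name matches classname, denies; else allowed."""
    for key, yes, who in cfg["perm"]:
        if key == cmd and not yes and any(
                w == usertype or fnmatch(classname, w) for w in who):
            return False
    return True

def audit(cfg):
    """Settings a defender wants to see before exposing the server."""
    findings = []
    for cmd in ("chmod", "delete", "overwrite", "rename"):
        for who in ("anonymous", "guest"):
            if allowed(cfg, cmd, who):
                findings.append(f"{who} users may {cmd} files; add '{cmd} no {who}'")
    if not {"passwd", "group"} <= cfg["noretrieve"]:
        findings.append("noretrieve should cover at least passwd and group")
    for name, cls in cfg["class"].items():
        if "anonymous" in cls["types"] and "*" in cls["hosts"]:
            findings.append(f"class {name} admits anonymous users from any host")
    return findings
```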

There are a few other files you need to know about. For the most part, they control access on a per-user basis. The /etc/ftpusers file lists users, one per line, who should be denied access. To give only FTP access to a user, specify /bin/false as the user's shell. This will effectively deny shell logins, but allow FTP access. Note that /bin/false must be in /etc/shells or the user will be denied any sort of access.

Anonymous FTP

If anonymous FTP was selected when Red Hat was installed, then some of your work is already done. The anonymous FTP client account is set up as well as the directory framework under /home/ftp. If anonftp isn't installed, grab the anonftp RPM package off the distribution CD or a Red Hat FTP mirror and install it. Similarly, if wu-ftpd is absent, obtain and install its .rpm.

Setting Up Anonymous FTP

In the instructions below, /home/ftp is the home of the anonymous FTP user as specified in the /etc/passwd file.

The FTP daemon, ftpd, recognizes the anonymous user and adjusts some aspects of the account. The root directory for access is set to /home/ftp. This means that access is limited to the directories and files in /home/ftp at best. Permissions can, of course, restrict access further. Because the filesystem root is changed, several directories and files need to be set up to allow the necessary minimum level of functionality. The anonftp RPM does this.

The directory structure should be set up as follows:

  • /home/ftp should be owned by root and writable only by root.

  • /home/ftp/bin should also be owned by root and writable only by root. It should contain the following programs: compress, cpio, gzip, ls, sh, tar, and zcat (as a link to gzip). They should all have the mode ---x--x--x; run chmod 111 ~ftp/bin/* if this is not the case.

  • /home/ftp/lib should contain ld-linux.so.2, libc.so.6, libnsl.so.1, and libnss_files.so.1.

The /home/ftp/etc subdirectory should also have mode 111, and should contain the files group, passwd, and ld.so.cache.

If you want listings to translate user and group IDs into names, you will likely need to add additional entries to /home/ftp/etc/passwd and /home/ftp/etc/group. Both should have mode 755 and contain passwd and group files that associate IDs with names. The encrypted password field is not used and should contain an asterisk (*). The only fields that need to be present are username, UID, and GID.

The upload and download directories can be created under /home/ftp/pub. For anonymous users to upload to a directory, it should be owned by the ftp user (and writable by the owner!). This will allow others to upload to and read from the directory. You can, of course, change ownership and permissions to allow the level of access you desire.

The user ftp should have an entry in /etc/passwd similar to this:

ftp:*:14:50:FTP User:/home/ftp:

FTP is a service controlled by inetd and, as such, requires an entry in /etc/services. Once again, this should be set up already, but if it is not, add an entry like this:

ftp     21/tcp

A corresponding entry in /etc/inetd.conf needs to exist as well. The wu-ftpd RPM sets this up. It should look something like:

ftp   stream  tcp   nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
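As an added example (not from the chapter or from the anonftp package), the following Python builds the tree described above in a temporary directory and audits it for the prescribed modes and for a sanitized etc/passwd; the SYSTEM_PASSWD sample is constructed, and because the code runs unprivileged it sets and checks modes only, not ownership.

```python
import os, shutil, stat, tempfile

BIN_PROGRAMS = ("compress", "cpio", "gzip", "ls", "sh", "tar", "zcat")
SYSTEM_PASSWD = (  # constructed stand-in for the system file; placeholder hash
    "root:$6$PLACEHOLDER_HASH:0:0:root:/root:/bin/bash\n"
    "ftp:*:14:50:FTP User:/home/ftp:\n")

def chroot_passwd(system_passwd):
    """Keep only name, UID and GID with '*' as the password field, so the copy
    inside the chroot carries no hashes, home directories or shells."""
    lines = []
    for line in system_passwd.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[0]:
            lines.append(f"{f[0]}:*:{f[2]}:{f[3]}:::")
    return "\n".join(lines) + "\n"

def build_tree(root):
    """Lay out bin, etc, lib and pub/incoming with the chapter's modes.
    Runs unprivileged, so ownership is neither set nor checked."""
    for sub in ("bin", "etc", "lib", "pub/incoming"):
        os.makedirs(os.path.join(root, sub))
    for prog in BIN_PROGRAMS:                    # empty stand-ins for binaries
        open(os.path.join(root, "bin", prog), "w").close()
        os.chmod(os.path.join(root, "bin", prog), 0o111)
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write(chroot_passwd(SYSTEM_PASSWD))
    for sub in ("bin", "etc"):                   # chmod last, after populating
        os.chmod(os.path.join(root, sub), 0o111)

def audit_tree(root):
    """Check the prescribed modes.  Entries under the 111 directories are
    reached by name, since exec-only directories cannot be listed."""
    findings = []
    for sub in ("bin", "etc"):
        if stat.S_IMODE(os.stat(os.path.join(root, sub)).st_mode) != 0o111:
            findings.append(f"{sub} is not mode 111")
    for prog in BIN_PROGRAMS:
        p = os.path.join(root, "bin", prog)
        if not os.path.exists(p) or stat.S_IMODE(os.stat(p).st_mode) != 0o111:
            findings.append(f"bin/{prog} missing or not mode 111")
    with open(os.path.join(root, "etc", "passwd")) as fh:
        for line in fh:
            if line.split(":")[1] != "*":          # a real hash leaked in
                findings.append(f"etc/passwd: {line.split(':')[0]} carries a hash")
    return findings

def demo():
    """Build a correct tree in a temp dir (not /home/ftp), audit it, then
    weaken it and audit again; returns (findings_before, findings_after)."""
    root = tempfile.mkdtemp()
    build_tree(root)
    before = audit_tree(root)
    os.chmod(os.path.join(root, "bin", "ls"), 0o755)   # ls is now readable
    after = audit_tree(root)
    for sub in ("bin", "etc"):                        # make removable again
        os.chmod(os.path.join(root, sub), 0o755)
    shutil.rmtree(root)
    return before, after
```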

ProFTPD

A relatively new FTP daemon is the Professional FTP daemon (ProFTPD). While wu-ftpd aims for performance, ProFTPD aims for security and configurability. ProFTPD's configuration file uses a syntax similar to Apache (which also aims to be highly configurable).

Some of the features it boasts are single-file configuration, per-directory configuration using .ftpaccess files, the ability to be run as a standalone program without the inetd meta-daemon, and anonymous FTP without the need for a private system directory tree. Some specific security features include running as a non-privileged user (in standalone mode) and no support for running external programs (like tar and gzip).

The source code for ProFTPD can be found at its home page, http://www.proftpd.org, and usually a recent binary RPM version can be found at an ftp://contrib.redhat.com mirror.

There are few differences between the source and binary distributions. If you install from source, the configuration file, proftpd.conf, is installed in /usr/local/etc and the server binary (proftpd) in /usr/local/sbin. The RPM installs proftpd.conf in /etc and the binary in /usr/sbin.

As mentioned above, ProFTPD aims to be highly configurable and uses configuration syntax similar to Apache. Below is a sample configuration file. It doesn't adequately cover all the various options, but it tries to give examples of the more useful ones. For a complete explanation of all the configuration directives, consult the ProFTPD home page.

#
# A sample proftpd.conf.
#
# A few basic directives:
#

ServerName                      "ProFTPD at ftp.ratatosk.org"
ServerType                      standalone
#
# Send connections which don't match any virtual hosts to the
# default server (instead of giving the 'no server available'
# message.)
#
DefaultServer                   on
#
# Port 21 is the standard FTP port.
#
Port                            21
#
# Set a ridiculously high idle timeout (the number of seconds without
# activity the server waits before closing the connection).
#
TimeoutIdle 1800
#
# Turn off reverse DNS lookups. This prevents stalls on DNS lookups
# and generally helps performance.
#
UseReverseDNS no
#
# Normally, ProFTPD binds to the specified port(s) on all addresses
# on a machine. This directive tells it only to bind to specific
# addresses, as specified in <VirtualHost> containers or with
# the 'Bind' directive.
#
SocketBindTight on
#
# Bind to an address
#
Bind 10.10.10.2
#
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
#
Umask                           022

#
# Set the maximum number of child instances, which is also
# the maximum number of simultaneous connections. Note that
# this option is ignored when running under inetd. If you want to
# limit the number of instances under inetd, you will have to
# run an inet daemon that supports this.
#
MaxInstances                    30
#
# The user and group that the server runs as.
#
User                            nobody
Group                           nobody
#
# The Directory container groups options for an entire directory
# tree.
#
<Directory /*>
  #
  # Default to files being overwritable, unless denied by Unix
  # permissions.
  #
  AllowOverwrite                on
</Directory>
#
# An anonymous configuration rooted at the home directory
# of the user 'ftp'
#
<Anonymous ~ftp>
  User                          ftp
  Group                         ftp
  #
  # Don't require the shell to be listed in /etc/shells before
  # allowing a connection.
  #
  RequireValidShell             off
  #
  # Make "anonymous" an alias for "ftp"
  #
  UserAlias                     anonymous ftp
  #
  # Limit the number of simultaneous anonymous logins
  #
  MaxClients                    10
  #
  # Set the file containing the welcome message and the file
  # containing the message to be displayed upon changing directories
  #
  DisplayLogin                  welcome.msg
  DisplayFirstChdir             .message
  #
  # You can nest Directory containers. Here we deny uploads
  # in general...
  #
  <Directory *>
    <Limit WRITE>
      DenyAll
    </Limit>
  </Directory>
  #
  # ...but allow them in incoming while denying directory listings
  #
  <Directory incoming>
    <Limit WRITE>
      AllowAll
    </Limit>
    <Limit READ>
      DenyAll
    </Limit>
  </Directory>
</Anonymous>
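The nested containers above decide, per directory, what an anonymous client may do. As an added example (not from the chapter or from ProFTPD), the following Python parses the Apache-style container syntax, rejects mismatched tags, and resolves whether a WRITE or READ on a given path inside the Anonymous root is allowed. The sample is constructed from the chapter's configuration, and the resolution rule (most specific matching Directory with a Limit wins; AllowAll/DenyAll only) is a simplification of ProFTPD's Order/Allow/Deny evaluation.

```python
from fnmatch import fnmatch

# Constructed sample: the access-control part of the chapter's proftpd.conf.
SAMPLE_CONF = """\
<Anonymous ~ftp>
  <Directory *>
    <Limit WRITE>
      DenyAll
    </Limit>
  </Directory>
  <Directory incoming>
    <Limit WRITE>
      AllowAll
    </Limit>
    <Limit READ>
      DenyAll
    </Limit>
  </Directory>
</Anonymous>
"""

def parse_conf(text):
    """Apache-style containers -> tree of {name, arg, directives, children}."""
    root = {"name": "", "arg": "", "directives": [], "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("</"):                # closing tag must match the open one
            if stack[-1]["name"] != line[2:-1].strip():
                raise ValueError(f"unexpected {line}")
            stack.pop()
        elif line.startswith("<"):               # opening tag: <Name arg>
            name, _, arg = line[1:-1].partition(" ")
            node = {"name": name, "arg": arg.strip(), "directives": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        else:                                    # plain "Directive value"
            key, _, val = line.partition(" ")
            stack[-1]["directives"].append((key, val.strip()))
    if len(stack) != 1:
        raise ValueError(f"unclosed <{stack[-1]['name']}>")
    return root

def may(anon, group, path):
    """Most specific matching <Directory> directly under anon that carries a
    <Limit group> decides (AllowAll/DenyAll only); no Limit means allowed."""
    dirs = [d for d in anon["children"] if d["name"] == "Directory"
            and (fnmatch(path, d["arg"]) or path.startswith(d["arg"] + "/"))]
    decision = None                              # least specific first, later ones override
    for d in sorted(dirs, key=lambda d: len(d["arg"].replace("*", ""))):
        for lim in d["children"]:
            if lim["name"] == "Limit" and group in lim["arg"].split():
                for key, _ in lim["directives"]:
                    if key in ("AllowAll", "DenyAll"):
                        decision = key == "AllowAll"
    return True if decision is None else decision
```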

BeroFTPD

BeroFTPD is another new FTP daemon. It is based on wu-ftpd and uses the same configuration files. The main enhancement made over wu-ftpd is more full-featured virtual server support. Additional enhancements include support for email notification, better on-the-fly compression, additional logging options, an include directive for use inside ftpaccess, a built-in ls command, and support for Kerberos5 for secure logins.

A recent version of BeroFTPD in binary RPM format can usually be found in the Red Hat contrib area. The source code is available from ftp://bero.x5.net/pub/. As of this writing, the current version is 1.3.4.

Virtual FTP Servers

As mentioned, BeroFTPD has enhanced support for virtual FTP servers, including support for IP-less virtual hosts. In addition to wu-ftpd virtual host support (private banners and messages), BeroFTPD supports individual configuration files, ftpusers, ftpgroups, ftphosts, and ftpconversions for each virtual FTP server.

To make full use of virtual host support under BeroFTPD, you need to add a couple of lines to the ftpaccess file and create an ftpservers file. Two directives must be added to ftpaccess:

root     /ftp
logfile  /var/log/xferlog

These specify the default root and logfile locations of the virtual hosts, as well as the root and logfile for connections to the "real" server.

The ftpservers file should contain a line for each virtual host that defines the directory where the configuration files for that host reside. These can also be defined on a per-domain basis.

cheese.ratatosk.org  /etc/ftpd/config/cheese.ratatosk.org
foobar.com           /etc/ftpd/config/foobar.com
10.10.10.76          /etc/ftpd/config/hey.you.com

Within these directories, you can create configuration files to customize the server just as you would a standalone server. Note that the virtual host's file completely overrides directives from the master ftpaccess file: nothing is inherited from the master configuration files except for the default root and logfile locations from ftpaccess.

Another useful feature is limiting throughput for particular files. The syntax of this directive is: throughput <root-dir> <subdir-glob> <file-glob-list> <bytes-per-second> <bytes-per-second-multiply> <remote-glob-list>. For example:

throughput /home/ftp * README,help.* oo - *
throughput /home/ftp/pub/dogs *cat* * 2000 0.8 *.nm.us

The first line tells the server not to restrict (the oo means no throughput restriction) the download throughput of files named README, or matching help.*, anywhere under the /home/ftp directory tree. The second entry restricts the throughput of any files in subdirectories with cat in their name under /home/ftp/pub/dogs to 2000 bytes/second for clients in *.nm.us. In addition, subsequent downloads by the same client will be at a throughput 20% less than the previous download. So, the second download will be at 1600 bytes/second, the third at 1280 bytes/second, and so on.

There are, of course, many other directives that are not covered here. You should consult the man pages for ftpaccess and other related files.

BeroFTPD has the benefit of being closely related to wu-ftpd: Users of wu-ftpd will find migrating to it fairly simple and its performance comparable. On the other hand, it is not as configurable as ProFTPD, which, while not having the best performance, has the added advantage of a single, centralized configuration file for everything.

TFTP

Trivial FTP (tftp) is a very simplistic FTP service. It has no user validation and no ability to change directories or to list the contents of directories. It can get or put files in binary or ASCII mode. That's it. The only restrictions on the reading or writing of files are that they must exist and be "publicly" readable or writable, respectively. "Publicly" in this case means read/write privileges for the user the server is running as. Therefore, it is a good idea to run the server as the lowest-privileged user necessary. The server takes one argument, which is a directory to set as the tftp root. If one isn't specified, the default of /tftpboot is used.

Some remote devices may require a tftp host for part of their booting process, but, in general, tftp is used fairly rarely. By default it runs as root, but is disabled in inetd.conf. If you need to offer this service, uncomment it and change the user it runs as.

FTP Clients

FTP clients range from the fairly limited stock ftp, to the full-screen, feature-rich NcFTP, to Web browsers with limited FTP support, to full-featured graphical clients such as gFTP and XFTP.

Today, probably the most common way to access anonymous FTP sites is with a Web browser. These are typically the only clients that support anonymous FTP well. It is possible to access sites with a username and password with URLs of the form ftp://username:password@host/. You should leave password empty, however, to avoid displaying it in clear text. Your browser should then provide a pop-up for you to enter it in.

There are also a number of other FTP clients, ranging from the simple command line like the ftp program to full-screen clients like NcFTP to graphical clients like XFTP.

ftp

The ftp program is a command-line-based program. It is not particularly friendly, but should always be available on any Linux (or UNIX system).

NcFTP

NcFTP is a full-screen (still ASCII) FTP client. It sports a number of features, including:

  • A list of shortcuts for FTP hosts, including storage for usernames and passwords (if so desired) for each host.

  • Automatic connection as anonymous (sends anonymous as the username and, as the password, a string you supply, which defaults to username@host; the anonymous FTP password is stored in the .ncftp/prefs file of your home directory).

  • The screen is split into a command typing area and an output area.

  • File and directory name completion using the TAB key.

  • Viewing of remote files with a pager like less or more.

  • Support for wildcard expressions when putting or getting files, without having to use separate mput or mget commands.

  • Support for ftp: URLs, for example, ftp://www.snerdwump.org/pub/wump-1.2.4.tgz.

  • Batch operation.

gFTP

If Gnome is installed, you can also use gFTP, which is a graphical FTP client that makes full use of the Gnome environment. It allows for drag-and-drop if you are running a window manager that is Gnome-compliant, such as WindowMaker or Enlightenment.

gFTP's features include multithreading for multiple simultaneous downloads, proxy support, passive and active transfer modes, immunity to buffer overflows from malicious FTP servers, directory listing caching, bookmarking, and editing of local and remote files.

XFTP

XFTP is an X/Motif-based FTP client. It supports things such as selecting groups of files for upload or download. It can also move files between other computers (i.e., neither of them needs to be running XFTP, though they both need to be running some form of ftpd).

Local and remote files can be viewed with a built-in pop-up viewer or with a user-specified viewer such as emacs, less, or more. Additionally, you can specify a program to use for various graphic formats.

Finally, the interface allows for a large amount of user configuration.

Summary

FTP is an incredibly useful service—one of the few that has not been eclipsed by the Web. (Things like Gopher, Archie, and WAIS are all but dead now, replaced by Web equivalents.)

Most of you will, at worst, have to set up an anonymous FTP server and possibly make sure your users can access their accounts via FTP. This can be trivial if your machine was set up to handle FTP initially, as most Linux boxes are. You may have to create a few files and directories, however.

The trickier things to set up are FTP-only accounts and virtual FTP servers. Hopefully, we've provided enough information to get you started.

  • By default, anonymous FTP is rooted at /home/ftp.

  • Not all FTP clients are created equal; a graphical interface isn't a guarantee of ease of use.
