.Xr login.conf 5 ) .
An authentication style
may be specified by appending it to the login name, separated by a colon
.Pq Sq :\& ,
i.e.\&
.Dq joe:skey .
The allowed authentication styles for
.Nm
may be explicitly specified by the
.Dq auth-ftp
entry in
.Pa /etc/login.conf .
.Pp
.Nm
authenticates users according to five rules.
.Bl -enum -offset indent
.It
The login name must be in the password database and not have a null password.
In this case a password must be provided by the client before any
file operations may be performed.
.It
The login name must not appear in the file
.Pa /etc/ftpusers .
.It
The user must have a standard shell as described by
.Xr shells 5 .
.It
If the user name appears in the file
.Pa /etc/ftpchroot ,
the session's root will be changed to the user's login directory by
.Xr chroot 2
as for an
.Dq anonymous
or
.Dq ftp
account (see next item).
However, the user must still supply a password.
This feature is intended as a compromise between a fully anonymous account
and a fully privileged account.
The account should also be set up as for an anonymous account.
.It
If the user name is
.Dq anonymous
or
.Dq ftp ,
an
anonymous FTP account must be present in the password
file (user
.Dq ftp ) .
In this case the user is allowed
to log in by specifying any password (by convention an email address for
the user should be used as the password).
.El
.Pp
Once a user is authenticated the user must be approved by any approval
script defined (see
.Xr login.conf 5 ) .
If a valid approval script (by either :approve=...: or :approve-ftp=...:
for the user's class) is defined then it is run and must exit with a 0
(success) status.
When
.Nm
is running under the
.Fl D
flag (and debugging is not turned on) then the approval script will be
called with at least the following variables specified via the
.Fl v
option (see
.Xr login.conf 5 )
to the approve script:
.Bl -column "Variable" -offset indent
.It Sy Variable Ta Sy Description
.It FTPD_HOST Ta "The server's (virtual) hostname"
.El
.Pp
For example (the line is broken to fit the page):
.Bd -literal -offset indent
/usr/libexec/auth/approve_ftpd -v FTPD_HOST=ftp.mycompany.com \e
	username class service
.Ed
.Pp
When the user logs in to the anonymous FTP account,
.Nm
takes special measures to restrict the client's access privileges.
The server performs a
.Xr chroot 2
to the home directory of the
.Dq ftp
user.
In order that system security is not breached, it is recommended
that the
.Dq ftp
subtree be constructed with care, following these rules:
.Bl -tag -width "~ftp/pub" -offset indent
.It Pa ~ftp
Make the home directory owned by
.Dq root
and unwritable by anyone (mode 555).
.It Pa ~ftp/bin
Make this directory owned by
.Dq root
and unwritable by anyone (mode 511).
This directory is optional unless you have commands you wish
the anonymous FTP user to be able to run (the
.Xr ls 1
command exists as a built-in).
Any programs in this directory should be mode 111 (executable only).
.It Pa ~ftp/etc
Make this directory owned by
.Dq root
and unwritable by anyone (mode 511).
The files pwd.db (see
.Xr pwd_mkdb 8 )
and
.Xr group 5
must be present for the
.Xr ls 1
command to be able to produce owner names rather than numbers.
The password field in
.Pa pwd.db
is not used, and should not contain real passwords.
The file
.Pa motd ,
if present, will be printed after a successful login.
These files should be mode 444.
.It Pa ~ftp/pub
Make this directory mode 555 and owned by
.Dq root .
This is traditionally where publicly accessible files are
stored for download.
.El
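.Pp
The script below is an added example, not part of the original manual or of the ftpd source: it audits an anonymous FTP tree against the modes and ownership listed above. The function names are hypothetical, and requiring the files under etc and bin to have the same owner as the directories is an assumption, since the text states ownership only for the directories.

```shell
#!/bin/sh
# Audit an anonymous FTP tree against the layout rules in this manual.
# Usage: sh audit_ftp.sh <ftp-home> [owner-uid]   (owner-uid defaults to 0, root)
# Assumption: files in etc and bin are expected to have the same owner as
# the directories; the manual states ownership for the directories only.

# check_entry PATH WANT_PERMS WANT_UID
# Compare the ls(1) mode string and numeric owner of PATH with the expected
# values. Prints one finding per mismatch and returns 1 if any was found.
check_entry() {
    info=$(ls -ldn -- "$1" 2>/dev/null | awk '{ print substr($1, 1, 10), $3 }')
    if [ -z "$info" ]; then
        echo "MISSING $1"; return 1
    fi
    perms=${info% *}; uid=${info#* }
    rc=0
    [ "$perms" = "$2" ] || { echo "MODE $1: $perms, expected $2"; rc=1; }
    [ "$uid" = "$3" ] || { echo "OWNER $1: uid $uid, expected $3"; rc=1; }
    return $rc
}

# audit_ftp_tree FTP_HOME [OWNER_UID]: returns 0 only if every check passes.
audit_ftp_tree() {
    root=$1; want_uid=${2:-0}; bad=0
    check_entry "$root"     dr-xr-xr-x "$want_uid" || bad=1   # ~ftp, mode 555
    check_entry "$root/etc" dr-x--x--x "$want_uid" || bad=1   # ~ftp/etc, mode 511
    check_entry "$root/pub" dr-xr-xr-x "$want_uid" || bad=1   # ~ftp/pub, mode 555
    # ~ftp/bin is optional; if present it is mode 511 and its programs mode 111.
    if [ -e "$root/bin" ]; then
        check_entry "$root/bin" dr-x--x--x "$want_uid" || bad=1
        for f in "$root"/bin/*; do
            [ -e "$f" ] || continue
            check_entry "$f" ---x--x--x "$want_uid" || bad=1
        done
    fi
    # pwd.db and group must be present; motd is optional. All are mode 444.
    for f in pwd.db group; do
        check_entry "$root/etc/$f" -r--r--r-- "$want_uid" || bad=1
    done
    [ ! -e "$root/etc/motd" ] || check_entry "$root/etc/motd" -r--r--r-- "$want_uid" || bad=1
    return $bad
}

# Run the audit only when a path is given on the command line.
[ $# -eq 0 ] || audit_ftp_tree "$@"
```

Run it as root so that the mode 511 directories can be listed; a symbolic link in place of any entry is reported as a mode mismatch.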
.Pp
If logging to the
.Pa /var/log/ftpd
file is enabled, information will be written in the following format:
.Pp
.Bl -tag -width XXXXXXXXXXXXXX -offset indent -compact
.It time
The time and date of the download, in
.Xr ctime 3
format.
.It elapsed time
The elapsed time, in seconds.
.It remote host
The remote host (or IP number).
.It bytes
The number of bytes transferred.
.It path
The full path (relative to the FTP chroot space) of the file transferred.
.It type
The type of transfer; either
.Sq a
for ASCII or
.Sq b
for binary.
.It unused
Unused field containing a
.Sq * ,
for compatibility.
.It unused
Unused field containing an
.Sq o ,
for compatibility.
.It user type
The type of user; either
.Sq a
for anonymous or
.Sq r
for a real user (should always be anonymous).
.It name
Either a system login name or the value given for
.Dq email address
if an anonymous user.
.It unused
Unused field containing a
.Sq 0 ,
for compatibility.
.It real name
The system login name if the connection is not anonymous, or a
.Sq *
if it is.
.\" .It virtual host
.\" The virtual host that the connection was made to.
.El
.Pp
Although fields exist for logging information on real users, this file is
only used for anonymous downloads.
Unused fields exist only for compatibility with other
.Nm
implementations.
.Sh LOGIN.CONF VARIABLES
The
.Nm
daemon uses the following FTP-specific parameters:
.Bl -tag -width ftp-chroot
.It Pa auth-ftp
The list of authentication types available to this class.
See
.Xr login.conf 5 .
.It Pa ftp-chroot
A boolean value.
If set, users in this class will be automatically chrooted to
the user's login directory.
.It Pa ftp-dir
A path to a directory.
This value overrides the login directory for users in this class.
A leading tilde
.Pq Ql ~
in
.Pa ftp-dir
will be expanded to the user's home directory based on the
contents of the password database.
.It Pa welcome
The path of the file containing the welcome message.
If this variable is not set,
.Pa /etc/motd
is used.
.El
.Sh PORT ALLOCATION
For passive mode data connections,
.Nm
will listen on a random high TCP port.
The range of ports used is configurable using
.Xr sysctl 8
variables
.Va net.inet.ip.porthifirst
and
.Va net.inet.ip.porthilast .
.Sh FILES
.Bl -tag -width /var/run/ftpd.pid -compact
.It Pa /etc/ftpchroot
list of normal users who should be chrooted
.It Pa /etc/ftpusers
list of unwelcome/restricted users
.It Pa /etc/ftpwelcome
welcome notice
.It Pa /etc/login.conf
authentication styles
.It Pa /etc/motd
printed after a successful login
.It Pa /etc/nologin
displayed and access refused
.It Pa /var/log/ftpd
log file for anonymous downloads
.It Pa /var/run/ftpd.pid
process ID if running in daemon mode
.It Pa /var/run/utmp
list of users on the system
.El
.Sh SEE ALSO
.Xr ftp 1 ,
.Xr login 1 ,
.Xr skey 1 ,
.Xr who 1 ,
.Xr chroot 2 ,
.Xr ctime 3 ,
.Xr group 5 ,
.Xr login.conf 5 ,
.Xr motd 5 ,
.Xr services 5 ,
.Xr shells 5 ,
.Xr ftp-proxy 8 ,
.Xr inetd 8 ,
.Xr pwd_mkdb 8 ,
.Xr sysctl 8 ,
.Xr syslogd 8
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.2 .
