Anonymous FTP Server

OpenBSD ftpd is a lightweight and secure FTP (File Transfer Protocol) server included in the OpenBSD base installation. It’s installed but disabled by default.

For a temporary FTP server, start the daemon with the -f flag, which forces it to start even though the service is not enabled.

doas rcctl -f start ftpd

For a permanent FTP server, first enable the service so that it will be started automatically after a reboot.

doas rcctl enable ftpd

Then start the daemon.

doas rcctl start ftpd

Add a user with username ‘ftp’ with home directory ‘/var/ftp’ and without shell access.

doas useradd -k '' -c "FTP User" -d /var/ftp -s /sbin/nologin -m ftp

Create a test file.

doas -u ftp touch /var/ftp/test123

Log in as an anonymous user and list the directory.

ftp -a localhost

ftp -a localhost
Trying 127.0.0.1...
Connected to localhost..
220 OpenBSD.my.domain FTP server ready.
331 Guest login ok, send your email address as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.

ls

ftp> ls
150 Opening ASCII mode data connection for '.'.
total 0
-rw-r--r--  1 1001  1001  0 Jun  6 15:17 test123
226 Transfer complete.

Public Anonymous FTP Server

Before making the server publicly available, it’s recommended to make the following changes to the directories.

~ftp (/var/ftp)

Make the home directory owned by “root” and unwritable by anyone (mode 555).

doas chown root /var/ftp

doas chmod 555 /var/ftp

~ftp/pub (/var/ftp/pub)

Make this directory mode 555 and owned by “root”. This is traditionally where publicly accessible files are stored for download.

doas mkdir /var/ftp/pub

doas chown root /var/ftp/pub

doas chmod 555 /var/ftp/pub

(Optional) ~ftp/etc (/var/ftp/etc)

Make this directory owned by “root” and unwritable by anyone (mode 511). The files pwd.db (see pwd_mkdb(8)) and group(5) must be present for the ls(1) command to be able to produce owner names rather than numbers. The password field in pwd.db is not used, and should not contain real passwords. The file motd, if present, will be printed after a successful login. These files should be mode 444.

doas mkdir /var/ftp/etc

doas chown root /var/ftp/etc

doas chmod 511 /var/ftp/etc
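
To confirm the tree still matches these recommendations after later changes, the following script audits the owner and mode of each directory described above. It is an added example, not part of the original page or of OpenBSD; check_entry and audit_ftp_tree are hypothetical helper names, and the script assumes the standard `ls -ld` long-listing layout.

```sh
#!/bin/sh
# Added example, not from the original page. check_entry and audit_ftp_tree
# are hypothetical helper names.

# check_entry PATH LS_MODE OWNER
# Compares the mode string and owner reported by "ls -ld" with the expected
# values. OWNER "-" skips the owner check. Returns 1 on any deviation.
check_entry() {
    path=$1 want_mode=$2 want_owner=$3
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 1
    fi
    # Field 1 is the mode string (trimmed to 10 chars to drop ACL markers),
    # field 3 is the owner.
    got=$(ls -ld "$path" | awk '{ print substr($1, 1, 10) " " $3 }')
    got_mode=${got% *}
    got_owner=${got#* }
    [ "$want_owner" = "-" ] && want_owner=$got_owner
    if [ "$got_mode" != "$want_mode" ] || [ "$got_owner" != "$want_owner" ]; then
        echo "FAIL $path: is $got_mode $got_owner, want $want_mode $want_owner"
        return 1
    fi
}

# audit_ftp_tree ROOT [OWNER]
# ROOT is the ftp user's home directory; OWNER defaults to root.
audit_ftp_tree() {
    root=$1 owner=${2:-root} rc=0
    check_entry "$root" dr-xr-xr-x "$owner" || rc=1        # ~ftp: mode 555
    check_entry "$root/pub" dr-xr-xr-x "$owner" || rc=1    # ~ftp/pub: mode 555
    # ~ftp/etc is optional: mode 511 when present, files inside mode 444.
    if [ -e "$root/etc" ]; then
        check_entry "$root/etc" dr-x--x--x "$owner" || rc=1
        for f in pwd.db group motd; do
            [ -e "$root/etc/$f" ] || continue
            check_entry "$root/etc/$f" -r--r--r-- - || rc=1
        done
    fi
    return $rc
}

# Run the audit when a directory is given, e.g.: sh audit.sh /var/ftp
if [ $# -gt 0 ]; then
    audit_ftp_tree "$@"
fi
```

A symbolic link standing in for any of these directories is reported as a failure, because `ls -ld` shows the link itself rather than its target.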