FTP Support
10.4
The PL/B Web Server includes FTP Server support. The FTP Server implementation can be configured to expand the capabilities of the PL/B Web Server while providing secured FTP access. The FTP server is implemented as per the RFC 959 and 1123 FTP specifications and supports the full set of commands as identified by the specification.
Note:
1. Only 32 bit file size maximum is supported.
2. When configuring the PWS FTP Server, both the PLBFTP_ADDRESS and PLBFTP_ROOT keywords must be set in the 'plbwebsrv.ini' configuration file. Otherwise, the PWS FTP Server does not start when the PWS server is started.
3. To activate the FTP Server, there are PWS keywords that can be added to the 'plbwebsrv.ini' configuration file as follows:
|
Keyword |
Meaning |
|
PLBFTP_ADDRESS={ip | url[:portnum]} |
This keyword is required to start the FTP Server. This keyword creates a socket on a listening port that allows FTP clients to connect to the PWS FTP Server.
Example: PLBFTP_ADDRESS=www.sunbelt-plb.com:8087 |
|
PLBFTP_ROOT={OsPath} |
This keyword is required to start the FTP Server and it specifies the {OsPath} directory that is the default virtual root directory used for FTP operations. This default directory is used for FTP operations when a PLBFTP_USER_<user> does not specify a <path> parameter.
Example: PLBFTP_ROOT=c:\sunbelt\plbwebsrv.104\ftpout
Note: The {OsPath} must exist or FTP operations will encounter errors. |
|
PLBFTP_SESSION_MAX={threads} |
This keyword specifies the maximum number of FTP child threads. If this keyword is not used, the default maximum value of five (5) child threads are allowed. The maximum {threads} value is one hundred. |
|
PLBFTP_PASV_PORT={baseport} |
This keyword specifies the base socket port number to be used with the FTP passive mode. The {baseport} port number value must be greater than 1024. If this keyword is not specified or the {baseport} number value is less than 1024, the default port number value of 50000 is used as the base port number. If more than one passive FTP Server session exist, the port number for each subsequent session is an incremental number starting from the {baseport} value.
Note: The {baseport} port number must not be the same as main FTP Server port number. |
|
PLBFTP_LOG_FTP={mode} |
This keyword specifies the PWS FTP Server log mode where PWS FTP Server operations are output to the log file identified by the PLBWEB_LOGNAME/PLBWEB_LOGFILE. If this keyword is not specified or the {mode} value is zero, no FTP operations are logged. The values and their meanings are as follows:
0x0- There is no logging. 0x1 - Log all FTP operations 0x2 - Log FTP commands 0x4 - Log FTP responses 0x8 - Log FTP connections 0x10 - Log FTP closes 0x40 - Log FTP system errors |
|
PLBFTP_SRVRECVTIMEOUT={min} |
This keyword controls the data receive timeout specified in minutes. If this keyword is not used or it is used with a {min} value of zero, the default data receive timeout is set to twenty seconds. The {min} value can be from zero to sixty minutes. |
|
PLBFTP_IDLE_TIMEOUT={min} |
This keyword specifies an idle time out in minutes. If a FTP Session is idle for a period of time longer than the {min} value, the FTP session is closed. If the PLBFTP_IDLE_TIMEOUT is not used, the default idle timeout is fifteen minutes. When this keyword is used, the {min} value can be from two to sixty minutes. |
|
PLBFTP_LINGER={sec} |
This optional keyword specifies the number of seconds that an OS socket close operation lingers if unsent data is present for PWS FTP socket connection.
Note: If this keyword is not used, the default OS linger is used for the socket close operation. |
|
PLBFTP_SSL_ONLY={parameter} |
This optional keyword determines if an AUTH command is required for SSL. If this keyword is not used, the default is OFF. The parameter values are:
ON - The FTP client AUTH command is required when using SSL. OFF - The FTP client AUTH command is not required. |
|
PLBFTP_SSL_IMPLICIT={parameter} |
This optional keyword requires all PWS FTP Server socket connects must use SSL or not. The parameter can be specified a ON or OFF.
ON - The FTP socket connections must use SSL. OFF - The FTP socket connections do not require SSL. |
|
PLBFTP_ALLOW_ANON={parameter} |
This optional keyword allows any password on a user named anonymous this {parameter} is set to ON. This keyword is ignored if there is no configured user named anonymous. The parameter can be specified a ON or OFF.
ON - Allow any password for a user named anonymous. OFF - Require the configured password for the user named anonymous as specified by the 'PLBFTP_USER_ANONYMOUS' keyword. |
|
PLBFTP_USER_{username}={password},{permissions}[,{path}] |
This keyword defines a user name, password, permissions, and optional path for accessing the PWS FTP Server. The 'PLBFTP_USER_{name}' keywords can be added, modified, or removed real time without having to restart the PWS server. This gives a dynamic mode of usage when managing FTP users who can access the PWS FTP Server.
Where:
Note: 1. The {permission} control characters are defined as follows:
D - Allow Download of files to the FTP client. L - Allow a List of Files to be sent to the FTP client. R - Allow Rename/Remove of files at the PWS FTP Server. U- Allow Upload of files to the PWS FTP Server. P - Allow Change path at the PWS FTP Server. M - Allow Make/remove of directories at the PWS FTP Server.
2. The {password} is a SHA-1 hashed string of 20 bytes provided as 40 hexadecimal characters. See this link to get SHA-1 Hash encrypted string: https://md5decrypt.net/en/Sha1/
This is an example of PL/B code that creates the.40 character hexadecimal string for the {password}.
UserPW DIM 50 PassWord DIM 50 i INTEGER 1 i4Arr INTEGER 1(20 D8 DIM 8 D2 DIM 2 D20 DIM 20 HashHex DIM 50 xMode INTEGER 1,"4" //SHA1 with context initialization R RUNTIME . WINHIDE MOVE "Password", UserPW HASH UserPW, PassWord,MODE=xMode UNPACK PassWord, i4Arr . FOR i, 1, 20 . R.IntToString GIVING D20 USING i4Arr(i), 1 UNPACK D20, D8, D2 PACK HashHex, HashHex, D2 . REPEAT . ALERT NOTE,HashHex,i,"HashHex of 'Password'" . . HashHex=8BE3C943B1609FFFBFC51AAD666D0A04ADF83C9D .
3. This is an example for a user named 'Test' with a password of 'Password':
Example:
PLBFTP_USER_TEST=8BE3C943B1609FFFBFC51AAD666D0A04ADF83C9D,DL
In this case, the user named 'TEST' with a password of 'Password' has permissions to download files and list files when accessing a PWS FTP Server. |
|
PLBFTP_SSL_1_1_USED={ on | off } |
This keyword configures the PWS FTP Server to only load the OpenSSL 1.1.x SSL DLLs. When this keyword is set to 'ON', the 1.1.x SSL shared libraries must exist and be accessible before the PWS FTP Server can start.
Note: 1. When using a Windows OS PWS server, it is recommended that the 'libssl-1_1.dll' and 'libcrypto-1_1.dll' SSL DLLs be located in the same directory as the PWS server executable. This ensures that the correct version of the SSL libraries are being loaded. 2. When using a Linux/Linux PWS server, the appropriate OpenSSL shared 32-bit libraries must be installed. In this case, the web server must be able to load the SSL shared libraries named 'libssl.so.1.1' and 'libcrypto.so.1.1'. |
|
PLBFTP_SSL_CERTFILE={certfile} |
This keyword is optional and specifies the file name of a SSL certificate that qualifies the PWS FTP Server when using a SSL secured logon channel. If this keyword is not specified in the PL/B Web Server configuration file, the PWS FTP Server does not start the SSL support. When this keyword is specified, the {certfile} can be assigned as a file name only that must exist in the current working directory of the PWS. In addition, the {certfile} can be assigned as a file name with an OS full path or a partial OS path relative to the current working directory of the PWS. |
|
PLBFTP_SSL_KEYFILE={keyfile} |
This keyword is optional and specifies the file name of a SSL certificate key(s) that supports the SSL operations. If this keyword is not specified in the PL/B Web Server configuration file, the PWS FTP Server does not start the SSL support. When this keyword is defined, the {keyfile} can be assigned as a file name only that must exist in the current working directory of the PWS. In addition, the {keyfile} can be assigned as a file name with an OS full path or a partial OS path relative to the current working directory of the PWS. See the 'PLBWEB_SSL_KEYFILE' Notes for more details on using SSL DLLs. |
|
PLBFTP_SSL_SELFSIGNED=ON |
This keyword is optional and specifies that the default SSL support was implemented to require the TLSv1 interface method which gives the best security level when a FTP client is accessing the PWS FTP server. To use a self-signed certificate, the default SSL interface method must be set to a lower security level using the SSLv23 interface method. In this case, the 'PLBFTP_SSL_SELFSIGNED=ON' must be used to allow use of a self-signed certificate.
Note: The 'PLBFTP_SSL_SELFSIGNED=ON' should only be specified when a self-signed SSL certificate is being used. |
|
PLBFTP_SSL_PROTOCOL={ 0 | 1 | 2 | 3 } |
This keyword is optional and defines the SSL minimum protocol version used by the PWS FTP Server. The keyword values and allowed protocols are defined as follows:
0 - SSLv3, TLSv1.0, TLSv1.1, or TLSv1.2 1 - TLSv1.0, TLS1.1, or TLSv1.2 (default) 2 - TLSv1.1 or TLSv1.2 3 - TLSv1.2 10 - Only the TLSv1.0 protocol version is supported. A server only understands TLSv1.0 client hello messages. 11 - Only the TLSv1.1 protocol version is supported. A server only understands TLSv1.1 client hello messages. 12 - Only the TLSv1.2 protocol version is supported. A server only understands TLSv1.2 client hello messages.
Note: If the 'PLBFTP_SSL_SELFSIGNED=ON' is being used in the 'plbwebsrv.ini' file, the PLBFTP_SSL_PROTOCOL keyword is ignored and the minimum SSL protocol version SSLv3 is used. |
|
PLBFTP_SSL_SETCIPHER={cipher} |
This keyword specifies the SSL cipher(s) for the PWS FTP Server SSL connections. The syntax format and descriptions of the {cipher} settings can be found at this URL link: https://www.openssl.org/docs/manmaster/man1/ciphers.html
Where:
Note: It may become necessary to restrict or include specific server side SSL ciphers to be supported by the PWS FTP Server.
Examples of cipher lists:
PLBFTP_SSL_SETCIPHER=AES
Allows 128-bit and 256-bit block ciphers. |
|
PLBFTP_SSL_CHAINCERT={ ON | OFF } |
This keyword enables or disables SSL chained file certificates. By default, if this keyword is not used, the PWS FTP Server enables SSL chained certificates where the PWS server loads a certificate chain file. If the 'PLBFTP_SSL_CHAINCERT=OFF' keyword is specified in the 'plbwebsrv.ini' [Environment] section, the PWS FTP Server loads a SSL certificate file. |
|
PLBFTP_SSL_BLACKLIST_FILE=={ [path] + filename } |
This keyword file specifies the filename used to pre-load and\or output the SSL blacklist IP addresses used for IP filtering. If this keyword is not used, the PWS FTP Server defaults to use the file named 'plbwebsrv_ssl_blacklist.txt' when pre-loading or dumping IP filtering data. |
4. The PWS FTP Server supports the following FTP commands:
|
Command |
Action |
|
ABOR |
Aborts a file transfer currently in progress. |
|
ACCT account-info |
This command sends account information on systems that require it. |
|
ALLO size [R max-record-size] |
Allocates sufficient storage space to receive a file. |
|
APPE remote-filename |
Append data to the end of a file on the remote host. |
|
AUTH security |
Initialize a secure connection using TLS. |
|
CWD remote-directory |
Makes the given directory be the current directory on the remote host. |
|
DELE remote-filename |
Deletes the given file on the remote host. |
|
FEAT |
Returns the extended features. |
|
HELP [command] |
Returns general help for the FTP server. |
|
LIST [remote-filespec] |
If remote-filespec refers to a file, sends information about that file. If remote-filespec refers to a directory, sends information about each file in that directory. |
|
MDTM remote-filename |
Returns the last-modified time of the given file on the remote host in the format YYYYMMDDhhmmss. |
|
MKD remote-directory XMKD remote-directory |
Creates the named directory on the remote host. |
|
MODE mode-character |
Sets the transfer mode. Only [S]tream is supported. |
|
NLST [remote-directory] |
Returns a list of filenames in the given directory. |
|
NOOP |
Does nothing except return a response. |
|
PASS password |
Send a password. |
|
PASV |
Tells the server to enter passive mode. |
|
PBSZ size |
Sets the maximum size, in bytes, of the encoded data blocks to be sent or received during a file transfer. |
|
PORT a1,a2,a3,a4,p1,p2 |
Specifies the host and port to which the server should connect for the next file transfer. |
|
PROT protection-level |
Sets the level of protection used on the data channel. |
|
PWD XPWD |
Returns the name of the current directory on the remote host. |
|
QUIT |
Terminates the command connection. |
|
REST position |
Sets the point at which a file transfer should start. |
|
RETR remote-filename |
Begins transmission of a file from the remote host. |
|
RMD remote-directory XRMD remote-directory |
Deletes the named directory on the remote host. |
|
RNFR from-filename |
Use this command to specify the file to be renamed before a RNTO command. |
|
RNTO to-filename |
After a RNFR command send this command to specify the new name for the file. |
|
SITE site-specific-command |
Executes a site-specific command.
TIME is a supported command. CHMOD is a supported command. |
|
SIZE remote-filename |
Returns the size of the remote file as a decimal number. |
|
STAT [remote-filespec] |
If invoked without parameters, returns general status information about the FTP server process. |
|
STOR remote-filename |
Begins transmission of a file to the remote site. |
|
STOU |
Begins transmission of a file to the remote site; the remote filename will be unique in the current directory. |
|
STRU structure-character |
Sets the file structure for transfer. Only [F]ile is supported by the PWS FTP Server. |
|
SYST |
Returns a word identifying the system. The PWS FTP Server always returns: Linux Type: L8 |
|
TYPE type-character [second-type-character] |
Sets the type of file to be transferred. |
|
USER username |
Send this command to begin the login process. |
|
|