Other FTP Servers
One alternative server is NcFTPd, available from http://www.ncftp.com. This server operates independently of xinetd (typically used to enable and start the wu-ftp server) and provides its own optimized daemon. Additionally, NcFTPd has the capability to cache directory listings of the FTP server in memory, thereby increasing the speed at which users can obtain a list of available files and directories. Although NcFTPd has many advantages over wu-ftpd, NcFTPd is not GPL-licensed software, and its licensing fees vary according to the maximum number of simultaneous server connections ($199 for 51 or more concurrent users and $129 for up to 50 concurrent users, but free to educational institutions with a compliant domain name). Because of this licensing, NcFTPd is not packaged with Fedora, and you will not find it on this book's DVD.
Do not confuse the ncftp client with ncftpd. The ncftp-3.1.7-4 package included with Fedora is the client software, a replacement for ftp-0.17-22, and includes the ncftpget and ncftpput commands for transferring files via the command line or with a remote file uniform resource locator address. ncftpd is the FTP server, which can be downloaded from www.ncftpd.com.
Another FTP server package for Linux is ProFTPD, licensed under the GNU GPL. This server works well with most Linux distributions and has been used by a number of Linux sites, including ftp.kernel.org and ftp.sourceforge.net. ProFTPD is actively maintained and updated for bug fixes and security enhancements. Its developers recommend that you use the latest release (1.2.10 at the time of this writing) to avoid exposure to exploits and vulnerabilities. Browse to http://www.proftpd.org to download a copy.
Yet another FTP server package is Bsdftpd-ssl, which is based on the BSD ftpd (and distributed under the BSD license). Bsdftpd-ssl offers simultaneous standard and secure access through security extensions; secure access requires a special client. For more details, browse to http://bsdftpd-ssl.sc.ru/.
Finally, another alternative is to use Apache and the HTTP protocol for serving files. Using a web server to provide data downloads can reduce the need to monitor and maintain a separate software service (or directories) on your server. This approach to serving files also reduces system resource requirements and gives remote users a bit more flexibility when downloading (such as enabling them to download multiple files at once). See Chapter 17, "Apache Web Server Management," for more information about using Apache.
Installing FTP Software
As part of the Workstation installation, the client software for FTP is already installed. You can verify that FTP-related software is installed on your system by using the RPM (Red Hat Package Manager), grep, and sort commands in this query:
$ rpm -qa | grep ftp | sort
The sample results might differ, depending on what software packages are installed. In your Fedora file system, the /usr/bin/pftp file is a symbolic link to /usr/bin/ftp, and the vsftpd server is installed under the /usr/sbin directory. The base anonymous FTP directory structure is located under the /var/ftp directory. Other installed packages include additional text-based and graphical FTP clients.
If vsftpd is not installed, you can find it under FTP Server in the Add/Remove Applications dialog.
If you host an FTP server connected to the Internet, make it a habit to always check the Fedora site, http://fedora.redhat.com, for up-to-date system errata and security and bug fixes for your server software.
Because the anonftp and wu-ftpd RPM packages are not included with Fedora, you must download and install them if you want to use the wu-ftpd server. Retrieve the most recent packages for Linux from http://www.wu-ftpd.org/ to build from the latest source code or obtain RPM packages from a reputable mirror.
The FTP User
After Fedora is installed, an FTP user is created. This user is not a normal user per se, but a name for anonymous FTP users. The FTP user entry in /etc/passwd looks like this:
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
The FTP user, as discussed here, applies to anonymous FTP configurations and server setup.
Also, note that other Linux distributions might use a different default directory, such as /usr/local/ftp, for FTP files and anonymous users.
This entry follows the standard /etc/passwd entry format: username, password, user ID, group ID, comment field, home directory, and shell. To learn more about /etc/passwd, see the section "The Password File" in Chapter 10, "Managing Users."
Items in this entry are separated by colons. In the preceding example, you can see that the Fedora system hosting the server uses shadowed passwords because an x is present in the traditional password field. The shadow password system is important because it provides Fedora an additional level of security; the shadow password system is normally installed during the Fedora installation.
The FTP server software uses this user account to assign permissions to users connecting to the server. By using a default shell of /sbin/nologin (as opposed to /bin/bash or some other standard interactive shell) for anonymous FTP users, the software renders those users unable to log in as regular users. /sbin/nologin is not a shell, but a program usually assigned to an account that has been locked. As root inspection of the /etc/shadow file shows (see Listing 20.1), it is not possible to log in to this account, denoted by the use of * as the password.
Listing 20.1 ftp User Entry
# cat /etc/shadow
bin:*:11899:0:99999:7:::
daemon:*:11899:0:99999:7:::
adm:*:11899:0:99999:7:::
lp:*:11899:0:99999:7:::
...
ftp:*:12276:0:99999:7:::
...
The shadow file (only a portion of which is shown in Listing 20.1) contains additional information not found in the standard /etc/passwd file, such as account expiration, password expiration, whether the account is locked, and the encrypted password. The * in the password field indicates that the account is not a standard login account; thus, it does not have a password.
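The two checks described above (a non-interactive shell in /etc/passwd and an unusable password field in /etc/shadow) can be scripted. The following is an added example, not a listing from this book; the function name audit_ftp_account is hypothetical, and the sample files are constructed copies of the entries shown above so that the script runs without root access.

```shell
# Added example: audit the anonymous FTP account entries described above.
# Usage: audit_ftp_account PASSWD_FILE SHADOW_FILE [USER]
# Returns 0 if the account is locked down, 1 on a finding, 2 if the user is missing.
audit_ftp_account() {
    passwd_file=$1; shadow_file=$2; user=${3:-ftp}; findings=0

    # /etc/passwd fields: name:password:UID:GID:comment:home:shell
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd_file")
    if [ -z "$entry" ]; then
        echo "MISSING: no $user entry in $passwd_file"
        return 2
    fi
    pw_field=$(printf '%s\n' "$entry" | cut -d: -f2)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)

    # An x means the real password field lives in the shadow file.
    [ "$pw_field" = "x" ] || { echo "WARN: password field is not shadowed"; findings=1; }

    case $shell in
        /sbin/nologin|/usr/sbin/nologin|/bin/false)
            echo "OK: shell $shell is non-interactive" ;;
        *)  echo "WARN: shell '$shell' permits interactive login"; findings=1 ;;
    esac

    # /etc/shadow: field 2 holds the hash; * or a leading ! can never match a password.
    hash=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$shadow_file")
    case $hash in
        '*'|'!'*) echo "OK: shadow password field cannot match any password" ;;
        '')       echo "WARN: empty or missing shadow password field"; findings=1 ;;
        *)        echo "WARN: a password hash is set for $user"; findings=1 ;;
    esac
    return $findings
}

# Constructed sample data mirroring the entries shown above (not a live system).
tmp=$(mktemp -d)
printf '%s\n' 'ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin' > "$tmp/passwd"
printf '%s\n' 'bin:*:11899:0:99999:7:::' 'ftp:*:12276:0:99999:7:::' > "$tmp/shadow"
audit_ftp_account "$tmp/passwd" "$tmp/shadow"
```

On a real system, run the function as root against /etc/passwd and /etc/shadow; a nonzero return means the ftp account deviates from the locked-down defaults described here.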
Although shadow passwords are in use on the system, passwords are not transmitted in a secure manner when using FTP. Because FTP was written before the necessity of encryption and security, it does not provide the mechanics necessary to send encrypted passwords. Account information is sent in plain text on FTP servers; anyone with enough technical knowledge and a network sniffer can find the password for the account to which you connect on the server. Many sites use an anonymous-only FTP server specifically to prevent normal account passwords from being transmitted over the Internet.