github.com/minio/minio@v0.0.0-20240328213742-3f72439b8a27/docs/ftp/README.md

# MinIO FTP/SFTP Server

MinIO natively supports the FTP and SFTP protocols, which allows any ftp/sftp client to upload and download files.

Currently supported `FTP/SFTP` operations are as follows:

| ftp-client commands | supported |
|:-------------------:|:----------|
| get                 | yes       |
| put                 | yes       |
| ls                  | yes       |
| mkdir               | yes       |
| rmdir               | yes       |
| delete              | yes       |
| append              | no        |
| rename              | no        |

MinIO supports the following FTP/SFTP based protocols to access and manage data.

- Secure File Transfer Protocol (SFTP) – Defined by the Internet Engineering Task Force (IETF) as an
  extended version of SSH 2.0, allowing file transfer over SSH and for use with Transport Layer
  Security (TLS) and VPN applications.

- File Transfer Protocol over SSL/TLS (FTPS) – Encrypted FTP communication via TLS certificates.

- File Transfer Protocol (FTP) – Defined by RFC114 originally, and replaced by RFC765 and RFC959;
  unencrypted FTP communication (not recommended).

## Scope

- All IAM credentials are allowed access except rotating credentials. Rotating credentials
  are not allowed to log in via the FTP/SFTP ports; you must use the S3 API port if you are using
  rotating credentials.

- Access to bucket(s) and object(s) is governed via IAM policies associated with the incoming
  login credentials.

- Allows authentication and access for all
  - Built-in IDP users and their respective service accounts
  - LDAP/AD users and their respective service accounts
  - OpenID/OIDC service accounts

- On versioned buckets, FTP/SFTP only operates on the latest objects; if you need to retrieve
  an older version you must use an `S3 API client` such as [`mc`](https://github.com/minio/mc).

- All features currently used by your buckets will work as is without any changes
  - SSE (Server Side Encryption)
  - Replication (Server Side Replication)

## Prerequisites

- It is assumed you have users created and configured with relevant access policies. To start with,
  use the basic "readwrite" canned policy to test all the operations before you finalize what level
  of restrictions are needed for a user.

- No "admin:*" operations are needed for FTP/SFTP access to the bucket(s) and object(s), so you may
  skip them for restrictions.

## Usage

Start MinIO in a distributed setup, with 'ftp/sftp' enabled.

```
minio server http://server{1...4}/disk{1...4} \
   --ftp="address=:8021" --ftp="passive-port-range=30000-40000" \
   --sftp="address=:8022" --sftp="ssh-private-key=/home/miniouser/.ssh/id_rsa"
...
...
```

The following example shows connecting via an ftp client using `minioadmin` credentials and listing a bucket named `runner`:

```
ftp localhost -P 8021
Connected to localhost.
220 Welcome to MinIO FTP Server
Name (localhost:user): minioadmin
331 User name ok, password required
Password:
230 Password ok, continue
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls runner/
229 Entering Extended Passive Mode (|||39155|)
150 Opening ASCII mode data connection for file list
drwxrwxrwx 1 nobody nobody            0 Jan  1 00:00 chunkdocs/
drwxrwxrwx 1 nobody nobody            0 Jan  1 00:00 testdir/
...
```

The following example shows how to list an object and download it locally via the `ftp` client:

```
ftp> ls runner/chunkdocs/metadata
229 Entering Extended Passive Mode (|||44269|)
150 Opening ASCII mode data connection for file list
-rwxrwxrwx 1 nobody nobody           45 Apr  1 06:13 chunkdocs/metadata
226 Closing data connection, sent 75 bytes
ftp> get
(remote-file) runner/chunkdocs/metadata
(local-file) test
local: test remote: runner/chunkdocs/metadata
229 Entering Extended Passive Mode (|||37785|)
150 Data transfer starting 45 bytes
    45        3.58 KiB/s
226 Closing data connection, sent 45 bytes
45 bytes received in 00:00 (3.55 KiB/s)
...
```

The following example shows connecting via an sftp client using `minioadmin` credentials and listing a bucket named `runner`:

```
sftp -P 8022 minioadmin@localhost
minioadmin@localhost's password:
Connected to localhost.
sftp> ls runner/
chunkdocs  testdir
```

The following example shows how to download an object locally via the `sftp` client:

```
sftp> get runner/chunkdocs/metadata metadata
Fetching /runner/chunkdocs/metadata to metadata
metadata                                100%  226    16.6KB/s   00:00
sftp>
```

## Advanced options

### Change default FTP port

The default port '8021' can be changed via

```
--ftp="address=:3021"
```

### Change FTP passive port range

By default, FTP asks the OS to assign a free port automatically. However, you may want to restrict
this to specific ports in certain restricted environments via

```
--ftp="passive-port-range=30000-40000"
```

### Change default SFTP port

The default port '8022' can be changed via

```
--sftp="address=:3022"
```

### TLS (FTP)

Unlike the SFTP server, the FTP server is insecure by default.
To operate under TLS mode, you need to provide certificates via

```
--ftp="tls-private-key=path/to/private.key" --ftp="tls-public-cert=path/to/public.crt"
```

> NOTE: If the MinIO distributed setup is already configured to run under TLS, FTP will automatically use the relevant
> certs from the server certificate chain; this is mainly to simplify setup. However, if you wish to terminate
> TLS via a different domain for your FTP servers, you may choose the above command line options.
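
A check for the TLS section above, added here as an example and not part of the MinIO documentation or code base: it runs the plaintext half of explicit FTPS (RFC 4217) against the FTP control port, sending `AUTH TLS` after the greeting and reporting whether the listener answers `234`. It assumes the listener uses explicit FTPS and the `localhost:8021` address from the usage examples; `OffersAuthTLS` and `readReply` are names chosen for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"strconv"
	"strings"
	"time"
)

// readReply returns the code of one FTP reply, skipping "NNN-" continuation lines.
func readReply(r *bufio.Reader) (int, error) {
	for {
		line, err := r.ReadString('\n')
		if err != nil {
			return 0, err
		}
		head, _, _ := strings.Cut(strings.TrimRight(line, "\r\n"), " ")
		if code, err := strconv.Atoi(head); err == nil && len(head) == 3 && code >= 100 {
			return code, nil
		}
	}
}

// OffersAuthTLS expects the 220 greeting, sends AUTH TLS, and reports a 234 answer.
func OffersAuthTLS(conn io.ReadWriter) (bool, error) {
	r := bufio.NewReader(conn)
	if code, err := readReply(r); err != nil || code != 220 {
		return false, fmt.Errorf("no 220 greeting (code %d, err %v)", code, err)
	}
	if _, err := io.WriteString(conn, "AUTH TLS\r\n"); err != nil {
		return false, err
	}
	code, err := readReply(r)
	return code == 234, err
}

func main() {
	conn, err := net.DialTimeout("tcp", "localhost:8021", 5*time.Second) // assumed address
	if err != nil {
		panic(err)
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	ok, err := OffersAuthTLS(conn)
	fmt.Println("AUTH TLS offered:", ok, "error:", err)
}
```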