PWGdata server Transition from FTP to FTPS

As part of a general Federal policy that requires all network communications to be encrypted, the PWGdata server will be phasing out access to unencrypted FTP services in the next few months. We expect to disable unencrypted FTP access as of July 31, 2019. On June 27th, 2019, the IP address of pwgdata.gsfc.nasa.gov changed to gs672-pwgdata.sci.gsfc.nasa.gov, but the old address pwgdata.gsfc.nasa.gov still works. This may require adding the new address to your firewall rules and software.

After the phaseout, the PWGdata server will still support TLS-encrypted FTP, also known as FTPS. Note that FTPS should not be confused with SFTP, which, despite its similar name, is not related to traditional FTP. Specifically, the PWGdata server will support explicit, passive-mode FTPS connections. Implicit FTPS is not supported, nor is active-mode FTP. Some FTP software handles this just fine, but the traditional command line FTP program does not work at all, so this may break the process you use to connect to PWGdata.

Implications of This Transition for the User:

Browsers: Most web browsers (Chrome, Firefox, etc.) do not support FTPS, so you will have to use another FTP client.

Scripts:

Existing scripts are likely to require some modification to handle FTPS. Many tools, e.g., recent versions of WGET (V1.17 November 2015) and CURL support FTPS, but generally these require that the user specify specific arguments to initiate an SSL-based session. Scripts using WGET or CURL with FTP URLs will likely need to be modified to specify that an SSL session is to be used. Note that the URL that is used with CURL will usually still be specified as ftp://pwgdata.gsfc.nasa.gov even after the transition to FTPS, but WGET seems to use ftps://.

What You Can Do:

We strongly urge users to check for any FTP dependencies in their scripts and processes that access the PWGdata server. If you have questions or encounter problems, email Robert Candey.
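One way to run that check, as an added example that is not part of the original notice: a small scanner that flags script lines using the clients this page lists as lacking TLS support, wget with ftp:// URLs, curl with ftp:// URLs but no SSL option, and Python's plain ftplib.FTP. The function names, finding messages and sample script (including its file paths) are constructed for illustration.

```python
import re

# Clients the page lists as lacking TLS support, matched in command position.
PLAIN_CLIENT = re.compile(r'(?:^|[;|&`(])\s*(?:/\S*/)?(ftp|ncftp|tnftp)(?=\s+[^=\s]|\s*$)')
PLAIN_URL = re.compile(r'(?<!\w)ftp://')   # ftp:// but not ftps:// or sftp://
PY_PLAIN = re.compile(r'\bFTP\(')          # ftplib.FTP(...), not FTP_TLS(...)
CURL_TLS = {'--ssl', '--ssl-reqd', '--ftp-ssl', '--ftp-ssl-reqd'}

def audit_line(line):
    """Return findings for one script line; an empty list means nothing flagged."""
    code = line.strip()
    if not code or code.startswith('#'):
        return []
    tokens = code.split()
    findings = []
    m = PLAIN_CLIENT.search(code)
    if m:
        findings.append(f'{m.group(1)} has no TLS support; use lftp or another FTPS client')
    if PLAIN_URL.search(code):
        if 'wget' in tokens:
            findings.append('wget: use an ftps:// URL')
        if 'curl' in tokens and not CURL_TLS & set(tokens):
            findings.append('curl: keep ftp:// but add --ssl-reqd')
    if PY_PLAIN.search(code):
        findings.append('ftplib.FTP is plaintext; use FTP_TLS and call prot_p()')
    return findings

def audit_script(text):
    """Return (line_number, finding) pairs for a whole script."""
    return [(n, f) for n, line in enumerate(text.splitlines(), 1)
            for f in audit_line(line)]

# Constructed sample script; the file paths are made up for the example.
SAMPLE = """\
#!/bin/sh
wget -q ftp://pwgdata.gsfc.nasa.gov/pub/a.cdf
wget -q ftps://pwgdata.gsfc.nasa.gov/pub/a.cdf
curl -O ftp://pwgdata.gsfc.nasa.gov/pub/b.cdf
curl --ssl-reqd -O ftp://pwgdata.gsfc.nasa.gov/pub/b.cdf
echo done; ftp -n pwgdata.gsfc.nasa.gov < cmds.txt
lftp -u anonymous,lftp@ pwgdata.gsfc.nasa.gov
python3 -c "from ftplib import FTP; FTP('pwgdata.gsfc.nasa.gov')"
"""

if __name__ == '__main__':
    for lineno, finding in audit_script(SAMPLE):
        print(f'line {lineno}: {finding}')
```

The scanner is line-based, so a command whose URL or SSL option sits on a continuation line still needs a manual look.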

Command line tools:

Besides browsers, the biggest problem with moving to FTPS is that the standard old ftp client (inetutils) does not support FTPS. The following tools appear to work with FTPS. Perhaps the simplest replacement for command line FTP is LFTP below.

LFTP (“yum install lftp” or similar on Linux)

Perhaps linking lftp to ftp in /usr/bin will be sufficient, especially for old scripts.

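    lftp -u anonymous,lftp@ FTPSERVER/PATH

Can add to ~/.lftprc:

    # uncomment the next line to refuse to log in without TLS
    # set ftp:ssl-force yes
    set ftp:ssl-allow true
    # the next line turns off server certificate verification
    set ssl:verify-certificate no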

CURL needs to be a recent version, >= 7.11, preferably > 7.54

Use ftp:// and not ftps:// URLs

    curl --ssl --ftp-ssl-ccc --ftp-ssl-ccc-mode active ftp://pwgdata.gsfc.nasa.gov/
    # or ftp://spdf.gsfc.nasa.gov/
    # add -kvvv to print debug output (-k also skips certificate verification)

WGET (V1.17 November 2015)

Use ftps:// and not ftp:// URLs. The -S option prints the server response.

    wget -S "ftps://FTPSERVER/PATH"

User-friendly programs with FTPS support:

GFTP (Unix/Linux)

Be sure to change settings on installation: select Advanced and turn off browser changes and skip other installs. Select FTP for Protocol and select either ‘Use explicit FTP over TLS if available’ or ‘Required explicit FTP over TLS’

Cyberduck (select FTP-SSL (Explicit AUTH TLS) or use ftps:// URL)

CoreFTP (Windows)

WinSCP

WS_FTP

Other Software:

Wikipedia FTP Software

FTPS-compatibility table

Scripting:

Existing scripts are likely to require some modification to handle FTPS. In some cases, the change to HTTPS URLs noted above might be all that is needed, just switch to the secure HTTP protocol. If that is not feasible or desirable, many tools (e.g., recent versions of WGET and CURL) support FTPS, but generally these will need to be modified to specify that an SSL session is to be used. Note that the URL that is used with CURL will usually still be specified as ftp:// even after the transition to FTPS, but WGET seems to use ftps://.

Additional notes:

PYTHON FTP_TLS library for Python 3

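    from ftplib import FTP_TLS

    # FTPSERVER, PATH and FILENAME are placeholders
    ftp = FTP_TLS('FTPSERVER')  # explicit FTPS; ftplib uses passive mode by default
    ftp.login()                 # anonymous login; sends AUTH TLS before logging in
    ftp.prot_p()                # encrypt the data connection as well
    ftp.dir()
    ftp.cwd('PATH')
    with open('FILENAME', 'wb') as f:
        ftp.retrbinary('RETR FILENAME', f.write)
    ftp.quit()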

C-KERMIT

    kermit FTPSERVER
    set auth tls debug on
    set auth tls verbose on
    set ftp authtype tls
    set ftp debug on
    set auth tls verify no

VMS notes

Multinet FTP

http://www.process.com/docs/multinet5_5/users_guide/appendix_b.html

    $ ftp /AUTHENTICATE=TLS /verbose/u=ftp/pass=guest FTPSERVER

This automatically sends CCC. Commands can be added to SYS$LOGIN:FTP.INIT.

TCPware:

    $ ftp /verb/tls/u=ftp/pass=guest FTPSERVER

    $ curl "--ssl-reqd  -k -vvv" "ftp://FTPSERVER"

Kermit might also work.

**************** Programs that do NOT support TLS encryption *********************

old ftp client (inetutils), ncftp, tnftp (BSD ftp)

**************** FTP-SSL upload *********************

For the few groups that need to upload files to a FTP server, some possibilities are below.

CURL:

    curl --ssl-reqd --ftp-ssl-ccc -T "FILE.TXT" -k -u "MYUSER:MYPASSWORD" ftp://FTPSERVER/PATH

Other options:

    -n                                  read the .netrc file for username and password
    -w "%{size_upload}"                 will return bytes uploaded
    -w "%{ssl_verify_result}"           will return the certificate verification result
    -T "{file1,file2}"                  upload multiple files
    -Q "RNFR source" -Q "RNTO target"   move (rename) files

WPUT:

    wput --force-tls

Python FTP_TLS library upload

    with open('myfile.txt', 'rb') as f:
        ftp.storbinary('STOR myfile.txt', f)  # storbinary takes the open file object