FTP: Support active mode #1971

Closed
sinnerliu opened this issue Jan 12, 2018 · 16 comments · Fixed by #5663

@sinnerliu

sinnerliu commented Jan 12, 2018

What is your rclone version (eg output from rclone -V)

1.3.9

Which OS you are using and how many bits (eg Windows 7, 64 bit)

centos7.4

Which cloud storage system are you using? (eg Google Drive)

ftp

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone mount remote_ftp: /tmp/ftppath

A log from the command with the -vv flag (eg output from rclone -vv copy /tmp remote:tmp)

I hope PASV and PORT can be added to rclone config for ftp, because the ftp server only accepts PASV.
Thanks!

@ncw
Member

ncw commented Jan 18, 2018

Rclone FTP uses EPSV mode by default. Which ftp server are you using and what errors did you get - can you post logs?

@sinnerliu
Author

sinnerliu commented Jan 19, 2018

[root@localhost rclone-v1.39-linux-amd64]$ ./rclone -vv ls ftp125:
2018/01/19 10:04:43 DEBUG : Using config file from "/home/root/.config/rclone/rclone.conf"
2018/01/19 10:04:43 DEBUG : rclone: Version "v1.39" starting with parameters ["./rclone" "-vv" "ls" "ftp125:"]
2018/01/19 10:04:43 DEBUG : ftp://11.51.11.125:21: Connecting to FTP server
2018/01/19 10:04:45 INFO : ftp://11.51.11.125:21: Modify window not supported
2018/01/19 10:05:46 ERROR : : error listing: dial tcp 11.51.11.125:50276: i/o timeout
2018/01/19 10:05:46 Failed to ls: dial tcp 11.51.11.125:50276: i/o timeout

But using the ftp command is OK:

[root@localhost ~]# ftp -i -n
ftp> open 11.51.11.125
Connected to 10.5.11.125 (11.51.11.125).
220 Xlight FTP 3.7 ...
Remote system type is UNIX:.
ftp> user 123 123
331 123
230
ftp> ls
227 Entering Passive Mode (11,51,11,125,197,163)
^C
receive aborted
waiting for remote to finish abort
ftp> passive
Passive mode off.
ftp> ls
200 PORTִ150 ģʽΪ /bin/ls (165 ).
drw-rw-rw- 1 ftp ftp 0 Sep 27 2017 .
drw-rw-rw- 1 ftp ftp 0 Sep 27 2017 ..
drw-rw-rw- 1 ftp ftp 0 Sep 27 2017 i2p
226 (1.031 KB/s).
ftp>

@ncw
Member

ncw commented Jan 19, 2018

Passive mode off.

Ah, you are using active mode...

Unfortunately the ftp library I'm using doesn't support active mode: jlaffaye/ftp#29

@ncw changed the title from "Add PASV and PORT when rclone config ftp" to "FTP: Support active mode" on Jan 19, 2018
@sinnerliu
Author

Thanks, I will wait for rclone to support active mode

@ncw ncw added this to the Help Wanted milestone Aug 30, 2018
@rvalitov

This issue is not fixed yet?

@ncw
Member

ncw commented Mar 16, 2020

This issue is not fixed yet?

It needs a volunteer to add it to jlaffaye/ftp#29

@rajeshgoyalg

This issue is not yet fixed. And I am getting error "Failed to copy: Put mkParentDir failed: EOF" while rclone copy.
https://forum.rclone.org/t/rclone-copy-to-ftp-error-with-put-mkparentdir-failed/21674

@BraINstinct0

Since Improve FTP is planned, it might be worth putting this on the list, @ivandeex?

@ivandeex
Member

ivandeex commented Aug 26, 2021

All improvements are planned for passive mode only and include:

  • reliable transfer of large files
  • TLS compatibility improvements
  • TLS session resumption
  • 1sec modtime resolution
  • path encoding for proftp/pureftp/vsftp
  • mitigations for missing about
  • mitigations for missing hashsum

Active mode means "rclone requests a transfer, opens incoming port, then ftp server connects back and performs the transfer".
I will not work on this.

This mode is insecure. Actually I think we don't need it at all. I'd rather close out this feature request if @ncw agrees.
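
An added example, not part of the original thread and not rclone or jlaffaye/ftp code: a Go decoder for the PASV reply seen in the session above, an EPSV reply and a PORT command, reporting which side has to accept the inbound data connection. The 229 and PORT sample lines and the names `DataConn` and `ParseDataConn` are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// DataConn records which side must accept the inbound data connection.
type DataConn struct{ Mode, Listener, Addr string }

var tuple = regexp.MustCompile(`(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})`)
var epsv = regexp.MustCompile(`\(\|\|\|(\d{1,5})\|\)`)

// ParseDataConn decodes a 227 (PASV) or 229 (EPSV) reply, or a PORT command.
// controlHost is the control-connection server; EPSV replies carry only a port.
func ParseDataConn(line, controlHost string) (DataConn, error) {
	if strings.HasPrefix(line, "229 ") {
		m := epsv.FindStringSubmatch(line)
		if m == nil {
			return DataConn{}, fmt.Errorf("malformed EPSV reply: %q", line)
		}
		return DataConn{"passive", "server", controlHost + ":" + m[1]}, nil
	}
	dc := DataConn{Mode: "passive", Listener: "server"}
	if strings.HasPrefix(strings.ToUpper(line), "PORT ") {
		dc = DataConn{Mode: "active", Listener: "client"} // client opens the port
	} else if !strings.HasPrefix(line, "227 ") {
		return DataConn{}, fmt.Errorf("not PASV, EPSV or PORT: %q", line)
	}
	m := tuple.FindStringSubmatch(line)
	if m == nil {
		return DataConn{}, fmt.Errorf("no h1,h2,h3,h4,p1,p2 tuple: %q", line)
	}
	var n [6]int
	for i, s := range m[1:] {
		if n[i], _ = strconv.Atoi(s); n[i] > 255 {
			return DataConn{}, fmt.Errorf("field %d out of range in %q", i+1, line)
		}
	}
	dc.Addr = fmt.Sprintf("%d.%d.%d.%d:%d", n[0], n[1], n[2], n[3], n[4]*256+n[5])
	return dc, nil
}

func main() { // first line is from the session on this page; the others are constructed
	for _, l := range []string{"227 Entering Passive Mode (11,51,11,125,197,163)",
		"229 Entering Extended Passive Mode (|||50276|)", "PORT 192,0,2,10,195,80"} {
		fmt.Println(ParseDataConn(l, "11.51.11.125"))
	}
}
```

Only the PORT line yields `Listener: "client"`, which is the case that requires an open inbound port on the machine running the FTP client.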

@ivandeex
Member

ivandeex commented Aug 26, 2021

The only fix I can provide for this ticket, will be a documentation fix saying
rclone will not support ftp active mode due to security concerns. please revert to other tools.
cc @ncw

@BraINstinct0

Umm, but isn't active mode more secure (well ftp itself is insecure)? Since it requires bidirectional communication, the server has more control over the connection.

@ivandeex
Member

ivandeex commented Aug 26, 2021

It makes rclone insecure because rclone has to open incoming ports on its own machine to support active connections from ftp server.
Upd... putting rclone and the box it runs on under control of ftp server, so to say

@ivandeex ivandeex self-assigned this Aug 26, 2021
@ivandeex
Member

ivandeex commented Aug 26, 2021

well ftp itself is insecure

Modern FTP servers support TLS on command and data connections.
Some of them have an option to require data connections to provide pre-shared TLS keys (PSK) negotiated in advance on the command connection (aka TLS resumption) as a way to additionally "authenticate" the data stream.

I am going to make rclone support that. Again, in passive mode (no open ports on rclone side!).

@BraINstinct0

BraINstinct0 commented Aug 26, 2021

In that case I can agree that security on rclone's side is enhanced by using passive mode. (Yes, it seems to be easier to implement too.) I believe your choice is totally reasonable in that sense. (TBH almost nobody uses active mode!)

@ncw
Member

ncw commented Aug 29, 2021

The only fix I can provide for this ticket, will be a documentation fix saying
rclone will not support ftp active mode due to security concerns. please revert to other tools.
cc @ncw

I have used active mode a few times but not for at least 15 years. It's useful when the FTP server you are trying to connect to is behind a firewall that doesn't accept arbitrary incoming ports and doesn't snoop the FTP protocol to read which ports it should open.

FTP is a disaster area for security - passive mode for the server, active mode for the client.

@BraINstinct0 - do you have a use case for Active mode FTP?

As far as rclone support, I'd stand by my original comment

It needs a volunteer to add it to jlaffaye/ftp#29

So I'd probably re-word your text slightly @ivandeex

We have this at the moment

FTP servers acting as rclone remotes must support 'passive' mode. Rclone's FTP implementation is not compatible with 'active' mode.

How about

FTP servers acting as rclone remotes must support 'passive' mode. Rclone's FTP implementation is not compatible with 'active' mode as the library it uses doesn't support it. This will likely never be supported due to security concerns.

@ivandeex ivandeex added this to To do in ftp Oct 4, 2021
@ivandeex
Member

ivandeex commented Oct 4, 2021

As far as rclone support, I'd stand by my original comment

It needs a volunteer to add it to jlaffaye/ftp#29

I will add this text together with the link to https://rclone.org/ftp

@ivandeex moved this from To do to In progress in ftp Oct 5, 2021
@ivandeex linked a pull request Oct 5, 2021 that will close this issue
@ivandeex moved this from In progress to Done in ftp Oct 5, 2021
@ivandeex modified the milestones: Help Wanted, v1.57 Oct 5, 2021