FTP Clients - Part 5: MOVEit Freely Command-Line Secure FTP Client
For this installment in my series about FTP Clients, I'd like to take a look at the MOVEit Freely Command-Line Secure FTP Client ("FTPS.EXE") from Ipswitch. For this blog post I used MOVEit Freely FTP Client version 5.0.0.0, and it is available from the following URL:
At the time of this blog post, Ipswitch is providing the MOVEit Freely FTP client for free, although you are required to fill out a registration page with a short questionnaire. For more information on the license for the MOVEit Freely command-line FTP client, please see Ipswitch's web site.
If you're like me and you like to script a lot of batch jobs on your servers, the MOVEit Freely command-line FTP client can be quite handy. The command set for the MOVEit Freely FTP client is a greatly-enhanced superset of the commands that are available with the command-line FTP.EXE client that is built-in to Windows, with added features that make additional functionality possible, such SSL, passive FTP, resumable downloads, etc. There is a manual available with the MOVEit Freely FTP client, and I highly recommend using the manual as a reference when writing automation scripts because there are a lot of options that are available to you.
Active and Passive FTP
One of the great things about the MOVEit Freely command-line FTP client is the ability to use either Passive or Active connections, and you can switch between the two connection types using the "passive" command in the FTP session. This helps immensely when working with firewalls and such. The following example shows what that might look like:
CMD>ftps.exe ftp.example.com 220 Microsoft FTP Service Connected to ftp.example.com. User: administrator 331 Password required for administrator. Password: ******** 230 User logged in. ftp> passive Passive mode On . ftp> put foobar.txt 227 Entering Passive Mode (192,168,0,1,224,39). 150 Opening ASCII mode data connection. 226 Transfer complete. ftp: 8 bytes sent in 0.06Seconds 0.13Kbytes/sec. ftp> passive Passive mode Off . ftp> put foobar.txt 200 PORT command successful. 125 Data connection already open; Transfer starting. 226 Transfer complete. ftp: 8 bytes sent in 0.01Seconds 0.78Kbytes/sec. ftp> bye 221 Goodbye. CMD>
Using FTP over SSL (FTPS)
The MOVEit Freely command-line FTP client supports both Implicit and Explicit FTPS, so the choice is up to you which one to use, but I generally use Explicit FTPS since Implicit FTPS should be considered obsolete. The SSL mode is specified using the "-e:" parameter on the command-line, and the 5.0.0.0 version of the MOVEit Freely command-line FTP supports the following values for that parameter:
Parameter FTPS Mode Description off n/a Specifies that no encryption will be used on either the control channel or data channel. Note: This is the default behavior.
on Explicit Specifies that both the control channel and data channel will use encryption over an explicit FTPS connection. Notes:
- This uses the AUTH TLS, PBSZ 0, and PROT P commands when establishing a connection.
- You can use "prot on" and "prot off" to specify whether encryption will be used. (See Note 1 below.)
on-ccc Explicit Specifies the control channel will use encryption over an explicit FTPS connection during login, but the control channel will switch to unencrypted after a login has been established. Data channel connections will still be encrypted. Notes:
- This uses the AUTH TLS, PBSZ 0, and PROT P commands to enable encryption when establishing a connection, then uses the CCC command after the username and password are successfully negotiated. (See Note 2 below.)
- The USER and PASS commands are the only commands that will be encrypted; all other FTP commands are unencrypted.
tls-p Explicit Specifies that both control and data channel will use encryption over an explicit FTPS connection. Notes:
- This uses the AUTH TLS and PROT P commands when establishing a connection.
- You can use "prot on" and "prot off" to specify whether encryption will be used. (See Note 3 below.)
tls-c Explicit Specifies that only the control connection will use encryption over an explicit FTPS connection. Data channel connections will be unencrypted. Notes:
- This uses only the AUTH TLS to enable encryption when establishing a connection.
- You must manually send a PBSZ command before you can use the "prot on" and "prot off" to specify whether encryption will be used. (See Note 1 and Note 3 below.)
tls-c-ccc Explicit Specifies that only the control connection will use encryption over an explicit FTPS connection during login, but the control channel will switch to unencrypted after a login has been established. Data connections will be unencrypted. Notes:
- This uses only the AUTH TLS to enable encryption when establishing a connection, then uses the CCC command after the username and password are successfully negotiated.
- The USER and PASS commands are the only commands that will be encrypted; all other FTP commands are unencrypted.
implicit Implicit Specifies that both the control channel and data channel will use encryption over an implicit FTPS connection, which can only be on port 990 for the FTP7 service. Notes:
- The implicit FTPS connection will encrypt both the control channel and data channel without the use of an AUTH command.
- You can use "prot on" and "prot off" to specify whether encryption will be used. (See Note 3 below.)
implicit-ccc Implicit Specifies that the control channel would use encryption over an implicit FTPS connection during login and switch the control channel to unencrypted after login, but this is not supported in FTP7. The implicit FTPS connection will succeed, but the FTP7 service will return an error when the CCC command is sent. You can ignore the error and continue to use the session. Notes:
- Implicit FTPS connections require encryption for the command channel. (See Note 4 below.)
- You can use "prot on" and "prot off" to specify whether encryption will be used. (See Note 3 below.)
The following notes should be considered:
- Encryption of the data connection can be changed during the session with MOVEit Freely's "prot" command. You can use the "prot on" to specify that data connections will be encrypted, and "prot off" to specify that data connections will be unencrypted; these commands will respectively send the PROT P and PROT C commands over FTP.
- The "on-ccc", "tls-c-ccc", and "implicit-ccc" parameters are useful with firewalls that inspect FTP traffic. Switching the control channel back to unencrypted allows the firewall to inspect and possibly modify the FTP commands. For example, firewalls that are performing Network Address Translation (NAT) may need to modify the PORT and PASV commands.
- "RFC 2228 - FTP Security Extensions" states that FTP clients are required to send an FTP PBSZ command before sending an FTP PROT command, and unfortunately the MOVEit Freely 5.0.0.0 FTP client does not send this command, so you get a "503 Bad sequence of commands" error. You can work around this by issuing a literal command to the server using the FTP client's "quote" command, which appears to work. See the following example for more information. The following example shows what that might look like:
Note: I turned on debugging for this example with the "-d" option so you can see the sequence of commands.
CMD>ftps.exe -e:tls-c -d ftp.example.com 220 Microsoft FTP Service ---> AUTH TLS 234 AUTH command ok. Expecting TLS Negotiation. Connected to ftp.example.com. User: administrator ---> USER administrator 331 Password required for administrator. Password: ******** ---> PASS (hidden) 230 User logged in. ---> SYST 215 Windows_NT ftp> prot on ---> PROT P 503 Bad sequence of commands. Data connections will still NOT be encrypted ftp> quot PBSZ 0 ---> PBSZ 0 200 PBSZ command successful. ftp> prot on ---> PROT P 200 PROT command successful. Data connections will be encrypted ftp> bye ---> QUIT 221 Goodbye. CMD>
- The FTP7 service treats implicit FTPS connections as though the SSL policy for the control is set to "Require".
One last note about FTPS, if you are using a certificate with trust issues, you will see the following prompt displayed:
You can get around this certificate prompt when writing scripts by using the "-z" switch. The following example shows what that might look like:
Note: For this example I bypassed a certificate prompt with the "-z" switch, and I specified passive FTP with the "passive" command.
CMD>ftps.exe -z -e:on ftp.example.com 220 Microsoft FTP Service 234 AUTH command ok. Expecting TLS Negotiation. Connected to ftp.example.com. User: administrator 331 Password required for administrator. Password: ******** 230 User logged in. 200 PBSZ command successful. 200 PROT command successful. 215 Windows_NT ftp> passive Passive mode On . ftp> ls -l 227 Entering Passive Mode (192,168,0,1,224,97). 150 Opening ASCII mode data connection. 03-10-08 10:41AM <DIR> App_Data 09-04-08 11:41AM <DIR> aspnet_client 09-04-08 11:41AM <DIR> bin 12-17-02 11:47AM 2360 default.aspx ftp: 128 bytes received in 0.03Seconds 83.25Kbytes/sec. 226 Transfer complete. ftp> bye 221 Goodbye. CMD>
Using FTP Virtual Hosts
Since everything is happening from a command-line, you can use both FTP7's Virtual Hosts and the actual FTP HOST command. Once again, see my Virtual Hosts and Host Names in FTP7 blog post for more information about FTP Virtual Host Names and FTP True Host Names, and see https://datatracker.ietf.org/drafts/draft-hethmon-mcmurray-ftp-hosts/ for more information about status of the FTP HOST command.
In any event, FTP7 virtual hosts are supported by using the "ftp.example.com|username" syntax when specifying your username, and when you connect to the FTP7 server it will route your requests to the correct FTP virtual host site. The following example shows what that might look like:
CMD>ftps.exe ftp.example.com 220 Microsoft FTP Service Connected to ftp.example.com. User: ftp.contoso.com|administrator 331 Password required for ftp.contoso.com|administrator. Password: ******** 230-Directory has 104,857,600 bytes of disk space available. 230 User logged in. ftp> bye 221 Goodbye. CMD>
True FTP hosts can be used by specifying the FTP HOST command before the client sends the USER and PASS credentials. This is accomplished in two parts:
- You need to suppress the automatic username prompt MOVEit client by using the "-n" switch on the command-line.
- You need to specify the host name using the MOVEit client's "quote" command, which allows you to send custom FTP commands. The syntax for this would be "quote HOST ftp.example.com".
The following example shows what that might look like:
CMD>ftps.exe -n ftp.example.com 220 Microsoft FTP Service Connected to ftp.example.com. ftp> quote HOST ftp.contoso.com 220 Host accepted. ftp> USER administrator 331 Password required for administrator. Password: ******** 230-Directory has 104,857,600 bytes of disk space available. 230 User logged in. ftp> bye 221 Goodbye. CMD>
Scorecard for the MOVEit Freely command-line FTP client
This concludes our quick look at some of the features that are available with the MOVEit Freely command-line FTP client, and here's the scorecard results:
Client Name | Directory Browsing |
Explicit FTPS |
Implicit FTPS |
Virtual Hosts |
True HOSTs |
---|---|---|---|---|---|
MOVEit Freely 5.0.0.0 | n/a | Y | Y | Y | Y 1 |
1 As noted earlier, true FTP HOSTs are available when using the "quote HOST ftp.example.com" syntax. |
Note: Keeping with my standard disclaimer, there are a great number of additional features that the MOVEit Freely command-line FTP client provides - I'm just keeping the focus on those topic areas that apply to FTP7.