File Transfer Protocol

You can use the File Transfer Protocol (FTP) to interact with the objects on a AIStor Server.

You must specifically enable FTP or SFTP when starting the server. Enabling either server type does not affect other AIStor Server features.

This page uses the abbreviation FTP throughout, but you can use any of the supported FTP protocols described below.

Supported protocols

When enabled, AIStor supports FTP access over the following protocols:

SSH File Transfer Protocol (SFTP)

SFTP is defined by the Internet Engineering Task Force (IETF) as an extension of SSH 2.0. SFTP allows file transfer over SSH for use with Transport Layer Security (TLS) and virtual private network (VPN) applications.

Your FTP client must support SFTP.
File Transfer Protocol over SSL/TLS (FTPS)

FTPS allows for encrypted FTP communication with TLS certificates over the standard FTP communication channel. FTPS should not be confused with SFTP, as FTPS does not communicate over a Secure Shell (SSH).

Your FTP client must support FTPS.
File Transfer Protocol (FTP)

Unencrypted file transfer.

MinIO does not recommend using unencrypted FTP for file transfer.

Supported commands

When enabled, AIStor supports the following SFTP operations:

get
put
ls
mkdir
rmdir
delete

MinIO does not support either append or rename operations.

Considerations

Versioning

SFTP clients can only operate on the latest version of an object. Specifically:

For read operations, AIStor only returns the latest version of the requested object(s) to the SFTP client.
For write operations, AIStor applies normal versioning behavior and creates a new object version at the specified namespace. rm and rmdir operations create DeleteMarker objects.

Authentication and access

SFTP access requires the same authentication as any other S3 client. AIStor supports the following authentication providers:

AIStor Plugin users and their service accounts
Active Directory/LDAP users and their service accounts
OpenID/OIDC service accounts

STS credentials cannot access buckets or objects over SFTP.

Authenticated users can access buckets and objects based on the policies assigned to the user or parent user account.

The SFTP protocol does not require any of the admin:* permissions. You may not perform other AIStor admin actions with SFTP.

Prerequisites

Enable an FTP or SFTP port for the server.
A port to use for the FTP commands and a range of ports to allow the FTP server to request to use for the data transfer.

Procedure

Start AIStor with an FTP and/or SFTP port enabled.

FTPS

The following example starts AIStor with FTPS enabled.

Object Store http://server{1...4}/disk{1...4} \
--ftp="address=:8021"                         \
--ftp="passive-port-range=30000-40000"        \
--ftp="tls-private-key=path/to/private.key"   \
--ftp="tls-public-cert=path/to/public.crt"    \
...

Omit tls-private-key and tls-public-cert to use the AIStor default TLS keys for FTPS. For more information, see the TLS on AIStor documentation.

SFTP/FTP

Object Store http://server{1...4}/disk{1...4}        \
--ftp="address=:8021"                                \
--ftp="passive-port-range=30000-40000"               \
--sftp="address=:8022"                               \
--sftp="ssh-private-key=/home/miniouser/.ssh/id_rsa" \
...

See the minio server --ftp and minio server --sftp for details on using these flags to start the MinIO service. To connect to the an FTP port with TLS (FTPS), pass the tls-private-key and tls-public-cert keys and values, as well, unless using the MinIO default TLS keys.

The output of the command should return a response that resembles the following:

MinIO FTP Server listening on :8021
MinIO SFTP Server listening on :8022

Use your preferred FTP client to connect to the AIStor Server. You must connect as a user whose policies allow access to the desired buckets and objects.

The specifics of connecting to AIStor depend on your FTP client. Refer to the documentation for your client.

To connect over TLS or through SSH, you must use a client that supports the desired protocol.

Connect to AIStor.

SFTP/FTP

The following example connects to an SFTP server, and lists the contents of a bucket named runner.

> sftp -P 8022 aistor@localhost
minio@localhost's password:
Connected to localhost.
sftp> ls runner/
chunkdocs  testdir

FTPS

The following uses the Linux FTP CLI client to connect to the AIStor Server using aistor credentials to list contents in a bucket named runner

> ftp localhost -P 8021
Connected to localhost.
220 Welcome to MinIO FTP Server
Name (localhost:user): aistor
331 User name ok, password required
Password:
230 Password ok, continue
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls runner/
229 Entering Extended Passive Mode (|||39155|)
150 Opening ASCII mode data connection for file list
drwxrwxrwx 1 nobody nobody            0 Jan  1 00:00 chunkdocs/
drwxrwxrwx 1 nobody nobody            0 Jan  1 00:00 testdir/
...

Download an object.

SFTP/FTP

This example lists items in a bucket, then downloads the contents of the bucket.

> sftp -P 8022 aistor@localhost
aistor@localhost's password:
Connected to localhost.
sftp> ls runner/
chunkdocs  testdir
sftp> get runner/chunkdocs/metadata metadata
Fetching /runner/chunkdocs/metadata to metadata
metadata                               100%  226    16.6KB/s   00:00
sftp>

FTPS

This example lists items in a bucket, then downloads the contents of the bucket.

> ftp localhost -P 8021
Connected to localhost.
220 Welcome to MinIO FTP Server
Name (localhost:user): aistor
331 User name ok, password required
Password:
230 Password ok, continue
Remote system type is UNIX.
Using binary mode to transfer files.ftp> ls runner/chunkdocs/metadata
229 Entering Extended Passive Mode (|||44269|)
150 Opening ASCII mode data connection for file list
-rwxrwxrwx 1 nobody nobody           45 Apr  1 06:13 chunkdocs/metadata
226 Closing data connection, sent 75 bytes
ftp> get
(remote-file) runner/chunkdocs/metadata
(local-file) test
local: test remote: runner/chunkdocs/metadata
229 Entering Extended Passive Mode (|||37785|)
150 Data transfer starting 45 bytes
   45        3.58 KiB/s
226 Closing data connection, sent 45 bytes
45 bytes received in 00:00 (3.55 KiB/s)
...

Connect to AIStor using SFTP with a certificate key file

AIStor supports mutual TLS (mTLS) certificate-based authentication on SFTP, where both the server and the client verify the authenticity of each other.

This type of authentication requires the following:

Public key file for the trusted certificate authority.
Public key file for the AIStor Server minted and signed by the trusted certificate authority.
Public key file for the user minted and signed by the trusted certificate authority for the client connecting by SFTP and located in the user’s .ssh folder (or equivalent for the operating system).

The keys must include a principals list of the user(s) that can authenticate with the key:

ssh-keygen -s ~/.ssh/ca_user_key -I miniouser -n miniouser -V +1h -z 1 miniouser1.pub

-s specifies the path to the certificate authority public key to use for generating this key. The specified public key must have a principals list that includes this user.
-I specifies the key identity for the public key.
-n creates the user principals list for which this key is valid. You must include the user for which this key is valid, and the user must match the username in MinIO.
-V limits the duration for which the generated key is valid. In this example, the key is valid for one hour. Adjust the duration for your requirements.
-z adds a serial number to the key to distinguish this generated public key from other keys signed by the same certificate authority public key.

AIStor requires specifying the Certificate Authority used to sign the certificates for SFTP access. Start or restart the AIStor Server and specify the path to the trusted certificate authority’s public key using an --sftp="trusted-user-ca-key=PATH" flag:

minio server {path-to-server} --sftp="trusted-user-ca-key=/path/to/.ssh/ca_user_key.pub" {...other flags}

When connecting to the AIStor Server with SFTP, the client verifies the AIStor Server’s certificate. The client then passes its own certificate to the AIStor Server. AIStor verifies the key created above by comparing its value to the the known public key from the certificate authority provided at server startup.

Once AIStor verifies the client’s certificate, the user can connect to AIStor over SFTP:

sftp -P <SFTP port> <server IP>

Procedure

The following procedure generates two key-value pairs, signs one with the other, then uses the resulting signed key to log in to the SFTP server.

Generate a key-value pair for the AIStor Server.
```
ssh-keygen -f ./ca_user_key
```
Generate a key-value pair for the user.
```
ssh-keygen -f ./minioadmin
```
Replace minioadmin with the user accessing the AIStor Server by SFTP.
Sign the user key-value pair key with the AIStor Server key-value pair key.
```
ssh-keygen -s ca_user_key -I minioadmin -n minioadmin -V +30d -z 1 minioadmin.pub
```
Move the minioadmin.pub key to the same directory as minioadmin key-value pair, such as ~/.ssh/meaningful-directory.

Start or restart the MinIO Server passing the generated public keys.

minio server --sftp="address=:8022" --sftp="ssh-private-key=/path/to/ca_user_key" --sftp="trusted-user-ca-key=/path/to/ca_user_key.pub"

Connect to the AIStor Server by SFTP.

sftp -i ./minioadmin -oPort=8022 minioadmin@localhost

Require service account or LDAP for authentication

To force authentication to SFTP using LDAP or service account credentials, append a suffix to the username. Valid suffixes are either =ldap or =svc.

sftp -P 8022 my-ldap-user=svc@example.com:/bucket

sftp -P 8022 my-ldap-user=ldap@example.com:/bucket

Replace my-ldap-user with the name of the LDAP administrator account.
Replace aistor with the name of the user which runs the AIStor server processes.
Replace example.com with the domain name of the AIStor server.