ftp Package - Amazon Linux 2
BackgroundRecommended AlternativesMigration ConsiderationsSecurity Considerations
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

ftp Package

The ftp package in AL2 is no longer available in Amazon Linux starting with AL2023. This decision was made as part of our ongoing commitment to security, maintainability, and modern software development practices. As part of (or before) migrating to AL2023, we recommend migrating any use of the legacy ftp package to one of its alternatives.

Background

The legacy ftp package has not been actively maintained upstream for many years. The last significant update to the source code occurred in the early 2000s, and the original source repository is no longer available. While some Linux distributions have carried patches for security vulnerabilities, the codebase remains largely unmaintained.

Recommended Alternatives

AL2023 provides several modern, actively maintained alternatives for FTP functionality:

lftp (available in AL2 and AL2023)

A sophisticated file transfer program supporting FTP, HTTP, SFTP, and other protocols. It offers more features than the traditional ftp client and is actively maintained.

Install with: dnf install lftp

curl (available in AL2 and AL2023)

A versatile command-line tool for transferring data with URLs, supporting FTP, FTPS, HTTP, HTTPS, and many other protocols.

Available by default in AL2023 via the curl-minimal package. For more extensive protocol support, you can optionally upgrade to curl-full using dnf swap curl-minimal curl-full.

wget (available in AL2 and AL2023)

A non-interactive command-line utility for downloading files from the web, supporting HTTP, HTTPS, and FTP protocols.

Install with: dnf install wget (not installed by default in all AL2023 images)

sftp (available in AL2 and AL2023)

A secure file transfer protocol that operates over SSH, providing encrypted file transfers.

Available by default as part of the OpenSSH package.

Migration Considerations

If your applications or scripts depend on the legacy ftp client, consider the following migration approaches:

  1. Update scripts to use modern alternatives: Modify your scripts to use lftp, curl, wget, or sftp instead of the legacy ftp client.

  2. Review package dependencies: Some applications may list the ftp package as a dependency in their package metadata, even though they have long since migrated to using modern protocols internally. In these cases, the application may work correctly on AL2023 despite the lack of /usr/bin/ftp from the ftp package. Review your application's actual requirements rather than relying solely on stated dependencies.

  3. Update application dependencies: For applications you maintain that still declare a dependency on the ftp package but don't actually use it, update the package metadata to remove this unnecessary dependency.

Security Considerations

The FTP protocol transmits data, including authentication credentials, in plaintext. For security-sensitive applications, we strongly recommend using encrypted alternatives such as SFTP or HTTPS which are supported by the recommended alternative tools.