Setting Up the Canon 5D Mark IV (5D4) to Use FTP on Linux

About This Page

This Web page contains detailed instructions and commentary. I believe in explaining things to the greatest extent possible, so it might take you a while to read through the page. But please don't be scared; the actual work is pretty straightforward.

About Contacting Me

I have deliberately not included my e-mail address on this Web page. That's because I don't have the time to answer questions, especially questions from novices. I'm sorry about that, but it's the way things are. If you're not a novice and you just want to let me know about errors in the instructions, you should have no difficulty whatsoever in figuring out how to get in touch.

Setting Up FTP on Linux (and maybe Mac OS) for the Canon 5D Mark IV

Skip directly to instructions.

One of the nice features of the Canon 5D Mark IV is its wireless communications abilities. You can connect your camera to a smartphone or a computer, in a number of different ways. One of those is to use the ancient FTP protocol to upload pictures to a remote server. Pictures can be uploaded automatically every time you snap a shot, which is clearly a big win for journalists, sports photographers, and anyone who just wants their pictures to be backed up or published instantly.

Before we get into details, I'll note that there are other options besides FTP. In particular, you can use the Canon Image Gateway, or you can use commercial services. But if you want to use your own server (e.g. you don't trust Canon or you're a sysadmin at a large organization) then this page might be for you.

Windows vs. Linux vs. Mac OS

Canon makes great cameras, but as a software company it has many flaws. One is that it's amazingly Windows-centric. Their documentation on how to set up FTP servers offers a choice of no fewer than ten Windows versions (although sadly, not the current one) but no other operating systems. So if you run Linux (like me) or Mac OS, you're on your own.

Fortunately for you, I spent an enormous amount of time over the past ten months figuring out how to get the camera to talk to some open-source Web servers. This page tells you what to do. Of course, since I'm a Linux guy, the Mac instructions are sketchier. But a good Mac admin should be able to make things work.

Audience

Before I begin, a word about my intended audience. This Web page is written for people who have quite a bit of experience with system administration. In particular, you should be completely comfortable with the command line, creating user accounts, and installing software, and you should be perfectly happy editing configuration files. If you do all your system administration through a GUI, sorry, this page isn't for you. And I'm not going to tell you how to install the FTP servers; the procedure varies from system to system and you ought to be able to do it on your own.

About Security

I mentioned that FTP is an ancient protocol; in fact, it's one of the oldest on the Internet. (There is some evidence to suggest that it's THE oldest "real", i.e. useful, protocol.) That means it's a bit clumsy (they were still figuring out the best way to do things) and in its native form it's completely insecure. Fortunately the latter problem has been addressed by later changes to the protocol.

Your 5D4 offers a total of four ways to connect to an FTP server: anonymous/insecure, anonymous/secure, password/insecure, and password/secure. Only the last one is safe. "Anonymous" means that people can log into your server without providing a password; the problem with that is that the Bad People on the Internet will quickly find your computer (they regularly scan every computer in the world) and start bogging it down with pornography and malware. I'm serious: they're always looking for places to store their porn, and then they tell other people where to find it. So if you want lots of garbage, set up an anonymous FTP server.

"Insecure" means that the user name and password are sent over the Internet without encryption, which means anybody can read them. So even if you set up an account with a password, somebody can capture them off the network and then use that account to upload—what else—porn.

This page tells you how to set up a password/secure FTP server for the specific purpose of being able to connect your 5D Mark IV to it. If you want to use the server for more than that, it's up to you.

Choosing a Server

There appear to be three popular Linux FTP servers that can deal with the secure protocol: vsftpd (the "very secure FTP daemon"), Pure-FTPd, and ProFTPD. However, I wasn't able to get Pure-FTPd to work with the camera, so I'll ignore it from here on out. (If anybody figures out how, feel free to let me know and maybe I'll find time to update this page.)

Vsftpd
The Very Secure FTP Daemon appears to be indeed secure; there are no significant known exploits at the moment. It is also lightweight (i.e., it won't put a lot of load on the host computer). It's highly suitable if you just want to get your files uploaded during or after a shooting session, and you'll deal with them later when you get back to your computer.
ProFTPD
ProFTPD has had security problems in the past; however, as of this writing (mid-2017) there is only one known vulnerability and it's relatively minor. The latest version has a fix for the problem, so I wouldn't worry about it. The other disadvantage is that it is bigger and more complex, so that your computer may experience more load. On the plus side, it has plugins that add a lot of features, including one that can be used to automatically process your pictures the moment they are uploaded. See below for more information.

Since I wanted the automation, I decided to go with ProFTPD. But I also got vsftpd to work and I include instructions here.

Complete Setup Instructions

Installing Software

If you don't have openssl, install it first. You might want to create your SSL certificate right away because you may have to wait up to 12 hours before the camera will recognize it as valid. (The 5D4 has a bug that uses the local time zone rather than UTC to check the certificate).

Try to use an FTP server from your Linux distribution. If it adds an ftp account of some sort, that's all to the good. You can start it with systemctl or service or a script from /etc/init.d. Mac people, you're on your own here (although I would assume launchd would be involved). But don't start the server just yet.

Creating Users

If the distro didn't create an ftp user, you might want to do that now. Or not.

You'll need an account for your camera. I'm going to use canon5d4 in this discussion, but don't call it that or anything else easy to guess (like any first name). Make the password good, following the usual rules (mix cases, insert some special characters, make it over 8 characters). Remember that you'll have to enter this password on your camera, which means there may be some Canon-imposed limitations. I haven't explored what Canon does and doesn't allow. But it's wise to choose a password you'll be able to remember in the field.

Creating an SSL Certificate

The next thing you'll need to do is to create an SSL certificate; the camera will use that to ensure that it's talking to your FTP server rather than an imposter. You don't need to buy a certificate from an outside vendor, which is nice because the vendors can charge quite a bit and because they set it up so that you have to renew (and pay) every year. Instead, you can use openssl to create a certificate of your own.

About Expiration Dates

THIS IS CRITICAL! First a bit of background: every SSL certificate includes an expiration date. Previous versions of this page suggested that you use a very long expiration so that you wouldn't have to recreate your certificate every so often. However, the Security Powers That Be have now decreed that no certificate should last longer than 13 months (I've seen times of 396 and 397 days). Their reasons are fairly sensible, although they don't really apply to this particular situation. But at least with proftpd and firmware version 1.4, you don't get a choice: they'll reject long-lived certificates. So I now recommend that you just give up and plan to renew your certificates every year. My sample below uses 390 days to be safe.

Making Directories

Now that you have the correct number, make a directory that will hold your certificate. Since I'm using ProFTPD, which uses /etc/proftpd for its configuration files, I put it in /etc/proftpd/ssl. Make sure that the directory is owned by the user that proftpd will run under (for me, that's ftp) and is mode 700, or rwx------.

For vsftpd, my distro didn't have a configuration directory so I used /etc/ssl/private. That would work fine for ProFTPD too, if you prefer that.

Configuring openssl

Strictly speaking, this step probably isn't necessary (I got the camera to work without it). But my interpretation of various documentation is that you should create your certificate with a few special SSL extensions. So edit /etc/ssl/openssl.cnf and add the following lines at the bottom:

#####################################################################
[ eos5d4 ]

# These are used to create an FTP certificate acceptable to a
# Canon EOS 5D Mark IV camera.

keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth

You can just copy-and-paste them, no customization needed. If you're too lazy to do this step, just omit -extensions eos5d4 below.

Actually Making the Certificate

Once you've made a directory for the certificate and secured it, change into it (continuing to work as root) and make your certificate with this command:

openssl req -new -x509 -nodes -newkey rsa:2048 -keyout proftpd.key -out proftpd.pem -days 390 -extensions eos5d4

Obviously, replace proftpd with vsftpd (twice) if you're using vsftpd. Not that it really matters; you could use any file name as long as your other configuration matched.

When you make the certificate, openssl will ask you a lot of questions such as your country, state or province, etc. Answer them as you please; it doesn't really matter (I chose to be accurate). Enter "." if you want the answer to be empty. You can run the command again if you decide you don't like what you typed.

Once you've created the certificate, you can check it with this command:

openssl x509 -in /etc/proftpd/ssl/proftpd.pem -text

which will produce a lot of output, but buried near the top will be the expiration date. Make sure it's absolutely no later than 3 PM on January 18, 2038. Otherwise your camera will reject it (at least in some time zones).

Configuring the Daemon

The next step is to configure the FTP daemon itself. That's complex enough that I've created two separate pages for ProFTPD configuration and vsftpd configuration.

Testing the Server

After you've configured the FTP server, you would probably like to test it out before trying to get the camera to connect. I only have one option for you here: lftp. (There are probably others, but I haven't tested them.)

First, start the server. Doing so depends on your system: common incantations include systemctl start proftpd, service proftpd start, rcproftpd start, or /etc/init.d/proftpd start (replacing proftpd with vsftpd as needed).

To test with lftp, I used:

lftp -u canon5d4 -e 'set ssl:verify-certificate false' ftp-server

where canon5d4 should be replaced by the name of the user account you created for your camera and ftp-server is the DNS name of (surprise) your server.

You will be asked for a password and then given a prompt that looks like this:

lftp canon5d4@ftp-server:~>

At the prompt, type "ls" (list files) and hit enter. If you get a file list, or no output except another prompt, you're partway there. I say "partway" because lftp isn't actually verifying the certificate (set ssl:verify-certificate false). There doesn't seem to be a straightforward way to test the server with a self-signed certificate, which is unfortunate since the camera handles that just fine.

Anyway, if you get "Login incorrect" or other errors, now is the time to debug the problem. You can enable debugging in lftp by running it like this:

lftp -u canon5d4 -e 'debug;set ssl:verify-certificate false' ftp-server

…and you can turn on debugging on the server side by editing the proftpd or vsftpd configuration file and restarting the server.

Configuring the Camera

You're now ready to set up the camera. The Canon documentation isn't bad, all things considered, but in places it's not very helpful. So here's a step-by-step procedure. But first, a warning, a whine, and a suggestion.

Canon's Foolishness (Well, One of Them)

There are two parts to connecting the camera to an FTP server: you need to connect to a local wireless network, and then you need to tell the camera about the FTP server itself. Those two things are COMPLETELY independent: you can connect to the server from any wireless network, and from any given network you can connect to any server. Unfortunately, Canon conflates the two. A particular setup includes both the wireless network and the server. Wanna connect to a different server from the same network? A different setup is needed. Want to always use the same server, but from several networks? Different setups. And to make matters MUCH worse, the camera only supports three setups, total. At least you're allowed to give them names.

Oh, and the camera can only store one root certificate (see below). So if you want to use multiple servers with different certificates, you have to constantly reload the certificate. (I solved that particular problem by putting the same certificate on two servers, but that's not a great solution and not available to everyone.)

I chose to define one setup for my most-used network, a second for my phone hotspot (gotta watch out for data limits on that one), and to then leave the third for connecting to whatever network is nearby at the moment, realizing that I will have to reconfigure all the time. Sigh.

Loading the Certificate

The first thing you need to do is to load a "root certificate" on your camera. This is the certificate you made with openssl above. On your computer, copy the proftpd.pem or vsftpd.pem file to a flash card (CF or SD), naming it root.pem and placing it in the root (top-level) folder of the card. Unmount (eject) the card from your computer, put it in the camera, and:

  1. Under the Tools (wrench) menu, tab 4, choose "Communication settings".
  2. Choose "FTP transfer settings".
  3. Choose "Set root certif".
  4. Choose "Load root certif from card".
  5. Choose "OK".
  6. After the root certificate has been loaded, choose "OK" again.
  7. On the "FTP transfer settings" screen, the "Set root certif" line should now read "'38/01/18" (or whatever expiration date you chose).

The above is a one-time process; you shouldn't have to do it again.

Configuring a Wireless Network and FTP server

As I mentioned above, you need to set up separately for every combination of wireless network and FTP server. You'll probably get pretty good at this.

  1. Under the Tools (wrench) menu, tab 4, choose "Communication settings".
  2. Choose "Built-in wireless settings".
  3. Choose "Wi-Fi Function".
  4. Choose "Transfer Images to FTP server" (the fourth menu entry, lower-left icon on the screen).
  5. Under "Choose set", select set 1, 2, or 3. (You can rename these settings as you like; I named the first two after my primary network and my phone, and named the third "Any Network".
  6. If the setting is not new, choose "Review/change settings". (If it's new, you'll go to the next screen automatically.)
  7. If you're now on a review/change settings" screen, choose "Change set.".
  8. You will now be presented with a screen that lets you connect to a wireless network. The full options are documented in the Canon Wi-Fi (Wireless Communication) Function Instruction Manual. The details vary a lot, so I'm going to punt here and refer you to the Canon manual. If you're familiar with WiFi connections, you can probably navigate the screens without help.
  9. After you connect to the network, you'll be presented with an "FTP mode" screen. Choose FTPS.
  10. On the "FTP server" screen, leave "Port number setting" alone. Select "Address setting" and behold the full stupidity of Canon software: you can't use the touch screen to enter the name of your FTP server. Delete the current setting and enter the full DNS name of your server, such as prizewinners.natgeo.com (I made that up; it doesn't exist). You can also use a numeric IP address if you prefer. (Hint: you can use the big dial on the back, plus the 8-way multicontroller, to type more quickly. But it's still a pain.)
  11. Next is "Passive mode". For most situations, you want to enable passive mode. This is particularly true if you're using a NAT connection, which is true for essentially all home and small-business Internet connections, airports, hotels, and cellphones. If you're connecting via a really big business that has aggressive firewalls you might want to disable NAT; in that case the network administrator should be able to tell you that fact. If you can't find a network administrator, you probably want to enable passive mode.
  12. Next comes the proxy server. Disable it unless a network administrator tells you otherwise.
  13. For "Login method", choose "Login password". As I said before, anonymous is just wrong.
  14. Enter the login name of the user account you created (canon5d4 in my examples—again, don't use that name or anything else that a bad person could easily guess. Remember that the bad guys don't know anything about you; they just run down a list of names and try them all. (Oh, BTW, again an example of Canon stupidity: here the touch screen works.)
  15. Enter the password for your account.
  16. For "Target folder", it's up to you. I prefer "Select folder", followed by "/". That puts the results in the home folder of the given user, which I find most convenient. If you choose "Root folder" the files will be put in a folder named something like "A/DCIM/100EOS5D", which is annoying.
  17. When you hit "OK" the camera should connect to the FTP server to verify the connection. If you're lucky it will Just Work and you'll get the message "Connected to FTP server". If not, debugging is in order; start with turning on the debugging logs for proftpd or vsftpd.
  18. If you don't want to transfer files right now, or if you're done sending files, select "Disconnect,exit" to turn off WiFi.
  19. On the "Review/change settings" screen (under "Transfer images to FTP server") you can select "Change settings name" to name the connection something better than "SET1".
  20. In the future, you can choose "Review/change settings", "Change set.", and "Connection wizard" to connect to a different WiFi network. You'll have to go through the FTP server settings again; mostly you can just hit "OK" but when you get to "Login method" it will forget your choices and you'll need to pick "Login password" again. But it'll remember your login name and password, then forget the "Target folder". (Remember what I said about Canon stupidity?)
  21. If you need to connect to a different FTP server from the same WiFi network, choose "Review/change settings" and then "FTP server. That will give you a menu where you can individually select and change parameters such as the target server, password, etc. Don't ask me why that flexibility isn't available elsewhere. At least not if you don't approve of profanity.

Whew! But at least you're connected!

Disconnecting and Reconnecting

It's not really clarified in the Canon manual, but you can disconnect from the WiFi network by choosing "Communication settings" (Tools, tab 4), "Built-in wireless settings", "Wi-Fi function", and "Disconnect,exit". That will save power when you don't need WiFi.

You can then reconnect by selecting "Communication settings", "Built-in wireless settings", "Wi-Fi function", and "Transfer images to FTP server". Pick your settings (out of three) under "Choose set." and then select "Connect". Yay!

Configuring Image Transfer

After all that setup, you're finally ready to actually upload pictures to your FTP server. Start with "Communication settings" (Tools, tab 4, remember?) and pick "FTP transfer settings". The top three menu items give you some cool choices:

Automatic transfer
If enabled, every time you take a picture it will magically be sent to the FTP server. If a picture is currently in transit and you take another, the second (and third, etc.) one will be queued up and will still make it to the server. But if you're not currently connected—even if it's because you are just a hair out of range at the moment—the camera will forget the picture and it won't get uploaded. So beware! (It would have been vastly better if the camera remembered the snap and uploaded things when you connected later, but that would be expecting software competence from Canon.)
Transfer type/size
These settings let you choose the size of the images you send to the server. If you are worried about bandwidth, choose "Smaller"; if you want to be sure your pictures are 100% safe choose "Larger" (I'll leave it to you to figure out what to do about RAW_JPEG). I wish Canon had allowed me to make this decision on a connection-specific basis, since I care about bandwidth with my phone but quality with true WiFi. Ah, well. I'm just glad it works at all.
Transfer with SET
If enabled, this allows you to push the SET button while viewing a picture and have it transferred to the FTP server. As with the "Automatic transfer" option, you don't have to wait for the previous transfer to finish before choosing another picture. And you can turn both features on at the same time. But there's no record of what actually got transferred, so you definitely shouldn't delete anything until you can verify what's on the server.

Testing

You are now all set with FTP service! Connect to your server, turn on automatic transfer, and take a picture. It should magically appear on the server. Turn automatic transfer off, take another, and use the SET button to send it. (I have way too many pictures of my kitchen at this point…)

Finalizing Things

The last thing you need to do is to make sure the FTP server is always running, even after you reboot your computer. This unfortunately depends on your distro. On many systems, the command is "systemctl enable proftpd" (or vsftpd as appropriate). Other machines use "chkconfig proftpd on". Still others use other commands, which I'd be happy to be informed of. Hopefully you know enough about system administration to figure out what will work for your distribution.

Automating the Server

A cool thing about ProFTPD is that there are a couple of ways you can use it to automatically respond to image uploads. One of those is to automatically execute a program every time a file is uploaded; another is to write the name of the uploaded file to a FIFO and let another program read that name and take an appropriate action.

In both cases, there are EXTREME security risks. If the program has bugs of any sort, it is likely that there is a security hold that would allow an attacker to crash your FTP server, upload unwanted files (porn), or take it over completely.

For that reason, I am not going to give sample programs here. Instead, I will merely note the kind of things that can be done. In my case, when I shoot a picture it will be rotated to standard orientation, renamed according to my standard naming scheme, and added to my Web site as part of a collection of the day's pictures. The details of how this is accomplished are specific to how my Web site works and wouldn't be useful to anyone else, but the summary should give you an idea of the sort of thing that's possible with Linux, ProFTPD, and the Canon 5D Mark IV.