FTP reply code 331 is the normal response after the client sends a USER command with a valid (or at least syntactically acceptable) username. It indicates the server recognizes the username and is waiting for the PASS command with the password. This does not mean the username is valid — most servers send 331 regardless of whether the user exists, to prevent username enumeration attacks. After receiving 331, the client should send PASS followed by the password. If the password is correct, the server responds with 230 (logged in). If incorrect, the server responds with 530 (not logged in).
The client sent USER username and the server is requesting the password. This is the standard second step in FTP authentication. The client should now send PASS password.
The client sent USER anonymous and the server is requesting a password. For anonymous FTP, the convention is to provide an email address as the password, though many servers accept anything.
After receiving 331, send PASS followed by the user's password. For anonymous access, send PASS with your email address or an empty string.
curl -v -u username:password ftp://ftp.example.com/
If you receive 530 after PASS, the password is incorrect, the account is disabled, or login is restricted by server policy (IP whitelist, time restrictions, etc.).
FTP sends passwords in plaintext unless TLS is used. Always use AUTH TLS before sending USER and PASS to encrypt your credentials in transit.
curl -v --ssl-reqd -u user:pass ftp://ftp.example.com/
Authentication successful. The user is now logged in and can access the server.
The server requires an account name (ACCT command) in addition to the username and password.
The user is not logged in. Authentication is required before this command can be executed.
The FTP server is ready and accepting connections. This is the greeting banner sent upon connection.