SECURE_PASSWORD_KERBEROS (FTP server) statement

Use the SECURE_PASSWORD_KERBEROS statement to specify whether a password is required by the FTP server for a Kerberos-protected session. The statement is ignored for sessions that are not protected by the Kerberos security mechanism.

Rule: This statement is enabled only when EXTENSIONS AUTH_GSSAPI is coded in the server's FTP.DATA file.

When the user ID passed on the USER command matches the user ID that the SAF-compliant security product maps to the user ID that the Kerberos principal received from the client, the SECURE_PASSWORD_KERBEROS statement value determines whether the server prompts the client for the password during the login procedure.

Syntax


   .-SECURE_PASSWORD_KERBEROS REQUIRED------.   
>>-+----------------------------------------+------------------><
   '-SECURE_PASSWORD_KERBEROS--+-REQUIRED-+-'   
                               '-OPTIONAL-'

Parameters

REQUIRED: Specifies that a password is required to log in a user whose session is protected by the Kerberos security mechanism.
This is the default.
OPTIONAL: Specifies that the password is not required if the user ID passed on the USER command matches the user ID that the SAF-compliant security product mapped to the user ID that the Kerberos principal received from the client.

Examples

To require the user to enter a password on a Kerberos-protected session only when the user ID passed on the USER command does not match the user ID that the SAF-compliant security product mapped to the user ID that the Kerberos principal received from the client, code the following statement:

SECURE_PASSWORD_KERBEROS   OPTIONAL

Usage notes

Table 1 shows how the SECURE_PASSWORD_KERBEROS statement affects user authentication when the user ID to which the Kerberos principal is mapped matches the user ID that is passed on the USER command.

Table 1. User identity in the Kerberos ticket matches user ID on USER command
SECURE_PASSWORD_KERBEROS	SECURE_LOGIN	Action
REQUIRED	One of the following: VERIFY_USER REQUIRED NO_CLIENT_AUTH	Prompt for a password.
OPTIONAL	One of the following: VERIFY_USER REQUIRED NO_CLIENT_AUTH	Authenticate with the Kerberos ticket (if the Kerberos authentication fails, fail the login, do not prompt for password).

When the user ID to which the Kerberos principal is mapped does not match the user ID that is passed on the USER command, the SECURE_LOGIN statement value determines the action that is necessary during the authentication procedure.

Table 2 shows how the SECURE_LOGIN statement affects user authentication when the user ID to which the Kerberos principal is mapped does not match the user ID that is passed on the USER command.

Table 2. User identity in the Kerberos ticket does not match user ID on USER command
SECURE_PASSWORD_KERBEROS	SECURE_LOGIN	Action
REQUIRED or OPTIONAL	VERIFY_USER	Fail the login.
REQUIRED or OPTIONAL	REQUIRED or NO_CLIENT_AUTH	Prompt for a password.

SECURE_PASSWORD_KERBEROS (FTP server) statement

Syntax

Parameters

Examples

Usage notes

Related topics