VERIFYUSER (FTP server) statement

Use the VERIFYUSER statement to indicate whether the FTP server should verify that every user ID used to log into FTP has been granted access to the server's port profile in the SERVERAUTH class.

Tips:
  • The FTP server port profile is the same profile that is checked for TLS secured sessions when SECURE_LOGIN VERIFY_USER is coded in FTP.DATA. See SECURE_LOGIN (FTP server) statement for more information.
  • When sessions are secured with TLS and VERIFYUSER TRUE is coded in FTP.DATA, the server verifies the user access to the FTP server port profile regardless of the SECURE_LOGIN value.

Syntax

Read syntax diagramSkip visual syntax diagram
   .-VERIFYUSER FALSE------.   
>>-+-----------------------+-----------------------------------><
   '-VERIFYUSER--+-FALSE-+-'   
                 '-TRUE--'     

Parameters

TRUE
If the SERVAUTH class is active and a profile has been defined for the FTP port, the connection is allowed only if the user ID has a minimum of READ access to the profile.
The resource name is as follows: 
EZB.FTP.systemname.ftpdaemonname.PORTxxxx
xxxx is replaced by the port number for the FTP daemon. The profile name can contain wildcard values to the extent that the security product allows. All security product rules apply.
For example, if the procedure FTPD is used to start the FTP daemon on system MVS164 and the FTP daemon uses the default FTP port 21, the resource name is: 
EZB.FTP.MVS164.FTPD1.PORT21
To protect all ports with a single profile, you could use the following security product profile name: 
EZB.FTP.*.FTPD1.PORT*

Result: If the VERIFYUSER value is TRUE, but the security product profile is not defined, the FTP server does not verify access to the profile prior to allowing users to log into FTP.

FALSE
The server does not verify access to the profile EZB.FTP.systemname.ftpdaemonname.PORTxxxx before allowing the login.

Restriction: If the session is secured with TLS and SECURE_LOGIN VERIFY_USER is coded in FTP.DATA, the server checks the user's access to the profile as described in SECURE_LOGIN (FTP server) statement regardless of the VERIFYUSER setting.

Examples

To request that the FTP server verify user access to the SERVAUTH profile for all sessions regardless of whether they are secured with TLS and regardless of whether TLS level 3 authentication is requested, code this statement in FTP.DATA: 
VERIFYUSER TRUE

You should also define the port profile of the server in the SERVAUTH class of your security product.

For example, if the FTPD procedure is used to start the FTP daemon on system MVS164, and the FTP daemon uses the default FTP port 21, the resource name is as follows: 
EZB.FTP.MVS164.FTPD1.PORT21
If all systems use the same access list and generic profile checking is active for the SERVAUTH class, you can use the following profile name: 
EZB.FTP.*.FTPD1.PORT21
To protect all ports with a single profile, you can use the following security product profile name: 
EZB.FTP.*.FTPD1.PORT*

Related topic

Parent topic: File Transfer Protocol