You can configure the FTP server to allow users to log in anonymously. A user logs in anonymously by logging in as anonymous instead of as a user ID defined to the system. To enable users to log in anonymously, code the ANONYMOUS statement in the server FTP.DATA data set.
You can specify three levels of anonymous support on the ANONYMOUSLEVEL statement.
ANONYMOUSLEVEL 1 is the default. That is, the ANONYMOUS statement is supported. If no operands are specified on the ANONYMOUS statement, the anonymous user needs no password and has access to MVS™ data sets and the z/OS® UNIX file system.
You should not specify ANONYMOUSLEVEL 2; ANONYMOUSLEVEL 2 is provided for migration purposes only. Consider ANONYMOUSLEVEL 3 if ANONYMOUSLEVEL 1 does not meet your anonymous login security requirements.
If you specify ANONYMOUSLEVEL 3, the anonymous user cannot issue the USER command to leave anonymous mode, nor can another user issue USER anonymous to enter anonymous mode.
If you specify ANONYMOUSLEVEL 3 and STARTDIRECTORY MVS in FTP.DATA, you must create a shadow copy of the /usr/sbin/ftpdns path and file under the home directory of the anonymous user in the z/OS UNIX file system. For more information, see step 2 in Creating an anonymous directory structure in the z/OS UNIX file system.
You can control the degree of verification of the email address that an anonymous user enters as a password by using the EMAILADDRCHECK keyword in FTP.DATA. See z/OS Communications Server: IP Configuration Reference for details about the EMAILADDRCHECK keyword. The email address entered is logged to the syslog daemon and is also passed to a user exit routine, FTCHKPWD, for user processing.
The FTP server can be defined to process users without passwords by using the ANONYMOUS SURROGATE support. In order to support this, ANONYMOUSLEVEL must be set to 3 in FTP.DATA on the server and BPX.SRV surrogate must be defined in RACF®.
The SURROGAT class profile is named BPX.SRV.<userid>, in which <userid> is the MVS user ID of the user that the server will support without a password.
The following steps are for a sample user ID of the FTP daemon (the user ID associated with the FTP started task procedure) called FTPD with the ability to support user ID GUEST without a password. As you add more servers, you will need to follow similar procedures.
SETROPTS CLASSACT(SURROGAT)
This has to be done only once on the system. The SURROGAT class may already have been set up on your system. If a daemon or server you are running will be using the SURROGAT support heavily, consider using the RACLIST command to keep the SURROGAT profiles in storage. The following example shows how to cache the SURROGAT profiles in storage:
SETROPTS RACLIST(SURROGAT)
RDEFINE SURROGAT BPX.SRV.GUEST UACC(NONE)
SETROPTS RACLIST(SURROGAT) REFRESH
A similar SURROGAT profile is required for each user ID that a server must support without a password.
PERMIT BPX.SRV.GUEST CLASS(SURROGAT) ID(FTPD) ACCESS(READ)
SETROPTS RACLIST(SURROGAT) REFRESH
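The following added example (not IBM code) checks the anonymous-login statements of an FTP.DATA file against the rules described above. It assumes that a semicolon starts a comment, that each statement is coded once, and that surrogate support is coded as ANONYMOUS userid/SURROGATE; the sample inputs and function names are constructed for illustration.

```python
# Added example, not IBM code. Assumptions: ';' starts an FTP.DATA comment,
# each statement is coded once, and surrogate support is coded as
# ANONYMOUS userid/SURROGATE.

SAMPLE_WEAK = "ANONYMOUS            ; constructed sample\n"
SAMPLE_SURROGATE = (
    "ANONYMOUS GUEST/SURROGATE   ; constructed sample\n"
    "ANONYMOUSLEVEL 2\n"
    "STARTDIRECTORY MVS\n"
)

def parse_ftpdata(text):
    """Return {STATEMENT: operands} for every non-comment line."""
    stmts = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            stmts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return stmts

def audit_anonymous(text):
    """Return findings for the anonymous-login settings in FTP.DATA text."""
    s = parse_ftpdata(text)
    if "ANONYMOUS" not in s:
        return []  # anonymous login is not enabled
    level = s.get("ANONYMOUSLEVEL", "1")  # ANONYMOUSLEVEL 1 is the default
    operand = s["ANONYMOUS"].upper()
    findings = []
    if level == "2":
        findings.append("ANONYMOUSLEVEL 2 is for migration only; use 1 or 3")
    if operand == "" and level == "1":
        findings.append("ANONYMOUS has no operands: no password is needed and "
                        "MVS data sets and the z/OS UNIX file system are open")
    if operand.endswith("/SURROGATE") and level != "3":
        findings.append("ANONYMOUS SURROGATE requires ANONYMOUSLEVEL 3")
    if level == "3" and s.get("STARTDIRECTORY", "").upper() == "MVS":
        findings.append("ANONYMOUSLEVEL 3 with STARTDIRECTORY MVS: shadow copy "
                        "of /usr/sbin/ftpdns needed under the anonymous home")
    return findings

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("surrogate", SAMPLE_SURROGATE)):
        for finding in audit_anonymous(sample):
            print(f"{name}: {finding}")
```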