The FTP client can be enabled to use either TLS or Kerberos, but not both at the same time.
Perform the following steps to customize the FTP client for Kerberos:
SECURE_MECHANISM GSSAPI
To have the client log in using the Kerberos protocol, but allow the client to complete the login without Kerberos if the server does not support it, code the following statement in the client's FTP.DATA configuration file:
SECURE_FTP ALLOWED
This is the default.
To have the client log in using the Kerberos protocol, and have the login fail if the server does not support Kerberos, code the following statement in the client's FTP.DATA configuration file:
SECURE_FTP REQUIRED
Note that the level of security for data connections is determined by both the SECURE_DATACONN statement in FTP.DATA and by subcommands an FTP user might issue during an FTP session.
The following subcommands can be issued by the user:
If you want the client to transfer data raw with no cipher algorithm applied to the data, code the following statement in the client's FTP.DATA configuration file:
SECURE_DATACONN NEVER
To indicate the data can be transferred raw or enciphered, code the following statement in the client's FTP.DATA configuration file:
SECURE_DATACONN CLEAR
This is the default.
By default, data is transferred raw. However, the user can issue the private subcommand during the FTP session to change the data connection security level, so that data is transferred both integrity and privacy protected. The user can also issue the safe subcommand to change the data connection security level so that data is transferred integrity protected only, or the clear subcommand to reset the data connection security level back so that data is transferred raw again.
If you want to require that data is transferred both integrity and privacy protected, code the following statement in the client's FTP.DATA configuration file:
SECURE_DATACONN PRIVATE
If you want to require that data is transferred integrity protected only, or both integrity and privacy protected, code the following statement in the client's FTP.DATA configuration file:
SECURE_DATACONN SAFE
By default, data is transferred integrity protected only. However, the user can issue the private subcommand during the FTP session to change the data connection security level so that data is transferred both integrity and privacy protected. The user can also issue the safe subcommand to reset the data connection security level back, so that data is transferred integrity protected only.
Note that the level of security for data connections is determined by both the SECURE_CTRLCONN statement in FTP.DATA and by subcommands an FTP user might issue during an FTP session.
The following subcommands can be issued by the user:
To indicate the data can be transferred raw or enciphered, you can code the following statement in the server's FTP.DATA configuration file:
SECURE_CTRLCONN CLEAR
This is the default.
By default, data is transferred raw. However, the user can issue the cprotect private subcommand during the FTP session to change the security level so that data is transferred both integrity and privacy protected. The user can also issue the cprotect safe subcommand to change the security level so that data is transferred integrity protected only, and the cprotect clear subcommand to reset the security level back so that data is transferred raw again.
If you want to require that data is transferred both integrity and privacy protected, code the following statement in the client's FTP.DATA configuration file:
SECURE_CTRLCONN PRIVATE
If you want to require that data is transferred integrity protected only, or both integrity and privacy protected, code the following statement in the client's FTP.DATA configuration file:
SECURE_CTRLCONN SAFE
By default, data is transferred integrity protected only. However, the user can issue the cprotect private subcommand during the FTP session to change the data connection security level so that data is transferred both integrity and privacy protected. The user can also issue the cprotect safe subcommand to reset the data connection security level, so that data is transferred integrity protected only.
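The statements above can be checked together. The following sketch is an added example, not IBM's code: it parses the text of a client FTP.DATA file and reports which of the settings described on this page leave the login or the transfers below required Kerberos protection. The function names, the `;` comment syntax, the last-value-wins handling of repeated keywords and the sample files are assumptions.

```python
# Added example: audit a client FTP.DATA for the Kerberos statements on this page.
# Assumptions: one "KEYWORD value" statement per line, ';' starts a comment,
# and a repeated keyword keeps its last value.

DEFAULTS = {"SECURE_FTP": "ALLOWED",       # defaults as stated on this page
            "SECURE_DATACONN": "CLEAR",
            "SECURE_CTRLCONN": "CLEAR"}

# (keyword, value) pairs that leave the session short of PRIVATE protection.
WEAK = {
    ("SECURE_FTP", "ALLOWED"): "login completes without Kerberos if the server lacks it",
    ("SECURE_DATACONN", "NEVER"): "data is always transferred raw",
    ("SECURE_DATACONN", "CLEAR"): "raw unless the user issues private or safe",
    ("SECURE_DATACONN", "SAFE"): "integrity only unless the user issues private",
    ("SECURE_CTRLCONN", "CLEAR"): "raw unless the user issues cprotect private or cprotect safe",
    ("SECURE_CTRLCONN", "SAFE"): "integrity only unless the user issues cprotect private",
}

def parse_ftp_data(text):
    """Return {KEYWORD: VALUE} for each statement in the file text."""
    settings = {}
    for line in text.splitlines():
        tokens = line.split(";", 1)[0].split()   # drop comment, then tokenize
        if len(tokens) >= 2:
            settings[tokens[0].upper()] = tokens[1].upper()
    return settings

def audit_kerberos_client(text):
    """Return (keyword, effective value, reason) findings; empty means none."""
    cfg = {**DEFAULTS, **parse_ftp_data(text)}
    findings = []
    mech = cfg.get("SECURE_MECHANISM")
    if mech != "GSSAPI":
        findings.append(("SECURE_MECHANISM", mech, "Kerberos (GSSAPI) is not selected"))
    for key in DEFAULTS:                          # report in a fixed order
        reason = WEAK.get((key, cfg[key]))
        if reason:
            findings.append((key, cfg[key], reason))
    return findings

# Constructed sample inputs, not taken from a real system.
SAMPLE_DEFAULTS = "SECURE_MECHANISM GSSAPI   ; everything else left at its default\n"
SAMPLE_STRICT = """\
SECURE_MECHANISM GSSAPI
SECURE_FTP       REQUIRED
SECURE_DATACONN  PRIVATE
SECURE_CTRLCONN  PRIVATE
"""

if __name__ == "__main__":
    for name, text in (("defaults", SAMPLE_DEFAULTS), ("strict", SAMPLE_STRICT)):
        print(name, audit_kerberos_client(text))
```

A file that only selects GSSAPI produces three findings, because the defaults for SECURE_FTP, SECURE_DATACONN and SECURE_CTRLCONN all permit unprotected operation.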