Steps for customizing the FTP client for Kerberos

The FTP client can be enabled to use either TLS or Kerberos, but not both at the same time.

Procedure

Perform the following steps to customize the FTP client for Kerberos:

  1. Code the following statement in the client's FTP.DATA configuration file to enable the client for Kerberos:
    SECURE_MECHANISM GSSAPI
  2. Decide whether the client must use the Kerberos protocol. If the FTP server does not support Kerberos, you can either allow the client to log in without Kerberos security or require a secure session, in which case the login fails. The default is to not require Kerberos. This setting is customized with the SECURE_FTP configuration statement.

    To have the client log in using the Kerberos protocol, but if the server does not support Kerberos allow the client to complete the login without using it, code the following statement in the client's FTP.DATA configuration file:

    SECURE_FTP ALLOWED
    This is the default.

    To have the client log in using the Kerberos protocol, but if the server does not support Kerberos have the login fail and not allow the client to log in, code the following statement in the client's FTP.DATA configuration file:

    SECURE_FTP REQUIRED
  3. Decide the level of security for the data connection. You can choose to require enciphered data transfers, or to allow the FTP user to decide the level of security for data transfers. The default is to not encipher the data, but allow the data to be enciphered at the server's request or at the FTP user's request during the FTP session.

    Note that the level of security for data connections is determined by both the SECURE_DATACONN statement in FTP.DATA and by subcommands an FTP user might issue during an FTP session.

    The following subcommands can be issued by the user:

    clear
    Resets the security level so that data is transferred raw.
    private
    Resets the security level so that data is transferred enciphered. If the client is using the Kerberos security mechanism, the data is transferred both integrity protected and privacy protected. If the client is using the TLS security mechanism, the cipher algorithm is negotiated between the server and the client using the TLS protocol negotiation.
    safe
    Resets the security level so that data is transferred integrity protected only.

    If you want the client to transfer data raw with no cipher algorithm applied to the data, code the following statement in the client's FTP.DATA configuration file:

    SECURE_DATACONN NEVER

    To indicate the data can be transferred raw or enciphered, code the following statement in the client's FTP.DATA configuration file:

    SECURE_DATACONN CLEAR
    This is the default.

    With SECURE_DATACONN CLEAR, data is transferred raw until the user changes the level. The user can issue the private subcommand during the FTP session to change the data connection security level so that data is transferred both integrity and privacy protected. The user can also issue the safe subcommand to change the data connection security level so that data is transferred integrity protected only, or the clear subcommand to reset the data connection security level so that data is transferred raw again.

    If you want to require that data is transferred both integrity and privacy protected, code the following statement in the client's FTP.DATA configuration file:

    SECURE_DATACONN PRIVATE

    If you want to require that data is transferred integrity protected only, or both integrity and privacy protected, code the following statement in the client's FTP.DATA configuration file:

    SECURE_DATACONN SAFE

    With SECURE_DATACONN SAFE, data is transferred integrity protected only until the user changes the level. The user can issue the private subcommand during the FTP session to change the data connection security level so that data is transferred both integrity and privacy protected. The user can also issue the safe subcommand to reset the data connection security level so that data is transferred integrity protected only. The clear subcommand is not permitted under this setting, because it would drop below the required level.

  4. Decide the level of security for the control connection (that is, for FTP commands and replies). You can choose to require that commands and replies are enciphered, or to allow the FTP user to decide the level of security. The default is to not encipher the control connection, but allow it to be enciphered at the server's request or at the FTP user's request during the FTP session.

    Note that the level of security for the control connection is determined by both the SECURE_CTRLCONN statement in FTP.DATA and by subcommands an FTP user might issue during an FTP session.

    The following subcommands can be issued by the user:

    cprotect clear
    Resets the security level so that data is transferred raw.
    cprotect private
    Resets the security level so that data is transferred both integrity protected and privacy protected.
    cprotect safe
    Resets the security level so that data is transferred integrity protected only.

    To indicate that commands and replies can be transferred raw or enciphered, code the following statement in the client's FTP.DATA configuration file:

    SECURE_CTRLCONN CLEAR
    This is the default.

    With SECURE_CTRLCONN CLEAR, commands and replies are transferred raw until the user changes the level. The user can issue the cprotect private subcommand during the FTP session to change the security level so that the control connection is both integrity and privacy protected. The user can also issue the cprotect safe subcommand to change the security level so that the control connection is integrity protected only, or the cprotect clear subcommand to reset the security level so that commands and replies are transferred raw again.

    If you want to require that data is transferred both integrity and privacy protected, code the following statement in the client's FTP.DATA configuration file:

    SECURE_CTRLCONN PRIVATE

    If you want to require that data is transferred integrity protected only, or both integrity and privacy protected, code the following statement in the client's FTP.DATA configuration file:

    SECURE_CTRLCONN SAFE

    With SECURE_CTRLCONN SAFE, commands and replies are transferred integrity protected only until the user changes the level. The user can issue the cprotect private subcommand during the FTP session to change the control connection security level so that commands and replies are both integrity and privacy protected. The user can also issue the cprotect safe subcommand to reset the control connection security level so that commands and replies are integrity protected only. The cprotect clear subcommand is not permitted under this setting, because it would drop below the required level.
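The following Python module is an added example, not IBM code or part of the z/OS FTP client. It models the four statements covered in steps 1 through 4 and shows how a permissive FTP.DATA (only SECURE_MECHANISM GSSAPI coded, everything else at its default) differs from a hardened one (SECURE_FTP REQUIRED, SECURE_DATACONN PRIVATE, SECURE_CTRLCONN PRIVATE) once a user starts issuing clear, safe, private and cprotect subcommands. The sample FTP.DATA fragments are constructed for the example. The assumption that a subcommand outside the configured range is rejected and leaves the level unchanged, and the fallback to a fully raw session when SECURE_FTP ALLOWED meets a server without Kerberos, are the example's own modelling choices; the real client's reply messages are not reproduced.

```python
"""Added example (not IBM's code): a model of how the z/OS FTP client's
Kerberos statements in FTP.DATA (SECURE_MECHANISM, SECURE_FTP,
SECURE_DATACONN, SECURE_CTRLCONN) combine with the clear/safe/private and
cprotect subcommands.  Assumption for illustration: a subcommand that would
move the level outside the configured range is rejected and leaves the
level unchanged; the real client's reply text is not modelled."""
from dataclasses import dataclass
from typing import Dict, List, Optional

LEVELS = {"CLEAR": 0, "SAFE": 1, "PRIVATE": 2}      # weakest to strongest
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}

# Documented defaults when a statement is absent from FTP.DATA.
DEFAULTS: Dict[str, Optional[str]] = {
    "SECURE_MECHANISM": None,
    "SECURE_FTP": "ALLOWED",
    "SECURE_DATACONN": "CLEAR",
    "SECURE_CTRLCONN": "CLEAR",
}

# (lowest, highest) level the user may select under each statement value.
RANGE = {"NEVER": (0, 0), "CLEAR": (0, 2), "SAFE": (1, 2), "PRIVATE": (2, 2)}


def parse_ftp_data(text: str) -> Dict[str, Optional[str]]:
    """Pick the four security statements out of FTP.DATA text.

    Statements are `KEYWORD value`, one per line; text after ';' is a
    comment; keywords and values are case-insensitive.  Other statements
    are ignored and missing ones take the documented default."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        words = raw.split(";", 1)[0].split()
        if len(words) >= 2 and words[0].upper() in settings:
            settings[words[0].upper()] = words[1].upper()
    return settings


@dataclass
class Connection:
    """Protection state of one connection (data or control)."""
    low: int
    high: int
    level: int = 0

    def __post_init__(self) -> None:
        self.level = self.low   # a session starts at the configured minimum

    def request(self, wanted: str) -> bool:
        """Apply a clear/safe/private request; False if the policy forbids it."""
        lvl = LEVELS[wanted.upper()]
        if self.low <= lvl <= self.high:
            self.level = lvl
            return True
        return False            # assumed: rejected, level unchanged


class KerberosFtpClient:
    def __init__(self, ftp_data: str) -> None:
        s = parse_ftp_data(ftp_data)
        if s["SECURE_MECHANISM"] != "GSSAPI":
            raise ValueError("SECURE_MECHANISM GSSAPI is needed for Kerberos")
        self.require_kerberos = s["SECURE_FTP"] == "REQUIRED"
        self.data = Connection(*RANGE[s["SECURE_DATACONN"]])
        self.ctrl = Connection(*RANGE[s["SECURE_CTRLCONN"]])

    def login(self, server_supports_kerberos: bool) -> bool:
        """REQUIRED fails the login without Kerberos; ALLOWED falls back to
        an unprotected login, so both connections are then raw (assumed)."""
        if server_supports_kerberos:
            return True
        if self.require_kerberos:
            return False
        self.data, self.ctrl = Connection(0, 0), Connection(0, 0)
        return True


def simulate(ftp_data: str, server_supports_kerberos: bool,
             commands: List[str]) -> Dict[str, object]:
    """Run a session: login, then the user's subcommands ('private',
    'cprotect safe', ...).  Returns final levels and rejected commands."""
    client = KerberosFtpClient(ftp_data)
    out: Dict[str, object] = {"login": client.login(server_supports_kerberos),
                              "rejected": [], "data": None, "control": None}
    if not out["login"]:
        return out
    for cmd in commands:
        words = cmd.split()
        if words[0].lower() == "cprotect":
            ok = client.ctrl.request(words[1])
        else:
            ok = client.data.request(words[0])
        if not ok:
            out["rejected"].append(cmd)
    out["data"] = LEVEL_NAMES[client.data.level]
    out["control"] = LEVEL_NAMES[client.ctrl.level]
    return out


# Constructed sample FTP.DATA fragments (not taken from any real system).
PERMISSIVE_FTP_DATA = """
; Kerberos enabled, everything else left at its default
SECURE_MECHANISM GSSAPI
"""
HARDENED_FTP_DATA = """
; Kerberos mandatory and both connections privacy protected
SECURE_MECHANISM gssapi
SECURE_FTP       REQUIRED   ; fail the login if the server lacks Kerberos
SECURE_DATACONN  PRIVATE
SECURE_CTRLCONN  PRIVATE
"""

if __name__ == "__main__":
    print(simulate(PERMISSIVE_FTP_DATA, False, ["private"]))
    print(simulate(HARDENED_FTP_DATA, True, ["clear", "cprotect safe"]))
```

Running the module shows the practical difference: with the permissive fragment, a server that lacks Kerberos still gets a login and the session stays raw even after the user asks for private, whereas with the hardened fragment the login either succeeds with both connections privacy protected (and every downgrade subcommand refused) or does not happen at all.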