The FTP server can be enabled to support both TLS and Kerberos.
Before you begin
Some configuration statement settings apply to both TLS and
Kerberos and affect the behavior of both.
Decide which RACF® ID the service principal is
to be associated with, which helps determine whether a keytab file
is required. If the service principal is associated with the FTP startup
procedure ID, a keytab file is not required. If a keytab file is not
required and you do not plan to use one, decide how the FTP startup
procedure is to be updated to identify the environment variable (ENVAR)
KRB5_SERVER_KEYTAB.
- Code the following statement in the server's FTP.DATA configuration
file to enable the server for Kerberos:
EXTENSIONS AUTH_GSSAPI
- Decide whether clients should be required to use the Kerberos
protocol. The default is to allow the client to decide
whether to use Kerberos.
This setting is customized using the SECURE_FTP
configuration statement. You should understand that its setting affects
both TLS security behavior and Kerberos security behavior.
To allow the client to decide whether to use Kerberos, you can code the
following statement in the server's FTP.DATA configuration file:
SECURE_FTP ALLOWED
This is the default setting, and indicates:
  - If the server is enabled for TLS only, clients must either log
  in using TLS, or with no security mechanism.
  - If the server is enabled for Kerberos only, clients must either
  log in using Kerberos, or with no security mechanism.
  - If the server is enabled for both TLS and Kerberos, clients can
  log in using TLS, Kerberos, or with no security mechanism.
To require that clients log in using Kerberos, code the following
statement in the server's FTP.DATA configuration file:
SECURE_FTP REQUIRED
This setting indicates:
  - If the server is enabled for TLS only, clients must log in using
  TLS.
  - If the server is enabled for Kerberos only, clients must log in
  using Kerberos.
  - If the server is enabled for both TLS and Kerberos, clients must
  log in using either TLS or Kerberos.
- Decide whether to use the client authentication process
to eliminate the client login password prompt so that a client supplies
only the login user ID to establish the session. The
Kerberos principal that is received from the client is used to query
the security product (either RACF or
another SAF-compliant security product) to determine whether the Kerberos
principal maps to a user ID that is known to the system. If the Kerberos
principal maps to a user ID, and that user ID matches the user name
passed from the client on the USER command, you can eliminate the
password prompt.
If the client principal is for the same realm as
the FTP server, the principal is correlated to the user ID using the
KERBNAME option of the ADDUSER or ALTUSER commands. If the client
principal is a cross-realm principal, it is correlated to the user
ID using the RDEFINE KERBLINK command.
If you want to require the client to provide a password or password phrase
even when the client authentication process does not require it, code the
following statement in the server's FTP.DATA configuration file. This is the
default.
SECURE_PASSWORD_KERBEROS REQUIRED
If you want to use the client authentication process to eliminate the
client password prompt, code the following statement in the server's
FTP.DATA configuration file:
SECURE_PASSWORD_KERBEROS OPTIONAL
- Decide the level of security for the data connection. You can choose to require enciphered data transfers, or to allow
the client to decide the level of security for data transfers. The
default is to allow the clients to decide the level of security.
This setting is customized using the SECURE_DATACONN configuration statement.
You should understand that its setting affects both TLS security behavior
and Kerberos security behavior.
If you want the server to require that data is transferred raw with no
cipher algorithm applied to the data and that clients attempting to use
ciphers are rejected, code the following statement in the server's FTP.DATA
configuration file:
SECURE_DATACONN NEVER
If you want the client to decide whether data is transferred raw or enciphered,
you can code the following statement in the server's FTP.DATA configuration
file:
SECURE_DATACONN CLEAR
This is the default. For TLS, the client decides whether data is enciphered
or not. If it indicates it should be enciphered, the cipher algorithm
is negotiated between the server and the client using TLS protocols.
For Kerberos, the client can specify whether data is transferred raw,
integrity protected only, or both integrity and privacy protected.
If you want the server to require that data is transferred both integrity
and privacy protected, code the following statement in the server's
FTP.DATA configuration file:
SECURE_DATACONN PRIVATE
For TLS, the cipher algorithm is negotiated between the server and the
client using TLS protocols, and clients attempting to send raw data
are rejected. For Kerberos, the data must be transferred using both
integrity and privacy protection, and clients attempting to send raw
data or data that is only integrity protected are rejected.
If you want the server to require that data is transferred integrity
protected only or both integrity and privacy protected, code the following
statement in the server's FTP.DATA configuration file:
SECURE_DATACONN SAFE
For TLS, specifying this option is identical to specifying SECURE_DATACONN
PRIVATE. For Kerberos, specifying this option indicates the data can
be transferred integrity protected only, or both integrity and privacy
protected. Clients attempting to send raw data are rejected.
- Decide the level of security for the control connection
(that is, for FTP commands and replies). You can choose
to require enciphered control connection data, or to allow the client
to decide the level of security. The default is to allow the clients
to decide the level of security.
This setting is customized using the SECURE_CTRLCONN configuration statement.
This setting applies only to Kerberos. For TLS, the control connection is
required to be enciphered and this setting has no effect on TLS behavior.
If you want the client to decide whether control data is transferred
raw or enciphered, you can code the following statement in the server's
FTP.DATA configuration file:
SECURE_CTRLCONN CLEAR
This is the default. The client can specify whether control data is transferred
raw, integrity protected only, or both integrity and privacy protected.
If you want the server to require that control data is transferred both
integrity and privacy protected, code the following statement in the
server's FTP.DATA configuration file:
SECURE_CTRLCONN PRIVATE
Clients attempting to send raw data or data that is only integrity protected
are rejected.
If you want the server to require that control data is transferred
integrity protected only or both integrity and privacy protected,
code the following statement in the server's FTP.DATA configuration
file:
SECURE_CTRLCONN SAFE
Clients attempting to send raw data are rejected.
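The SECURE_FTP, SECURE_DATACONN and SECURE_CTRLCONN rules above combine in ways that are easy to misread when checking a server's FTP.DATA, so here is an added Python model of them (example code written for this page, not IBM's FTP server code) that reads a fragment and reports which clear-text behaviors the configuration still permits. The CLEAR/SAFE/PRIVATE level names, the ';' comment convention in FTP.DATA and EXTENSIONS AUTH_TLS as the TLS counterpart of AUTH_GSSAPI are assumptions not stated on this page.

```python
# Policy model of the SECURE_FTP, SECURE_DATACONN and SECURE_CTRLCONN rules described above.
# Levels are RFC 2228 PROT values: CLEAR = raw, SAFE = integrity only, PRIVATE = integrity and privacy.
LEVELS = {"CLEAR", "SAFE", "PRIVATE"}
MECHANISMS = {"AUTH_GSSAPI": "KERBEROS", "AUTH_TLS": "TLS"}   # AUTH_TLS assumed as the TLS counterpart

# Data-connection levels accepted per SECURE_DATACONN setting; a TLS client chooses only CLEAR or PRIVATE.
DATA_RULES = {
    "NEVER":   {"TLS": {"CLEAR"},            "KERBEROS": {"CLEAR"}},
    "CLEAR":   {"TLS": {"CLEAR", "PRIVATE"}, "KERBEROS": LEVELS},
    "SAFE":    {"TLS": {"PRIVATE"},          "KERBEROS": {"SAFE", "PRIVATE"}},
    "PRIVATE": {"TLS": {"PRIVATE"},          "KERBEROS": {"PRIVATE"}},
}
# SECURE_CTRLCONN applies to Kerberos only; a TLS control connection is always enciphered.
CTRL_RULES = {"CLEAR": LEVELS, "SAFE": {"SAFE", "PRIVATE"}, "PRIVATE": {"PRIVATE"}}

def parse_ftp_data(text):
    """Collect the statements the model needs, applying the documented defaults."""
    cfg = {"mechanisms": set(), "SECURE_FTP": "ALLOWED",
           "SECURE_DATACONN": "CLEAR", "SECURE_CTRLCONN": "CLEAR"}
    for raw in text.splitlines():
        parts = raw.split(";")[0].upper().split()      # assumption: ';' begins a comment in FTP.DATA
        if len(parts) < 2:
            continue
        if parts[0] == "EXTENSIONS" and parts[1] in MECHANISMS:
            cfg["mechanisms"].add(MECHANISMS[parts[1]])
        elif parts[0] in cfg:
            cfg[parts[0]] = parts[1]
    return cfg
def login_allowed(cfg, mechanism):
    """mechanism is 'TLS', 'KERBEROS', or None for a login with no security mechanism."""
    return cfg["SECURE_FTP"] == "ALLOWED" if mechanism is None else mechanism in cfg["mechanisms"]
def data_level_allowed(cfg, mechanism, level):
    return level in DATA_RULES[cfg["SECURE_DATACONN"]][mechanism]
def ctrl_level_allowed(cfg, mechanism, level):
    return level == "PRIVATE" if mechanism == "TLS" else level in CTRL_RULES[cfg["SECURE_CTRLCONN"]]

def audit(text):
    """List the clear-text exposures an FTP.DATA fragment still permits."""
    cfg, found = parse_ftp_data(text), []
    if login_allowed(cfg, None):
        found.append("login with no security mechanism (SECURE_FTP ALLOWED)")
    for m in sorted(cfg["mechanisms"]):
        if data_level_allowed(cfg, m, "CLEAR"):
            found.append(f"{m}: raw data transfer (SECURE_DATACONN {cfg['SECURE_DATACONN']})")
        if ctrl_level_allowed(cfg, m, "CLEAR"):
            found.append(f"{m}: raw control connection (SECURE_CTRLCONN {cfg['SECURE_CTRLCONN']})")
    return found

# Constructed sample: Kerberos enabled, every security statement left at its default.
SAMPLE_FTP_DATA = "EXTENSIONS AUTH_GSSAPI\nSECURE_FTP ALLOWED ; default\nSECURE_DATACONN CLEAR\n"
```

Running audit(SAMPLE_FTP_DATA) lists three exposures for the all-defaults server; the same fragment with SECURE_FTP REQUIRED, SECURE_DATACONN SAFE and SECURE_CTRLCONN PRIVATE reports none.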
- Create the service principal against a RACF ID for use with a keytab (see step 7 for
using Kerberos with no keytab).
- Create a RACF user
ID to associate with the FTP service principal.
adduser FTP NOPASSWORD DFLTGRP(SYS1) omvs(autouid home('/u/ftp') prog('/bin/sh'))
- After the FTP RACF user
ID is created, add the Kerberos principal to it.
ALTUSER FTP KERB(KERBNAME(ftp/<hostname>))
- To ensure the Kerberos segment was added, use the following
command to display the ID.
LU FTP NORACF KERB
Result: USER=FTP
KERB INFORMATION
----------------
KERBNAME= ftp/<hostname>
KEY VERSION= 001
KEY ENCRYPTION TYPE= DES DES3 DESD
- To add the FTP service principal to the keytab file,
take the following actions:
- The keytab file is located in the /etc/skrb directory. Switch
to that directory using the following command:
cd /etc/skrb
- Use the following command to see what is currently in the keytab
file:
keytab list
If nothing is currently
in the keytab file, the following information is returned:
Key table: /etc/skrb/krb5.keytab
- Add the FTP service principal using the following command:
keytab add ftp/<hostname>
You will be prompted for the principal's password. For this example,
that password is FTP. The password must be entered in uppercase. This
password was assigned with the RACF ALTUSER
command when the FTP service principal was created.
- Issue the keytab list command again.
The following information
is displayed when the FTP service principal is present:
Key table: /etc/skrb/krb5.keytab
Principal: ftp/<hostname>@<realm>
Key version: 1
Key type: 56-bit DES
Entry timestamp: 2005/02/04-16:21:10
Principal: ftp/<hostname>@<realm>
Key version: 1
Key type: 56-bit DES using key derivation
Entry timestamp: 2005/02/04-16:21:10
Principal: ftp/<hostname>@<realm>
Key version: 1
Key type: 168-bit DES using key derivation
Entry timestamp: 2005/02/04-16:21:10
- An alternate way to run without a keytab file is to associate
the FTP service principal to the ID under which the FTP started task
runs. If the ID that the FTP started task runs under is
FTPD, issue the following command to create the FTP service principal
and have it associated to that ID.
ALTUSER FTPD PASSWORD(ftpd) NOEXPIRED KERB(KERBNAME(ftp/<hostname>))
Rule: In this setup, you must set the KRB5_SERVER_KEYTAB
environment variable. Specify it directly in the FTP startup procedure
as follows:
//FTPD EXEC PGM=&MODULE,REGION=4096K,TIME=NOLIMIT,
// PARM=('POSIX(ON) ALL31(ON)',
// 'ENVAR("KRB5_SERVER_KEYTAB=1")/&PARMS')
Another way of specifying the environment variable directly in the startup
procedure is to specify a file where the environment variables are
listed.
//FTPD EXEC PGM=&MODULE,REGION=4096K,TIME=NOLIMIT,
// PARM=('POSIX(ON) ALL31(ON)',
// 'ENVAR("_CEE_ENVFILE=/etc/ftp.envvars")/&PARMS')
Then, within the /etc/ftp.envvars file, add the following entry:
KRB5_SERVER_KEYTAB=1