Steps for customizing the FTP server for Kerberos

The FTP server can be enabled to support both TLS and Kerberos.

Before you begin

Some configuration statement settings apply to both TLS and Kerberos and affect the behavior of both.

Decide which RACF® ID the service principal is to be associated with; this determines whether a keytab file is required. If the service principal is associated with the FTP startup procedure ID, a keytab file is not required. If a keytab file is not required and you do not plan to use one, decide how the FTP startup procedure is to be updated to set the KRB5_SERVER_KEYTAB environment variable (ENVAR).

Procedure

Perform the following steps to customize the FTP server for Kerberos:

  1. Code the following statement in the server's FTP.DATA configuration file to enable the server for Kerberos:
    EXTENSIONS AUTH_GSSAPI
  2. Decide whether clients should be required to use the Kerberos protocol. The default is to allow the client to decide whether to use Kerberos.

    This setting is customized using the SECURE_FTP configuration statement. You should understand that its setting affects both TLS security behavior and Kerberos security behavior.

    To allow the client to decide whether to use Kerberos, you can code the following statement in the server's FTP.DATA configuration file:

    SECURE_FTP ALLOWED
    This is the default setting, and indicates:
    • If the server is enabled for TLS only, clients must either log in using TLS, or with no security mechanism.
    • If the server is enabled for Kerberos only, clients must either log in using Kerberos, or with no security mechanism.
    • If the server is enabled for both TLS and Kerberos, clients can log in using TLS, Kerberos, or with no security mechanism.
    To require that clients log in using Kerberos, code the following statement in the server's FTP.DATA configuration file:
    SECURE_FTP REQUIRED
    This setting indicates:
    • If the server is enabled for TLS only, clients must log in using TLS.
    • If the server is enabled for Kerberos only, clients must log in using Kerberos.
    • If the server is enabled for both TLS and Kerberos, clients must log in using either TLS or Kerberos.
  3. Decide whether to use the client authentication process to eliminate the client login password prompt so that a client supplies only the login user ID to establish the session. The Kerberos principal that is received from the client is used to query the security product (either RACF or another SAF-compliant security product) to determine whether the Kerberos principal maps to a user ID that is known to the system. If the Kerberos principal maps to a user ID, and that user ID matches the user name passed from the client on the USER command, you can eliminate the password prompt.

    If the client principal is for the same realm as the FTP server, the principal is correlated to the user ID using the KERBNAME option of the ADDUSER or ALTUSER commands. If the client principal is a cross-realm principal, it is correlated to the user ID using the RDEFINE KERBLINK command.

    If you want to require the client to provide a password or password phrase even when the client authentication process does not require it, code the following statement in the server's FTP.DATA configuration file. This is the default.

    SECURE_PASSWORD_KERBEROS REQUIRED

    If you want to use the client authentication process to eliminate the client password prompt, code the following statement in the server's FTP.DATA configuration file:

    SECURE_PASSWORD_KERBEROS OPTIONAL
  4. Decide the level of security for the data connection. You can choose to require enciphered data transfers, or to allow the client to decide the level of security for data transfers. The default is to allow the clients to decide the level of security.

    This setting is customized using the SECURE_DATACONN configuration statement. You should understand that its setting affects both TLS security behavior and Kerberos security behavior.

    If you want the server to require that data is transferred raw with no cipher algorithm applied to the data and that clients attempting to use ciphers are rejected, code the following statement in the server's FTP.DATA configuration file:

    SECURE_DATACONN NEVER

    If you want the client to decide whether data is transferred raw or enciphered, you can code the following statement in the server's FTP.DATA configuration file:

    SECURE_DATACONN CLEAR
    This is the default.

    For TLS, the client decides whether data is enciphered or not. If it indicates it should be enciphered, the cipher algorithm is negotiated between the server and the client using TLS protocols. For Kerberos, the client can specify whether data is transferred raw, integrity protected only, or both integrity and privacy protected.

    If you want the server to require that data is transferred both integrity and privacy protected, code the following statement in the server's FTP.DATA configuration file:

    SECURE_DATACONN PRIVATE

    For TLS, the cipher algorithm is negotiated between the server and the client using TLS protocols, and clients attempting to send raw data are rejected. For Kerberos, the data must be transferred using both integrity and privacy protection, and clients attempting to send raw data or data that is only integrity protected are rejected.

    If you want the server to require that data is transferred integrity protected only or both integrity and privacy protected, code the following statement in the server's FTP.DATA configuration file:

    SECURE_DATACONN SAFE

    For TLS, specifying this option is identical to specifying SECURE_DATACONN PRIVATE. For Kerberos, specifying this option indicates the data can be transferred integrity protected only, or both integrity and privacy protected. Clients attempting to send raw data are rejected.

  5. Decide the level of security for the control connection (that is, for FTP commands and replies). You can choose to require enciphered control connection data, or to allow the client to decide the level of security. The default is to allow the clients to decide the level of security.

    This setting is customized using the SECURE_CTRLCONN configuration statement. This setting applies only to Kerberos. For TLS, the control connection is required to be enciphered and this setting has no effect on TLS behavior.

    If you want the client to decide whether control data is transferred raw or enciphered, you can code the following statement in the server's FTP.DATA configuration file:

    SECURE_CTRLCONN CLEAR
    This is the default.

    The client can specify whether data is transferred raw, integrity protected only, or both integrity and privacy protected.

    If you want the server to require that control data is transferred both integrity and privacy protected, code the following statement in the server's FTP.DATA configuration file:

    SECURE_CTRLCONN PRIVATE
    Clients attempting to send raw data or data that is only integrity protected are rejected.

    If you want the server to require that data is transferred integrity protected only or both integrity and privacy protected, code the following statement in the server's FTP.DATA configuration file:

    SECURE_CTRLCONN SAFE
    Clients attempting to send raw data are rejected.
  6. Create the service principal against a RACF ID for use with a keytab (see step 7 for using Kerberos with no keytab).
    1. Create a RACF user ID to associate with the FTP service principal.
      adduser FTP NOPASSWORD DFLTGRP(SYS1) omvs(autouid home('/u/ftp') prog('/bin/sh'))
    2. After the FTP RACF user ID is created, add the Kerberos principal to it.
      ALTUSER FTP KERB(KERBNAME(ftp/<hostname>))
    3. To verify that the Kerberos segment was added, display the ID with the following command.
      LU FTP NORACF KERB
      Result:
      USER=FTP                            
                                          
      KERB INFORMATION                    
      ----------------                    
      KERBNAME= ftp/<hostname>
      KEY VERSION= 001                    
      KEY ENCRYPTION TYPE= DES DES3 DESD  
    4. To add the FTP service principal to the keytab file, take the following actions:
      1. The keytab file is located in the /etc/skrb directory. Switch to that directory using the following command:
        cd /etc/skrb
      2. Use the following command to see what is currently in the keytab file:
        keytab list

        If nothing is currently in the keytab file, the following information is returned:

        Key table: /etc/skrb/krb5.keytab
      3. Add the FTP service principal using the following command:
        keytab add ftp/<hostname>

        You will be prompted for the principal's password. For this example, that password is FTP. The password must be entered in uppercase. This password was assigned with the RACF ALTUSER command when the FTP service principal was created.

      4. Issue the keytab list command again.
        The following information is displayed when the FTP service principal is present:
        Key table: /etc/skrb/krb5.keytab
         
        Principal: ftp/<hostname>@<realm>
          Key version: 1
          Key type: 56-bit DES
          Entry timestamp: 2005/02/04-16:21:10
         
        Principal: ftp/<hostname>@<realm>
          Key version: 1
          Key type: 56-bit DES using key derivation
          Entry timestamp: 2005/02/04-16:21:10
         
        Principal: ftp/<hostname>@<realm>
          Key version: 1
          Key type: 168-bit DES using key derivation
          Entry timestamp: 2005/02/04-16:21:10
  7. An alternate way to run without a keytab file is to associate the FTP service principal with the ID under which the FTP started task runs. If the ID that the FTP started task runs under is FTPD, issue the following command to create the FTP service principal and associate it with that ID.
    ALTUSER FTPD PASSWORD(ftpd) NOEXPIRED KERB(KERBNAME(ftp/<hostname>))
    Rule: In this setup, you must set the KRB5_SERVER_KEYTAB environment variable. Specify it directly in the FTP startup procedure as follows:
    //FTPD   EXEC PGM=&MODULE,REGION=4096K,TIME=NOLIMIT,
    //      PARM=('POSIX(ON) ALL31(ON)',                
    //        'ENVAR("KRB5_SERVER_KEYTAB=1")/&PARMS')   
    Alternatively, instead of coding the environment variable directly in the startup procedure, the procedure can point to a file in which the environment variables are listed.
    //FTPD   EXEC PGM=&MODULE,REGION=4096K,TIME=NOLIMIT,
    //      PARM=('POSIX(ON) ALL31(ON)',                
    //        'ENVAR("_CEE_ENVFILE=/etc/ftp.envvars")/&PARMS')  
    Then, within the /etc/ftp.envvars file, add the following entry:
     KRB5_SERVER_KEYTAB=1
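As an added example that is not part of the IBM documentation, the following Python script models the policy that steps 2 through 5 describe: it parses the FTP.DATA statements shown above, answers which login mechanisms, password prompts and connection protection levels the resulting configuration accepts, and lists the weaker behaviours a configuration still permits. The sample FTP.DATA text and the principal-to-user-ID table are constructed; EXTENSIONS AUTH_TLS (the TLS counterpart of AUTH_GSSAPI) is not shown on this page; the semicolon comment convention and the treatment of TLS data connections as either raw or enciphered are assumptions made here.

```python
"""Added example (not IBM's code): evaluate the security policy that a set
of FTP.DATA statements implies, following steps 2 to 5 of the procedure.

Assumptions: lines beginning with ';' are comments; EXTENSIONS AUTH_TLS
enables TLS (counterpart of AUTH_GSSAPI); TLS data connections are either
raw or enciphered, so the integrity-only level applies to Kerberos only.
The sample FTP.DATA text and the principal table are constructed."""

# Defaults stated in the procedure: the client decides unless told otherwise.
DEFAULTS = {
    "SECURE_FTP": "ALLOWED",
    "SECURE_PASSWORD_KERBEROS": "REQUIRED",
    "SECURE_DATACONN": "CLEAR",
    "SECURE_CTRLCONN": "CLEAR",
}


def parse_ftp_data(text):
    """Return the effective settings for the statements modelled here.
    Unknown statements are ignored; EXTENSIONS values accumulate."""
    cfg = dict(DEFAULTS)
    cfg["EXTENSIONS"] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # assumed comment convention
            continue
        parts = line.split()
        key, args = parts[0].upper(), [p.upper() for p in parts[1:]]
        if key == "EXTENSIONS":
            cfg["EXTENSIONS"].update(args)
        elif key in DEFAULTS and args:
            cfg[key] = args[0]
    return cfg


def enabled_mechanisms(cfg):
    mechs = set()
    if "AUTH_TLS" in cfg["EXTENSIONS"]:
        mechs.add("TLS")
    if "AUTH_GSSAPI" in cfg["EXTENSIONS"]:
        mechs.add("KERBEROS")
    return mechs


def login_allowed(cfg, mechanism):
    """Step 2. mechanism is 'TLS', 'KERBEROS' or None (no security mechanism)."""
    if mechanism is None:
        return cfg["SECURE_FTP"] == "ALLOWED"
    return mechanism in enabled_mechanisms(cfg)


def password_required(cfg, client_principal, user_name, principal_map):
    """Step 3: the prompt is skipped only with SECURE_PASSWORD_KERBEROS OPTIONAL
    and a client principal that maps to the user ID sent on the USER command."""
    if cfg["SECURE_PASSWORD_KERBEROS"] != "OPTIONAL":
        return True
    return principal_map.get(client_principal) != user_name.upper()


def data_conn_allowed(cfg, mechanism, level):
    """Step 4: levels are CLEAR (raw), SAFE (integrity only), PRIVATE (both)."""
    if mechanism == "TLS" and level == "SAFE":
        raise ValueError("TLS data connections are raw or enciphered, not integrity-only")
    setting = cfg["SECURE_DATACONN"]
    if setting == "NEVER":
        return level == "CLEAR"
    if setting == "CLEAR":
        return True
    if setting == "PRIVATE":
        return level == "PRIVATE"
    if setting == "SAFE":  # identical to PRIVATE for a TLS client
        return level in ("SAFE", "PRIVATE")
    raise ValueError(f"unknown SECURE_DATACONN value {setting}")


def ctrl_conn_allowed(cfg, mechanism, level):
    """Step 5: the control connection. TLS always enciphers it."""
    if mechanism == "TLS":
        return level == "PRIVATE"
    setting = cfg["SECURE_CTRLCONN"]
    if setting == "CLEAR":
        return True
    if setting == "PRIVATE":
        return level == "PRIVATE"
    if setting == "SAFE":
        return level in ("SAFE", "PRIVATE")
    raise ValueError(f"unknown SECURE_CTRLCONN value {setting}")


def audit(cfg):
    """Defender's view: the weaker behaviours this configuration still permits."""
    findings = []
    if login_allowed(cfg, None):
        findings.append("SECURE_FTP ALLOWED: clients may log in with no security mechanism")
    if "KERBEROS" in enabled_mechanisms(cfg):
        if data_conn_allowed(cfg, "KERBEROS", "CLEAR"):
            findings.append(f"SECURE_DATACONN {cfg['SECURE_DATACONN']}: Kerberos clients may send raw data")
        if ctrl_conn_allowed(cfg, "KERBEROS", "CLEAR"):
            findings.append(f"SECURE_CTRLCONN {cfg['SECURE_CTRLCONN']}: Kerberos clients may send raw control data")
    return findings


# Constructed inputs for this example.
SAMPLE_FTP_DATA = """\
; constructed FTP.DATA fragment
EXTENSIONS AUTH_GSSAPI
SECURE_FTP REQUIRED
SECURE_PASSWORD_KERBEROS OPTIONAL
SECURE_DATACONN SAFE
"""
# Stand-in for the RACF lookup: a same-realm principal (KERBNAME) and a
# cross-realm principal (KERBLINK) both resolve to a user ID.
PRINCIPAL_MAP = {"joe@EXAMPLE.REALM": "JOE", "alice@OTHER.REALM": "ALICE"}

if __name__ == "__main__":
    cfg = parse_ftp_data(SAMPLE_FTP_DATA)
    print("mechanisms:", sorted(enabled_mechanisms(cfg)))
    print("prompt joe:", password_required(cfg, "joe@EXAMPLE.REALM", "joe", PRINCIPAL_MAP))
    for finding in audit(cfg):
        print("finding:", finding)
```

Running the script against the sample fragment reports that only Kerberos logins are accepted, that joe logs in without a password prompt, and that the one remaining weak spot is the defaulted SECURE_CTRLCONN CLEAR; parsing a fragment that contains only EXTENSIONS AUTH_GSSAPI shows all three defaults as findings.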

Results

You know you are done when a client is able to successfully log in to the FTP server using Kerberos. An example of the login is as follows:
  1. Obtain the Kerberos credentials by issuing the following command:
    kinit joe 
  2. You will be prompted for the password. Enter it.
  3. Issue the ftp command:
    ftp <hostname>
    You should see the following information:
    Using /u/JOE/ftp.data for local site configuration parameters.
    IBM FTP CS V1R9
    FTP: using TCPIP
    Connecting to: <hostname><ip address> port:  <port number>.
    220-FTPD1 IBM FTP CS V1R9 at <hostname>, 21:51:51 on 2007-04-04.
    220 Connection will close if idle for more than 5 minutes.
    >>> AUTH GSSAPI 
    334 Using authentication mechanism GSSAPI
    >>> ADAT 
    235 ADAT=YGgGCSqGSIb3EgECAgIAb1kwV6ADAgEFoQMCAQ+iSzBJoAMC7moS==
    Authentication negotiation succeeded
    NAME (<hostname>:USER): 
    JOE
    >>> USER JOE 
    331 Send password please.
    PASSWORD:
    
    >>> PASS 
    230 JOE is logged on.  Working directory is "JOE".
    Command:
    Tip: The password prompt is skipped if the server is configured with SECURE_PASSWORD_KERBEROS OPTIONAL and the client's Kerberos ticket principal name matches the logon user ID.
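As an added example that is not part of the IBM documentation, the following Python script checks client-side session output of the kind shown above for the Kerberos login sequence (AUTH GSSAPI answered by 334, ADAT answered by 235, then USER and PASS). It reports whether the login was preceded by a completed GSSAPI exchange, whether a password was sent (the prompt is skipped under SECURE_PASSWORD_KERBEROS OPTIONAL, as the tip notes), and flags sessions that logged in with no security mechanism. The three transcripts are constructed from the format of the session above; the ADAT token is a placeholder.

```python
"""Added example (not IBM's code): analyse FTP client session output for the
GSSAPI login sequence. Lines starting with '>>> ' are commands the client
sent; lines starting with a three-digit code are server replies. The three
transcripts below are constructed for this example."""
import re

CMD = re.compile(r"^>>> (\S+)(?: (.*))?$")
REPLY = re.compile(r"^(\d{3})[ -]")


def analyze_session(lines):
    """Walk one transcript and report how the login was protected."""
    result = {"auth_mechanism": None, "authenticated": False,
              "user": None, "password_sent": False, "logged_in": False}
    last_cmd = None
    for raw in lines:
        line = raw.rstrip()
        m = CMD.match(line)
        if m:
            last_cmd = (m.group(1).upper(), (m.group(2) or "").strip())
            if last_cmd[0] == "USER":
                result["user"] = last_cmd[1]
            elif last_cmd[0] == "PASS":
                result["password_sent"] = True
            continue
        m = REPLY.match(line)
        if not m or last_cmd is None:  # banner lines precede any command
            continue
        code, (verb, arg) = int(m.group(1)), last_cmd
        if verb == "AUTH" and code == 334:
            result["auth_mechanism"] = arg.upper()
        elif verb == "ADAT" and code == 235:
            result["authenticated"] = result["auth_mechanism"] is not None
        elif verb in ("USER", "PASS") and code == 230:
            result["logged_in"] = True
    # A 230 reply with no completed AUTH/ADAT exchange before it is a login
    # with no security mechanism (a TLS login would need AUTH TLS handling,
    # which this example does not model).
    result["unprotected_login"] = result["logged_in"] and not result["authenticated"]
    return result


def flag_unprotected_logins(sessions):
    """Return the user IDs of sessions that logged in without GSSAPI protection."""
    return [r["user"] for r in map(analyze_session, sessions) if r["unprotected_login"]]


# Constructed transcripts. First: Kerberos login with the password prompt.
KERBEROS_SESSION = """\
220-FTPD1 IBM FTP CS V1R9 at host.example, 21:51:51 on 2007-04-04.
220 Connection will close if idle for more than 5 minutes.
>>> AUTH GSSAPI
334 Using authentication mechanism GSSAPI
>>> ADAT
235 ADAT=<base64 token>
Authentication negotiation succeeded
NAME (host.example:USER):
>>> USER JOE
331 Send password please.
PASSWORD:
>>> PASS
230 JOE is logged on.  Working directory is "JOE".
""".splitlines()

# Second: login with no security mechanism at all.
PLAIN_SESSION = """\
220 Connection will close if idle for more than 5 minutes.
>>> USER BOB
331 Send password please.
>>> PASS
230 BOB is logged on.  Working directory is "BOB".
""".splitlines()

# Third: Kerberos login where the server skipped the password prompt.
NO_PROMPT_SESSION = """\
220 Connection will close if idle for more than 5 minutes.
>>> AUTH GSSAPI
334 Using authentication mechanism GSSAPI
>>> ADAT
235 ADAT=<base64 token>
>>> USER JOE
230 JOE is logged on.  Working directory is "JOE".
""".splitlines()

if __name__ == "__main__":
    for name, session in (("kerberos", KERBEROS_SESSION), ("plain", PLAIN_SESSION),
                          ("no-prompt", NO_PROMPT_SESSION)):
        print(name, analyze_session(session))
    print("unprotected:", flag_unprotected_logins([KERBEROS_SESSION, PLAIN_SESSION, NO_PROMPT_SESSION]))
```

Run against the three transcripts, the script identifies the first as a GSSAPI-protected login with a password sent, the third as a GSSAPI-protected login with the prompt skipped, and lists only BOB as an unprotected login; the same check over real client logs is a quick way to confirm that SECURE_FTP REQUIRED is having the intended effect.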