(Optional) Assigning password phrases to user IDs that are used to log in to the FTP server

You can enable users to log in to the FTP server with password phrases by assigning password phrases to the user IDs that are used to log in to the FTP server.

Guideline: Use the RACF® ALTUSER command to assign a password phrase to a user ID. See assigning password phrases in the z/OS Security Server RACF Security Administrator's Guide for more information.

Rules:

Do not assign a character or combination of characters to a password phrase that your FTP clients cannot support.
The maximum length of a password phrase is 100 characters.

Tips:

Use alphanumeric characters to create password phrases to minimize translation problems when the client and server are using different ASCII code pages.
If you plan to use the z/OS® FTP client in batch mode, the password phrase and optional user data must fit on a single line of the batch file.

Results:

When you assign a password phrase to a user ID, a user can log in with that user ID by using either the password or the password phrase.
A user can change the password phrase when they log in to FTP.

Restrictions:

The password phrase that a user enters to log in to the z/OS FTP server has restrictions beyond those that are enforced by your security product and those that are enforced by the optional ICHPWX11 user exit. The password phrase must not contain the following characters that have special meaning to the z/OS FTP server:
- NULL (X'00')
- Slash (/)
- Colon (:)
- Carriage return (<cr>)
- Line feed (<lf>)
- Interpret as command (<IAC> or X'FF')
- Telnet command characters (X'FB' - X'FE')
The z/OS FTP server translates all passwords that it receives during a session into EBCDIC before it passes them to the security product and to the FTCHKPWD exit routine.
A user will not be able to log in to the z/OS FTP server using a password phrase if you assign a character to the password phrase that the server cannot translate from ASCII or UTF-8 to EBCDIC. The user will also not be able to log in if you assign a character that the server translates into an EBCDIC character that is different than the character that you assigned. Untranslatable characters and inconsistent translations can occur if the client and server are using different code pages, or if the character is outside the normal range of printable characters.
The z/OS FTP server supports quotation marks in password phrases, but your FTP client might not support the use of quotation marks in password phrases.
The password phrase must not contain leading blanks or trailing blanks.
The maximum length of a password phrase is 100 characters.
When you configure the z/OS FTP server for anonymous FTP, the following restrictions apply:
- You cannot specify a password phrase instead of a password as an FTP daemon start option.
- You cannot code a password phrase instead of a password on the ANONYMOUS statement in FTP.DATA.
If the server is configured to prompt anonymous users for a password, the user can log in with either the password or the password phrase that is assigned to the anonymous user ID.