SECURE_PASSWORD_KERBEROS (FTP server) statement

Use the SECURE_PASSWORD_KERBEROS statement to specify whether a password is required by the FTP server for a Kerberos-protected session. The statement is ignored for sessions that are not protected by the Kerberos security mechanism.

Rule: This statement is enabled only when EXTENSIONS AUTH_GSSAPI is coded in the server's FTP.DATA file.

When the user ID passed on the USER command matches the user ID that the SAF-compliant security product maps to the user ID that the Kerberos principal received from the client, the SECURE_PASSWORD_KERBEROS statement value determines whether the server prompts the client for the password during the login procedure.

Syntax

   .-SECURE_PASSWORD_KERBEROS REQUIRED------.   
>>-+----------------------------------------+------------------><
   '-SECURE_PASSWORD_KERBEROS--+-REQUIRED-+-'   
                               '-OPTIONAL-'     

Parameters

REQUIRED
Specifies that a password is required to log in a user whose session is protected by the Kerberos security mechanism.

This is the default.

OPTIONAL
Specifies that the password is not required if the user ID passed on the USER command matches the user ID that the SAF-compliant security product mapped to the user ID that the Kerberos principal received from the client.

Examples

To require the user to enter a password on a Kerberos-protected session only when the user ID passed on the USER command does not match the user ID that the SAF-compliant security product mapped to the user ID that the Kerberos principal received from the client, code the following statement:

SECURE_PASSWORD_KERBEROS   OPTIONAL

Usage notes

Table 1 shows how the SECURE_PASSWORD_KERBEROS statement affects user authentication when the user ID to which the Kerberos principal is mapped matches the user ID that is passed on the USER command.
Table 1. User identity in the Kerberos ticket matches user ID on USER command

SECURE_PASSWORD_KERBEROS  SECURE_LOGIN                              Action
REQUIRED                  VERIFY_USER, REQUIRED, or NO_CLIENT_AUTH  Prompt for a password.
OPTIONAL                  VERIFY_USER, REQUIRED, or NO_CLIENT_AUTH  Authenticate with the Kerberos ticket (if the
                                                                    Kerberos authentication fails, fail the login,
                                                                    do not prompt for password).

When the user ID to which the Kerberos principal is mapped does not match the user ID that is passed on the USER command, the SECURE_LOGIN statement value determines the action that is necessary during the authentication procedure.

Table 2 shows how the SECURE_LOGIN statement affects user authentication when the user ID to which the Kerberos principal is mapped does not match the user ID that is passed on the USER command.
Table 2. User identity in the Kerberos ticket does not match user ID on USER command

SECURE_PASSWORD_KERBEROS  SECURE_LOGIN                              Action
REQUIRED or OPTIONAL      VERIFY_USER                               Fail the login.
REQUIRED or OPTIONAL      REQUIRED or NO_CLIENT_AUTH                Prompt for a password.
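
The decision logic of Table 1 and Table 2, combined with the EXTENSIONS AUTH_GSSAPI rule and the REQUIRED default, as an added example (not IBM code) that evaluates FTP.DATA-style text for a configuration review. The ';' comment syntax, the one-statement-per-line parsing, and all function and constant names are assumptions of this example; because this page does not state the SECURE_LOGIN default, a file that omits SECURE_LOGIN gets an explicit "depends on SECURE_LOGIN" result for the mismatch case.

```python
# Added example, not IBM code: evaluates FTP.DATA text against Tables 1 and 2.
# Assumptions (not from the page): ';' starts a comment, one statement per
# line, blanks separate keyword and value, a repeated statement overrides.
PROMPT = "prompt for a password"
TICKET = "authenticate with the Kerberos ticket, no password prompt"
FAIL = "fail the login"
NOT_ENABLED = "statement not enabled: EXTENSIONS AUTH_GSSAPI is not coded"
UNKNOWN = "depends on SECURE_LOGIN, which this file does not code"

def parse_ftp_data(text):
    """Return (statements, extensions) parsed from FTP.DATA-style text."""
    statements, extensions = {}, set()
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if len(fields) < 2:
            continue
        keyword, value = fields[0].upper(), fields[1].upper()
        if keyword == "EXTENSIONS":
            extensions.add(value)  # assumed: may be coded several times
        else:
            statements[keyword] = value
    return statements, extensions

def kerberos_login_action(text, user_matches_principal):
    """Server action for a Kerberos-protected session, per Tables 1 and 2."""
    statements, extensions = parse_ftp_data(text)
    if "AUTH_GSSAPI" not in extensions:
        return NOT_ENABLED
    # REQUIRED is the documented default.
    spk = statements.get("SECURE_PASSWORD_KERBEROS", "REQUIRED")
    if spk not in ("REQUIRED", "OPTIONAL"):
        raise ValueError(f"invalid SECURE_PASSWORD_KERBEROS value: {spk}")
    if user_matches_principal:  # Table 1: SECURE_LOGIN does not matter
        return PROMPT if spk == "REQUIRED" else TICKET
    login = statements.get("SECURE_LOGIN")  # Table 2: only this matters
    if login is None:
        return UNKNOWN
    if login == "VERIFY_USER":
        return FAIL
    if login in ("REQUIRED", "NO_CLIENT_AUTH"):
        return PROMPT
    raise ValueError(f"invalid SECURE_LOGIN value: {login}")

# Constructed sample, not taken from a real system.
SAMPLE = """; constructed FTP.DATA fragment
EXTENSIONS AUTH_GSSAPI
SECURE_LOGIN VERIFY_USER
SECURE_PASSWORD_KERBEROS OPTIONAL  ; no password when the IDs match
"""
```

Calling `kerberos_login_action(SAMPLE, True)` and `kerberos_login_action(SAMPLE, False)` shows both table outcomes for one configuration, which makes the effect of OPTIONAL visible in a review.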
