Use the SECURE_PASSWORD_KERBEROS statement to specify whether a password is required by the FTP server for a Kerberos-protected session. The statement is ignored for sessions that are not protected by the Kerberos security mechanism.
Rule: This statement is enabled only when EXTENSIONS AUTH_GSSAPI is coded in the server's FTP.DATA file.
When the user ID passed on the USER command matches the user ID that the SAF-compliant security product maps to the user ID that the Kerberos principal received from the client, the SECURE_PASSWORD_KERBEROS statement value determines whether the server prompts the client for the password during the login procedure.
       .-SECURE_PASSWORD_KERBEROS REQUIRED------.
    >>-+----------------------------------------+------------------><
       '-SECURE_PASSWORD_KERBEROS--+-REQUIRED-+-'
                                   '-OPTIONAL-'
REQUIRED is the default.
To require the user to enter a password on a Kerberos-protected session only when the user ID passed on the USER command does not match the user ID that the SAF-compliant security product mapped to the user ID that the Kerberos principal received from the client, code the following statement:
SECURE_PASSWORD_KERBEROS OPTIONAL
SECURE_PASSWORD_KERBEROS | SECURE_LOGIN | Action |
---|---|---|
REQUIRED | One of the following: | Prompt for a password. |
OPTIONAL | One of the following: | Authenticate with the Kerberos ticket (if the Kerberos authentication fails, fail the login, do not prompt for password). |
When the user ID to which the Kerberos principal is mapped does not match the user ID that is passed on the USER command, the SECURE_LOGIN statement value determines the action that is necessary during the authentication procedure.
SECURE_PASSWORD_KERBEROS | SECURE_LOGIN | Action |
---|---|---|
REQUIRED or OPTIONAL | VERIFY_USER | Fail the login. |
REQUIRED or OPTIONAL | REQUIRED or NO_CLIENT_AUTH | Prompt for a password. |
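The following audit sketch is an added example, not IBM code: it reads FTP.DATA text and reports what the two tables above mean for that file, including the case where SECURE_PASSWORD_KERBEROS is coded but ignored because EXTENSIONS AUTH_GSSAPI is missing. The function names, the sample file, and the parsing rules (one statement per line, `;` starts a comment, case-insensitive keywords, last coded value wins) are assumptions.

```python
# Added example: audit an FTP.DATA file for the effective Kerberos login behaviour.
# Assumptions (not from the page): one statement per line, ';' starts a comment,
# keywords are case-insensitive, and the last coded value of a statement wins.

def parse_ftp_data(text):
    """Return (extensions set, {statement: value}) from FTP.DATA text."""
    extensions, settings = set(), {}
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].upper().split()
        if len(tokens) < 2:
            continue
        if tokens[0] == "EXTENSIONS":
            extensions.add(tokens[1])
        else:
            settings[tokens[0]] = tokens[1]
    return extensions, settings


def kerberos_login_policy(text):
    """Map the page's two tables onto a parsed FTP.DATA file."""
    extensions, settings = parse_ftp_data(text)
    coded = settings.get("SECURE_PASSWORD_KERBEROS")
    if "AUTH_GSSAPI" not in extensions:
        # Rule: the statement is enabled only with EXTENSIONS AUTH_GSSAPI.
        return {"enabled": False, "coded": coded}
    effective = coded or "REQUIRED"          # REQUIRED is the default
    if effective not in ("REQUIRED", "OPTIONAL"):
        raise ValueError(f"invalid SECURE_PASSWORD_KERBEROS value: {effective}")
    # USER ID matches the ID mapped from the Kerberos principal.
    match = ("prompt for a password" if effective == "REQUIRED"
             else "authenticate with the Kerberos ticket, no password prompt")
    # USER ID does not match: SECURE_LOGIN decides, whatever `effective` is.
    secure_login = settings.get("SECURE_LOGIN")
    if secure_login == "VERIFY_USER":
        mismatch = "fail the login"
    elif secure_login in ("REQUIRED", "NO_CLIENT_AUTH"):
        mismatch = "prompt for a password"
    else:
        mismatch = None  # SECURE_LOGIN not coded; its default is not given here
    return {"enabled": True, "effective": effective,
            "on_match": match, "on_mismatch": mismatch}


# Constructed sample input, not taken from a real system.
SAMPLE = """\
EXTENSIONS AUTH_GSSAPI            ; enable Kerberos (GSSAPI) authentication
SECURE_PASSWORD_KERBEROS OPTIONAL ; skip the password when the IDs match
SECURE_LOGIN VERIFY_USER
"""
```

A result with `enabled` set to `False` and a non-empty `coded` value flags a statement that an administrator may believe is in force but that the server ignores.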