3. Work with user profiles
One major control applied by the FTP Server Exit Programs is
the validation of the user profiles logging on to the IBM i FTP server.
Every time an FTP request is received, the user profile sending the request
is checked against the list of authorized user profiles,
and its request is checked against the list of FTP operations allowed for that user profile.
Validation rules are as follows:
- User profile name
1) If the client IP address is found in the Excluded IP address list,
all requests (including the logon itself) are rejected.
Please note that a client IP address in the Excluded list should not even be allowed to log in.
However, if Active Defense is enabled (see later), the IP address of a client that is already logged in
can be added to the Excluded IP address list because of a number of consecutive failed commands.
2) If the client IP address is found in the Privileged IP address list,
all requests are accepted (the following validation steps are bypassed).
3) If the logged-in user profile name is found in the SECTCP list of authorized profiles,
only the operations authorized in the corresponding SECTCP profile can be requested.
4) If the logged-in user profile name is not found in the SECTCP list of authorized profiles and an *ANY SECTCP profile is available,
only the operations authorized in this *ANY SECTCP profile can be requested.
5) If the logged-in user profile name is not found in the SECTCP list of authorized profiles and no *ANY SECTCP profile is available,
all requests (including the logon itself) are rejected.
- User profile allowed operations
If a logged-in user profile falls into category 3) or 4) above, only requests for the operations allowed in the corresponding
SECTCP profile are accepted.
Use Option 3 from the "Secure Tcp" Menu (see Figure 2)
to maintain the list of the authorized user profiles.
The screen used to define an authorized user profile is displayed in Figure 4:
Figure 4 - Authorizing a user profile to SECTCP FTP
- User profile
This is the name of an existing user profile that is authorized to log on through FTP.
It could also be the name of a non-existing user profile,
provided that a substitute user profile and password (see next) are defined.
- Substitute with user profile and password
Enter these parameters only if you want this user profile
to log in to FTP as another user profile. This can be very
useful in some circumstances. For instance, you may want
user profile ANONYMOUS to log in as an existing user
profile that has limited AS/400 authorities and is
further limited in FTP operations through the following specifications
on this screen.
- Override NAMEFMT with ...
This allows a user profile to override the initial value of the NAMEFMT
parameter in the FTP session. Valid values are:
- *SAME - The default NAMEFMT parameter specified in command CHGFTPA is taken.
- *LIB - The NAMEFMT parameter is overridden by value *LIB (which
implies NAMEFMT 0). At the same time, parameter CURDIR is set to
*CURLIB and parameter LISTFMT is set to *DFT.
- *PATH - The NAMEFMT parameter is overridden by value *PATH (which
implies NAMEFMT 1). At the same time, parameter CURDIR is set to
*HOMEDIR and parameter LISTFMT is set to *UNIX.
- Override CURLIB with ...
This is taken into account only if the initial value of the NAMEFMT
parameter in the FTP session is *LIB (NAMEFMT 0).
- Leave it blank if you want the FTP session to start with the current
library specified in the user profile as its initial current library.
- If you want the FTP session to use a different initial current
library, specify it here.
- Override HOMEDIR with ...
This is taken into account only if the initial value of the NAMEFMT
parameter in the FTP session is *PATH (NAMEFMT 1).
- Leave it blank if you want the FTP session to start with the home
directory specified in the user profile as its initial home directory.
- If you want the FTP session to use a different initial home
directory, specify it here.
- ALLOW ... 0/1=No/Yes
The SECTCP FTP server request handler validates twelve
types of operations for a given authorized user profile.
Each type of operation can have one of two values:
- 0 - the operation is not allowed
- 1 - the operation is allowed
- FTP logon - Whether this user profile is authorized to log on to FTP.
Note. There is a small difference between not declaring a user profile and
declaring it with FTP logon set to 0. In both cases, that user profile cannot log on to FTP.
However, having defined it with FTP logon set to 0 allows for quick enablement on the fly,
which is very useful especially when the enablement is temporary.
- FTP session initialize -
MUST be allowed for user profile QTPC (otherwise no login can be performed), but NOT for any other user profile.
- Create Directory/Lib -
Whether MKDir requests are allowed.
- Delete Directory/Lib -
Whether RMDir requests are allowed.
- Set Current Directory/Lib -
Whether CD requests are allowed.
- Exit Home Directory/Lib -
Disabling this feature (value 0) would force the user to stay within the Home directory and its child directories.
- Directory/Lib listing -
Whether DIr requests are allowed.
- Delete Files -
Whether DELete requests are allowed.
- Receive Files -
Whether requests to Put files to the server are allowed.
- Send Files -
Whether requests to Get files from the server are allowed.
- Rename Files -
Whether REName requests are allowed.
- Execute CL Command -
Whether SYSCmd requests are allowed.
Important note.
If you do not define - in the list of Authorized user profiles - a user profile named *ANY to be used as the default,
only the user profiles defined in your list of Authorized user profiles can log on and request FTP commands.
If no Authorized user profiles exist, no client user profile is allowed to log on, unless the client IP address belongs to the Privileged list.
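The following is an added example, not SECTCP's own code (SECTCP runs as an IBM i exit program). It restates in stand-alone Python the validation order given at the start of this section (Excluded list, Privileged list, named profile, *ANY default, otherwise reject) together with the twelve ALLOW flags described above, so the combined effect of a profile list can be checked against sample requests before it is put in front of real users. The IP ranges, the profile names FTPGUEST and JSMITH, the LOGON and INIT pseudo-requests, and the lexical path check used for "Exit Home Directory/Lib" are constructed for the example and are assumptions, not SECTCP behaviour; ANONYMOUS, QTPC and *ANY are the names the text itself uses.

```python
"""Added example (not SECTCP's own code): a stand-alone re-statement of the
validation order and ALLOW flags documented above, for exercising on constructed input."""
import posixpath
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from pathlib import PurePosixPath

# The twelve ALLOW flags of the authorization screen, in the documented order.
OPERATIONS = (
    "FTP logon", "FTP session initialize",
    "Create Directory/Lib", "Delete Directory/Lib", "Set Current Directory/Lib",
    "Exit Home Directory/Lib", "Directory/Lib listing", "Delete Files",
    "Receive Files", "Send Files", "Rename Files", "Execute CL Command",
)

# FTP request -> flag it is validated against. Request names are the subcommands the
# text quotes; LOGON and INIT are constructed stand-ins for the two session-level flags.
REQUEST_FLAG = {
    "LOGON": "FTP logon", "INIT": "FTP session initialize",
    "MKDIR": "Create Directory/Lib", "RMDIR": "Delete Directory/Lib",
    "CD": "Set Current Directory/Lib", "DIR": "Directory/Lib listing",
    "DELETE": "Delete Files", "PUT": "Receive Files", "GET": "Send Files",
    "RENAME": "Rename Files", "SYSCMD": "Execute CL Command",
}


def flags(*allowed):
    """Build the twelve 0/1 values; every flag not named is 0 (not allowed)."""
    return {op: (1 if op in allowed else 0) for op in OPERATIONS}


@dataclass
class Profile:
    """One entry of the Authorized user profiles list (the Figure 4 screen)."""
    name: str
    allow: dict                # flag name -> 0 / 1, as built by flags()
    substitute_user: str = ""  # 'Substitute with user profile'; blank = none
    home_dir: str = "/"        # effective HOMEDIR for the Exit Home check


@dataclass
class Policy:
    excluded_ips: list         # CIDR strings: Excluded IP address list
    privileged_ips: list       # CIDR strings: Privileged IP address list
    profiles: dict = field(default_factory=dict)   # name -> Profile


def _in_list(ip, networks):
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in networks)


def validate(policy, client_ip, user, request, target=None):
    """Apply the rules in documented order; return (decision, effective_user, reason).
    `target` is the absolute path of a CD request, used for the Exit Home check."""
    # 1) Excluded IP: every request, the logon included, is rejected.
    if _in_list(client_ip, policy.excluded_ips):
        return ("REJECT", user, "client IP is in the Excluded list")
    # 2) Privileged IP: accepted, remaining steps bypassed.
    if _in_list(client_ip, policy.privileged_ips):
        return ("ACCEPT", user, "client IP is in the Privileged list")
    # 3) Named SECTCP profile, or 4) the *ANY default when one exists; 5) neither.
    profile = policy.profiles.get(user) or policy.profiles.get("*ANY")
    if profile is None:
        return ("REJECT", user, "no SECTCP profile for this user and no *ANY")
    effective = profile.substitute_user or user
    flag = REQUEST_FLAG.get(request)
    if flag is None:
        return ("REJECT", effective, f"unknown request {request!r}")
    if profile.allow[flag] != 1:
        return ("REJECT", effective, f"'{flag}' is 0 in profile {profile.name}")
    # Exit Home Directory/Lib = 0 confines CD to the home directory and its children.
    # Normalising first keeps '..' from escaping; this lexical check is an assumption.
    if request == "CD" and target is not None and profile.allow["Exit Home Directory/Lib"] != 1:
        home = PurePosixPath(profile.home_dir)
        tgt = PurePosixPath(posixpath.normpath(target))
        if tgt != home and home not in tgt.parents:
            return ("REJECT", effective, f"'{target}' is outside home {home}")
    return ("ACCEPT", effective, f"'{flag}' is 1 in profile {profile.name}")


def demo_policy():
    """Constructed sample data: the IP ranges, FTPGUEST and JSMITH are made up."""
    pol = Policy(excluded_ips=["203.0.113.0/24"], privileged_ips=["192.0.2.10/32"])
    for prof in (
        # FTP session initialize goes to QTPC and to nobody else, as the text requires.
        Profile("QTPC", flags("FTP session initialize")),
        # ANONYMOUS logs in as the restricted FTPGUEST and may only CD, DIR and GET under /pub.
        Profile("ANONYMOUS", flags("FTP logon", "Set Current Directory/Lib",
                                   "Directory/Lib listing", "Send Files"),
                substitute_user="FTPGUEST", home_dir="/pub"),
        # *ANY default: everyone else may log on, browse and leave their home, nothing more.
        Profile("*ANY", flags("FTP logon", "Set Current Directory/Lib",
                              "Exit Home Directory/Lib", "Directory/Lib listing")),
    ):
        pol.profiles[prof.name] = prof
    return pol
```

Calling `validate(demo_policy(), "198.51.100.5", "ANONYMOUS", "CD", "/pub/../QSYS.LIB")` rejects the request because the normalised target lies outside the /pub home directory, while the same user's `GET` is accepted and reported as running under FTPGUEST; deleting the *ANY entry from the returned policy makes every request by an unlisted profile fall into case 5) and be rejected at logon, which is the situation the Important note describes.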