I have no experience using Kerberos, but we implemented ssl'ed ftp so that even though we send userid/password it is encrypted using ssl. This is full blown ftp where the control and data sessions are encrypted.

Depending on your requirements you could also use SSH FTP, which is an ftp-like function over an ssh session. The biggest problem with that is it only supports ftp'ing files to/from an HFS/ZFS, it does not support ftp'ing to an mvs dataset.


David Huysmans wrote:
Hello List(eners),

We have the following situation: we want to send data between 2 different MVS sysplexes. We’re planning to use FTP as the protocol for the data transfer. The only problem we have with this is the confidentiality of the passwords we have to use to set up the communication. The user(s) we will use for the FTP need to have access to a lot of production data, so the impact when the password is revealed could be huge.

We were now thinking of using Kerberos as the authentication protocol for FTP, because this should eliminate the need for a password. When I look at the TCPIP security redbook, I’m surprised to see the need to send a user and password after the Kerberos authentication has been set up. I’m wondering what the added value then is for using Kerberos.

As I understood, you receive a ticket from your Kerberos server, and with this ticket you should be able to gain access to other servers within the realm. There should be no more need for a password. The tickets map you to a user defined within your SAF database (in our case ACF2).

Is there any way to eliminate the use of user/password when doing an FTP (TSO/batch) from one MVS to another MVS? When Kerberos would be the answer for this problem: does anyone have a document for implementing it using ACF2 as the SAF database (something more usable than the ACF2 administrator book).

Any suggestion is welcome,

Regards.

Bert Gilis


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html