Securing FTP/iX
• Prevent display of passwords in DEBUG mode: The debug command at the FTP client places FTP into a diagnostic mode, whereby the client's and server's internal commands are displayed on the $stdlist of the client. If debug mode is turned on prior to an open, then the user ID and password are visible in plain text. In order to make FTP/iX compliant with SAR-OX, a new option, DEBUG_PASS, has been introduced and is set in the SETPARMS.ARPA.SYS file. If DEBUG_PASS is set to OFF (default), the password is not echoed, even in debug mode.
• Banner: This new feature allows the display of an FTP/iX welcome message. This enhancement is enabled by creating a file named FTPHELLO.ARPA.SYS, and adding the desired FTP banner text. The entire FTPHELLO file is displayed to $stdlist after a successful logon. FTPHELLO supports special substitution characters for values pertaining to the FTP connection. For instance, %T displays the server time; %R displays the remote host name, etc. Any user can create and modify this file provided the user has write access to ARPA.SYS. By default the FTPHELLO file does not exist, and hence FTP will display only its customary one line banner. Any changes to this file will get reflected in the next FTP logon session.
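Added example, not from the HP paper or from FTP/iX itself: for debug transcripts captured without the DEBUG_PASS protection described above, a scrubber that masks the argument of PASS and ACCT before the output is stored or shared. The `--->` direction marker, the sample lines and all function names are assumptions; the page does not show FTP/iX's actual debug layout.

```python
import re

# RFC 959 commands whose argument is a secret. USER is kept by default so
# the transcript still shows which account was used.
SECRET_CMDS = ("PASS", "ACCT")

# Assumed line shape: optional direction marker such as "--->", then the
# command verb and its argument. Server replies start with a 3-digit code
# and therefore never match.
_CMD_RE = re.compile(
    r"^(?P<prefix>\s*(?:[-=]*>\s*)?)(?P<verb>[A-Za-z]{3,4})"
    r"(?P<sep>[ \t]+)(?P<arg>.*\S)(?P<tail>\s*)$"
)

MASK = "********"  # fixed width, so the password length is not leaked


def scrub_line(line, also_hide_user=False):
    """Return the line with the argument of a secret command masked."""
    m = _CMD_RE.match(line)
    if not m:
        return line
    hidden = SECRET_CMDS + (("USER",) if also_hide_user else ())
    # FTP command verbs are case-insensitive, so compare in upper case.
    if m.group("verb").upper() not in hidden:
        return line
    return m.group("prefix") + m.group("verb") + m.group("sep") + MASK + m.group("tail")


def scrub_transcript(text, also_hide_user=False):
    """Scrub every line, preserving the original line endings."""
    lines = text.splitlines(keepends=True)
    return "".join(scrub_line(l, also_hide_user) for l in lines)


# Constructed sample of a debug transcript (not real FTP/iX output).
SAMPLE = (
    "---> USER MGR.PAYROLL\r\n"
    "331 Password required for MGR.PAYROLL\r\n"
    "---> PASS s3cr3t,grp pw\r\n"
    "230 User logged on\r\n"
    "---> pass lower\r\n"
)

if __name__ == "__main__":
    print(scrub_transcript(SAMPLE), end="")
```

The matcher is deliberately loose, so an ordinary text line that happens to begin with the word "pass" followed by a space is masked as well; for a transcript that is the safe direction to err.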
The above features do not capture all aspects of FTP security. For instance, robust user authentication and
encrypted transmission of FTP commands and data are absent from this collection of FTP/iX enhancements. The
Alternatives Section, at the end of this paper, describes a potential solution for file encryption.
The following section covers the details of how to configure and utilize the new security enhancements described above.
Secure FTP on MPE/iX, 7/18/2008, http://jazz.external.hp.com/papers/Securing-FTP-Whitepaper.html