Information returned to clients

Some information returned to clients may be considered sensitive and for security reasons you may not want the end user to see it.

ACCESSERRORMSGS

If a client attempts to log in but enters an incorrect password, you may not want the failure message to include detailed information such as the errno or reason codes.

Example

If you do not check the box labeled "Do not send detailed login failure messages (ACCESSERRMSGS)" and the login fails because the password was incorrect, the client will see the following:

D:\>ftp 9.42.103.112
Connected to 9.42.103.112.
220-FTPD1 IBM FTP CS V1R4 at MVS171.tcp.raleigh.ibm.com, 16:11:22 on 2002-10-31.

220 Connection will not timeout.
User (9.42.103.112:(none)): user1
331 Send password please.
Password:
530-Error on __passwd() function call, errno=111, rsncode=090C0000
530-The username is unknown
530 PASS command failed
Login failed.
ftp>

If you do check the box labeled "Do not send detailed login failure messages (ACCESSERRMSGS)" and the login fails because the password was incorrect, the client will see the following:

D:\>ftp 9.42.103.112
Connected to 9.42.103.112.
220-FTPD1 IBM FTP CS V1R4 at MVS171.tcp.raleigh.ibm.com, 16:21:17 on 2002-10-31.

220 Connection will not timeout.
User (9.42.103.112:(none)): user1
331 Send password please.
Password:
530 PASS command failed
Login failed.
ftp>

If you choose not to send detailed login failure messages, you can trace them instead by checking the box labeled "Log failure messages (DEBUG ACC)".

REPLYSECURITYLEVEL

You may want to configure the server not to show clients sensitive information such as IP addresses, host names, or port numbers. Check the box labeled "Do not send sensitive information to clients (REPLYSECURITYLEVEL)" to direct the server not to send such information.

Example:

If you do check the box labeled "Do not send sensitive information to clients (REPLYSECURITYLEVEL)" the client will see the following:

# ftp loopback
IBM FTP CS V1R4
FTP: using TCPCS
Connecting to: loopback.TCP.RALEIGH.IBM.COM 127.0.0.1 port: 21.
220-IBM FTP, 17:57:42 on 2002-10-31.
220 Connection will not timeout.
NAME (loopback:USER3):
user3
>>> USER user3
331 Send password please.
PASSWORD:

>>> PASS
230 USER3 is logged on.  Working directory is "USER3.".
Command:
stat
>>> STAT
211-User: USER3  Working directory: USER3.
211-The control connection has transferred 115 bytes
211-There is no current data connection.
211-The next data connection will be actively opened
211-using Mode Stream, Structure File, type ASCII, byte-size 8
211-Automatic recall of migrated data sets.
211-Automatic mount of direct access volumes.
211-Auto tape mount is allowed.
211-Inactivity timer is disabled
211-VCOUNT is 59
211-ASA control characters in ASA files opened for text processing
211-will be transferred as ASA control characters.
211-Trailing blanks are removed from a fixed format
211-data set when it is retrieved.
211-Data set mode.  (Do not treat each qualifier as a directory.)
211-ISPFSTATS is set to FALSE
211-Primary allocation 55 cylinders.  Secondary allocation 55 cylinders.
211-FileType SEQ (Sequential - default).
211-Number of access method buffers is 5
211-RDWs from variable format data sets are discarded.
211-Records on input tape are unspecified format
211-SITE DB2 subsystem name is DB2
211-Data not wrapped into next record.
211-Tape write is not allowed to use BSAM I/O
211-Truncated records will not be treated as an error
211-JESLRECL is 80
211-JESRECFM is Fixed
211-JESINTERFACELEVEL is 1
211-ENcoding is set to SBCS
211-SBSUB is set to FALSE
211-SBSUBCHAR is set to SPACE
211-SMS is active.
211-Dataclass for new data sets is DATAF
211-Data sets will be allocated on CPDLB2,CPDLB3.
211-New data sets will be deleted if a store operation ends abnormally
211-Single quotes will override the current working directory.
211-UMASK value is 027
211-Checkpoint interval is 0
211-Authentication type: None
211 *** end of status ***
Command:

If you do NOT check the box labeled "Do not send sensitive information to clients (REPLYSECURITYLEVEL)" the client will see the following:

# ftp loopback
IBM FTP CS V1R4
FTP: using TCPCS
Connecting to: loopback.TCP.RALEIGH.IBM.COM 127.0.0.1 port: 21.
220-FTPD1 IBM FTP CS V1R4 at MVS171.tcp.raleigh.ibm.com, 17:52:55 on 2002-10-31.
220 Connection will not timeout.
NAME (loopback:USER3):
user3
>>> USER user3
331 Send password please.
PASSWORD:

>>> PASS
230 USER3 is logged on.  Working directory is "USER3.".
Command:
stat
>>> STAT
211-Server FTP talking to host 127.0.0.1, port 1026
211-User: USER3  Working directory: USER3.
211-The control connection has transferred 115 bytes
211-There is no current data connection.
211-The next data connection will be actively opened
211-to host 127.0.0.1, port 1026,
211-using Mode Stream, Structure File, type ASCII, byte-size 8
211-Automatic recall of migrated data sets.
211-Automatic mount of direct access volumes.
211-Auto tape mount is allowed.
211-Inactivity timer is disabled
211-VCOUNT is 59
211-ASA control characters in ASA files opened for text processing
211-will be transferred as ASA control characters.
211-Trailing blanks are removed from a fixed format
211-data set when it is retrieved.
211-Data set mode.  (Do not treat each qualifier as a directory.)
211-ISPFSTATS is set to FALSE
211-Primary allocation 55 cylinders.  Secondary allocation 55 cylinders.
211-FileType SEQ (Sequential - default).
211-Number of access method buffers is 5
211-RDWs from variable format data sets are discarded.
211-Records on input tape are unspecified format
211-SITE DB2 subsystem name is DB2
211-Data not wrapped into next record.
211-Tape write is not allowed to use BSAM I/O
211-Truncated records will not be treated as an error
211-JESLRECL is 80
211-JESRECFM is Fixed
211-JESINTERFACELEVEL is 1
211-ENcoding is set to SBCS
211-SBSUB is set to FALSE
211-SBSUBCHAR is set to SPACE
211-SMS is active.
211-Dataclass for new data sets is DATAF
211-Data sets will be allocated on CPDLB2,CPDLB3.
211-New data sets will be deleted if a store operation ends abnormally
211-Single quotes will override the current working directory.
211-UMASK value is 027
211-Process id is 52
211-Checkpoint interval is 0
211-Authentication type: None
211 *** end of status ***
Command:

Differences in the above example

If you do NOT check the box labeled "Do not send sensitive information to clients (REPLYSECURITYLEVEL)":

  1. When logging in, the following message is shown in more detail:
    220-FTPD1 IBM FTP CS V1R4 at MVS171.tcp.raleigh.ibm.com, 17:52:55 on 2002-10-31.

  2. On the reply to the STATUS command, the following messages are shown. They are not shown when the box is checked.
    211-Server FTP talking to host 127.0.0.1, port 1026
    211-to host 127.0.0.1, port 1026,
    211-Process id is 52
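
One way to confirm that both options took effect is to capture the server's replies from a test session and scan them for the details shown above. The following is an added example, not part of the original page or of any IBM tooling; the function name audit_replies and the patterns are assumptions built from the transcripts on this page, covering both the ACCESSERRORMSGS and the REPLYSECURITYLEVEL cases.

```python
import re

# Details the page shows being withheld when the two options are checked.
LEAK_PATTERNS = {
    "errno/reason code": re.compile(r"errno=\d+|rsncode=[0-9A-Fa-f]+"),
    "login failure reason": re.compile(r"username is unknown", re.I),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "port number": re.compile(r"\bport \d+", re.I),
    "host name": re.compile(r"\bat [A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"),
    "process id": re.compile(r"Process id is \d+", re.I),
    "product/version": re.compile(r"FTP CS V\d+R\d+"),
}
REPLY = re.compile(r"^(\d{3})[- ](.*)$")  # FTP reply: 3-digit code, '-' or ' '

def audit_replies(transcript):
    """Return (code, category, text) for every server reply that discloses detail."""
    findings = []
    for line in transcript.splitlines():
        m = REPLY.match(line.strip())
        if not m:
            continue  # prompts and client-side lines carry no reply code
        code, text = m.groups()
        for category, pattern in LEAK_PATTERNS.items():
            if pattern.search(text):
                findings.append((code, category, text))
    return findings

# Reply lines excerpted from the transcripts on this page.
VERBOSE = """\
220-FTPD1 IBM FTP CS V1R4 at MVS171.tcp.raleigh.ibm.com, 17:52:55 on 2002-10-31.
530-Error on __passwd() function call, errno=111, rsncode=090C0000
530-The username is unknown
530 PASS command failed
211-Server FTP talking to host 127.0.0.1, port 1026
211-to host 127.0.0.1, port 1026,
211-Process id is 52
211 *** end of status ***
"""
HARDENED = """\
220-IBM FTP, 17:57:42 on 2002-10-31.
530 PASS command failed
211-User: USER3  Working directory: USER3.
211-UMASK value is 027
211 *** end of status ***
"""

if __name__ == "__main__":
    for code, category, text in audit_replies(VERBOSE):
        print(f"{code} {category}: {text}")
    print("hardened findings:", audit_replies(HARDENED))
```

An empty result for a captured session means none of the listed details appeared in the replies; any finding names the reply code and the kind of detail that was sent.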