Re: CHROOT on iSeries FTP Server
Sender: Christian <chrisv5@xxxxxx>
Such things get managed by exit programs for the FTP server (typical IBM
way; efficient but one has to do some work; specifically you need to be
familiar with programming to APIs).
An introduction is here:
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=/rzaj4/rzaj45zpftpsolutions.htm
The exit program docs in detail:
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=/rzaiq/rzaiqreferenceexit.htm
You can do exactly what you want. You can control the initial home
directory upon connection and restrict access to the IFS.
As someone else has suggested, you can set up an i5/OS user for every
FTP user (with restricted rights), but you can also use one generic FTP
type user (which, let's say, has access to /ftp and the subdirectories)
and fine tune that in your exit programs for /ftp/user1, /ftp/user2,
etc. It can also be used for anonymous style FTP access.
Generally, doing non-encrypted FTP for any sensitive data over the
Internet is *BAD* and while the iSeries FTP server supports FTPS (FTP
over SSL/TLS) quite well (better than the client anyway), it lacks
options needed for use behind a NAT router or a firewall using NAT.
One option would be to bolt down your iSeries heavily and then put it
into a fully IP mapped DMZ.
We opted to use a PC server (actually an IXS which came free with our
550) running Windows 2003 and a Windows FTP server. Those servers can
serve network directories (thus your favourite IFS folder on the
iSeries). Or you can do like we do, we transfer files between the FTP
server (via the Intranet) and the IFS with Scott's FTPAPI (I wrote a
nice wrapper around it which can transfer whole directories back and
forth, with optional deletion after transfer).
Regards,
Christian
Brian Eckenrod wrote:
My question is not FTPAPI specific, but I thought this list was a great
audience of people that might know the answer. Here is my situation:
I have a remote company I need to allow access to my iSeries to drop off
files for me to process. I want to set them up with a limited user ID
and also have them go directly in to their folder when they log in via
FTP and not be able to change directory upwards. I am open to doing
this in a traditional library or on the IFS. My only concern is that
right now our iSeries is configured to log people in to the DB2 side of
the machine and it needs to stay that way. I am not sure the company
placing the file will be open to issuing the namefmt command to switch
to the IFS, so maybe my only option is to use the DB2 side of things or
maybe there is a way to route a user to the IFS @ logon time?
Either place is fine for me to have them drop files off. I am mostly
concerned with restricting movement on the FTP server to just their own
folder/library/directory.
If anyone has done this sort of thing before, your input is much
appreciated.
Thanks!
-----------------------------------------------------------------------
This is the FTPAPI mailing list. To unsubscribe from the list send mail
to majordomo@xxxxxxxxxxxxx with the body: unsubscribe ftpapi mymailaddr
-----------------------------------------------------------------------