
Re: CHROOT on iSeries FTP Server



Sender: Christian <chrisv5@xxxxxx>

Such things get managed by exit programs for the FTP server (typical IBM way; efficient but one has to do some work; specifically you need to be familiar with programming to APIs).

An introduction is here:
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=/rzaj4/rzaj45zpftpsolutions.htm

The exit program docs in detail:
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=/rzaiq/rzaiqreferenceexit.htm

You can do exactly what you want. You can control the initial home directory upon connection and restrict access to the IFS.

As someone else has suggested, you can set up an i5/OS user for every FTP user (with restricted rights), but you can also use one generic FTP type user (which, let's say, has access to /ftp and the subdirectories) and fine tune that in your exit programs for /ftp/user1, /ftp/user2, etc. It can also be used for anonymous style FTP access.

Generally, doing non-encrypted FTP for any sensitive data over the Internet is *BAD* and while the iSeries FTP server supports FTPS (FTP over SSL/TLS) quite well (better than the client anyway), it lacks options needed for using behind a NAT router or firewall using NAT. One option would be to bolt down your iSeries heavily and then put it into a fully IP mapped DMZ.

We opted to use a PC server (actually an IXS which came free with our 550) running Windows 2003 and a Windows FTP server. Those servers can serve network directories (thus your favourite IFS folder on the iSeries). Or you can do like we do: we transfer files between the FTP server (via the Intranet) and the IFS with Scott's FTPAPI (I wrote a nice wrapper around it which can transfer whole directories back and forth, with optional deletion after transfer).

Regards,
Christian

Brian Eckenrod wrote:

My question is not FTPAPI specific, but I thought this list was a great audience of people that might know the answer. Here is my situation:


I have a remote company I need to allow access to my iSeries to drop off files for me to process. I want to set them up with a limited user ID and also have them go directly in to their folder when they log in via FTP and not be able to change directory upwards. I am open to doing this in a traditional library or on the IFS. My only concern is that right now our iSeries is configured to log people in to the DB2 side of the machine and it needs to stay that way. I am not sure the company placing the file will be open to issuing the namefmt command to switch to the IFS, so maybe my only option is to use the DB2 side of things or maybe there is a way to route a user to the IFS @ logon time?

Either place is fine for me to have them drop files off. I am mostly concerned with restricting movement on the FTP server to just their own folder/library/directory.

If anyone has done this sort of thing before, your input is much appreciated.

Thanks!
-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe from the list send mail
to majordomo@xxxxxxxxxxxxx with the body: unsubscribe ftpapi mymailaddr
-----------------------------------------------------------------------
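
The per-directory confinement described in the reply above (one generic FTP user, narrowed to /ftp/user1, /ftp/user2 and so on inside an exit program) comes down to a path check like the one below. This is an added example, not code from the thread or from IBM: `normalize`, `path_allowed` and the sample paths are hypothetical, and wiring the check into the exit program's parameter list is left out. It assumes `cwd` is the absolute current directory tracked for the session.

```c
#include <stdio.h>
#include <string.h>
#define MAX_PATH_LEN 512

/* Lexically resolve req (absolute, or relative to cwd) into out, collapsing
 * "//", "." and "..". Symbolic links are NOT resolved. 0 = ok, -1 = too long. */
static int normalize(const char *cwd, const char *req, char *out, size_t cap)
{
    char buf[2 * MAX_PATH_LEN];
    size_t len = 0;
    int n = (req[0] == '/') ? snprintf(buf, sizeof buf, "%s", req)
                            : snprintf(buf, sizeof buf, "%s/%s", cwd, req);
    if (n < 0 || (size_t)n >= sizeof buf || cap < 2) return -1;
    out[0] = '\0';
    for (char *seg = strtok(buf, "/"); seg; seg = strtok(NULL, "/")) {
        if (strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) {        /* drop the last component */
            while (len > 0 && out[--len] != '/') {}
            out[len] = '\0';                 /* ".." at the top stays at the top */
            continue;
        }
        size_t sl = strlen(seg);
        if (len + 1 + sl >= cap) return -1;
        out[len++] = '/';
        memcpy(out + len, seg, sl + 1);      /* copies the terminator too */
        len += sl;
    }
    return 0;
}

/* 1 if req stays inside root, else 0 (fail closed). root must be absolute,
 * normalized, without a trailing '/'. The comparison is case-sensitive. */
int path_allowed(const char *root, const char *cwd, const char *req)
{
    char path[MAX_PATH_LEN];
    size_t rl = strlen(root);
    if (normalize(cwd, req, path, sizeof path) != 0)
        return 0;
    /* Match must end on a component boundary: "/ftp/user10" != "/ftp/user1". */
    return strncmp(path, root, rl) == 0 && (path[rl] == '\0' || path[rl] == '/');
}

int main(void)
{
    const char *r = "/ftp/user1";            /* constructed sample root and cwd */
    printf("%d %d\n", path_allowed(r, r, "in/a.csv"),
           path_allowed(r, r, "../user10/a.csv"));
    return 0;
}
```

The check is purely lexical and does not follow symbolic links, so it complements restricted object authority on the directories rather than replacing it.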