Some information returned to clients may be considered sensitive and for security reasons you may not want the end user to see it.
If a client attempts to log in but enters an incorrect password, you may not want to provide detailed information, such as the errno or reason codes, in the failure message.
Example:
If you do not check the box labeled "Do not send detailed login failure messages (ACCESSERRMSGS)" and
the login fails because the password was incorrect, the client will see the following:
    D:\>ftp 9.42.103.112
    Connected to 9.42.103.112.
    220-FTPD1 IBM FTP CS V1R4 at MVS171.tcp.raleigh.ibm.com, 16:11:22 on 2002-10-31.
    220 Connection will not timeout.
    User (9.42.103.112:(none)): user1
    331 Send password please.
    Password:
    530-Error on __passwd() function call, errno=111, rsncode=090C0000
    530-The username is unknown
    530 PASS command failed
    Login failed.
    ftp>
If you do check the box labeled "Do not send detailed login failure messages (ACCESSERRMSGS)" and
the login fails because the password was incorrect, the client will see the following:
    D:\>ftp 9.42.103.112
    Connected to 9.42.103.112.
    220-FTPD1 IBM FTP CS V1R4 at MVS171.tcp.raleigh.ibm.com, 16:21:17 on 2002-10-31.
    220 Connection will not timeout.
    User (9.42.103.112:(none)): user1
    331 Send password please.
    Password:
    530 PASS command failed
    Login failed.
    ftp>
If you choose not to send detailed login failure messages, you can trace them instead by checking the box labeled "Log failure messages (DEBUG ACC)".
You may want to configure the server not to show clients sensitive information such as IP addresses, host names, or port numbers. Check the box labeled "Do not send sensitive information to clients (REPLYSECURITYLEVEL)" to direct the server not to send such information.
Example:
If you do check the box labeled "Do not send sensitive information to clients (REPLYSECURITYLEVEL)"
the client will see the following:
    # ftp loopback
    IBM FTP CS V1R4
    FTP: using TCPCS
    Connecting to: loopback.TCP.RALEIGH.IBM.COM 127.0.0.1 port: 21.
    220-IBM FTP, 17:57:42 on 2002-10-31.
    220 Connection will not timeout.
    NAME (loopback:USER3): user3
    >>> USER user3
    331 Send password please.
    PASSWORD:
    >>> PASS
    230 USER3 is logged on. Working directory is "USER3.".
    Command: stat
    >>> STAT
    211-User: USER3 Working directory: USER3.
    211-The control connection has transferred 115 bytes
    211-There is no current data connection.
    211-The next data connection will be actively opened
    211-using Mode Stream, Structure File, type ASCII, byte-size 8
    211-Automatic recall of migrated data sets.
    211-Automatic mount of direct access volumes.
    211-Auto tape mount is allowed.
    211-Inactivity timer is disabled
    211-VCOUNT is 59
    211-ASA control characters in ASA files opened for text processing
    211-will be transferred as ASA control characters.
    211-Trailing blanks are removed from a fixed format
    211-data set when it is retrieved.
    211-Data set mode. (Do not treat each qualifier as a directory.)
    211-ISPFSTATS is set to FALSE
    211-Primary allocation 55 cylinders. Secondary allocation 55 cylinders.
    211-FileType SEQ (Sequential - default).
    211-Number of access method buffers is 5
    211-RDWs from variable format data sets are discarded.
    211-Records on input tape are unspecified format
    211-SITE DB2 subsystem name is DB2
    211-Data not wrapped into next record.
    211-Tape write is not allowed to use BSAM I/O
    211-Truncated records will not be treated as an error
    211-JESLRECL is 80
    211-JESRECFM is Fixed
    211-JESINTERFACELEVEL is 1
    211-ENcoding is set to SBCS
    211-SBSUB is set to FALSE
    211-SBSUBCHAR is set to SPACE
    211-SMS is active.
    211-Dataclass for new data sets is DATAF
    211-Data sets will be allocated on CPDLB2,CPDLB3.
    211-New data sets will be deleted if a store operation ends abnormally
    211-Single quotes will override the current working directory.
    211-UMASK value is 027
    211-Checkpoint interval is 0
    211-Authentication type: None
    211 *** end of status ***
    Command:
If you do NOT check the box labeled "Do not send sensitive information to clients (REPLYSECURITYLEVEL)"
the client will see the following:
    # ftp loopback
    IBM FTP CS V1R4
    FTP: using TCPCS
    Connecting to: loopback.TCP.RALEIGH.IBM.COM 127.0.0.1 port: 21.
    220-FTPD1 IBM FTP CS V1R4 at MVS171.tcp.raleigh.ibm.com, 17:52:55 on 2002-10-31.
    220 Connection will not timeout.
    NAME (loopback:USER3): user3
    >>> USER user3
    331 Send password please.
    PASSWORD:
    >>> PASS
    230 USER3 is logged on. Working directory is "USER3.".
    Command: stat
    >>> STAT
    211-Server FTP talking to host 127.0.0.1, port 1026
    211-User: USER3 Working directory: USER3.
    211-The control connection has transferred 115 bytes
    211-There is no current data connection.
    211-The next data connection will be actively opened
    211-to host 127.0.0.1, port 1026,
    211-using Mode Stream, Structure File, type ASCII, byte-size 8
    211-Automatic recall of migrated data sets.
    211-Automatic mount of direct access volumes.
    211-Auto tape mount is allowed.
    211-Inactivity timer is disabled
    211-VCOUNT is 59
    211-ASA control characters in ASA files opened for text processing
    211-will be transferred as ASA control characters.
    211-Trailing blanks are removed from a fixed format
    211-data set when it is retrieved.
    211-Data set mode. (Do not treat each qualifier as a directory.)
    211-ISPFSTATS is set to FALSE
    211-Primary allocation 55 cylinders. Secondary allocation 55 cylinders.
    211-FileType SEQ (Sequential - default).
    211-Number of access method buffers is 5
    211-RDWs from variable format data sets are discarded.
    211-Records on input tape are unspecified format
    211-SITE DB2 subsystem name is DB2
    211-Data not wrapped into next record.
    211-Tape write is not allowed to use BSAM I/O
    211-Truncated records will not be treated as an error
    211-JESLRECL is 80
    211-JESRECFM is Fixed
    211-JESINTERFACELEVEL is 1
    211-ENcoding is set to SBCS
    211-SBSUB is set to FALSE
    211-SBSUBCHAR is set to SPACE
    211-SMS is active.
    211-Dataclass for new data sets is DATAF
    211-Data sets will be allocated on CPDLB2,CPDLB3.
    211-New data sets will be deleted if a store operation ends abnormally
    211-Single quotes will override the current working directory.
    211-UMASK value is 027
    211-Process id is 52
    211-Checkpoint interval is 0
    211-Authentication type: None
    211 *** end of status ***
    Command:
Differences in the above examples:
If you do NOT check the box labeled "Do not send sensitive information to clients (REPLYSECURITYLEVEL)",
the client sees the following lines, which are shortened or omitted when the box is checked:

    220-FTPD1 IBM FTP CS V1R4 at MVS171.tcp.raleigh.ibm.com, 17:52:55 on 2002-10-31.
    211-Server FTP talking to host 127.0.0.1, port 1026
    211-to host 127.0.0.1, port 1026,
    211-Process id is 52
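To confirm from the client side that both options took effect, a captured control-connection transcript can be checked for the reply lines that the examples above show being suppressed. The following is an added example, not part of the original page or of IBM's tooling; the patterns and the names `LEAK_RULES` and `audit_replies` are assumptions derived only from the reply lines shown on this page.

```python
import re

# Rules derived from the reply lines shown on this page (assumed, not IBM's list).
# Each rule: (finding, option that suppresses it, pattern on one reply line).
LEAK_RULES = [
    # With the option set, a failed PASS yields only "530 PASS command failed".
    ("login failure detail", "ACCESSERRMSGS", re.compile(r"^530-")),
    ("host name and software level in banner", "REPLYSECURITYLEVEL",
     re.compile(r"^220-\S+ IBM FTP CS V\d+R\d+ at \S+,")),
    ("peer host and port", "REPLYSECURITYLEVEL",
     re.compile(r"^211-.*\bhost \d{1,3}(\.\d{1,3}){3}, port \d+")),
    ("server process id", "REPLYSECURITYLEVEL",
     re.compile(r"^211-Process id is \d+")),
]
REPLY_LINE = re.compile(r"^\d{3}[- ]")  # FTP reply: 3-digit code, then '-' or ' '

def audit_replies(transcript):
    """Return (line_no, finding, option, text) for each revealing server reply."""
    findings = []
    for line_no, raw in enumerate(transcript.splitlines(), 1):
        line = raw.strip()
        if not REPLY_LINE.match(line):
            continue  # skip client prompts and echoed commands
        for finding, option, pattern in LEAK_RULES:
            if pattern.search(line):
                findings.append((line_no, finding, option, line))
                break
    return findings

# Reply lines copied from the examples on this page, joined into one sample.
VERBOSE = """\
220-FTPD1 IBM FTP CS V1R4 at MVS171.tcp.raleigh.ibm.com, 16:11:22 on 2002-10-31.
220 Connection will not timeout.
331 Send password please.
530-Error on __passwd() function call, errno=111, rsncode=090C0000
530-The username is unknown
530 PASS command failed
211-Server FTP talking to host 127.0.0.1, port 1026
211-to host 127.0.0.1, port 1026,
211-Process id is 52
"""
TERSE = """\
220-IBM FTP, 17:57:42 on 2002-10-31.
220 Connection will not timeout.
530 PASS command failed
211-User: USER3 Working directory: USER3.
211 *** end of status ***
"""

if __name__ == "__main__":
    for line_no, finding, option, text in audit_replies(VERBOSE):
        print(f"line {line_no}: {finding} (check {option}): {text}")
```

An empty result for a transcript captured after the change indicates that none of the reply forms shown on this page are still being sent.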