Just got Carol Woodbury's latest IBM i Security book: a quick browse showed
OS/400 uses ftp (it has telnet & ftp servers in it).

I've been hearing for the past ten years that ftp should not be used anymore
from a security point of view, as the data as well as the credentials of ftp are not
encrypted; likewise for telnet.

So under what circumstances is ftp's use still justified for OS/400?
Or are there legacy IBM products that require ftp, and if so, which ones?

Is it possible to use sftp/scp for OS/400? From the index of the book, there's
no mention of sftp/scp, so I'm curious if sftp/scp is the way to go for
OS/400? Or are there 3rd-party sftp servers out there for OS/400 that
we ought to install?
VP Technology / Senior Consultant
Q1: The IBM i FTP server supports TLS encryption. FTP over TLS is secure. Unencrypted FTP sends credentials in plaintext, so the only time it is appropriate is when potential disclosure of the user ID and password that you are using to log on, and all of the commands and data you send, doesn't matter. From a practical standpoint, it is best to just avoid unencrypted FTP altogether. FTPS (FTP over SSL/TLS) was available in V5R1, and possibly further back than that.

I'm not aware of any IBM products that require unencrypted FTP connections to the IBM i.

Q2: Yes, since V5R4, sftp/scp is part of PASE.

There are also 3rd party products.
BTW, IBM i also provides TLS encryption for Telnet connections.


Thanks v much.

In versions prior to V5R1, can we specify which version of TLS (specifically V1.2) to use and disable SSL? Or starting with which version of IBM i is this feature to specify the TLS version available?
Versions prior to V5R1 are far too old to be concerned about the security of network protocols. It's similar to being concerned about Windows pre-2000. And technically, at least some of the concern over SSL is still misplaced unless you're involved with perhaps military secrets and interception. See, e.g., "SSL is broken. So what?" (2014) and many others.

Simple FTP might be justified any time simple, unsecured transfers will be done or perhaps when a VPN is used. Of course, only a dedicated user profile should do transfers, one authorized only for transfers and only to specific source/destination directories or libraries. If your organization has someone sniffing traffic, there are probably other problems anyway.
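
Added example, not part of the original thread and not IBM code: a Python client for the FTP-over-TLS transfer discussed above that refuses to log in unless the server advertises `AUTH TLS`, enforces TLS 1.2 or later on the client side, and encrypts the data channel as well. The function names, the host argument and the sample `FEAT` replies are constructed for illustration; the thread does not say which IBM i releases let you restrict the TLS version on the server side, so this only shows the client-side control.

```python
import ssl
from ftplib import FTP_TLS

# Constructed FEAT replies (RFC 2389 layout), not captured from a real server.
SAMPLE_FTPS = "211-Extensions supported:\n AUTH TLS\n PBSZ\n PROT\n UTF8\n211 End"
SAMPLE_PLAIN = "211-Extensions supported:\n UTF8\n SIZE\n211 End"


def tls12_context():
    """Client context that verifies the certificate and refuses SSL/TLS < 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_feat(feat_reply):
    """Report which FTPS-related features a FEAT reply advertises."""
    feats = {}
    for line in feat_reply.splitlines():
        if line.startswith(" "):  # feature lines are indented by one space
            name, _, args = line.strip().upper().partition(" ")
            feats.setdefault(name, set()).update(args.replace(";", " ").split())
    return {
        "auth_tls": "TLS" in feats.get("AUTH", set()),
        "pbsz": "PBSZ" in feats,
        "prot": "PROT" in feats,
    }


def upload(host, user, password, local_path, remote_name):
    """Upload one file over explicit FTPS; returns the negotiated TLS version."""
    ftps = FTP_TLS(context=tls12_context(), timeout=30)
    ftps.connect(host, 21)
    try:
        if not audit_feat(ftps.sendcmd("FEAT"))["auth_tls"]:
            raise RuntimeError("no AUTH TLS advertised; refusing plaintext login")
        ftps.auth()                 # AUTH TLS: encrypt the control channel first
        version = ftps.sock.version()
        ftps.login(user, password)  # credentials now travel inside TLS
        ftps.prot_p()               # PROT P: encrypt the data channel too
        with open(local_path, "rb") as fh:
            ftps.storbinary("STOR " + remote_name, fh)
        return version
    finally:
        ftps.close()
```

If the server can only negotiate SSLv3, TLS 1.0 or TLS 1.1, the handshake in `auth()` fails with `ssl.SSLError` before any user ID or password is sent.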

