Hi
I think you didn't get an answer to your question, so I hope I can give
you a better answer:

The name "port forwarding" almost tells everything: you can forward your ftp
server's 21st port to another machine which has an ssh client. The ssh
client does all the work for you on the client side.
For example I use this command (in a batch) on my Winblows machine to get my
mail and connect to ftp:
ssh2.exe  -t -l username -L 21000:ftp.host.com:21 -L
11000:mail.host.com:110 -L 11001:mail.anotherhost.com:110 ssh.host.com vlock
;

ftp.host.com, ssh.host.com and mail.host.com are the same host; I just used
these names because they're easier to understand. Let them simply be
host.com.
So it connects to host.com (actually ssh.host.com) and authenticates the user
called username. If the authentication went fine, the client opens 3 secure
channels to the server. They are all forwarded to localhost's ports: ftp to
21000, pop3 to 11000 and 11001. When the user connects to one of the forwarded
ports on localhost, it will look to him/her as if he or she were
connected to the remote machine.
mail.anotherhost.com doesn't have ssh, but I use ssh.host.com to forward
my mail: it still secures my data between my machine and ssh.host.com,
and forwards the channel to mail.anotherhost.com in non-secure mode. I use
this because ssh.host.com has its own port in our switching hub and it
can't be sniffed, at least from our LAN (I live in a dormitory and there are a
lot of students here with too much hacking ambition :)).
But there's a problem with the forwarding of ftp: ftp servers usually don't
allow establishing a data connection (with the PORT or the PASV command)
from an IP other than the one the ftp command connection was made from (on port 21). The
ftp command connection always seems local to the ftp server because
of port forwarding, but ssh can't make the data connection, so it must come
from another host. The only way to make it work is to configure the ftp
server to accept PORT and PASV commands (they are used to make a data
connection) from IPs different from the one the command connection was made from, even if
this makes the server more vulnerable to DOS attacks (usually you can
configure the IPs that you want to use for forwarding).
Example config (wu-ftpd 2.6.0):
pasv-allow all 192.168.87.*
port-allow all 193.168.87.*

all is the name of the class defined in another part of the conf.

I hope I didn't complicate things too much and you can imagine how it
works.

regards,
    Arpi

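The data-connection problem described above, as an added example that is not part of Arpi's post: a PASV reply parser that checks whether the data channel would leave the SSH tunnel, plus a simplified model of the wu-ftpd pasv-allow / port-allow rule. The addresses, the PASV reply and the exact matching rule are constructed assumptions for illustration.

```python
import re
from fnmatch import fnmatchcase
from typing import NamedTuple, Sequence

# Server reply to PASV (RFC 959): "227 ... (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class Endpoint(NamedTuple):
    host: str
    port: int


def parse_pasv(reply: str) -> Endpoint:
    """Decode the data-connection address the server advertised in a PASV reply."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return Endpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def data_channel_bypasses_tunnel(reply: str, tunnel_host: str = "127.0.0.1") -> bool:
    """True when the client would open the data connection straight to the
    advertised address instead of through the forwarded local port. Only the
    control channel (and so the password) is inside the tunnel; the data
    channel then travels in the clear, which is what the post describes."""
    return parse_pasv(reply).host != tunnel_host


def server_accepts_data_peer(control_peer: str, data_peer: str,
                             allow_patterns: Sequence[str]) -> bool:
    """Simplified model (assumption) of the wu-ftpd rule: accept the data
    connection if it comes from the same address as the control connection,
    or from an address matching a pasv-allow / port-allow pattern such as
    192.168.87.* (shell-style wildcard)."""
    if data_peer == control_peer:
        return True
    return any(fnmatchcase(data_peer, pat) for pat in allow_patterns)


# Constructed sample: the server behind the tunnel advertises its own address.
SAMPLE_PASV = "227 Entering Passive Mode (10,0,0,5,19,137)"
SSH_HOST_ADDR = "127.0.0.1"     # control channel looks local to the server
CLIENT_ADDR = "192.168.87.42"   # data channel arrives from the real client

if __name__ == "__main__":
    ep = parse_pasv(SAMPLE_PASV)
    print(f"server wants the data connection on {ep.host}:{ep.port}")
    print("data channel bypasses tunnel:", data_channel_bypasses_tunnel(SAMPLE_PASV))
    print("accepted without pasv-allow:",
          server_accepts_data_peer(SSH_HOST_ADDR, CLIENT_ADDR, []))
    print("accepted with pasv-allow 192.168.87.*:",
          server_accepts_data_peer(SSH_HOST_ADDR, CLIENT_ADDR, ["192.168.87.*"]))
```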
> I am still trying to get a secure ftp connection going over ssh, but I am
> confused. I think I understand what I have read about getting the server to
> monitor ports on the server, but how does ftp work? Does the client need
> port 21 encrypted and forwarded on the server to port 21 or does the client
> use a different port to establish the connection? If so which port does the
> client use? Again I don't care if the data is encrypted only the passwords
> sent by the user for authentication.
>
> Thanks,
>
> Chad
>
>
> --
> To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
> as the Subject.
