> > > Right. You have to use FTP in passive mode. The control port (21) doesn't
> > > tunnel right.
> >
> > As stated earlier on this list you can not (fully) tunnel FTP without
> > using an "ftp enabled" client (and/or server), that is the ONLY solution
> > if you want ALL traffic to the ftp server to be encrypted (also needed if
> > e.g. the ftp server is "behind" a firewall which you can only "traverse"
> > through ssh). I thought this was added to the FAQ though? If not, couldn't
> > someone add it since it's quite a FAQ (as far as I've seen).
I want to point out (already for the second time!) that the FAQ
(http://www.tigerlair.com/ssh/faq/ssh-faq-5.html#ss5.6) also contains
wrong information on this matter. To be specific, it's 'ftp localhost
1234' which is misleading. Generally speaking you should connect to the
interface that has a route to the ftp server, not localhost or any other
interface. It doesn't work otherwise. If you want to 'ftp localhost',
then your client ought to be "ftp enabled."
Now are there "ftp enabled" clients out there? Yes. It's indeed Mats's
MindTerm, (as again Mats pointed out) Van Dyke apparently has its
AbsoluteFTP gadget and there's
http://fy.chalmers.se/~appro/ssh_beyond.html#secure_ftp of my own
design. It's perfectly possible to tunnel FTP, it's rather
interoperable(*), it's trivial to implement and I keep wondering why
SSH/F-Secure keeps hiding behind "just use sftp instead.:-)" and
realize/accept that there're such things as legacy applications?
Andy.
(*) Excerpt from my post from April (where "has anybody seen/heard of
anything similar" and obviously outdated):
- Local forwarding cases.

FTP client - modified SSH client ==== *any* SSH server - FTP server
If FTP client goes passive mode, modified client takes care of
everything by spoofing replies to PASV commands (I really wonder why
this wasn't implemented! At least none of the clients I've tried so
far support this. Has anybody seen/heard of anything similar?). If
FTP client goes active, data transfers become clear-text and work
as long as FTP client was connected to SSH client through interface
which has route to the FTP server.

FTP client - modified SSH client ==== modified SSH server - FTP server
Works either way (passive or active), both sides spoof whatever is
appropriate to spoof:-). No way to go clear-text.

FTP client - F-Secure SSH for Mac/PC ==== modified SSH server - FTP server
If FTP client goes active, modified SSH server takes care of everything
by spoofing PORT commands. It's possible as F-Secure appears to accept
reverse forwardings (surprise!). If FTP client goes passive, data
transfers become clear-text and work as long as FTP server was invoked at
interface which has route to FTP client.
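The spoofing the post describes comes down to rewriting two control-channel messages: the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply (client side) and the client's "PORT h1,h2,h3,h4,p1,p2" command (server side), so that the data connection lands on a forwarded port instead of crossing the network in the clear. The following is an added illustration written for this page; it is not code from the post, from MindTerm, AbsoluteFTP or the author's own implementation. The sample control lines, the forwarded-port numbers and the assumption that the forwarding endpoint listens on 127.0.0.1 are all constructed for the example; actually opening the SSH forwardings is left to the caller.

```python
import re
from typing import Optional, Tuple

# Constructed sample control-channel lines (not taken from any real session).
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)\r\n"
SAMPLE_PORT_COMMAND = "PORT 10,0,0,5,4,1\r\n"

_OCTETS = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PASV_RE = re.compile(r"^227\b.*?\(" + _OCTETS + r"\)")
_PORT_RE = re.compile(r"^PORT\s+" + _OCTETS + r"\s*$")


def _decode(groups) -> Tuple[str, int]:
    """Turn the six FTP octets into (host, port); port is p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("FTP host/port octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def _encode(host: str, port: int) -> str:
    """Inverse of _decode: dotted IPv4 host plus port back to six octets."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    return ",".join(host.split(".")) + f",{port // 256},{port % 256}"


def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """(host, port) the FTP server wants the data connection on, or None."""
    m = _PASV_RE.match(line)
    return _decode(m.groups()) if m else None


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """(host, port) the FTP client wants the server to connect back to, or None."""
    m = _PORT_RE.match(line)
    return _decode(m.groups()) if m else None


def rewrite_pasv_reply(line: str, local_host: str, local_port: int):
    """Client-side spoof (the "modified SSH client" case).

    Returns (rewritten reply, (server_host, server_port)). The caller opens a
    local forwarding from local_host:local_port to server_host:server_port
    through the SSH connection before handing the rewritten reply to the FTP
    client; the FTP client then connects to the forwarded port, never to the
    server directly. Non-PASV lines pass through unchanged.
    """
    target = parse_pasv_reply(line)
    if target is None:
        return line, None
    return f"227 Entering Passive Mode ({_encode(local_host, local_port)}).\r\n", target


def rewrite_port_command(line: str, reverse_host: str, reverse_port: int):
    """Server-side spoof (the "modified SSH server" case).

    Returns (rewritten command, (client_host, client_port)). The caller sets
    up a reverse forwarding so that reverse_host:reverse_port on the server
    side is carried back through SSH to client_host:client_port; the FTP
    server then connects to the forwarding endpoint, not across the clear.
    """
    target = parse_port_command(line)
    if target is None:
        return line, None
    return f"PORT {_encode(reverse_host, reverse_port)}\r\n", target


def data_transfer_is_protected(control_line: str, client_spoofs_pasv: bool,
                               server_spoofs_port: bool) -> Optional[bool]:
    """Replay the post's local-forwarding matrix for one control-channel line.

    True: the data connection this line sets up stays inside the tunnel.
    False: it falls back to clear-text (the failure mode the post warns about).
    None: the line sets up no data connection.
    """
    if parse_pasv_reply(control_line) is not None:
        return client_spoofs_pasv
    if parse_port_command(control_line) is not None:
        return server_spoofs_port
    return None


if __name__ == "__main__":
    print(rewrite_pasv_reply(SAMPLE_PASV_REPLY, "127.0.0.1", 40000))
    print(rewrite_port_command(SAMPLE_PORT_COMMAND, "127.0.0.1", 45000))
    # Unmodified client, unmodified server: an active-mode PORT goes clear-text.
    print(data_transfer_is_protected(SAMPLE_PORT_COMMAND, True, False))
```

The `data_transfer_is_protected` check is the part worth keeping around when auditing such a setup: feed it the control-channel lines of a session together with which side is doing the spoofing, and any `False` marks a data transfer that left the tunnel exactly as the post's first and third cases describe.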