
Re: ftp ssh tunnelling



On Thu, Jun 10, 1999 at 11:14:49PM -0500, Christian Dysthe wrote:
> I would like to know where I can find some information about how to do ftp over
> a ssh tunnel.

I recently automated this process by writing some aliases for lftp:
~/.lftp/rc:
alias foossh "source ~/.lftp/foossh"

~/.lftp/foossh:
! ssh2 -S -f +C -l UserNameAtSshHost -L 9021:RemoteFtpHost:21 RemoteSshHost -o 'PasswordPrompt Password for SSH tunnel to %H, %U: '
set ftp:passive-mode on
open -u FTPUserName,FTPPassword -p 9021 localhost

Explanation:
~/.lftp/rc is sourced upon start-up of lftp.  The alias there causes the
sequence of commands in ~/.lftp/foossh to be run whenever 'foossh' is
typed.

foossh uses ssh2[*Note] to open a tunnel from port 9021 on the Localhost
to port 21 (FTP port) on the RemoteFtpHost, via the RemoteSshHost.  The
connection between Localhost and RemoteSshHost is secure, the connection
between RemoteSshHost and RemoteFtpHost is not (unless RemoteSshHost and
RemoteFtpHost are the same or RemoteFtpHost is 'localhost', which would
be local-to-ssh-host).

The script then ensures that the ftp client is working in passive mode,
necessary for using ftp through a tunnel.  Then it logs in to the FTP
server with name and password by connecting to port 9021 on localhost
(the forwarded port).

This example is a bit more complicated than your case might be because
in my case, the ftp server is not the one running ssh... but the ftp
server is on the same network as the ssh server, so it's safer than
nothing.  Also, the ssh server is running only ssh2, but sftp doesn't
function there (sftp is a much easier way of doing what you want, but
only comes with ssh2 client/server.  It may be worth your while to see
if the ssh2 license is acceptable to your application.).

This example also assumes you are using password authentication (which
is my case because public key authentication with the ssh2 host I
connect to is non-functional for no reason I can find), but you could use
public key authentication as well.  If your ssh secret-key is
passphraseless, you won't have to enter a password to establish the ssh
tunnel at all.

I have different 'foossh' files and aliases for different hosts.  Port
9021 is not special; you can use any non-privileged port that is not in
use on the local host.  I do not think you can forward multiple
connections over the same local port.  The example here uses lftp,
but the concepts are not lftp-specific, and most clients should have
commands that allow you to execute an ssh command in a local shell, turn
on passive mode, and do an ftp login to a non-standard port on localhost.

*Note: You can use ssh1 instead of ssh2 here if you:
  * remove the -S argument; it is not in ssh1.  It lets the ssh channel
    be established without opening a shell session on the host.  You
    will probably have to tell ssh to run something like 'sleep 30' as a
    command on the remote host to give ssh something to do while you're
    setting up the ftp-forwarding.
  * the +C is for compression.  It is optional.  In ssh1, the option was -C.

Good luck,
 - Kevin

-- 
Kevin.Turner@oberlin.edu | OpenPGP encryption welcome here, see X-DSA-Key
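The same "open the tunnel, then log in through it" procedure, written as an added example for OpenSSH rather than the ssh2 client in the message; this is not Kevin's code. The host names, user names and port are the message's placeholders, the ssh2 flags are mapped to their OpenSSH equivalents (-N for -S, -C for +C), and the FTP password is left out of the open command so lftp prompts for it instead of keeping it in a file. Two points the message states in passing are worth making explicit for anyone reusing this: the -L forward carries only the FTP control connection, so the tunnel protects the login but a passive-mode data connection goes to whatever address and port the server announces in its PASV reply, which is not the tunnel unless that address is also forwarded; and passive mode is required because in active mode the server would try to connect back to the client, which cannot traverse a local forward.

```shell
#!/bin/sh
# Added example (not from the message): tunnel an FTP control connection over
# OpenSSH, then drive lftp through the forwarded local port.
# Usage:  sh ftp-over-ssh.sh connect
# Every name below is a placeholder carried over from the message, not a real host.

SSH_USER="${SSH_USER:-UserNameAtSshHost}"   # placeholder
SSH_HOST="${SSH_HOST:-RemoteSshHost}"       # placeholder: the host running sshd
FTP_HOST="${FTP_HOST:-RemoteFtpHost}"       # placeholder: host sshd forwards to, port 21
FTP_USER="${FTP_USER:-FTPUserName}"         # placeholder
LOCAL_PORT="${LOCAL_PORT:-9021}"            # any free non-privileged port, as the message says

# A usable local listening port is an integer in 1024-65535 (non-privileged).
valid_local_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Best-effort check that nothing already listens on the port locally.
# Returns 0 if something is listening, 1 if free or if it cannot be determined.
port_in_use() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk 'NR > 1 {print $4}' | grep -q ":$1\$"
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null | awk '{print $4}' | grep -q ":$1\$"
    else
        return 1
    fi
}

# The -L argument: local port -> FTP control port on the far host, via sshd.
forward_spec() {
    printf '%s:%s:21\n' "$1" "$2"
}

# lftp commands matching the message's foossh file, minus the literal password;
# with no password after the user name, lftp asks for it interactively.
lftp_commands() {
    printf 'set ftp:passive-mode on; open -u %s -p %s localhost' "$1" "$2"
}

main() {
    valid_local_port "$LOCAL_PORT" || { echo "LOCAL_PORT must be 1024-65535" >&2; return 1; }
    port_in_use "$LOCAL_PORT" && { echo "port $LOCAL_PORT is already in use" >&2; return 1; }
    # OpenSSH equivalents of the ssh2 flags in the message: -N (no remote
    # command) for -S, -C for +C; -f backgrounds ssh once authenticated.
    ssh -f -N -C -L "$(forward_spec "$LOCAL_PORT" "$FTP_HOST")" "$SSH_USER@$SSH_HOST" || return 1
    # -e runs the commands, then lftp stays interactive on the tunnelled session.
    lftp -e "$(lftp_commands "$FTP_USER" "$LOCAL_PORT")"
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
case "${1:-}" in
    connect) main ;;
esac
```

Killing the backgrounded ssh afterwards (for example with `pkill -f "ssh -f -N -C -L $LOCAL_PORT:"`) closes the forward; the message's observation that one local port serves one forward still applies, so pick a distinct LOCAL_PORT per tunnel.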