
Re: ssl'ed / ssh'ed ftp ?




On Mon, 7 Feb 2000, Joe Chung wrote:

> On Sun, Feb 06, 2000 at 09:32:11PM -0800, t s a d i wrote:
> > hello all,
> >     we use ssh (and ssl telnet) at our place to remotely admin some
> > machines (we are on an untrusted network) ...  
> >     our concern now is on ftp, is there such thing as an ssh'ed or
> > ssl'ed ftp ? or any equivalent ?  (using ssh's file transfer capability
> > is not an option since no Win9x ssh client supports this)
> 
> For Windows clients try the ssh extension to Teraterm at:
> 
> http://www.zip.com.au/~roca/ttssh.html
> 
> With the port-forwarding feature, I was able to use good old ws_ftp from the
> Windows machine to connect securely to our Solaris server running openssh's
> sshd. That should work for you.
> 

That's only partially true:

ftp is a dual-ported protocol. It uses port 21 for transferring the
parameters and commands, but it uses a separate data connection. It can
behave the following two ways:

Active mode: the data connection is initiated by the ftp server. The
connection is between ftpserver:20 and a user-specified ip:port.

Passive mode: the ftp server is the one which is contacted by another
computer. This mode is triggered by the pasv command. The reply of the ftp
server to the pasv command is a port on which it will listen. It then needs to
be contacted by the client (or another machine).

This makes it possible to use the ftp protocol to transfer files between two
ftp servers. In this scenario the control connections are between the
client and the two ftp servers, but the one data connection is between the
two ftp servers.

What is described in the previous lines shows that forwarding a connection
to port 21 via ssh does not encrypt the data connections.

Therefore: if you need to encrypt only the passwords, then ssh can provide
you with the tool. But there is no way to encrypt the data connection with ssh
alone. You need a tool which uses ssh's port forwarding capabilities
actively for that.

Robert Varga


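As an added illustration (not code from the thread), a small Python audit that parses the PASV reply and PORT command out of a constructed FTP control-channel transcript and checks whether each data channel's destination is a socket that ssh itself listens on; the -L listener 127.0.0.1:2121, the server address 192.0.2.10 and the ports are constructed values.

```python
import re
from typing import NamedTuple, Optional

class Endpoint(NamedTuple):
    host: str
    port: int

# RFC 959 encodes host and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
_HP = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"

def _decode(groups) -> Endpoint:
    h1, h2, h3, h4, p1, p2 = map(int, groups)
    return Endpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)

def parse_pasv_reply(line: str) -> Optional[Endpoint]:
    """Server's 227 reply: where the *client* must connect for the data channel."""
    m = re.match(r"227 .*?\(" + _HP + r"\)", line)
    return _decode(m.groups()) if m else None

def parse_port_command(line: str) -> Optional[Endpoint]:
    """Client's PORT command: where the *server* will connect (from port 20)."""
    m = re.fullmatch(r"PORT " + _HP, line.strip())
    return _decode(m.groups()) if m else None

def data_channel_is_tunneled(data_ep: Endpoint, ssh_listeners: set) -> bool:
    """Encrypted only if the destination is a socket ssh listens on: a -L listener
    on the client (passive) or a -R listener on the server (active). A forward
    of port 21 alone never covers the data channel."""
    return data_ep in ssh_listeners

def audit_session(lines: list, ssh_listeners: set) -> list:
    """Report (mode, data endpoint, tunneled?) for every data channel negotiated."""
    report = []
    for line in lines:
        ep = parse_pasv_reply(line) or parse_port_command(line)
        if ep:
            mode = "passive" if line.startswith("227") else "active"
            report.append((mode, ep, data_channel_is_tunneled(ep, ssh_listeners)))
    return report

# Constructed transcript: the client talks to 127.0.0.1:2121, which ssh forwards
# to the server's port 21 (ssh -L 2121:192.0.2.10:21). Only port 21 is covered.
SAMPLE_SESSION = [
    "PASS s3cret",                                     # goes over the port 21 forward
    "227 Entering Passive Mode (192,0,2,10,195,80).",  # client -> 192.0.2.10:50000, in clear
    "PORT 10,0,0,5,4,1",                               # server -> 10.0.0.5:1025, in clear
]
SSH_LISTENERS = {Endpoint("127.0.0.1", 2121)}
```

Running `audit_session(SAMPLE_SESSION, SSH_LISTENERS)` flags both data channels as untunneled, which is exactly the gap the reply above describes; a tool that "actively" uses port forwarding would have to open a forward for the port in each PASV reply and rewrite the reply to point at that local listener.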