FTP tunneling is an extension to the generic tunneling mechanism. The FTP control channel can be secured by using generic port forwarding, but since the FTP protocol requires creating separate TCP connections for the files to be transferred, all the files would be transferred unencrypted when using generic port forwarding, as these separate TCP connections would not be forwarded automatically.
To protect the transferred files as well, use FTP forwarding instead. It works like generic port forwarding, except that the FTP forwarding code monitors the forwarded FTP control channel and dynamically creates new port forwardings for the data channels as they are requested.
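The following Python is an added illustration of what such forwarding code has to do on the control channel; it is example code written for this page, not SSH Tectia's own. It parses the PASV/EPSV replies and PORT/EPRT commands that announce a data channel (so a forwarder knows which endpoint to open a new forwarding for) and rewrites a passive-mode reply so the client's data connection goes to a local listener instead of straight to the server. The listener address and the sample control-channel lines are constructed.

```python
import re

# Six comma-separated decimals carry host and port in PORT commands
# (client -> server) and in "227 Entering Passive Mode" replies (server -> client).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# Extended passive reply (RFC 2428): "229 Entering Extended Passive Mode (|||6001|)"
_EPSV = re.compile(r"\(\|\|\|(\d+)\|\)")


def parse_data_endpoint(line, from_server):
    """Return (host, port) of a data channel announced on the control channel,
    or None if the line sets up no data channel.  from_server=True means a
    server reply (227/229: where the client must connect); False means a
    client command (PORT/EPRT: where the server must connect).  A None host
    (EPSV) means "same host as the control-channel peer"."""
    text = line.strip()
    if from_server:
        if text.startswith("227"):
            m = _HOSTPORT.search(text)
        elif text.startswith("229"):
            m = _EPSV.search(text)
            return (None, int(m.group(1))) if m else None
        else:
            return None
    else:
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb == "EPRT":                      # e.g. "EPRT |1|10.0.0.5|6002|"
            f = arg.split(arg[0]) if arg else []  # first char is the delimiter
            return (f[2], int(f[3])) if len(f) >= 4 and f[3].isdigit() else None
        m = _HOSTPORT.search(arg) if verb == "PORT" else None
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def rewrite_passive_reply(line, listen_host, listen_port):
    """Replace the address in a 227 reply with the local forwarder's listener,
    so the FTP client's data connection enters the tunnel instead of going
    unencrypted to the server's announced address."""
    m = _HOSTPORT.search(line)
    if not line.startswith("227") or not m:
        return line
    hp = ",".join(listen_host.split(".") + [str(listen_port // 256), str(listen_port % 256)])
    return line[:m.start()] + hp + line[m.end():]


if __name__ == "__main__":
    # Constructed 227 reply as seen by a forwarder; 40001 is a constructed local listener port.
    reply = "227 Entering Passive Mode (192,0,2,10,23,113)."
    print(parse_data_endpoint(reply, from_server=True))     # ('192.0.2.10', 6001)
    print(rewrite_passive_reply(reply, "127.0.0.1", 40001))  # (127,0,0,1,156,65)
```

A real forwarder would open the listener before sending the rewritten reply on, and do the mirror-image rewrite of PORT/EPRT for active mode.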
FTP tunneling works for both local and remote tunnels, but it must always be explicitly requested.
On the command line, this is done with a command of the following form:

```
sshclient$ sshg3 -L ftp/1234:localhost:21 username@sshserver
```
FTP tunnels can also be defined for connection profiles in the Connection Broker configuration file.
The following is an example from an ssh-broker-config.xml file:

```xml
<profile id="id1" host="sshserver.example.com">
  ...
  <tunnels>
    <local-tunnel type="ftp" listen-port="1234" dst-host="127.0.0.1" dst-port="21" />
    ...
  </tunnels>
</profile>
```
The FTP connection can then be made with a command like the following:

```
sshclient$ ftp localhost 1234
```

The FTP connection to port 1234 on the client is now tunneled to port 21 on the Secure Shell server.
When using SSH Tectia Client with the Windows GUI, the tunneling settings can be made under Profile Settings → Tunneling. See Defining Tunneling (SSH Tectia Client).
The typical use case is that the FTP client is located on the same host as SSH Tectia Client and the FTP server is on the same host as the Secure Shell server. However, other configurations are also supported.
Where end-to-end encryption of the FTP data channels is desired, the FTP server and the Secure Shell server need to reside on the same host, and the FTP client and SSH Tectia Client likewise need to reside on the same host, because traffic between the FTP endpoint and the Secure Shell endpoint on either side travels outside the tunnel.
Note: Consider using