SSH Tectia

Enabling FTP-SFTP Conversion (Unix)

On Unix, the connection capture component performing the SFTP conversion is installed from a separate installation package ssh-tectia-capture. For installation instructions, see Chapter 2.

On Unix, activating FTP-SFTP conversion requires defining the filter rules for SFTP conversion in the Connection Broker configuration and then running the ssh-capture command.

The FTP-SFTP conversion settings are defined in the Connection Broker configuration file. The following example configuration converts any FTP connections to port 21 on any host to SFTP, and allows falling back to plain text transfer mode in case the secure connection cannot be established. The user name and the destination host name are taken from the application that initiates the connection.

<filter-engine>
    <rule application=".*"
          host=".*"
          ip-address=".*"
          ports="21"
          action="FTP-PROXY"
          hostname-from-app="yes"
          username-from-app="yes"
          fallback-to-plain="yes" />
</filter-engine>

With the above configuration, you can start an FTP session with FTP-SFTP conversion enabled, for example to the host ftp.example.org, by running the following command:

$ ssh-capture ftp ftp.example.org

SSH Tectia ConnectSecure has an option to allow plaintext FTP to be used if the secure SFTP connection cannot be established. To enable fallback to plaintext FTP, set it in the configuration file as shown above and then add the option -F or --fallback to the command:

$ ssh-capture -F ftp ftp.example.org

When allowing fallback to plaintext with the setting fallback-to-plain="yes", always specify the port unambiguously in the configuration. Otherwise, the connection to a plaintext FTP server may fail in passive mode file transfer.
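The following check is an added example, not part of the SSH Tectia documentation or tooling: it reads a filter-engine block and lists the FTP-PROXY rules that allow plaintext fallback, noting where the port is not one explicit number or the rule applies to any host. It assumes that "unambiguous" means a single numeric port and that a missing fallback-to-plain attribute means the fallback is off; the second and third rules in the sample are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: rule 1 is the page's rule; rules 2 and 3 are
# hypothetical variants used only to exercise the check.
SAMPLE = """
<filter-engine>
    <rule application=".*" host=".*" ip-address=".*" ports="21"
          action="FTP-PROXY" hostname-from-app="yes"
          username-from-app="yes" fallback-to-plain="yes" />
    <rule application=".*" host="ftp.example.org" ip-address=".*"
          ports="21" action="FTP-PROXY" hostname-from-app="yes"
          username-from-app="yes" fallback-to-plain="no" />
    <rule application=".*" host=".*" ip-address=".*"
          action="FTP-PROXY" fallback-to-plain="yes" />
</filter-engine>
"""


def audit_fallback_rules(xml_text):
    """Return (rule number, ports, issues) for each FTP-PROXY rule
    that permits falling back to plaintext FTP."""
    findings = []
    root = ET.fromstring(xml_text.strip())
    for idx, rule in enumerate(root.iter("rule"), start=1):
        if rule.get("action") != "FTP-PROXY":
            continue
        # Assumption: an absent attribute means fallback is disabled.
        if rule.get("fallback-to-plain", "no").lower() != "yes":
            continue
        issues = ["plaintext fallback allowed"]
        ports = rule.get("ports", "")
        # Assumption: "unambiguous" means exactly one numeric port.
        if not re.fullmatch(r"\d{1,5}", ports):
            issues.append("port not a single explicit number")
        if rule.get("host", ".*") == ".*":
            issues.append("applies to any host")
        findings.append((idx, ports, issues))
    return findings


if __name__ == "__main__":
    for number, ports, issues in audit_fallback_rules(SAMPLE):
        print(f"rule {number} (ports={ports!r}): " + "; ".join(issues))
```

Each rule reported here is one where a failed SFTP connection results in the session, including the user's credentials, going over plaintext FTP.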

To start a bash shell session with FTP-SFTP conversion enabled for all commands, run the following command:

$ ssh-capture bash

Note that there are limitations on capturing suid applications. For more information, see the Note about capture restrictions.