On Unix, the connection capture component performing the SFTP conversion is installed from a separate installation package ssh-tectia-capture. For installation instructions, see Chapter 2.
On Unix, activating the FTP-SFTP conversion requires defining the filter rules for SFTP conversion in the Connection Broker configuration and then running the ssh-capture command.
The FTP-SFTP conversion settings are defined in the Connection Broker configuration file. The following example configuration converts any FTP connections to port 21 on any host to SFTP, and allows falling back to plain text transfer mode in case the secure connection cannot be established. The user name and the destination host name are taken from the application that initiates the connection.
<filter-engine>
  <rule application=".*"
        host=".*"
        ip-address=".*"
        ports="21"
        action="FTP-PROXY"
        hostname-from-app="yes"
        username-from-app="yes"
        fallback-to-plain="yes" />
</filter-engine>
With the above configuration, you can start an FTP session, for example to host address ftp.example.org, with FTP-SFTP conversion enabled by running the following command:
$ ssh-capture ftp ftp.example.org
Tectia ConnectSecure has an option to allow plaintext FTP to be used if the secure SFTP connection cannot be established. You can enable fallback to plaintext FTP by setting it in the configuration file as shown above and then adding the option -F or --fallback to the command:
$ ssh-capture -F ftp ftp.example.org
When allowing fallback to plaintext with the setting fallback-to-plain="yes", always specify the port unambiguously in the configuration. Otherwise, the connection to a plaintext FTP server may fail in passive mode file transfer.
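A configuration check for the fallback setting described above, as an added example that is not part of the Tectia documentation or product: it lists FTP-PROXY rules that permit plaintext fallback and flags those whose ports value is not a single port number. Treating only a single decimal port as unambiguous, and treating a missing fallback-to-plain attribute as disabled, are assumptions of this example; rules 2 and 3 in the sample are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: rule 1 is the page's example; rules 2 and 3 are made up.
SAMPLE = r"""<filter-engine>
  <rule application=".*" host=".*" ip-address=".*" ports="21"
        action="FTP-PROXY" hostname-from-app="yes"
        username-from-app="yes" fallback-to-plain="yes" />
  <rule application="ftp" host="files\.example\.org"
        action="FTP-PROXY" fallback-to-plain="yes" />
  <rule application=".*" host=".*" ports="21"
        action="FTP-PROXY" fallback-to-plain="no" />
</filter-engine>"""

# Assumption of this checker: "unambiguous" means one decimal port number.
SINGLE_PORT = re.compile(r"[0-9]{1,5}")


def audit_rules(xml_text):
    """Return (rule_number, finding) pairs for FTP-PROXY rules with fallback."""
    findings = []
    root = ET.fromstring(xml_text)
    # iter() also matches the root, so a bare <filter-engine> fragment works.
    for engine in root.iter("filter-engine"):
        for number, rule in enumerate(engine.findall("rule"), start=1):
            if rule.get("action") != "FTP-PROXY":
                continue
            # Assumption: a missing attribute means fallback is not enabled.
            if rule.get("fallback-to-plain", "no") != "yes":
                continue
            # Every such rule can send credentials and data in the clear.
            findings.append((number, "PLAINTEXT-FALLBACK"))
            ports = rule.get("ports", "")
            if not (SINGLE_PORT.fullmatch(ports) and 0 < int(ports) < 65536):
                findings.append((number, "AMBIGUOUS-PORT"))
    return findings


if __name__ == "__main__":
    for number, finding in audit_rules(SAMPLE):
        print(f"rule {number}: {finding}")
```

Run it against the filter-engine section of a Connection Broker configuration to review which rules can downgrade to plaintext FTP before they are deployed.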
To start a bash shell session with FTP-SFTP conversion enabled for all commands, run the following command:
$ ssh-capture bash
Note that there are limitations on capturing suid applications. For more information, see the Note about capture restrictions.