SSH

Enabling FTP-SFTP Conversion (Unix)

On Unix, the connection capture component performing the SFTP conversion is installed from a separate installation package ssh-tectia-capture. For installation instructions, see Chapter 2.

On Unix, activating FTP-SFTP conversion requires defining the filter rules for SFTP conversion in the Connection Broker configuration and then running the ssh-capture command.

The FTP-SFTP conversion settings are defined in the Connection Broker configuration file. The following example configuration converts all FTP connections to port 21 on any host to SFTP, and allows falling back to plaintext transfer mode if the secure connection cannot be established. The user name and the destination host name are taken from the application that initiates the connection.

<filter-engine>
    <rule application=".*"
          host=".*"
          ip-address=".*"
          ports="21"
          action="FTP-PROXY"
          hostname-from-app="yes"
          username-from-app="yes"
          fallback-to-plain="yes" />
</filter-engine>

With the above configuration, you can start an FTP session, for example to the host ftp.example.org, with FTP-SFTP conversion enabled by running the following command:

$ ssh-capture ftp ftp.example.org

Tectia ConnectSecure has an option to allow plaintext FTP to be used if the secure SFTP connection cannot be established. You can enable fallback to plaintext FTP in the configuration file as shown above, and additionally by adding the option -F (alias for --fallback) to the command:

$ ssh-capture -F ftp ftp.example.org

The -F option takes effect if ssh-capture cannot connect to the Connection Broker and the value of fallback-to-plain in the configuration file therefore cannot be checked.

When allowing fallback to plaintext with setting fallback-to-plain="yes", always specify the port unambiguously in the configuration. Otherwise, the connection to a plaintext FTP server may fail in passive mode file transfer.
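The following is an added example, not code from Tectia or this documentation: a small audit script that parses filter-engine rules like the one above and flags FTP-PROXY rules where fallback-to-plain="yes" is combined with a ports value that is not a single explicit port. It assumes only the rule attributes shown on this page, and its "single numeric port" test is this example's own definition of "unambiguous", not the product's.

```python
# Added example (not Tectia's code): audit Connection Broker filter-engine rules
# for the plaintext-fallback caveat described above. Assumes the rule attributes
# shown on this page (action, ports, fallback-to-plain); treating only a single
# numeric port as "unambiguous" is this example's assumption, not the product's.
import xml.etree.ElementTree as ET

# Constructed sample: the rule from this page plus two looser, made-up rules.
SAMPLE_CONFIG = """
<filter-engine>
    <rule application=".*" host=".*" ip-address=".*" ports="21"
          action="FTP-PROXY" hostname-from-app="yes"
          username-from-app="yes" fallback-to-plain="yes" />
    <rule application=".*" host="legacy.*" ip-address=".*" ports=".*"
          action="FTP-PROXY" fallback-to-plain="yes" />
    <rule application="myapp" host="ftp.internal.example" ip-address=".*"
          ports="21" action="FTP-PROXY" fallback-to-plain="no" />
</filter-engine>
"""

def port_is_unambiguous(ports):
    """True only for a single explicit TCP port number (example's assumption)."""
    return ports.isdigit() and 0 < int(ports) < 65536

def audit_rules(xml_text):
    """Return one finding dict per FTP-PROXY rule, with a severity and a note."""
    root = ET.fromstring(xml_text)
    findings = []
    for idx, rule in enumerate(root.iter("rule")):
        if rule.get("action") != "FTP-PROXY":
            continue  # only FTP-SFTP conversion rules are of interest here
        fallback = rule.get("fallback-to-plain", "no") == "yes"
        ports = rule.get("ports", "")
        finding = {"rule": idx, "host": rule.get("host"), "ports": ports,
                   "fallback": fallback, "severity": "info", "note": "SFTP only"}
        if fallback and not port_is_unambiguous(ports):
            # The page's caveat: fallback plus an ambiguous port can break
            # passive-mode transfers, and any fallback means a plaintext downgrade.
            finding.update(severity="high",
                           note="fallback-to-plain with ambiguous port")
        elif fallback:
            finding.update(severity="medium",
                           note="plaintext fallback permitted; confirm intended")
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_CONFIG):
        print(f"rule {f['rule']} host={f['host']} ports={f['ports']} "
              f"[{f['severity']}] {f['note']}")
```

Run it against your own ssh-broker-config file by replacing SAMPLE_CONFIG with the contents of that file's filter-engine element.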

To start a bash shell session with FTP-SFTP conversion enabled for all commands, run the following command:

$ ssh-capture bash

Note that there are limitations on capturing suid applications. For more information, see the Note about capture restrictions.