SSH Tectia  
Previous Next Up [Contents] [Index]

    About This Document >>
    Installing SSH Tectia Server for IBM z/OS >>
    Getting Started with SSH Tectia Server for IBM z/OS >>
    Configuring the Server >>
    Configuring the Client >>
    Authentication >>
    File Transfer Using SFTP >>
    File Transfer Using Transparent FTP Tunneling >>
    Tunneling on the Command Line >>
        Local Tunnels >>
        Remote Tunnels >>
        Tunneling FTP on the Command Line >>
            Tunneling FTP in Passive Mode
            Tunneling FTP in Active Mode
            Examples of FTP Tunneling
        Agent Forwarding
    Troubleshooting SSH Tectia Server for IBM z/OS >>
    Advanced Information >>
    Man Pages >>
    Log Messages >>

Tunneling FTP in Active Mode

In active mode, the FTP client creates a listener on a local port, for a data channel from the FTP server to the FTP client, and requests the channel by sending the IP address and the port number to the FTP server in a command of the following form: PORT 10,1,60,99,6,12. The Secure Shell client intercepts this command and creates a remote port forwarding from the localhost address of the Secure Shell server to the address and port specified in the PORT command.

After creating the tunnel, the Secure Shell client rewrites the address and port in the PORT command to point to the newly opened remote forwarding on the Secure Shell server and sends it to the FTP server. Now the FTP server will open a data channel to the address and port in the PORT command, effectively forwarding the data through the Secure Shell connection. The Secure Shell client passes the incoming data to the original listener created by the FTP client. The net effect is that the data channel is secure the whole way except from the Secure Shell client to the FTP client. This sequence of events takes place automatically for every data channel.

Since the tunnel is made to a localhost address on the Secure Shell client machine, the FTP client must be run on the same host as the Secure Shell client if passive mode is used.

Where end-to-end encryption of FTP data channels is desired, the FTP server and Secure Shell server need to reside on the same host, and the FTP client and the Secure Shell client will likewise need to reside on the same host. If this is the case, both active or passive mode can be used.

Note: Consider using sftp2 or scp2 instead of FTP forwarding to secure file transfers. It will require less configuration than FTP forwarding, since SSH Tectia Server for IBM z/OS already has sft-server-g3 as a subsystem, and sftp2 and scp2 clients are included in the distribution. Managing remote user restrictions on the server machine will be easier, since you do not have to do it also for FTP.

Previous Next Up [Contents] [Index]


[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]

Copyright © 2007 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.
Copyright Notice