How to use SSH to encrypt FTP control channel?
pmak0 12-25-2001, 08:12 PM
I've read some documents about using SSH port forwarding to allow encryption of the FTP control channel in order to protect the username and password.
I can't figure out how to make it work, though. I followed the instructions, but I can never establish a data channel even in PASV mode. This is what I'm doing:
(1) Establish the SSH tunnel:
[pmak@lina pmak]$ ssh -L2021:localhost:21 aaanime.net
Authentication successful.
Last login: Wed Dec 31 1969 19:00:00 -0500 from
You have mail.
(2) Connect to the tunneled port:
[pmak@lina pmak]$ ftp localhost 2021
Connected to localhost.localdomain.
220 sg1 FTP server (Version wu-2.6.0(1) Fri Jun 23 09:17:44 EDT 2000) ready.
Name (localhost:pmak): pmak
331 Password required for pmak.
Password:
230 User pmak logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote pasv
227 Entering Passive Mode (127,0,0,1,19,216)
ftp> ls
227 Entering Passive Mode (127,0,0,1,74,90)
ftp: connect: Connection refused
Attempts to do it using GUI FTP clients and checking the "Use PASV mode" box don't work either. Does anyone know what I did wrong?
ffeingol 12-25-2001, 10:26 PM
Which ssh are you using (on the server)? A number of them come with a sftp server (secure ftp) which should be a lot easier to setup.
Frank
pmak0 12-25-2001, 10:29 PM
I have a Secure FTP server and it works, and it works with my Secure FTP client. (I'm using SSH2, btw.)
But I'd like to have SSH tunneling of the FTP control connection for use by people who don't have Secure FTP clients (only normal FTP clients).
priyadi 12-26-2001, 01:54 AM
Can you use PASV mode when connected directly to your FTP server without SSH tunneling?
I tried your example and it worked fine for me. System: Mandrake Linux 7.2, WUFTPD 2.6.1, OpenSSH 2.3.0p1.
pmak0 12-26-2001, 02:06 AM
PASV works fine:
[pmak@lina pmak]$ ftp localhost
Connected to localhost.
220-=(<*>)=-.:. (( Welcome to PureFTPd 1.0.6 )) .:.-=(<*>)=-
220-You are user number 1 of 50 allowed
220-Local time is now 00:53 and the load is 0.00. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 120 minutes of inactivity.
Name (localhost:pmak): pmak
331 User pmak OK. Password required
Password:
230-User pmak has group access to: pmak
230 OK. Current directory is /usr/home/pmak
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,234,111).
150 Accepted data connection
drwx------ 4 pmak pmak 4096 Dec 25 17:49 Mail
drwx------ 5 pmak pmak 4096 Dec 25 17:35 Maildir
drwxrwxr-x 2 pmak pmak 4096 Dec 25 23:03 bin
lrwxrwxrwx 1 pmak pmak 4 Dec 24 19:07 mail -> Mail
-rw------- 1 pmak pmak 152560275 Dec 25 17:30 mbox
-rw-r--r-- 1 pmak pmak 13319750 Dec 25 05:49 sent.zip
226-Options: -l
226 6 matches total
Here's my hunch regarding why it's not working for me: Even with PASV on, a connection on another port has to be opened to the FTP server, but apparently ssh doesn't know to read the "227 Entering Passive Mode (127,0,0,1,141,154)." line from FTP and open a new port forward automatically?
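The 227 line pmak0 quotes is the place to look: under RFC 959 it carries the address and port the client must dial for the data channel (port = p1*256 + p2), and the 127,0,0,1 in it is the server's view of the tunnelled connection, which arrives from sshd on the server's own loopback. The client then dials its own loopback on that port, where nothing is listening. The following Python is an added example, not code from this thread: it decodes a 227 reply and checks whether the advertised data endpoint is covered by a static ssh -L forward (the forward set is constructed from the session above).

```python
import re
from typing import Set, Tuple

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)",
# with or without a trailing period (wu-ftpd omits it, PureFTPd adds it).
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (host, port) advertised by a 227 reply; port is p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"octet out of range in {reply!r}")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def data_channel_reachable(reply: str, local_forwards: Set[Tuple[str, int]]) -> bool:
    """True only if the advertised data endpoint is one of the ssh -L listeners.

    'ssh -L2021:localhost:21' opens exactly one local listener (TCP 2021);
    the data port in the 227 reply is chosen per transfer by the server,
    so a fixed forward cannot cover it.
    """
    return parse_pasv(reply) in local_forwards


if __name__ == "__main__":
    # Constructed from the sessions above: only the control channel is forwarded.
    forwards = {("127.0.0.1", 2021)}
    for line in (
        "227 Entering Passive Mode (127,0,0,1,19,216)",
        "227 Entering Passive Mode (127,0,0,1,234,111).",
    ):
        host, port = parse_pasv(line)
        ok = data_channel_reachable(line, forwards)
        print(f"{line} -> {host}:{port}, covered by tunnel: {ok}")
```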
priyadi 12-26-2001, 05:23 AM
Originally posted by pmak0
Here's my hunch regarding why it's not working for me: Even with PASV on, a connection on another port has to be opened to the FTP server, but apparently ssh doesn't know to read the "227 Entering Passive Mode (127,0,0,1,141,154)." line from FTP and open a new port forward automatically?
No, ssh doesn't read data, it only forwards data. PASV mode shouldn't require another port for data transfer. I suggest that you try a different FTP server (such as WU or ProFTPD) to see if the problem is with PureFTPD.
pmak0 12-26-2001, 08:20 AM
Originally posted by priyadi
No, ssh doesn't read data, it only forwards data. PASV mode shouldn't require another port for data transfer. I suggest that you try a different FTP server (such as WU or ProFTPD) to see if the problem is with PureFTPD.
Man... I'm not having any luck at all. :( I just tried this on a different system that uses OpenSSH (instead of ssh.com) and ProFTPd, but got the same problem.
priyadi 12-26-2001, 08:39 AM
Originally posted by pmak0
Man... I'm not having any luck at all. :( I just tried this on a different system that uses OpenSSH (instead of ssh.com) and ProFTPd, but got the same problem.
Well, that's strange indeed. Have you tried a different FTP client? Maybe it is something in your network configuration?
Here is an FTP session on my system:
[root@gerbang /root]# ftp localhost 2021
Connected to localhost.localdomain.
220 warnet-x.net FTP server (Version wu-2.6.1(1) Tue Oct 3 14:29:19 CEST 2000) ready.
Name (localhost:root): priyadi
331 Password required for priyadi.
Password:
230 User priyadi logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote pasv
227 Entering Passive Mode (127,0,0,1,158,200)
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for directory listing.
total 56046
drwxrwxr-x 19 502 502 495 Dec 25 2000 1
drwxrwxr-x 3 502 502 281 Dec 29 2000 2
d--x--x--x 2 502 502 52 Dec 30 2000 3
..... blah blah blah ...
226 Transfer complete.
ftp>