Forwarding FTP
FTP forwarding is an extension to the generic port forwarding
mechanism. The FTP control channel can be secured by using
generic port forwarding, but since the FTP protocol requires
creating separate TCP connections for the files to be
transferred, all the files would be transferred unencrypted
when using generic port forwarding, as these separate TCP
connections would not be forwarded automatically.
To protect the transferred files as well, use FTP forwarding
instead. It works similarly to generic port forwarding, except
that the FTP forwarding code monitors the forwarded FTP control
channel and dynamically creates new port forwardings for the
data channels as they are requested.
From the configuration point of view, the only port that needs to
be specified is TCP port 21, the port on which the FTP client
establishes the control connection to the remote server. The
source port on the client side is an ephemeral port chosen by the
client's operating system separately for each connection; it only
serves to direct the server's replies back to the right socket and
does not need to be configured.
This also matters when several users transfer files to the same
server from behind a NAT device such as a firewall. To the server,
all of their packets appear to come from the same address, and it
is the distinct (translated) source port of each connection that
allows the NAT device to deliver the return packets to the correct
user.
To see exactly how this dynamically created port forwarding is
done, two different cases need to be examined: the active mode
and the passive mode of the FTP protocol.
FTP in Passive Mode
In passive mode, the FTP client sends the command 'PASV' to the
server, which reacts by opening a listener port for the data
channel and sending the IP address and port number of the
listener as a reply to the client. The reply is of the form
'227 Entering Passive Mode (10,1,60,99,6,12)', where the first
four numbers are the IP address (10.1.60.99) and the last two
encode the port as p1*256+p2, here 6*256+12 = 1548.
When the Secure Shell client notices the reply to the PASV
command, it creates a local port forwarding to the destination
given in the reply. It then rewrites the IP address and port in
the reply to point to the listener of the newly created local
port forwarding (which always listens on the localhost address,
127.0.0.1) and passes the rewritten reply to the FTP client. The
FTP client opens a data channel based on the reply, and the data
is thereby tunneled through the SSH connection to the listener
the FTP server has opened. The net effect is that the data
channel is secure all the way except from the Secure Shell
server to the FTP server, if those are on different machines.
This sequence of events happens automatically for every data
channel.
Since the port forwarding is opened to a local host address,
the FTP client must be run on the same machine as the Secure
Shell client if passive mode is used.
FTP in Active Mode
In active mode, the FTP client creates a listener on a local port, for a data
channel from the FTP server to the FTP client, and requests the channel by
sending the IP address and the port number to the FTP server in a command of the
following form: 'PORT 10,1,60,99,6,12' (the same address and port encoding as in
the passive-mode reply). The Secure Shell client intercepts this command and
creates a remote port forwarding from the Secure Shell server's localhost address
to the address and port specified in the PORT command.
After creating the port forwarding, the Secure Shell client rewrites the address
and port in the PORT command to point to the newly opened remote forwarding on
the Secure Shell server and sends it to the FTP server. Now the FTP server will
open a data channel to the address and port in the PORT command, effectively
forwarding the data through the SSH connection. The Secure Shell client passes
the incoming data to the original listener created by the FTP client. The net
effect is that the data channel is secure the whole way except from the Secure
Shell client to the FTP client. This sequence of events happens automatically
for every data channel.
Since the Secure Shell client delivers the forwarded data to the listener on a
local host address of the Secure Shell client machine, the FTP client must be
run on the same host as the Secure Shell client if active mode is used.
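The rewriting step that both the passive-mode and the active-mode descriptions above rely on is shown here as an added example; it is not code from the Secure Shell product. It parses the '227 ... (h1,h2,h3,h4,p1,p2)' reply and the 'PORT h1,h2,h3,h4,p1,p2' command, records the original endpoint, and substitutes a loopback listener. The Forwarder class, its sequential port numbers (40000 and 50000 upwards), the control_peer fallback for servers that advertise 0.0.0.0, and the sample lines are all assumptions of this example; a real client asks the operating system for a free port and actually opens the listener or requests the remote forwarding.

```python
import re
from ipaddress import IPv4Address

# The two FTP messages that carry a data-channel endpoint as h1,h2,h3,h4,p1,p2.
PASV_REPLY_RE = re.compile(
    rb"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
PORT_CMD_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$",
    re.IGNORECASE)


def decode_hostport(fields):
    """Turn the six h1..p2 fields into (host, port). Malformed input raises
    ValueError so a forwarder can fail closed instead of passing the line on
    unchanged (which would let the data channel bypass the tunnel)."""
    vals = [int(f) for f in fields]
    if any(v > 255 for v in vals):
        raise ValueError("field out of range: %r" % (fields,))
    host = ".".join(str(v) for v in vals[:4])
    port = vals[4] * 256 + vals[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data-channel endpoint")
    return host, port


def encode_hostport(host, port):
    """Inverse of decode_hostport: ('a.b.c.d', port) -> b'a,b,c,d,p1,p2'."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    octets = str(IPv4Address(host)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)]).encode()


class Forwarder:
    """Stand-in (assumption of this example) for the Secure Shell client's
    table of dynamically created forwardings. Local forwardings listen on the
    client host's 127.0.0.1, remote forwardings on the server host's 127.0.0.1."""

    def __init__(self, local_base=40000, remote_base=50000):
        self.local = {}    # listener port on the client host -> original target
        self.remote = {}   # listener port on the server host -> original target
        self._next_local = local_base
        self._next_remote = remote_base

    def add_local(self, target):
        port = self._next_local
        self._next_local += 1
        self.local[port] = target
        return "127.0.0.1", port

    def add_remote(self, target):
        port = self._next_remote
        self._next_remote += 1
        self.remote[port] = target
        return "127.0.0.1", port


def rewrite_pasv_reply(line, fw, control_peer=None):
    """Server -> client direction (passive mode). Returns (rewritten_line,
    original_target); lines that are not a 227 reply pass through with None."""
    m = PASV_REPLY_RE.match(line)
    if m is None:
        return line, None
    host, port = decode_hostport(m.groups())
    # Some servers behind NAT advertise 0.0.0.0; if the caller supplies the
    # control connection's peer address, use that as the real target instead.
    if control_peer is not None and host == "0.0.0.0":
        host = control_peer
    lhost, lport = fw.add_local((host, port))
    rewritten = line[:m.start(1)] + encode_hostport(lhost, lport) + line[m.end(6):]
    return rewritten, (host, port)


def rewrite_port_command(line, fw):
    """Client -> server direction (active mode). Returns (rewritten_line,
    original_target); lines that are not a PORT command pass through with None."""
    m = PORT_CMD_RE.match(line)
    if m is None:
        return line, None
    host, port = decode_hostport(m.groups())
    rhost, rport = fw.add_remote((host, port))
    rewritten = line[:m.start(1)] + encode_hostport(rhost, rport) + line[m.end(6):]
    return rewritten, (host, port)


if __name__ == "__main__":
    fw = Forwarder()
    # Constructed sample messages, matching the ones quoted in the text.
    print(rewrite_pasv_reply(b"227 Entering Passive Mode (10,1,60,99,6,12)\r\n", fw))
    print(rewrite_port_command(b"PORT 10,1,60,99,6,12\r\n", fw))
    print(fw.local, fw.remote)
```

In the passive case the FTP client ends up connecting to 127.0.0.1 on the rewritten port, which is why it has to run on the Secure Shell client host; in the active case the FTP server connects to the Secure Shell server's loopback, and the tunneled connection is then handed to the listener the FTP client originally advertised.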
Where end-to-end encryption of the FTP data channels is desired, the FTP server
and the Secure Shell server need to reside on the same host, and the FTP client
and the Secure Shell client likewise need to reside on the same host. If this is
the case, either active or passive mode can be used.
Note: Consider using sftp2 or scp2
(see Appendices) instead of FTP
forwarding to secure file transfers. They require less
configuration than FTP forwarding, since the
server already has sftp-server2 as a subsystem, and the
sftp2 and scp2 clients are included in the
distribution.