Your browser does not allow storing cookies. We recommend enabling them.

SSH Tectia

FTP Tunneling

FTP tunneling is an extension to the generic tunneling mechanism. The FTP control channel can be secured by using generic port forwarding, but since the FTP protocol requires creating separate TCP connections for the files to be transferred, all the files would be transferred unencrypted when using generic port forwarding, as these separate TCP connections would not be forwarded automatically.

To protect also the transferred files, FTP forwarding can be used instead. It works similarly to generic port forwarding, except that the FTP forwarding code monitors the forwarded FTP control channel and dynamically creates new port forwardings for the data channels as they are requested.

FTP tunneling works for both local and remote tunnels, but it must always be explicitly requested.

On the command line, this can be done by using a command with the following syntax:

sshclient$ sshg3 -L ftp/1234:localhost:21 username@sshserver

FTP tunnels can also be defined for connection profiles in the Connection Broker configuration file. The following is an example from a ssh-broker-config.xml file:

<profile id="id1" host="">
     <local-tunnel type="ftp" 
                   dst-port="21" />

The FTP connection can then be made with a command like the following:

sshclient$ ftp localhost 1234

The FTP connection to port 1234 on client is now tunneled to port 21 on the Secure Shell server.

When using SSH Tectia Client with the Windows GUI, the tunneling settings can be made under Profile Settings → Tunneling. See Defining Tunneling (SSH Tectia Client).

The typical use case is that the FTP client is located on the same host as SSH Tectia Client and the FTP server is on the same host as the Secure Shell server. However, other configurations are also supported.

Where end-to-end encryption of FTP data channels is desired, the FTP server and Secure Shell server need to reside on the same host, and the FTP client and SSH Tectia Client will likewise need to reside on the same host.


Consider using sftpg3 or scpg3 instead of FTP forwarding to secure file transfers. It will require less configuration than FTP forwarding, since SSH Tectia Server already has sft-server-g3 as a subsystem, and sftpg3 and scpg3 clients are included with SSH Tectia Client. Managing remote user restrictions on the server machine will be easier, since you do not have to do it also for FTP.




What to read next:

  • Reduce Secure Shell risk. Get to know the NIST 7966.

    The NISTIR 7966 guideline from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government.
    Download now
  • ISACA Practitioner Guide for SSH

    With contributions from practitioners, specialists and SSH.COM experts, the ISACA “SSH: Practitioner Considerations” guide is vital best practice from the compliance and audit community.
    Download now