SSH

Enabling FTP-SFTP Conversion (Unix)

On Unix, the connection capture component performing the SFTP conversion is installed from a separate installation package ssh-tectia-capture. For installation instructions, see Chapter 2.

On Unix, the FTP-SFTP conversion activation requires defining the filter rules for SFTP conversion in the Connection Broker configuration and then running the ssh-capture command.

The FTP-SFTP conversion settings are defined in the Connection Broker configuration file. The following example configuration converts any FTP connections to port 21 on any host to SFTP. The user name and the destination host name are taken from the application that initiates the connection.

<filter-engine>
    <rule application=".*"
          host=".*"
          ip-address=".*"
          ports="21"
          action="FTP-PROXY"
          hostname-from-app="yes"
          username-from-app="yes" />
</filter-engine>

With the above configuration, you can start an FTP session for example to host address ftp.example.org with FTP-SFTP conversion enabled by running the following command:

$ ssh-capture ftp ftp.example.org

To start a bash shell session with FTP-SFTP conversion enabled for all commands, run the following command:

$ ssh-capture bash

Note that there are limitations on capturing suid applications. For more information, see the Note about capture restrictions.

In addition, if the target SFTP server is configured to send a banner to the client, the Connection Broker can forward the SFTP server banner to the FTP client if the rule contains the following line:

show-sftp-server-banner="yes"

For example:

<filter-engine>
    <rule application=".*"
          host=".*"
          ip-address=".*"
          ports="21"
          action="FTP-PROXY"
          hostname-from-app="yes"
          username-from-app="yes"
          show-sftp-server-banner="yes" />
</filter-engine>

If a connection profile is used in the FTP-SFTP conversion, you must create a filter rule that specifies the used connection profile, and to make sure that show-sftp-server-banner="yes" is included in the rule.

[Note]Note
Make sure that you have enabled showing the server banner (server-banners visible="yes") in the connection default Connection Broker configuration, or in the used connection profile if the default settings are not used.
[Note]Note
Sending SFTP server banner to the FTP client will cause an extra connection opening to the target SFTP server for retrieving the banner message.

In case of a failure in retrieving the banner message from the target SFTP server, the banner that Connection Broker forwards to the FTP client includes an error description, a default banner, and the following text:

Can't fetch banner from SFTP Server