Enabling FTP-SFTP Conversion (Unix)

On Unix, the connection capture component performing the SFTP conversion is installed from a separate installation package ssh-tectia-capture. For installation instructions, see Chapter 2.

On Unix, activating FTP-SFTP conversion requires defining the filter rules for SFTP conversion in the Connection Broker configuration and then running the ssh-capture command.

The FTP-SFTP conversion settings are defined in the Connection Broker configuration file. The following example configuration converts any FTP connections to port 21 on any host to SFTP. The user name and the destination host name are taken from the application that initiates the connection.

<filter-engine>
    <rule application=".*"
          host=".*"
          ip-address=".*"
          ports="21"
          action="FTP-PROXY"
          hostname-from-app="yes"
          username-from-app="yes" />
</filter-engine>

With the above configuration, you can start an FTP session to, for example, the host ftp.example.org with FTP-SFTP conversion enabled by running the following command:

$ ssh-capture ftp ftp.example.org

To start a bash shell session with FTP-SFTP conversion enabled for all commands, run the following command:

$ ssh-capture bash

Note that there are limitations on capturing suid applications. For more information, see the Note about capture restrictions.

In addition, if the target SFTP server is configured to send a banner to the client, the Connection Broker can forward the SFTP server banner to the FTP client if the rule contains the following line:

show-sftp-server-banner="yes"

For example:

<filter-engine>
    <rule application=".*"
          host=".*"
          ip-address=".*"
          ports="21"
          action="FTP-PROXY"
          hostname-from-app="yes"
          username-from-app="yes"
          show-sftp-server-banner="yes" />
</filter-engine>

If a connection profile is used in the FTP-SFTP conversion, you must create a filter rule that specifies the used connection profile, and make sure that show-sftp-server-banner="yes" is included in that rule.
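The filter rule above and the banner requirement can be checked before deploying a configuration. The following script is an added example, not part of the SSH Tectia documentation or product: it parses a constructed filter-engine fragment, reports which rule would capture a given FTP connection, and flags FTP-PROXY rules that lack show-sftp-server-banner="yes". The matching semantics (regex full-match on application, host and ip-address; comma-separated ports or a-b ranges) are assumptions for illustration, not the documented behaviour of the filter engine.

```python
"""Dry-run and lint Connection Broker filter-engine rules (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the documented catch-all rule plus a second rule for an
# alternative FTP port that forgets to request the SFTP server banner.
SAMPLE_CONFIG = r"""
<filter-engine>
    <rule application=".*" host=".*" ip-address=".*" ports="21"
          action="FTP-PROXY" hostname-from-app="yes" username-from-app="yes"
          show-sftp-server-banner="yes" />
    <rule application="lftp" host=".*\.example\.org" ip-address=".*"
          ports="2121" action="FTP-PROXY" hostname-from-app="yes"
          username-from-app="yes" />
</filter-engine>
"""

def _port_matches(ports_attr, port):
    """Assumed syntax: comma-separated single ports or lo-hi ranges."""
    for item in ports_attr.split(","):
        lo, _, hi = item.strip().partition("-")
        if lo and int(lo) <= port <= int(hi or lo):
            return True
    return False

def parse_rules(xml_text):
    """Return the attribute dictionaries of all <rule> elements, in file order."""
    return [rule.attrib for rule in ET.fromstring(xml_text).iter("rule")]

def match_rule(rules, application, host, ip, port):
    """Return the first rule whose selectors all match, or None (assumed semantics)."""
    for rule in rules:
        if (re.fullmatch(rule.get("application", ".*"), application)
                and re.fullmatch(rule.get("host", ".*"), host)
                and re.fullmatch(rule.get("ip-address", ".*"), ip)
                and _port_matches(rule.get("ports", ""), port)):
            return rule
    return None

def lint_rules(rules):
    """Flag FTP-PROXY rules that will not forward the SFTP server banner."""
    findings = []
    for index, rule in enumerate(rules):
        if rule.get("action") == "FTP-PROXY" and rule.get("show-sftp-server-banner") != "yes":
            findings.append(f'rule {index}: FTP-PROXY without show-sftp-server-banner="yes"')
    return findings
```

Remember that forwarding the banner also requires server-banners visible="yes" in the default Connection Broker configuration or in the connection profile used, which this script does not check.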

Note: Make sure that you have enabled showing the server banner (server-banners visible="yes") in the default Connection Broker configuration, or in the connection profile used if the default settings are not used.

Note: Sending the SFTP server banner to the FTP client causes an extra connection to be opened to the target SFTP server to retrieve the banner message.

If retrieving the banner message from the target SFTP server fails, the banner that the Connection Broker forwards to the FTP client includes an error description, a default banner, and the following text:

Can't fetch banner from SFTP Server
