Your browser does not allow storing cookies. We recommend enabling them.

SSH Tectia 
PreviousNextUp[Contents] [Index]

    About This Document >>
    Installing SSH Tectia Server >>
    Getting Started >>
    Configuration >>
    Authentication >>
    Application Tunneling >>
        Incoming and Outgoing Tunnels >>
        Tunneling FTP >>
            Tunneling FTP in Passive Mode
            Tunneling FTP in Active Mode
        Tunneling X11
        Agent Forwarding
        Dynamic Tunneling
    Troubleshooting >>
    Man Pages
    Advanced Options >>
    Log Messages >>

Tunneling FTP in Active Mode

In active mode, the FTP client creates a listener on a local port, for a data channel from the FTP server to the FTP client, and requests the channel by sending the IP address and the port number to the FTP server in a command of the following form: PORT 10,1,60,99,6,12. The Secure Shell client intercepts this command and creates a remote port forwarding from the localhost address of the Secure Shell server to the address and port specified in the PORT command.

After creating the tunnel, the Secure Shell client rewrites the address and port in the PORT command to point to the newly opened remote forwarding on the Secure Shell server and sends it to the FTP server. Now the FTP server will open a data channel to the address and port in the PORT command, effectively forwarding the data through the Secure Shell connection. The Secure Shell client passes the incoming data to the original listener created by the FTP client. The net effect is that the data channel is secure the whole way except from the Secure Shell client to the FTP client. This sequence of events takes place automatically for every data channel.

Since the tunnel is made to a localhost address on the Secure Shell client machine, the FTP server must be run on the same host as the Secure Shell server if active mode is used.

Where end-to-end encryption of FTP data channels is desired, the FTP server and Secure Shell server need to reside on the same host, and the FTP client and the Secure Shell client will likewise need to reside on the same host. If this is the case, both active or passive mode can be used.

Note: Consider using sftp2 or scp2 instead of FTP forwarding to secure file transfers. It will require less configuration than FTP forwarding, since SSH Tectia Server already has sftp-server2 as a subsystem, and sftp2 and scp2 clients are included in the distribution. Managing remote user restrictions on the server machine will be easier, since you do not have to do it also for FTP.

PreviousNextUp[Contents] [Index]

[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]

Copyright © 2010 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.
Copyright Notice




What to read next:

  • Reduce Secure Shell risk. Get to know the NIST 7966.

    The NISTIR 7966 guideline from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government.
    Download now
  • ISACA Practitioner Guide for SSH

    With contributions from practitioners, specialists and SSH.COM experts, the ISACA “SSH: Practitioner Considerations” guide is vital best practice from the compliance and audit community.
    Download now