Tunneling FTP in Active Mode
In active mode, the FTP client creates a listener on a local port, for a data channel from the FTP server to the FTP client, and requests the channel by sending the IP address and the port number to the FTP server in a command of the following form:
PORT 10,1,60,99,6,12. The Secure Shell client intercepts this command and creates a remote port forwarding from the localhost address of the Secure Shell server to the address and port specified in the
After creating the tunnel, the Secure Shell client rewrites the address and port in the
PORT command to point to the newly opened remote forwarding on the Secure Shell server and sends it to the FTP server. Now the FTP server will open a data channel to the address and port in the
PORT command, effectively forwarding the data through the Secure Shell connection. The Secure Shell client passes the incoming data to the original listener created by the FTP client. The net effect is that the data channel is secure the whole way except from the Secure Shell client to the FTP client. This sequence of events takes place automatically for every data channel.
Since the tunnel is made to a localhost address on the Secure Shell client machine, the FTP client must be run on the same host as the Secure Shell client if passive mode is used.
Where end-to-end encryption of FTP data channels is desired, the FTP server and Secure Shell server need to reside on the same host, and the FTP client and the Secure Shell client will likewise need to reside on the same host. If this is the case, both active or passive mode can be used.
Note: Consider using
scp2 instead of FTP forwarding to secure file transfers. It will require less configuration than FTP forwarding, since SSH Tectia Server for IBM z/OS already has
sft-server-g3 as a subsystem, and
scp2 clients are included in the distribution. Managing remote user restrictions on the server machine will be easier, since you do not have to do it also for FTP.