Tunneling FTP in Active Mode
In active mode, the FTP client creates a listener on a local port, for a data
channel from the FTP server to the FTP client, and requests the channel by
sending the IP address and the port number to the FTP server in a command of the
PORT 10,1,60,99,6,12. The Secure Shell client intercepts this
command and creates a remote port forwarding from the localhost address of the Secure Shell server
to the address and port specified in the
After creating the tunnel, the Secure Shell client rewrites the address
and port in the
PORT command to point to the newly opened remote forwarding on
the Secure Shell server and sends it to the FTP server. Now the FTP server will
open a data channel to the address and port in the
PORT command, effectively
forwarding the data through the Secure Shell connection. The Secure Shell client passes
the incoming data to the original listener created by the FTP client. The net
effect is that the data channel is secure the whole way except from the Secure
Shell client to the FTP client. This sequence of events takes place automatically
for every data channel.
Since the tunnel is made to a localhost address on the Secure Shell
client machine, the FTP client must be run on the same host as the Secure Shell
client if passive mode is used.
Where end-to-end encryption of FTP data channels is desired, the FTP server and
Secure Shell server need to reside on the same host, and the FTP client and the
Secure Shell client will likewise need to reside on the same host. If this is
the case, both active or passive mode can be used.
Note: Consider using
scp2 instead of FTP
forwarding to secure file transfers. It will require less configuration than FTP
forwarding, since SSH Tectia Server for IBM z/OS already has
sft-server-g3 as a
scp2 clients are included in
the distribution. Managing remote user restrictions on the server
machine will be easier, since you do not have to do it also for FTP.