ssh-socks-proxy-config.xml configuration file
uses the same format as the
For a detailed description of the elements used in the configuration, see Appendix Connection Broker and SOCKS Proxy Configuration Files in the Tectia Server 6.3 for IBM z/OS User Manual.
The example configuration file shown below tunnels all FTP connections
using the host name and user name provided by the FTP client application. To
enable the configuration, copy the text to
You can edit the
file using a normal text editor.
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE secsh-broker SYSTEM "/opt/tectia/etc/ssh-tectia/auxdata/ssh-broker-ng/ssh-broker-ng-config-1.dtd">
<secsh-broker version="6.3" >
  <default-settings>
    <authentication-methods>
      <auth-password />
      <auth-keyboard-interactive />
    </authentication-methods>
  </default-settings>
  <profiles>
    <profile name="dynamic-ftp" id="id1" host="" port="22" user="">
    </profile>
  </profiles>
  <static-tunnels>
    <tunnel type="socks-proxy" listen-address="127.0.0.1" listen-port="1080" dst-port="0" profile="" />
  </static-tunnels>
  <filter-engine>
    <rule ip-address=".*" ports="21" action="ftp-tunnel" profile-id="id1" username-from-app="YES" hostname-from-app="YES" fallback-to-plain="NO" />
  </filter-engine>
  <logging>
    <log-events facility="auth" severity="informational">
      Connector_filter_rule
    </log-events>
  </logging>
</secsh-broker>
The following settings are required in the
ssh-socks-proxy-config.xml file to enable transparent FTP
tunneling or FTP-SFTP conversion:
default-settings element defines, for example, the user
authentication methods used by the Tectia SOCKS Proxy. Requiring password
authentication ensures that the password information provided by the FTP
client application is used.
At least one
profile element must be defined.
id must be a unique identifier that does not
change during the lifetime of the profile.
name can be given to the profile. This is
a free-form text string.
host attribute defines the address of the Secure
Shell server host. If it is left empty and/or hostname-from-app="yes" is set
in the filter rule, the Secure Shell connection
is opened to the destination host given in the SOCKS request. Otherwise the
Secure Shell connection is opened to the host specified in the profile and, in
FTP tunneling, the FTP connections are forwarded to the requested hosts.
port attribute specifies the Secure Shell server
port. The default port is
user attribute specifies the user name on the Secure
Shell server. If it is left empty, the user name given by the FTP client
is used when opening the Secure Shell connection.
At least one
tunnel element must be defined.
For transparent tunneling, the tunnel
type must be
"socks-proxy" and the
listen-address is usually the loopback address
"127.0.0.1", but can be the address of any local
interface that should be listened on.
dst-port attribute is set to
profile attribute is left empty when transparent
tunneling and FTP-SFTP conversion are used.
At least one
rule element must be defined.
ip-address attribute specifies the target host IP
address to be filtered. It can be a regular expression. Connections to the
specified address are captured. With transparent FTP tunneling and FTP-SFTP
conversion, this can usually be set to capture all connections
(".*"), as the connections are already filtered by the SOCKS Proxy.
ports attribute specifies the ports to be
filtered. It can be a single port or a range. A range is specified with a
dash between two integers (such as
action attribute specifies the action to be done
when a filter is used. For transparent FTP tunneling, the action is
"ftp-tunnel". For FTP-SFTP conversion, the action
profile-id attribute is a reference to a
profile element and should contain the same value as the
id attribute of the profile.
hostname-from-app attribute defines whether the
SOCKS Proxy should extract the Secure Shell server's host name from data sent by
the application, or use a Secure Shell server defined by the connection
profile-id. With Tectia SOCKS Proxy on z/OS, this is
usually set to
"yes". Note that this requires that a Secure
Shell server is installed on each destination server (or that
fallback-to-plain is enabled to allow direct connections to
those servers that do not have Secure Shell installed).
username-from-app attribute defines whether the FTP
tunneling or FTP-SFTP conversion extracts the user name from data sent
by the FTP application. With Tectia SOCKS Proxy on z/OS, this is usually set to
"yes". This setting will override any user name settings
made in a related connection profile.
When applying the filter rule, if creating the tunnel fails or the
connection to the Secure Shell server fails, the SOCKS Proxy will normally
return a "host not reachable" error. However, if the
attribute is set to
"yes", a direct (unsecured) connection
is used instead.
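As an added illustration, not part of the Tectia documentation or product, the following Python script checks an ssh-socks-proxy-config.xml document against the requirements listed above (at least one profile, tunnel and rule; unique profile ids; socks-proxy tunnel with an empty profile; well-formed ports; a profile-id that resolves) and flags fallback-to-plain, since a rule that permits an unsecured direct connection deserves review. The embedded sample configuration is constructed from the page's example with the DOCTYPE omitted, and the finding messages are the script's own wording.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the page's example (DOCTYPE omitted so it parses offline).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8" ?>
<secsh-broker version="6.3">
  <profiles>
    <profile name="dynamic-ftp" id="id1" host="" port="22" user=""/>
  </profiles>
  <static-tunnels>
    <tunnel type="socks-proxy" listen-address="127.0.0.1" listen-port="1080" dst-port="0" profile=""/>
  </static-tunnels>
  <filter-engine>
    <rule ip-address=".*" ports="21" action="ftp-tunnel" profile-id="id1"
          username-from-app="YES" hostname-from-app="YES" fallback-to-plain="NO"/>
  </filter-engine>
</secsh-broker>
"""
PORT_SPEC = re.compile(r"^\d{1,5}(-\d{1,5})?$")  # single port or dash-separated range

def check_config(xml_text):
    """Return a list of findings; an empty list means every checked requirement holds."""
    root = ET.fromstring(xml_text)
    findings = []
    profiles = root.findall("./profiles/profile")
    tunnels = root.findall("./static-tunnels/tunnel")
    rules = root.findall("./filter-engine/rule")
    for name, elems in (("profile", profiles), ("tunnel", tunnels), ("rule", rules)):
        if not elems:
            findings.append(f"at least one {name} element must be defined")
    # Profile ids must be unique: a rule's profile-id has to resolve to exactly one profile.
    ids = [p.get("id") for p in profiles]
    if len(ids) != len(set(ids)):
        findings.append("profile id values are not unique")
    # Transparent tunneling needs type socks-proxy and an empty profile attribute.
    for t in tunnels:
        if t.get("type") != "socks-proxy":
            findings.append(f"tunnel type {t.get('type')!r} is not socks-proxy")
        if t.get("profile"):
            findings.append("tunnel profile must be empty for transparent tunneling")
    # Rules: ports well-formed, profile-id resolvable; fallback-to-plain flagged (unsecured fallback).
    for r in rules:
        ports = r.get("ports", "")
        if not PORT_SPEC.match(ports):
            findings.append(f"rule ports {ports!r} is not a port or a dash-separated range")
        if r.get("profile-id") not in ids:
            findings.append(f"rule profile-id {r.get('profile-id')!r} matches no profile id")
        if (r.get("fallback-to-plain") or "").lower() == "yes":
            findings.append("fallback-to-plain is yes: FTP may fall back to an unsecured connection")
    return findings
```

Running check_config(SAMPLE_CONFIG) returns an empty list for the page's configuration; a rule with a dangling profile-id or fallback-to-plain="yes" produces one finding each.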