ssh-socks-proxy-config.xml configuration file uses the same format as the
ssh-broker-config.xml configuration file.
For a detailed description of the elements used in the configuration, see Appendix Connection Broker and SOCKS Proxy Configuration Files in Tectia Server 6.6 for IBM z/OS User Manual.
An example configuration file shown below tunnels all FTP connections using the host name and user name provided by the FTP client application. To enable the configuration, copy the text to
/opt/tectia/etc/ssh-socks-proxy-config.xml. You can edit the
ssh-socks-proxy-config.xml configuration file using a normal text editor.
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE secsh-broker SYSTEM "/opt/tectia/etc/ssh-tectia/auxdata/ssh-broker-ng/ssh-broker-ng-config-1.dtd"> <secsh-broker version="6.6" > <default-settings> <authentication-methods> <auth-password /> <auth-keyboard-interactive /> </authentication-methods> </default-settings> <profiles> <profile name="dynamic-ftp" id="id1" host="" port="22" user=""> </profile> </profiles> <static-tunnels> <tunnel type="socks-proxy" listen-address="127.0.0.1" listen-port="1080" dst-port="0" profile="" /> </static-tunnels> <filter-engine> <rule ip-address=".*" ports="21" action="ftp-tunnel" profile-id="id1" username-from-app="YES" hostname-from-app="YES" fallback-to-plain="NO" /> </filter-engine> <logging> <log-events facility="auth" severity="informational"> Connector_filter_rule </log-events> </logging> </secsh-broker>
The following settings are required in the
ssh-socks-proxy-config.xml file to enable transparent FTP tunneling or FTP-SFTP conversion:
default-settingselement defines, for example, the user authentication methods used by the Tectia SOCKS Proxy. Requiring password authentication ensures that the password information provided by the FTP client application is used.
At least one
profileelement must be defined.
idmust be a unique identifier that does not change during the lifetime of the profile.
namecan be given to the profile. This is a free-form text string. The name must not contain any blanks/spaces.
hostattribute defines the address of the Secure Shell server host. If it is left empty and/or under the
hostname-from-app="yes", the Secure Shell connection is opened to the destination host given in the SOCKS request. Otherwise the Secure Shell connection is opened to the host specified in the profile and in FTP tunneling, FTP connections are forwarded to the requested hosts.
portattribute specifies the Secure Shell server port. The default port is
userattribute specifies the user name on the Secure Shell server. If it is left empty, the user name given by the FTP client is used when opening the Secure Shell connection.
At least one
tunnelelement must be defined.
For transparent tunneling, the tunnel
typemust be set as
listen-addressis usually the loopback address
"127.0.0.1", but can be an address of any local interface that will be listened.
dst-portattribute is set to
profileattribute is left empty when transparent tunneling and FTP-SFTP conversion are used.
At least one
ruleelement must be defined.
ip-addressattribute specifies the target host IP address to be filtered. It can be a regular expression. Connections to the specified address are captured. With transparent FTP tunneling and FTP-SFTP conversion, this can be usually set to capture all connections (
".*"), as the connections are already filtered by the SOCKS Proxy settings.
portsattribute specifies the ports to be filtered. It can be a single port or a range. A range is specified with a dash between two integers (such as
actionattribute specifies the action to be done when a filter is used. For transparent FTP tunneling, the action is
"ftp-tunnel". For FTP-SFTP conversion, the action is
profile-idattribute is a reference to a
profileelement and should contain the same value as the
idattribute of the profile.
hostname-from-appattribute defines whether the SOCKS Proxy should extract the Secure Shell server's host name from data sent by the application, or use a Secure Shell server defined by the connection profile in
profile-id. With Tectia SOCKS Proxy on z/OS, this is usually set to
"yes". Note that this requires that a Secure Shell server is installed to each destination server (or that
fallback-to-plainis enabled to allow direct connections to those servers that do not have Secure Shell installed).
username-from-appattribute defines whether the FTP tunneling or FTP-SFTP conversion extracts the user name from data sent by the FTP application. With Tectia SOCKS Proxy on z/OS, this is usually set to
"yes". This setting will override any user name settings made in a related connection profile.
When applying the filter rule, if creating the tunnel fails or the connection to the Secure Shell server fails, the SOCKS Proxy will normally return a "host not reachable" error. However, if the
fallback-to-plainattribute is set to
"yes", a direct (unsecured) connection is used instead.