> I know there are problems with a ssh tunnel for the data channel. I was
> just trying to get the basics done and get a tunnel for the control
> connection with a functional passive yet unencrypted data channel.

Don't bother. Proceed directly to an entirely SSH solution, with chroot
cages if you need them to control user access to the server system, or go to
WebDAV (which is built into Apache these days and runs over SSL quite