Help: FTP over SSH to Windows FTP server behind Linux gateway/firewall

From: Chuck Renner (chuck@dataoncd.com)
Date: 03/26/02


Help!

I've seen this question posted almost 100 times, but I have never seen
anyone get a real answer to it.

I already know about scp and sftp, and they are worthless to me for what
I need to do. I need to host the ftp server on the Windows machine for
file access and control reasons.

Here goes:

How do I encrypt a regular ftp session over SSH with the following
circumstances:

  1. The ftp client is a Windows machine on a LAN in office #1.

  2. The ssh daemon is a Linux machine that is directly on the
     internet, and serves as the internet gateway for the LAN in office
     #2.

  3. The ftp server is a Windows machine on a LAN in office #2.

  4. I need the ftp client on the Windows Machine in office #1 to
     connect via port-forwarding (through SSH on the linux machine) to
     the ftp server on the Windows machine in office #2.

Without ssh, and through port forwarding, the process would look like
this:
key:
lp: = local port:
rp: = remote port:
r = random
ar = assigned port range
> = TCP session established in outgoing direction
< = TCP session established in incoming direction

(Active FTP example)
     ---------                 ---------                 ---------
     |       | control sess.   |       | control sess.   |       |
     |  ftp  |-(lp:r)-(rp:21)->| linux |-(lp:r)-(rp:21)->|  ftp  |
     | client| data session    |gateway| data session    | server|
     |       |<-(lp:r)-(rp:20)-|       |<-(lp:r)-(rp:20)-|       |
     ---------                 ---------                 ---------
or this:
(Passive FTP)
     ---------                  ---------                  ---------
     |       | control sess.    |       | control sess.    |       |
     |  ftp  |-(lp:r)-(rp:21)-->| linux |-(lp:r)-(rp:21)-->|  ftp  |
     | client| data session     |gateway| data session     | server|
     |       |-(lp:r)-(rp:ar)-->|       |-(lp:r)-(rp:ar)-->|       |
     ---------                  ---------                  ---------

With ssh port forwarding the process SHOULD look like this:
key:
lp: = local port:
rp: = remote port:
r = random
ar = assigned port range
> = TCP session established in outgoing direction
< = TCP session established in incoming direction

(Active FTP example)
     ---------                 ---------                 ---------
     |  ssh  |-(lp:r)-(rp:22)->|  ssh  |                 |       |
     | client|                 | daemon|                 |       |
     |       |--------tunnel-----tunnel-----tunnel-------|       |
     |       |      control session over ssh tunnel      |       |
     |  ftp  |---(lp:21)->---->--------->---->-(rp:21)-->|  ftp  |
     | client|       data session over ssh tunnel        | server|
     |       |---(lp:20)-<----<---------<----<-(rp:20)---|       |
     |       |--------tunnel-----tunnel-----tunnel-------|       |
     |       |                 |       |                 |       |
     ---------                 ---------                 ---------
or this:
(Passive FTP)
     ---------                 ---------                 ---------
     |  ssh  |-(lp:r)-(rp:22)->|  ssh  |                 |       |
     | client|                 | daemon|                 |       |
     |       |--------tunnel-----tunnel-----tunnel-------|       |
     |       |      control session over ssh tunnel      |       |
     |  ftp  |---(lp:21)->---->--------->---->-(rp:21)-->|  ftp  |
     | client|       data session over ssh tunnel        | server|
     |       |---(lp:ar)->---->--------->---->-(rp:ar)-->|       |
     |       |--------tunnel-----tunnel-----tunnel-------|       |
     |       |                 |       |                 |       |
     ---------                 ---------                 ---------

OK. I can't get EITHER model to work. The active session would be
preferable for compatibility reasons.

The active session doesn't work because:
  * The control session works fine, because it can be forwarded to a
    machine on the LAN in office #2 through a SSH local port forward.
  * The data session does not work, because the remote port
    forwarding feature on the SSH daemon forwards a remote port on the
    linux gateway instead of a remote port on the machine on the LAN in
    office #2.

The passive session doesn't work because:
  * The control session works fine, because it can be forwarded to a
    machine on the LAN in office #2 through a SSH local port forward.
  * The data session does not work, because you have to open up an
    ENTIRE RANGE of ports to forward to the machine on the LAN in office
    #2 for the data session, and it doesn't seem to make sense to open
    an entire range of ports for port forwarding when only one is
    needed.
  * Most FTP clients don't use passive mode (which royally sucks)
    automatically or at all, so there are some real compatibility
    problems with using passive ftp with a large user base.
  * Passive ftp gets more complicated because of IP reporting by the
    FTP server.

Has anyone ever gotten a model like this to work for active FTP over SSH
to a Windows FTP server behind a linux firewall/gateway?

If so, please document how. We all need to know.

- Chuck Renner
Director of Technical Services
ICT/Data On CD
chuck@dataoncd.com
www.dataoncd.com
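As an added illustration (not part of Chuck's post), the Python below decodes the h1,h2,h3,h4,p1,p2 address field that FTP carries in the PORT command and in the 227 passive-mode reply, and works out where the data session would actually go when only the control session rides an OpenSSH local forward (ssh -L 21:<server LAN IP>:21 gateway). The sample lines and every address in them are constructed.

```python
import re

# Constructed sample traffic; the addresses are made up for the illustration.
PORT_CMD = "PORT 10,0,1,25,4,1"                                 # client -> server (active mode)
PASV_REPLY = "227 Entering Passive Mode (192,168,2,50,19,137)"  # server -> client (passive mode)

_FIELD = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(line):
    """Decode the h1,h2,h3,h4,p1,p2 field shared by PORT and the 227 reply.

    Returns (dotted_ip, port); the port is p1*256 + p2.
    """
    m = _FIELD.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % line)
    parts = [int(x) for x in m.groups()]
    if any(p > 255 for p in parts):
        raise ValueError("octet or port byte out of range in %r" % line)
    h1, h2, h3, h4, p1, p2 = parts
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_session_plan(line, client_lan_ip, server_lan_ip):
    """Describe the data session when only port 21 is tunnelled.

    Active mode: the server in office #2 dials the address in PORT, which is
    the client's office #1 LAN address; nothing in office #2 can reach it and
    the tunnel does not listen there, so the data session fails.
    Passive mode: the client is handed the server's office #2 LAN address in
    the 227 reply; it only works if the client dials its own tunnel endpoint
    instead and a matching -L forward exists for that one port.
    """
    host, port = decode_hostport(line)
    if line.upper().startswith("PORT"):
        return {
            "mode": "active",
            "server_dials": (host, port),
            "announces_client_lan": host == client_lan_ip,
            "works_through_tunnel": False,  # no listener for the client's LAN address in office #2
        }
    return {
        "mode": "passive",
        "announced": (host, port),
        "announced_ip_is_server_lan": host == server_lan_ip,
        "client_should_dial": ("127.0.0.1", port),
        "extra_forward": "-L %d:%s:%d" % (port, server_lan_ip, port),
    }


if __name__ == "__main__":
    for line in (PORT_CMD, PASV_REPLY):
        print(line, "->", data_session_plan(line, "10.0.1.25", "192.168.2.50"))
```

Run as a script it prints both plans; the passive plan spells out the single additional forward that the announced port needs, which is the "entire range" problem from the post reduced to one port per transfer.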