SSH Case Studies: Batch Jobs, FTP and SSH - 11.2 FTP and SSH
One of the most frequently asked questions about SSH is, “How can I use port forwarding to secure FTP?” If the forwarding in question is the traditional sort of static port forwarding provided by SSH clients such as OpenSSH, then the short answer is that you usually can’t, at least not completely, as we will explain in detail in this section. Such port forwarding can protect your account password, but usually not the files being transferred. Still, protecting your password is a big win, since the most egregious problem with FTP is that it usually reveals your password to network snoopers.
It’s worth noting that FTP can in fact be used securely on its own. Both FTP and Telnet are famously considered “insecure,” but it’s more accurate to say that they are simply used insecurely most of the time. Both protocols allow the use of strong authentication and encryption methods, such as SSL or Kerberos. However, the vast majority of FTP and Telnet servers in the world do not provide these features, and so we are left trying to secure them as best we can with other tools, such as SSH.
Before trying to figure out how to forward FTP over SSH, you should first ask yourself whether you really need to use FTP at all. If possible, it’s far less trouble to simply use a file-transfer method that works easily over SSH, such as scp, sftp, rsync, etc. (and remember that SFTP and FTP have nothing to do with one another, save the acronym). If you’re going to secure FTP end-to-end with SSH, then the FTP server must already be running an SSH server—which means it shouldn’t be hard to make the requisite files available via SSH as well. But the real world is messy, and you might be stuck with FTP.
11.2.1 FTP-Specific Tools for SSH
As we will describe, the FTP protocol is not amenable to standard SSH port forwarding. There are SSH clients, however, with features tailored specifically for dealing with FTP. We describe two of them here.
11.2.1.1 VanDyke's SecureFX
VanDyke Software (http://www.vandyke.com/) has a useful Windows product, specifically designed to forward FTP over SSH, data connections and all: SecureFX. It is a specialized combination of SSH-2 and FTP clients. SecureFX acts as a GUI FTP client, first creating an SSH connection, then logging into the remote FTP server via an SSH channel. Whenever it needs an FTP data connection, it dynamically creates the needed direct-tcpip channels (for passive mode) or remote forwardings (for active mode); to the remote FTP server, SecureFX looks like an FTP client connecting from the same host, so the data connections never leave the SSH tunnel. SecureFX works very smoothly and we recommend the product.
SecureFX is a great solution if you can choose your client. However, perhaps you need to secure FTP traffic in an existing system, where you can’t replace the client side. In this case, Tectia has a feature that will help.
11.2.1.2 Tectia client
The Tectia software has a special FTP-aware port-forwarding mode. In the GUI Windows client, when configuring tunneling in the Add New Outgoing Tunnel dialog box, set Type = FTP. In the command-line version, FTP forwarding works this way:
    # Tectia
    $ ssh -L ftp/1234:localhost:21 server

This forwards local port 1234 to an FTP server running on the standard FTP port (21), on the same machine as the SSH server. After connecting with a regular FTP client to the forwarded port, FTP data-transfer commands such as ls, get, put, etc., should work normally, in either FTP's "active" or "passive" mode. Tectia intercepts and alters FTP command traffic, particularly the PORT and PASV commands and their responses. It does this to "fool" the FTP client and server into using SSH-forwarded ports it creates for the data channels, instead of the direct connections each side would otherwise make; with a plain static forward those direct data connections would bypass the tunnel entirely.
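The rewriting that SecureFX and Tectia perform on the control channel is easy to show in code. The following is an added example written for this article; it is not code from Tectia, SecureFX or the book. It parses the six-byte address tuples that RFC 959 uses in PASV replies and PORT commands, rewrites a PASV reply to point the client at a local listener (where the SSH client would open a direct-tcpip channel to the server's data port), rewrites a PORT command to point the server at a port on its own host (where the SSH client would request a remote forwarding back to the client's data port), and, for contrast, shows what an unmodified PASV reply leaves a plain `ssh -L 1234:localhost:21` forward doing. The port numbers handed out (40000 and up locally, 50000 and up on the server) and the assumption that the FTP server sits on the SSH server host are hypothetical; the SSH channel and forwarding operations themselves are only recorded, not performed.

```python
"""FTP-aware forwarding: the PASV/PORT rewriting needed so FTP data
connections ride over SSH along with the control connection.

Added example for this article; not Tectia's, SecureFX's or the book's code.
The SSH side (opening a direct-tcpip channel, requesting a remote forwarding)
is simulated by recording what would be forwarded. Only the FTP control-channel
parsing and rewriting is real.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# RFC 959 encodes an address as six decimal bytes: h1,h2,h3,h4,p1,p2
_SIX_BYTES = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text: str) -> tuple[str, int]:
    """Extract (host, port) from a PASV reply or a PORT command."""
    m = _SIX_BYTES.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("byte out of range in: %r" % text)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(host: str, port: int) -> str:
    """Inverse of decode_hostport: ('127.0.0.1', 40000) -> '127,0,0,1,156,64'."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    return ",".join(host.split(".") + [str(port // 256), str(port % 256)])


@dataclass
class FtpAwareForwarder:
    """Rewrites PASV replies and PORT commands on a forwarded FTP control connection.

    Port numbers are hypothetical (a real client would bind ephemeral listeners).
    local_base is the first port used for local listeners (passive mode);
    remote_base the first port used for remote forwardings on the server (active mode).
    Assumes the FTP server runs on the SSH server host, as in the Tectia example.
    """
    local_base: int = 40000
    remote_base: int = 50000
    # local listener port -> (server host, server data port): one direct-tcpip channel each
    direct_tcpip: dict[int, tuple[str, int]] = field(default_factory=dict)
    # port on the server host -> (client host, client data port): one remote forwarding each
    remote_forwards: dict[int, tuple[str, int]] = field(default_factory=dict)

    def rewrite_pasv_reply(self, reply: str) -> str:
        """Passive mode: the server's '227 Entering Passive Mode (...)' names an
        address on the server. Point the client at a local listener instead and
        remember where the SSH client must open a direct-tcpip channel to."""
        server_host, server_port = decode_hostport(reply)
        local_port = self.local_base + len(self.direct_tcpip)
        self.direct_tcpip[local_port] = (server_host, server_port)
        return f"227 Entering Passive Mode ({encode_hostport('127.0.0.1', local_port)})\r\n"

    def rewrite_port_command(self, command: str) -> str:
        """Active mode: the client's 'PORT h1,h2,h3,h4,p1,p2' names a listener on
        the client. Tell the server to connect to a port on its own host instead
        and remember the remote forwarding the SSH client must request for it."""
        client_host, client_port = decode_hostport(command)
        remote_port = self.remote_base + len(self.remote_forwards)
        self.remote_forwards[remote_port] = (client_host, client_port)
        return f"PORT {encode_hostport('127.0.0.1', remote_port)}\r\n"


def static_forward_data_target(pasv_reply: str) -> tuple[str, int]:
    """What a plain 'ssh -L 1234:localhost:21' forward leaves the client doing:
    the PASV reply passes through untouched, so the client opens the data
    connection straight to the server, outside the tunnel and in the clear."""
    return decode_hostport(pasv_reply)


if __name__ == "__main__":
    # Constructed sample control-channel traffic, not a capture.
    pasv = "227 Entering Passive Mode (192,0,2,10,195,80)\r\n"
    port_cmd = "PORT 198,51,100,7,4,1\r\n"
    fwd = FtpAwareForwarder()
    print("static forward: client connects directly to", static_forward_data_target(pasv))
    print("rewritten PASV reply:", fwd.rewrite_pasv_reply(pasv).strip())
    print("rewritten PORT command:", fwd.rewrite_port_command(port_cmd).strip())
    print("direct-tcpip channels to open:", fwd.direct_tcpip)
    print("remote forwardings to request:", fwd.remote_forwards)
```

The contrast between `static_forward_data_target` and `rewrite_pasv_reply` is the whole point of this section: with a static forward the PASV reply still names the server's real address, so the client's data connection (and the file contents) leaves the tunnel, whereas the FTP-aware forwarder hands the client a loopback address it controls. A real implementation would also have to handle the EPSV and EPRT forms and the server's responses to PORT, which the book's description does not cover and this example leaves out.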
11.2.2 Static Port Forwarding and FTP: A Study in Pain
So far, we’ve described a number of alternatives for dealing with SSH and FTP. If you’re particularly unlucky, though, you might be stuck having to secure FTP with SSH, without any of these options—for instance, using OpenSSH, which has no FTP-specific forwarding features. If so, this section is for you. And even if you’re not stuck with this unenviable task, you may find the discussion useful for understanding the general problem and limitations. Or simply for the morbid fascination of it all.
Here, we explain in detail what you can and can’t do with FTP and SSH, and why. Some difficulties are due to limitations of FTP, not only when interacting with SSH, but also in the presence of firewalls and network address translation (NAT). We will discuss each of these situations, since firewalls and NAT are common nowadays, and their presence might be the reason you’re trying to forward FTP securely. If you are a system administrator responsible for both SSH and these networking components, we will try to guide you to a general understanding that will help you design and troubleshoot entire systems.
Depending on your network environment, different problems may arise when combining SSH with FTP. Since we can’t cover every possible environment, we describe each problem in isolation, illustrating its symptoms and recommending solutions. If you have multiple problems occurring simultaneously, the software behavior you observe might not match the examples we’ve given. We recommend reading the entire case study once (at least cursorily) before experimenting with your system, so you will have an idea of the problems you might encounter. Afterward, go ahead and try the examples at your computer.