FTP/SSH Tunnel Configuration

Introduction

The File Transfer Protocol (ftp) is a protocol for copying files between servers over the Internet. ftp is, however, not secure: credentials and data travel in clear text. There are secure alternatives (e.g. sftp, which is a secure file transfer program run through an ssh daemon). It is also possible, however, to configure standard ftp to be run through a (secure) ssh tunnel.

The following guidance may help in configuring FTP through an SSH tunnel. In particular, details are given about the configuration and use of the Very Secure FTP Daemon (vsftpd) and SSH on the Linux server, along with the PuTTY (ssh) and ftp client software on a workstation.

FTP/SSH Tunnel Configuration

The configuration set-up described below essentially follows http://www.nurdletech.com/ftp.html, in particular the sections "Example" and "Adapting the Example" of that page.


1) Configure vsftpd server as follows:

1a) vi /etc/vsftpd/vsftpd.conf

# 01/05/2009: added pasv_address=localhost, pasv_min_port/pasv_max_port, and pasv_enable
# pick any port range above 1024. Define as many ports as required 
# (noting that this will have to be matched in the PuTTY configuration below (step 2)).
pasv_enable=YES
pasv_min_port=11900
pasv_max_port=11902
pasv_address=127.0.0.1

1b) service vsftpd restart

2) Configure workstation (client) PuTTY as follows:

Connection / Tunnels

L2021 :21
L10900 :11900
L10901 :11901
L10902 :11902

3) Configure workstation (client) FTP software (e.g. FileZilla or similar) to use:

Localhost: 2021

4) From workstation (client) use PuTTY to open SSH session to SSH server host as per normal procedure.

Logon as appropriate user (if keys need to be loaded then use Pageant to load the appropriate keys prior to running up the SSH session).

5) From workstation (client) use ftp client software (e.g. FileZilla or similar) to open the ftp session as follows:

Open an ftp session to localhost with the required username/password.


NB: any suitable PASV port range can be used (those used above are for illustration purposes only).
Likewise any suitable available port on the workstation can be used for the ftp tunnel (thus 2021 as used above was for illustration purposes only).
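As an added example (not part of the original page or of vsftpd/PuTTY), the following POSIX shell script reads the PASV settings from a vsftpd.conf and prints the OpenSSH -L forwards equivalent to the PuTTY tunnel list in step 2, so the two sides of the configuration can be checked against each other. It assumes the same mapping as above: local 2021 to remote 21 for the control channel, and local N-1000 to remote N for each PASV port N; the host name ftp-host.example is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original page. Derives the OpenSSH -L forwards that
# match a vsftpd PASV range so the tunnel list can be verified against the server
# config. Assumed mapping (as on this page): control 2021->21, PASV port N -> local N-1000.

# pasv_forwards <vsftpd.conf>
# Prints one "-L local:127.0.0.1:remote" line per port, control port first.
# Fails if pasv_enable is not YES or pasv_address is not the loopback address,
# because the server would then hand the client an address the tunnel cannot reach.
pasv_forwards() {
    conf="$1"
    # get <key>: value of the first "key=value" line in the config
    get() { sed -n "s/^[[:space:]]*$1=//p" "$conf" | head -n 1; }
    [ "$(get pasv_enable)" = "YES" ] || { echo "pasv_enable must be YES" >&2; return 1; }
    [ "$(get pasv_address)" = "127.0.0.1" ] || { echo "pasv_address must be 127.0.0.1" >&2; return 1; }
    min=$(get pasv_min_port); max=$(get pasv_max_port)
    # range must be above 1024 and non-empty; "[" fails on a missing value, which also rejects it
    [ "$min" -ge 1024 ] && [ "$max" -ge "$min" ] || { echo "bad PASV range" >&2; return 1; }
    printf '%s\n' "-L 2021:127.0.0.1:21"
    p=$min
    while [ "$p" -le "$max" ]; do
        printf '%s %d:127.0.0.1:%d\n' "-L" $((p - 1000)) "$p"
        p=$((p + 1))
    done
}

# Constructed sample config matching step 1a of the page.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
pasv_enable=YES
pasv_min_port=11900
pasv_max_port=11902
pasv_address=127.0.0.1
EOF

# Equivalent OpenSSH command line for the PuTTY tunnels in step 2 (host name is a placeholder).
echo "ssh $(pasv_forwards "$SAMPLE_CONF" | tr '\n' ' ')user@ftp-host.example"
```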

sftp: the secure FTP alternative

ftp is being used above to copy/move files between servers through an ssh tunnel. The alternative is to use sftp.

sftp (as built into ssh) is not the same as ftp over ssh. They are completely different protocols. sftp is designed to be secure; it's already a subsystem of openssh.

SFTP - SSH daemon configured with the 'sftp-server' subsystem. The ssh server's sshd_config should have a line like:

Subsystem sftp /usr/libexec/sftp-server

Secure Copy (scp) or Secure File Transfer Program (sftp) can be used to transfer files/data between client applications and a server, while ssh handles link encryption. The 'sftp-server' subsystem can be disabled and all files can still be transferred using scp. sftp is also known as SSH FTP.

See http://en.wikipedia.org/wiki/SSH_file_transfer_protocol for more details about sftp.


Firewall Configuration

The firewall/port-blocking configuration of any routers/firewalls used on the LAN as usual needs to be carefully addressed.

ssh uses port 22. The router is configured to forward this to the SSH server.

ftp uses ports 20 and 21 plus other ports (see FTP for more details). In this case, however, the ftp ports are blocked on the NAT (check link) router, as the FTP traffic is routed through the SSH port.

General Links

The following general links are useful references when setting up FTP to be tunnelled through SSH:


URL  Summary/Description
http://www.nurdletech.com/ftp.html Securing FTP using SSH
http://www.nurdletech.com/putty.html Secure Remote Access to Your Server through SSH (describes the use of SSH/PuTTY to secure a number of different protocols)
http://www.ssh.com/support/documentation/online/ssh/adminguide/32/Port_Forwarding.html SSH port Forwarding
http://www.derkeiler.com/pdf/Newsgroups/comp.security.ssh/2002-03/0544.pdf FTP over SSH to Windows FTP server behind Linux gateway/firewall
http://www.linuxquestions.org/questions/linux-networking-3/ftp-over-ssh-tunnel-ftp-refuses-to-work-558516/ ftp over ssh tunnel: ftp refuses to work
http://en.wikipedia.org/wiki/SSH_file_transfer_protocol SSH file transfer protocol