Tunnelling FTP

Greetings,

Can anyone point me to a clear net resource, or simply give me instructions, on creating SSH2 tunnels for insecure TCP protocols specifically FTP? I don't care as much about encrypting the data connection, but I do want to encrypt the control connection.

I altered my config file, adding the following line:

LocalForward "ftp/21:my.machine.name:21"

and restarted my daemon. I was hoping this would automatically encrypt any FTP logins. However, if it is encrypted it's almost too transparent. I can't tell whether it's working or whether the FTP client is going directly to the FTP daemon and bypassing the tunnel.

My sense is that I'm going about this the wrong way.

I would simply use sftp but I have users that are on Macs and they need to upload files to our Linux server, and so far I have not found an sftp client for for Mac. If there is one, and I've missed it, please let me know. Otherwise, I would like to establish a connection that at least protects my user's passwords from sniffing.

Thanks,
Eric Anderson

AFAIK tunneling ftp is difficult to do due to ftp utilising passive connections where the server makes a second tcp socket connection back to the client for sending the information.

Thus you can't just encrypt the incoming ftp connection to socket 21, since the server makes a second connection back to client which causes problems due to the fact that ports below 1024 are reserved for root setup only and i think ssh needs a port below 1024 to opperate thus the host -> client channel cannot be made within the correct port range.

However I read about this ages ago and things may have changed since then.

I remember reading in one of the ssh guides that you were advised not to tunnel ftp due to this problem, however i cannot remember whether it was possible but very difficult?

Replying to my own posts now :-)

I've just looked into setting up pop3 over secure channels and this can be done using SSL.

I presume you can do the same for ftp via SSL?

Have a look at stunnel which I used for the pop3 encryption (prevents passwords been sent clear text)

the url is www.stunnel.org

hope that helps

That's great information, muphicks. I was actually trying to figure this out myself, but never thought to post here (thanks Eric!). BTW, did you know you can "edit" your own post?