PDA

View Full Version : SSH Tunneling


mikeboeck
01-30-2006, 08:19 AM
I am trying to use ssh to connect to and send a file to an FTP server.

For the visually strong people:

Client(A) ---Internet(SSH)---> OpenSSH Server(B)------> FTP Server(C)
WinXp Linux Linux

Client A is outside the corporate firewall. I need to send a file from A to C(which is inside the firewall)
The data being sent must not reside on Server(B), it must be automatically forwarded to FTP(C)

I am new to SSH and SFTP as well as forwarding of data and a step by step guide would be very helpful. :confused:

jjh
01-30-2006, 03:07 PM
Hello Mikeboeck.

It sounds like you might be able to benefit from a client that does dynamic port forwarding, like our SecureCRT client.

If I understand the problem you are trying to solve, there is connectivity between the Windows machine and the OpenSSH server and between the OpenSSH server and the FTP server, but not directly from the Windows machine to the FTP server. You need to be able to get files from the Windows machine to the FTP server without the files ever residing on the OpenSSH server.

Is that correct?

If so, you could solve the problem by port forwarding the FTP traffic through the SSH tunnel. The only problem with that is the fact that normal port forwarding requires you to know exactly which ports you need to forward. The FTP protocol uses port 21 for the Control connection, but a second random port is used for the data connection, which is used to transfer the files. It's because of the use of the random port that you can't do normal port forwarding, but SecureCRT has dynamic port forwarding capability.

The following is an example of how you could configure dynamic port forwarding in SecureCRT to meet your need:

Create a session that connects from SecureCRT to the OpenSSH server running on the UNIX machine.
In the Session Options for that session open the Port Forwarding category and click the "Add" button.
When the "Local Port Forwarding Properties" dialog appears, Enter a name for the port forward. For the purposes of this example, we'll call it "SSHSocks" because we are essentially setting up SecureCRT as a Socks proxy.
Configure a local port for SecureCRT to listen on. For this example, let's use port 9080.
Enable the "Dynamic Forwarding Using Socks 4 or 5" setting.Click "OK".
Now you can connect to that session.

Now you can configure your FTP client to take advantage of the dynamic forward (SOCKS proxy) you just configured. You'll need to configure your FTP client to use PASV mode instead of Port mode. Your FTP client likely has a setting for you to configure a proxy server. The proxy server you need to use is the one you have created with your SecureCRT session, so the proxy server is on localhost (or 127.0.0.1), port 9080. You can use the hostname or IP address for your FTP server that you would normally use if you were connecting from the OpenSSH server to the FTP server.

If you are using our SecureFX client as your FTP client, you will need to set up the Firewall setting in your Global Options, then make sure that you have chosen that firewall in the Session Options for your session.

With this configuration, all of the FTP traffic will be routed through the secure tunnel that was created when you connected SecureCRT to the OpenSSH server. The OpenSSH server will forward the traffic along to your FTP server.

Does this configuration work for you?

Thank you

JJH