{"componentChunkName":"component---src-templates-manual-template-tsx","path":"/manuals/client-user/44/Forwarding_FTP.html","webpackCompilationHash":"d1750f6cc413894a8b5c","result":{"data":{"promoBlocks":{"edges":[{"node":{"contentful_id":"47glnSpWzXeFylv2vfQEF8","internal":{"type":"ContentfulPromotionBlock"},"title":{"internal":{"type":"ContentfulHeading"},"contentful_id":"7KIOfSfgwJnCXuvRN6CfrP","textContent":"Standing privileges are a risk with PAM","color":"black","size":"medium"},"subTitle":null,"content":{"nodeType":"document","internal":{"content":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Start your journey towards a just-in-time (JIT) model with zero standing privileges (ZSP). Read 'Remove Standing Privileges Through a Just-In-Time PAM Approach' by Gartner , courtesy of SSH.COM.\\n \\n\",\"marks\":[],\"data\":{}}],\"data\":{}}]}"}},"callToAction":{"internal":{"type":"ContentfulButton"},"contentful_id":"19EUesynV2Z7HHcuJk0BAS","content":"Download Gartner research","internalLink":null,"externalLink":"https://info.ssh.com/gartner_research_privileged_access_management","assetLink":null,"anchor":null},"picture":{"internal":{"type":"ContentfulAsset"},"contentful_id":"2ClylmBswcfDx4XdO7NTmL","title":"ICON Gartner ZSP","description":"","file":{"url":"//images.ctfassets.net/0lvk5dbamxpi/2ClylmBswcfDx4XdO7NTmL/78e899153ed66aec3b03b9a2cacd112d/ICON_Gartner_ZSP_ICON_Gartner.png","contentType":"image/png"},"fluid":{"aspectRatio":1,"src":"//images.ctfassets.net/0lvk5dbamxpi/2ClylmBswcfDx4XdO7NTmL/78e899153ed66aec3b03b9a2cacd112d/ICON_Gartner_ZSP_ICON_Gartner.png?w=3000&q=50","srcSet":"//images.ctfassets.net/0lvk5dbamxpi/2ClylmBswcfDx4XdO7NTmL/78e899153ed66aec3b03b9a2cacd112d/ICON_Gartner_ZSP_ICON_Gartner.png?w=750&h=750&q=50 750w,\n//images.ctfassets.net/0lvk5dbamxpi/2ClylmBswcfDx4XdO7NTmL/78e899153ed66aec3b03b9a2cacd112d/ICON_Gartner_ZSP_ICON_Gartner.png?w=1500&h=1500&q=50 1500w,\n//images.ctfassets.net/0lvk5dbamxpi/2ClylmBswcfDx4XdO7NTmL/78e899153ed66aec3b03b9a2cacd112d/ICON_Gartner_ZSP_ICON_Gartner.png?w=1601&h=1601&q=50 1601w","sizes":"(max-width: 3000px) 100vw, 3000px"},"fixed":{"width":3000,"height":3000,"src":"//images.ctfassets.net/0lvk5dbamxpi/2ClylmBswcfDx4XdO7NTmL/78e899153ed66aec3b03b9a2cacd112d/ICON_Gartner_ZSP_ICON_Gartner.png?w=3000&q=50","srcSet":""}},"centered":true,"indentMainContent":null,"transparentBackground":null,"imageScale":70,"imagePadding":null,"name":"WIKI migration side promo block2","product":null,"funnel":null,"topic":null,"keywords":null,"type":null,"priority":null,"globalOverride":null}},{"node":{"contentful_id":"6dfNaA1UlY4bADKQk6awhs","internal":{"type":"ContentfulPromotionBlock"},"title":{"internal":{"type":"ContentfulHeading"},"contentful_id":"49Tb2wSR21P5C2cpcgMZ3","textContent":"Get Multi-cloud PAM software - for free!","color":"black","size":"medium"},"subTitle":null,"content":{"nodeType":"document","internal":{"content":"{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"PrivX® Free replaces your in-house jump hosts and combines your AWS, GCP and Azure access into one multi-cloud solution.\\n \\n\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"document\"}"}},"callToAction":{"internal":{"type":"ContentfulButton"},"contentful_id":"1dmQ13jyyZ46ID07eVNVFb","content":"PrivX Free","internalLink":null,"externalLink":"https://info.ssh.com/privx-free-access-management-software","assetLink":null,"anchor":null},"picture":{"internal":{"type":"ContentfulAsset"},"contentful_id":"4UUYdjING8micwZQur5o6d","title":"ICON computer (search)","description":"","file":{"url":"//images.ctfassets.net/0lvk5dbamxpi/4UUYdjING8micwZQur5o6d/1b378a0f4646075c7a4788f1afffbabe/ICON_computer__search_.svg","contentType":"image/svg+xml"},"fluid":{"aspectRatio":null,"src":null,"srcSet":null,"sizes":null},"fixed":{"width":null,"height":null,"src":null,"srcSet":null}},"centered":true,"indentMainContent":null,"transparentBackground":null,"imageScale":70,"imagePadding":null,"name":"WIKI migration side promo block1","product":null,"funnel":null,"topic":null,"keywords":null,"type":null,"priority":null,"globalOverride":null}}]}},"pageContext":{"isCreatedByStatefulCreatePages":false,"body":"
\n\n\n\n \n \n \n \n \n
\"SSH\n \n  \n \n \"\"
\n\n\n\n\n \n \n\n \n \n
\"\"\n \n \n \n \n
\"\"
\n
\n\n\n\n\"\"\n\n\n\n\n\n\n\"\" \n\n
\n
\n \n \n \n \n\n
\"\"\n \n \n \n \n \n\t\n\t\n\t
\n\n\n\n
\"Previous\"\n\"Next\"\n\"Up\"\n[Contents]\n[Index]\n
\n

\n
\n    About This Document>>
\n    Installing SSH Tectia Client >>
\n    Getting Started >>
\n    Configuring SSH Tectia Client >>
\n    Connecting to a Remote Host Computer>>
\n    Transferring Files>>
\n    Tunneling Applications>>
\n        How to Set Up Tunneling for E-Mail >>
\n        How to Set Up Tunneling for FTP >>
\n            Configuring SSH Tectia Client
\n            Configuring the FTP Client
\n            Forwarding FTP
\n    GUI Reference>>
\n    Troubleshooting >>
\n    Command-Line Tools >>
\n\n
\n\n

Forwarding FTP

\n\n

\n\n\n\n

FTP forwarding is an extension to the generic port forwarding mechanism. \nThe FTP control channel can be secured by using generic port forwarding, \nbut since the FTP protocol requires creating separate TCP connections \nfor the files to be transferred, all the files would be transferred \nunencrypted when using generic port forwarding, as these separate TCP \nconnections would not be forwarded automatically.\n\n

To protect also the transferred files, use FTP forwarding instead. It \nworks similarly to generic port forwarding, except that the FTP \nforwarding code monitors the forwarded FTP control channel and \ndynamically creates new port forwardings for the data channels as they \nare requested. \n\n

TCP port 21 is the port the client uses to establish a connection with \nthe remote server for an FTP session. The TCP port locally assigned to \nthe client is always going to be different since it is only used as a \nmethod to ensure the FTP server traffic is sent back to the appropriate \nmachine. \n\n

This is important in situations where multiple users may be using FTP to \ntransfer files to the same server. If the users' machines are sitting \nbehind a NAT device such as a firewall, all packets coming to the server \nwill look as though they are from the same machine. The dynamic port \nnumbers assigned to each client enable the firewall to route the return \npackets to the correct user.\n\n

To see exactly how this dynamically created port forwarding is done, two \ndifferent cases need to be examined: the active mode and the passive \nmode of the FTP protocol.\n\n

\n\n

FTP in Passive Mode

\n\n

\n\n\n

In passive mode, the FTP client sends the command PASV to the \nserver, which reacts by opening a listener port for the data channel and \nsending the IP address and port number of the listener as a reply to the \nclient. The reply is of the format 227 Entering Passive Mode (10,1,60,99,6,12).\n\n

When the Secure Shell client notices the reply to the PASV \ncommand, it creates a local port forwarding to the destination mentioned \nin the reply. After this, the client rewrites the IP address and port in \nthe reply to point to the listener of the newly created local port \nforwarding (which exists always in a localhost address, 127.0.0.1) and \npasses the reply to the FTP client. The FTP client opens a data channel \nbased on the reply, effectively tunneling the data through the SSH \nconnection, to the listener that the FTP server has opened. The net \neffect is that the data channel is secure all the way except from the \nSecure Shell server to the FTP server, if they are on different \nmachines. This sequence of events takes place automatically for every \ndata channel.\n\n

Since port forwarding is opened to a localhost address, the FTP \nclient must be run on the same machine as the Secure Shell client if \npassive mode is used.\n\n

\n\n

FTP in Active Mode

\n\n

\n\n\n

In active mode, the FTP client creates a listener on a local port for a \ndata channel from the FTP server to the FTP client, and requests the \nchannel by sending the IP address and the port number to the FTP server \nin a command of the following format: PORT 10,1,60,99,6,12. The \nSecure Shell client intercepts this command and creates a remote port \nforwarding from the Secure Shell server localhost address to \nthe address and port specified in the PORT command.\n\n

After creating the port forwarding, the Secure Shell client rewrites the \naddress and port in the PORT command to point to the newly \nopened remote forwarding on the Secure Shell server and sends it to the \nFTP server. Now the FTP server opens a data channel to the address and \nport in the PORT command, effectively forwarding the data \nthrough the SSH connection. The Secure Shell client passes the incoming \ndata to the original listener created by the FTP client. The net effect \nis that the data channel is secure the whole way except from the Secure \nShell client to the FTP client. This sequence of events takes place \nautomatically for every data channel.\n\n

Since port forwarding is made to a localhost address on the \nSecure Shell client machine, the FTP client must be run on the same host \nas the Secure Shell client if passive mode is used.\n\n

Where end-to-end encryption of FTP data channels is desired, the FTP \nserver and Secure Shell server need to reside on the same host, and the \nFTP client and the Secure Shell client will likewise need to reside on \nthe same host. If this is the case, both active or passive mode can be \nused.\n\n

Note: Consider using sftp2 or scp2 (see SCP2 Syntax) instead of FTP forwarding to secure file \ntransfers. It will require less configuration than FTP forwarding, since \nthe server already has sftp-server2 as a subsystem, and \nsftp2 and scp2 clients are included in the \ndistribution. \n\n

\n\n\n

\n\"Previous\"\n\"Next\"\n\"Up\"\n[Contents]\n[Index]\n

\n
\n[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]\n

\nCopyright © 2010 SSH Communications Security Corp.
\nThis software is protected by international copyright laws. All rights reserved.
\nCopyright Notice\n\n

\n\n\n\n 		\"\"
\n\n
\n\n\n\n
","head":"\nSSH: Forwarding FTP\n\n\n","url":"/manuals/client-user/44/Forwarding_FTP.html"}}}