On Mon, 7 Feb 2000, Joe Chung wrote:
> On Sun, Feb 06, 2000 at 09:32:11PM -0800, t s a d i wrote:
> > hello all,
> > we use ssh (and ssl telnet) at our place to remotely admin some
> > machines (we are on an untrusted network) ...
> > our concern now is on ftp, is there such thing as an ssh'ed or
> > ssl'ed ftp ? or any equivalent ? (using ssh's file transfer capability
> > is not an option since no Win9x ssh client supports this)
>
> For Windows clients try the ssh extension to Teraterm at:
>
> http://www.zip.com.au/~roca/ttssh.html
>
> With the port-forwarding feature, I was able to use good old ws_ftp from the
> Windows machine to connect securely to our Solaris server running openssh's
> sshd. That should work for you.

That's only partially true: ftp is a dual-ported protocol. It uses port 21
for transferring the parameters and commands, but it uses a separate data
connection. It can behave the following two ways:

Active mode: the data connection is initiated by the ftp server. The
connection is between ftpserver:20 and a user-specified ip:port.

Passive mode: the ftp server is the one which is contacted by another
computer. This mode is triggered by the pasv command. The reply of the ftp
server to the pasv command is a port on which it will listen. It then needs to
be contacted by the client (or another machine). This makes it possible to
use the ftp protocol to transfer files between two ftp servers. In this scenario
the control connections are between the client and the two ftp servers, but
the one data connection is between the two ftp servers.

What is described in the previous lines shows that forwarding a connection
to port 21 via ssh does not encrypt the data connections.

Therefore: if you need to encrypt only the passwords, then ssh can provide
you the tool. But there is no way to encrypt the data connection with ssh
alone. You need a tool which uses ssh's port forwarding capabilities
actively for that.

Robert Varga
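
Added example, not part of the original thread: a small Python audit helper that reads an FTP control-channel transcript, extracts every data connection negotiated via PORT (active) or the 227 reply to PASV (passive), and lists those that do not run over an ssh forward. The transcript, the addresses and the function names are constructed for illustration; the host/port encoding (h1,h2,h3,h4,p1,p2) is the one defined in RFC 959.

```python
import re

# h1,h2,h3,h4,p1,p2 as carried by PORT and by the 227 reply to PASV (RFC 959)
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

def parse_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 sextet, or None if absent/invalid."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def data_connections(control_lines):
    """List (mode, initiator, ip, port) for each data connection set up on the control channel."""
    found = []
    for line in control_lines:
        who, _, msg = line.partition(" ")
        if who == "C:" and msg.upper().startswith("PORT "):
            ep = parse_hostport(msg)
            if ep:  # active mode: the server connects out to the client's ip:port
                found.append(("active", "server") + ep)
        elif who == "S:" and msg.startswith("227"):
            ep = parse_hostport(msg)
            if ep:  # passive mode: the server listens, the client connects in
                found.append(("passive", "client") + ep)
    return found

def outside_tunnel(connections, forwarded_targets):
    """Return the data connections whose endpoint is not the target of an ssh forward."""
    return [c for c in connections if (c[2], c[3]) not in forwarded_targets]

# Constructed sample transcript (documentation addresses, not real hosts)
SAMPLE = [
    "C: USER alice",
    "S: 331 Password required",
    "C: PASS ********",
    "S: 230 Logged in",
    "C: PASV",
    "S: 227 Entering Passive Mode (192,0,2,10,195,80)",
    "C: RETR report.txt",
    "C: PORT 198,51,100,7,4,1",
    "S: 200 PORT command successful",
    "C: STOR notes.txt",
]

if __name__ == "__main__":
    # Assumption: only the control port was forwarded (a forward to 192.0.2.10:21)
    for conn in outside_tunnel(data_connections(SAMPLE), {("192.0.2.10", 21)}):
        print("not tunnelled:", conn)
```

With only port 21 forwarded, both the passive and the active data connection are reported, which is the gap the reply describes.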