SSH port forward and ftp

Rasjid Wilcox rasjidw at bigpond.com
Sun Feb 17 23:03:01 EST 2002


On Sun, 17 Feb 2002 8:20 pm, Ben Elliston wrote:
> >>>>> "Rasjid" == Rasjid Wilcox <rasjidw at bigpond.com> writes:
>
>   Rasjid> I have spent quite a while trying to work out how to get ftp
>   Rasjid> working with ssh port forwarding, and I'm not having much
>   Rasjid> joy.
>
> If all you're trying to do is transfer files to/from the FTP server,
> have you considered using sftp?  It runs over SSH and so will work
> through your firewall box that forwards port 22.  End of story.
>
> Ben

There are a few reasons I don't want to do this.
a) It would require direct access to the ftp box, which I don't want.
b) It requires some kind of shell access, which I don't want to provide.  
(sftp requires sufficient shell access to read and write files etc).
c) By default it would give users access to the complete directory tree, 
unless I work out how to get chroot working with sftp.  I have no idea if this 
is even possible.

This is, however, my option of last resort.


On Sun, 17 Feb 2002 2:37 am, Steven Hanley wrote:
> Have you tried using passive ftp? Otherwise ftp daemons will try to connect
> to you when you make any kind of data request (whether it be ls or get,
> this is one of the things that makes the ftp protocol so sucky)

Thanks, but yes.


On Sun, 17 Feb 2002 4:39 am, Filip Radlinski wrote:
> I assume you're trying to get FTP to be secure? I suggest you try safetp
> instead of using port forwarding - free clients and servers exist for
> Linux and Windows and it works without any hassles.
>
> http://safetp.cs.berkeley.edu/

I had a look, but not what I want.  One of my goals is to provide SSH2-RSA 
access only.  I really don't trust my users to have strong passwords.

---------------

With a bit more looking around, all my questions were answered by the pdf 
available at:
http://www.unixreview.com/documents/urmb9/

I think I was just lucky that the chapter they decided to provide as a sample 
went into an amazing amount of detail on exactly what I wanted to know.

Based on the information given, I have decided there are several ways to do 
what I want. (I have not had a chance to test any of these yet).

a) Modify the ftp server configuration so the PASV command gives 127.0.0.1 as 
the address, and a small range of ports x-y.  Set up the SSH session to 
forward all ports x-y in addition to port 21.  This is my least 
preferred option, as the number of users grows the number of ports that will 
need to be forwarded by every session will also grow.

b) Use some (highly configurable) ftp proxy on the ssh server to do a), but 
on a per user basis.

c) As above, but on the client's machine.

What I need the ftp proxy to do is to re-write either the PORT commands sent 
from the ftp client (to the IP of the ssh server) or the response from the 
ftp server to the PASV command (to IP 127.0.0.1).  I'm hoping that an 
existing ftp proxy will do this.  Otherwise I will need to modify an existing 
one or write my own.  Given I only really know a little (self-taught) Java 
and Python, I'm hoping an existing product will do what I want.

Cheers,

Rasjid.
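As an added illustration of the rewriting the post describes (this is example code written for this page, not code from the post or from any existing ftp proxy), here is the core of what such a proxy has to do with the two FTP messages that carry an address: the server's 227 reply to PASV, and the client's PORT command. It assumes the ftp server has been pinned to a fixed PASV port range that the SSH session forwards, and all addresses, ports and hostnames below are made up. The last helper builds the `ssh -L` arguments for option a); if the server hands out a port outside the forwarded range, the PASV rewrite returns None so the proxy can refuse the transfer rather than let the client attempt a direct connection that the tunnel does not cover.

```python
import re

# Shape of the two FTP messages that carry an address (RFC 959):
#   server reply  : 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
#   client command: PORT h1,h2,h3,h4,p1,p2
# The data port is p1*256 + p2.
PASV_RE = re.compile(
    r"^227\D*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE)


def decode_hostport(groups):
    """Turn the six comma-separated numbers into ('a.b.c.d', port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if any(o > 255 for o in (h1, h2, h3, h4)):
        raise ValueError("bad octet in address")
    if p1 > 255 or p2 > 255:
        raise ValueError("bad port bytes")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip, port):
    """Inverse of decode_hostport: ('a.b.c.d', port) -> 'a,b,c,d,p1,p2'."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address")
    if not 0 < port < 65536:
        raise ValueError("bad port")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def rewrite_pasv_reply(line, new_ip="127.0.0.1", allowed_ports=None):
    """Rewrite the server's 227 reply so the client opens its data connection
    to new_ip (the local end of the tunnel) instead of the server's real IP.

    Returns the line unchanged if it is not a 227 reply, the rewritten line if
    it is, or None if the server picked a port outside allowed_ports (a port
    the SSH session does not forward), so the caller can refuse the transfer.
    """
    line = line.rstrip("\r\n")
    m = PASV_RE.match(line)
    if not m:
        return line
    _server_ip, port = decode_hostport(m.groups())
    if allowed_ports is not None and port not in allowed_ports:
        return None
    return f"227 Entering Passive Mode ({encode_hostport(new_ip, port)})"


def rewrite_port_command(line, new_ip):
    """Rewrite the client's PORT command so the server connects back to new_ip
    (e.g. the ssh server's address) on the same port. Non-PORT lines pass
    through unchanged."""
    line = line.rstrip("\r\n")
    m = PORT_RE.match(line)
    if not m:
        return line
    _client_ip, port = decode_hostport(m.groups())
    return f"PORT {encode_hostport(new_ip, port)}"


def ssh_forward_args(ftp_host, local_ctrl_port, data_ports):
    """Build the -L options for option a): forward the control port plus the
    fixed PASV range the ftp server has been configured to use."""
    args = ["-L", f"{local_ctrl_port}:{ftp_host}:21"]
    for p in data_ports:
        args += ["-L", f"{p}:{ftp_host}:{p}"]
    return args


if __name__ == "__main__":
    # Constructed sample traffic (not from the original post).
    tunnel_ports = range(40000, 40006)
    print(rewrite_pasv_reply("227 Entering Passive Mode (192,168,1,10,156,64)\r\n",
                             allowed_ports=tunnel_ports))
    print(rewrite_port_command("PORT 10,0,0,5,4,1\r\n", "203.0.113.7"))
    print(" ".join(["ssh"] + ssh_forward_args("ftp.example.org", 2121, tunnel_ports)
                   + ["gateway.example.org"]))
```

The functions strip the CRLF and return bare lines; a real proxy would re-append "\r\n" before writing to the socket, and would apply rewrite_pasv_reply to every server line and rewrite_port_command to every client line on the control connection.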



