FTPS - Tunneling

Post by *jaycee »

Hi,

I would like to know something about the ftp over ssl features.
I read that an ssl tunnel is opened, and ftp goes via that tunnel.

Would it be possible to have the tunnel to an ssh server, then to have ftp connecting to another computer on the ssl server's network?

Having this:
TC > internet > SSH server > FTP Server

Let's say the destination network is 10.0.0.255.
SSH server: lan: 10.0.0.2 (wan = MY.DYN.IP)
FTP server: 10.0.0.3
This is done quite easily with PuTTY (for example).
I open an ssh session to MY.DYN.IP, and create a tunnel to 10.0.0.3:21 on the LAN.

I guess, now, TC would only accept a connection to an ftp server running on the same IP as the SSH server?


Cheers,
Jaycee.
Licence #125670, bought to say "Thanks".

Post by *jaycee »

No one can help?
Licence #125670, bought to say "Thanks".

Post by *SanskritFritz »

> Would it be possible to have the tunnel to an ssh server, then to have ftp connecting to another computer on the ssl server's network?

No.

> I guess, now, TC would only accept a connection to an ftp server running on the same IP as the SSH server?

Yes.

SSH tunneling is simply port forwarding; no address translation is done on the server side. If there was address translation (meaning, the server forwards the request to another server), it would pose a security leak I think, but I might be wrong.

EDIT: if you want the tunnel to bypass your firewall to connect to other servers on different ports using another server outside the firewall, use HTTPort and HTTHost.
I switched to Linux, bye and thanks for all the fish!

Post by *jaycee »

I am doing such a thing every day ...

ssh -p 22 -L 5901:WRK1_LAN_IP:5900 root@SSH_SERVER_IP
ssh -p 22 -L 5902:WRK2_LAN_IP:5900 root@SSH_SERVER_IP
...

SSH_SERVER_IP being the ssh server
SERVER_LAN_IP being inside the destination network.

i.e., this port is for VNC ...
Licence #125670, bought to say "Thanks".

Post by *SanskritFritz »

I only see 2 addresses here, the source and the destination. How would you address a third machine through the ssh server? Looks like my knowledge of ssh tunneling is very limited, I didn't know of such a possibility!
I switched to Linux, bye and thanks for all the fish!

Post by *SanskritFritz »

Can you please explain how you do it with Putty?
I switched to Linux, bye and thanks for all the fish!

Post by *jaycee »

Being connected on any hotspot on the internet (whatever my WAN IP address is...)
This only works with ssh2 (I think ...)

Let's say the remote ssh server has WAN/LAN IP: 194.224.32.2/10.0.1.1
The desktop you want to reach behind the ssh server is: 10.0.1.133 (which doesn't have an ssh server)

Putty:

In session/hostname, the IP of the ssh server with the port (194.224.32.2:22). (I usually change the port number because I get too many DoS attacks...)

In connection/ssh/tunnels (be root for port < 1024),
localhost source port: any port (i.e. 5901)
destination: IP address of destination, inside destination LAN: port (i.e. 10.0.1.133:5900)

As an example, if you now run VNC viewer and open localhost:5901, you will be linked to the remote PC 10.0.1.133, via the ssh server 194.224.32.2, which acts just as a proxy...

With a bit of imagination, you could find a lot of things to do with this... Enjoy...

And ... it would be interesting if TC implemented this...

(I think ssh3 will natively implement this for ftp... but I am not sure...)

edit: I think (again) ... that port forwarding is limited to root ...

edit2: I might not have fully understood your request ;)
Jean-Christophe.
Licence #125670, bought to say "Thanks".
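
Whether the ssh server will relay to a third machine, as in the post above, is decided by its forwarding settings. As an added example (not part of the thread), an OpenSSH `sshd_config` fragment showing the permissive default beside a setup restricted to the one destination used above; the account name `tunnel` is hypothetical.

```conf
# sshd_config on the ssh server (194.224.32.2 / 10.0.1.1 in the thread).

# Permissive (OpenSSH defaults, shown commented out): any authenticated user
# may request -L forwards to any host:port the server itself can reach,
# so every service on 10.0.1.x is exposed to whoever can log in.
#AllowTcpForwarding yes
#PermitOpen any

# Restricted: forwarding is off globally ...
AllowTcpForwarding no

# ... and enabled only for one dedicated, non-root account (hypothetical name),
# only for client-side (-L) forwards, and only to the VNC desktop.
Match User tunnel
    AllowTcpForwarding local
    PermitOpen 10.0.1.133:5900
    X11Forwarding no
    AllowAgentForwarding no
    # No interactive terminal; the client connects with "ssh -N -L ...".
    PermitTTY no
```

Running `sshd -t` checks the file for syntax errors before the daemon is reloaded. A forward request to any destination other than 10.0.1.133:5900 is then refused by the server.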

Post by *SanskritFritz »

2jaycee
Thank you, you understood me correctly. For some reason I always thought the destination server cannot be separated from the ssh server... that is why in my putty config both IP addresses are the same: hostname IP and tunnel destination IP. Well, now I understand why there is the possibility to input another IP address to the destination field. I never needed another scenario, hence, I stopped here. Thank you again!
I switched to Linux, bye and thanks for all the fish!