
FTPS - Tunneling

Posted: 2006-11-05, 17:01 UTC
by jaycee
Hi,

I would like to know something about the ftp over ssl features.
I read that an ssl tunnel is opened, and ftp goes via that tunnel.

Would it be possible to have the tunnel to a ssh server, then to have ftp connecting to another computer on the ssl servers' network ?

Having this:
TC > internet > SSH server > FTP Server

Let's say the destination network is 10.0.0.255.
SSH server: lan: 10.0.0.2 (wan = MY.DYN.IP)
FTP server: 10.0.0.3
This is done quite easily with putty ( for example ).
I open an ssh session to MY.DYN.IP, and create a tunnel to 10.0.0.3:21 on the LAN.

I guess, now, TC would only accept a connection to a ftp server running on the same IP as SSH server ?


Cheers,
Jaycee.

Posted: 2006-11-10, 08:56 UTC
by jaycee
No one can help ?

Posted: 2006-11-10, 12:54 UTC
by SanskritFritz
Would it be possible to have the tunnel to a ssh server, then to have ftp connecting to another computer on the ssl servers' network ?
No.
I guess, now, TC would only accept a connection to a ftp server running on the same IP as SSH server ?
Yes.

SSH tunneling is simply a port forwarding, no address translation is done on the server side. If there was address translation (meaning, the server forwards the request to another server), it would pose a security leak I think, but I might be wrong.

EDIT: if you want the tunnel to bypass your firewall to connect to other servers on different ports using another server outside the firewall, use HTTPort and HTTHost

Posted: 2006-11-10, 13:13 UTC
by jaycee
I am doing such thing everyday ...

ssh -p 22 -L 5901:WRK1_LAN_IP:5900 root@SSH_SERVER_IP
ssh -p 22 -L 5902:WRK2_LAN_IP:5900 root@SSH_SERVER_IP
...

SSH_SERVER_IP being the ssh server
SERVER_LAN_IP being inside the destination network.

ie, this port is for vnc ...

Posted: 2006-11-10, 13:19 UTC
by SanskritFritz
I only see 2 addresses here, the source and the destination. How would you address a third machine through the ssh server? Looks like my knowledge of ssh tunneling is very limited, I didn't know of such a possibility!

Posted: 2006-11-10, 13:29 UTC
by SanskritFritz
Can you please explain how you do it with Putty?

Posted: 2006-11-10, 14:42 UTC
by jaycee
being connected on any hotspot on internet (whatever my ip wan address is...)
This only works with ssh2 (I think ... )

let say the remote ssh server has WAN/LAN ip: 194.224.32.2/10.0.1.1
desktop you want to reach behind ssh server is: 10.0.1.133 (which doesn't have an ssh server)

Putty:

in session/hostname, the ip of ssh server with the port. (194.224.32.2:22) ( I usually change the port number because I get too many DoS attacks...)

in connection/ssh/tunnels (be root for port < 1024),
localhost source port : any port (ie 5901)
destination: IPAddress of destination, inside destination LAN: port (ie 10.0.1.133:5900 )

as example, if, now, you run vnc viewer, open localhost:5901, you will be linked to the remote pc 10.0.1.133, via the ssh server 194.224.32.2, which acts just as a proxy...

With a bit of imagination, you could find a lot of things to do with this... Enjoy...

And ... it would be interesting if TC implemented this...

(I think ssh3 will natively implement this for ftp... but I am not sure...)

edit: I think (again) ... that port forwarding is limited to root ...

edit2: I might not have fully understood your request ;)
Jean-Christophe.
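The two posts above (the `ssh -L` commands and the equivalent PuTTY tunnel settings) both rely on the same mechanism: the SSH client listens on a local port, and for each connection it accepts, the SSH server opens a fresh TCP connection to whatever destination host:port was named in the forwarding rule, then relays bytes in both directions. The destination does not have to be the SSH server itself; it only has to be reachable from it. The following is an added example, not code from the original thread or from Total Commander or PuTTY: a minimal local TCP relay in Python that reproduces the `-L localport:desthost:destport` behaviour on a single machine (without the SSH transport), plus a constructed stand-in for the FTP server so that the whole thing runs offline. All host names, ports and the banner text are assumptions made up for the demonstration.

```python
"""Local TCP port forwarding in the style of `ssh -L` (added example).

Real SSH carries the relayed bytes inside the encrypted channel between the
client and the SSH server; here both ends live in one process so the
relaying logic itself can be seen and exercised.  The fake FTP server below
is constructed for the demonstration and is not a real FTP daemon.
"""
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src closes, then tear both down."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            s.close()


def forward(listen_host, listen_port, dest_host, dest_port):
    """Listen on listen_host:listen_port; relay each client to dest_host:dest_port.

    This is what `-L listen_port:dest_host:dest_port` asks the ssh client and
    server to do between them.  Returns (listening socket, bound port); use
    port 0 to let the OS pick a free port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:          # listener closed: stop serving
                return
            try:
                # In the real thing this connect happens on the SSH server,
                # so dest_host is resolved and reached from *its* network.
                upstream = socket.create_connection((dest_host, dest_port), timeout=5)
                upstream.settimeout(None)
            except OSError:
                client.close()
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def fake_ftp_server(banner=b"220 constructed-ftp ready (test stand-in)\r\n"):
    """Constructed stand-in for the LAN FTP server: greets, answers QUIT only."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
            for line in conn.makefile("rb"):
                if line.upper().startswith(b"QUIT"):
                    conn.sendall(b"221 Goodbye.\r\n")
                    break
                conn.sendall(b"502 Command not implemented.\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def talk_through_tunnel():
    """Open the 'tunnel', connect to its local end and run a tiny FTP session.

    Returns the server's reply lines as seen by the client.
    """
    ftp_port = fake_ftp_server()
    listener, local_port = forward("127.0.0.1", 0, "127.0.0.1", ftp_port)
    buf = b""
    try:
        with socket.create_connection(("127.0.0.1", local_port), timeout=5) as c:
            c.sendall(b"QUIT\r\n")
            while b"221" not in buf:
                chunk = c.recv(4096)
                if not chunk:
                    break
                buf += chunk
    finally:
        listener.close()
    return buf.decode("ascii", "replace").splitlines()


if __name__ == "__main__":
    for reply in talk_through_tunnel():
        print(reply)
```

The point the relay makes concrete is SanskritFritz's question about a "third machine": the listener and the outbound connect are two separate sockets, so nothing ties the destination to the SSH server's own address. One caveat when the destination is an FTP server rather than VNC: only the control connection (port 21) is forwarded. FTP data transfers use a separate connection whose address and port the server announces in its PASV reply, and that connection is not covered by the single `-L` rule, so directory listings and transfers need either additional forwards for the server's passive port range or a different approach.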

Posted: 2006-11-10, 15:03 UTC
by SanskritFritz
2jaycee
Thank you, you understood me correctly. For some reason I always thought, the destination server cannot be separated from the ssh server... that is why in my putty config both IP addresses are the same: hostname IP and tunnel destination IP. Well now I understand why there is the possibility to input another IP address to the destination field. I never needed another scenario, hence, i stopped here. Thank you again!