Hi!
So, my situation is this: School has lousy file storage (and a stringent quota). So, I'm using a server at my house to store files. At school, I have access to SSH and the web, and though there is an FTP client on the systems, the port is blocked (can't take FTP off of IE; thank microsoft for that blunder.)

My solution to the problem, since sftp is NOT an option (no client software at the school), I need to do the same thing manually: tunnel an FTP connection over ssh.

Right now, I'm on my laptop trying to get it working while I'm on a LAN before I try anything fancy .

So, server (debian Gnu/Linux etch) running vsftpd, connects fine. Server running OpenSSH, connects fine as well.
On my laptop (gNewSense Gnu/Linux), I used the commands:

$sudo ssh -f -L20:localhost:20 -L21:localhost:21 username@server
$ftp localhost
Connected to localhost.
220 ProFTPD 1.3.0 Server (Server) [127.0.0.1]
Name (localhost:username):
331 Password required for username.
Password:
230 User username logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT Command Successful
425 Unable to build data connection: Connection refused
ftp>

Ok, so, everything seems to connect O.K. (laptop does NOT have an ftp server; the tunnel was successful). I've tried everything I can think of (changing ports, using the -C option, using -R instead of -L), and I'm kind of stuck.

Does anyone know what could be going wrong with the connection?

Active mode will not work, as it requires opening connection from server to client by server's initiative. So you need at least to tell your client go into passive mode. As far as I remember, even in this case server tells you to connect to some port by server's choice and it is not ftpdata (so networking thread can drop root privileges after getting ftp port open), so it'll be a problem to set up tunneling. Don't you want to use scp, or mc's #fish: file system, or FUSE sshfs?

sftp should be an option. If you can use ssh, you should be able to use sftp. It operates through a ssh tunnel but does all this in the background.

The problem is: there is no sftp client software, and I have insufficient rights to even run such software. Sftp, therefore, isn't an option -- it really doesn't matter if the theory works if you don't have client software

Does SSL work in IE? Set up the file server using HTTPS with login maybe..

I was pondering if the port change was the reason (it seemed logical enough. But it also seemed that since this happens for a lot of standard services -- http, ftp, even ssh -- that the tunnel should somehow be able to compensate?)

Once again, the problem with alternative solutions is that I can't install any client software -- what's on the system is all I have. scp isn't there (only the putty ssh client), and I can't install it (or even run a stand-alone copy), so I can't use it.

Trying to get files to go the other way Reading them isn't a big issue AT school (most of my current work is saved, finished at home, then printed and brought in that way), but I need to be able to write...

There is file upload in HTTP. Also, if you need to send text files typed in manually, you can just cut-and-paste them through a large enough textarea and POST form.

I have so far been unaware of HTTP having native upload capability (only sending it as mime-encoded text through the form data, and a lot of browsers just happen to support this nicely). Any idea how to set it up?

You might want to double check that . What ssh client are you using? Usually there will be an scp or sftp client included in the installation. Looking in the Putty manual, the scp client is named "pscp", and the sftp client is named "psftp".

I am well aware; I use putty all the time. pscp and psftp are separate programs (check the putty download page -- you'll see), and only the SSH client is installed (it has tunnel support, though).

I just found this thread, I wanted to do exactly what the OP was asking: Run FTP over SSH tunnel

And I did find a way. Look here:

www dot derkeiler dot com
/Newsgroups
/comp.security.ssh
/2002-03/0545 dot html

(Sorry, please put the pieces together. I'm not permitted to post a URL on my first post here, I presume that's a spam deterrent measure.)


I have copied the text of the above post below my signature in case you cannot get to the page.

My setup is not quite the same as described in the post, but the method was very easy for me to adapt. It works beautifully for me.

Just wanted to pass this info along for anyone else looking to do this.

Best regards,
--appyface



Slightly reformatted text taken from
www dot derkeiler dot com
/Newsgroups
/comp.security.ssh
/2002-03/0545 dot html


From: Chuck Renner
Date: Tue, 26 Mar 2002 02:29:46 GMT

This is cumbersome, and requires passive ftp (uugh...), but it works!


OK. So you have a Windows machine in office LAN #1, which you need to
connect via FTP to a Windows machine in office LAN #2, and you want both
the data and the control session encrypted by SSH. Both LANs are behind
Linux firewall/gateways running SSH daemons.


You can do this, but it's tricky. I've tested it and it works.


Steps:
1. First get a GOOD ftp client (with automatic passive mode when
available) and a GOOD ftp server (with very configurable passive ftp
mode). I am using BulletProof ftp client and BulletProof ftp
server.


2. Get a good SSH client for windows (I tested this with PuTTY -
free and good)


3. Setup your ftp server to run on an acceptable port for your
incoming control session (I used port 2021)


4. Setup your ftp server to tell ftp passive clients that your
real ip is 127.0.0.1 (yes, I know that that seems weird (that's the
localhost self-resolving ip), but trust me, it will make sense)


5. Setup your ftp server to use a very small range of incoming
ports for passive ftp connections (I used 5 ports, 2022 - 2026)


6. Setup your SSH client to use SSH2, and set up the following
local port forwards (using my examples above, substitute your own
ports):
* 2021 (local port)--> 192.168.0.2:2021 (ftp server internal
ip:ftpserver local port for control session)
* 2022 (local port)--> 192.168.0.2:2022 (ftp server internal
ip:ftpserver local port for passive data session)
* 2023 (local port)--> 192.168.0.2:2023 (ftp server internal
ip:ftpserver local port for passive data session)
* 2024 (local port)--> 192.168.0.2:2024 (ftp server internal
ip:ftpserver local port for passive data session)
* 2025 (local port)--> 192.168.0.2:2025 (ftp server internal
ip:ftpserver local port for passive data session)
* 2026 (local port)--> 192.168.0.2:2026 (ftp server internal
ip:ftpserver local port for passive data session)


7. Connect your ssh client with the settings in step 6 to the ssh
daemon on your linux gateway machine in office #2.


8. Your Windows machine in office #1 will now have listening local
ports 2021-2026.


9. Connect your Windows ftp client (in passive mode) to
localhost:2021 (yes, localhost - the connection will be forwarded
via the encyrpted SSH tunnel to the Windows machine in office #2).


10. Login to the ftp server.


11. List files. The data session will be established, and this
will work!!! (I couldn't believe it when this step actually worked,
I've been trying to find a documented solution to this forever)


12. If you want, exit your SSH client, it will close the
psuedo-terminal session, but will not actually exit until the ftp
connections over the tunnel have closed.


13. Make your ftp transfers.


14. Exit ftp. If you already exited SSH, then you are finished.
Otherwise, exit SSH.


If you want to grant ftp access to users that you would not grant normal
shell access to, then generate keypairs for them, give them their private
keys, and use the SSH documentation to limit the port-forwards that they
can use to just the ones they need 192.168.0.2:2021-192.168.0.2:2026, and
to turn off pseudo-terminal access. If you make them login using their
private keys (don't give them a shell password), you can keep a pretty
tight reign on things (see the authorized_keys or authorized_keys2
documentation in OpenSSH)

provided that the machines you are running from are windows you could allways try a staic binary of winscp.
i carry one on my kedrive that will work with every windows machine i use without doing anything to the harddrive.
so far the only thing that has been able to stop it is certian firewalls that are not likly to be installed on a standard school cluster!

My situation is much like the OP's: I cannot choose the client software or protocol, it must be FTP over SSH tunnel. The post I quoted here (provided the requirements outlined therein are met) has provided me with an excellent solution, given this restriction.

Of course, if one has control over the client software and/or protocol used, there are many more options available, such as the one you mentioned as well as the others in this thread.

I just wanted to share this particular method, so that anyone else with similar restrictions as the OP, might have a workable solution.

Best regards,
--appyface

Hello,

I got this working using putty 0.60 for setting up a dynamic tunnel, with this kind of tunnel PuTTY provides a local SOCKS 4/4A/5 proxy on a local port. Your FTP client must be set to use this local SOCKS proxy and passive mode.

Not so detailed Instructions:

on PUTTY:

1. Open putty configuration.
2. Set up an SSH connection to your SSH server as usual (host, port, etc.)
3. Go to Connection > SSH > Tunnels.
4. Fill in source port, this is the port where SOCKS proxy will listen, so you FTP client should be set to use 127.0.0.1:<source port> as socks proxy.
5. Destination: empty, not used for dynamic tunnels.
6. Select Dynamic radio button.
7. (optional) Go back to session and save you settings.
8. Connect to your SSH server!

on FTP client:

1. Configure your FTP client to use a SOCKS proxy at 127.0.0.1:<source port>.
2. Configure your FTP client to use PASSIVE mode.
3. FTP connection must be opened to actual FTP server address and port, for example 192.168.0.1:21. Note that your SSH server must be able to reach your FTP server at that IP address and port.

FrAlAcos

PS: I'm a frequently visitor of this forums and got lot of help from here, just now i have this chance to help back so ... hope it helps!

1 members found this post helpful.