Description
This article is from the SSH - Secure Shell FAQ, by Thomas Koenig Thomas.Koenig@ciw.uni-karlsruhe.de with numerous contributions by
others.
4.8. Can I use ssh to protect services like ftp or POP?
If you want to avoid sending ftp passwords in cleartext over the net,
you can use ssh to encrypt your command channel. This will still
leave your data channel open to all attacks on TCP, and will not work
through a firewall.
Suppose you are on a host called myhost and want to initiate a ftp
connection to ftphost. On myhost, you do
myhost$ ssh -L 1234:ftphost.do.main:21 ftphost
This logs you on to ftphost and also forwards connections to 1234 on
myhost to ftphost.
Then, in another window, you do
myhost$ ftp mymachine 1234
220 ftphost FTP server (Foonix 08/15) ready.
Name: (myhost:yourname):
331 Password required for yourname
Password:
230 User yourname logged in.
This works if the remote ftp daemon accepts PORT commands which
specify a different host from the one the command channel appears to
come from, and if the ftp client always uses PORT. This is true for
vanilla UNIX ftp client and ftpd servers; it may not work for more
advanced ftpds, such as wu-ftpd.
For servers which do not accept this, you can see wether you ftp
client supports passive mode, and wether the ftp server accepts PASV.
For POP, Stephane Bortzmeyer (bortzmeyer@pasteur.fr) has written a
script which protects the mail transfer and passwords ussing ssh. It
requires no modification to existing POP servers or clients, and is
available from ftp://ftp.pasteur.fr/pub/Network/gwpop/.
Other services could be secured by similar means. Note, however, that
unencrypted ftp data connections are still vulnerable to session
hijacking and snooping.
Continue to:
Share and Enjoy
Bookmark this story so others can enjoy it:
Tags
security, SSH, Secure Shell
