[Nottingham] hello and a vsftpd configuration problem for FTP tunnelling

leigh silvester nottingham at mailman.lug.org.uk
Thu Jun 12 23:02:00 2003


While I have had much experience of setting up and maintaining Windows
server systems, I have not had much call to set up and maintain Linux systems.
I have played on Solaris systems as a user but would not call myself an expert.

Recently I had to set up Redhat Linux 8.0 for a client and was extremely impressed
with this OS. I am an instant convert! I have seen the light.

Now I'm not sure what the remit of this list is but perhaps I can trouble you to
consider a problem?

A matter that has vexed me somewhat is tunnelling FTP via SSH.
I have OpenSSH installed and running (can establish an SSH session with the system)
as well as vsftpd (again, can FTP to the system).
All well and good.

For security reasons (why else?) the client would prefer to use encrypted file transfer.
While there is a file transfer component to the SSH (win32 SecureShell) client being
used, the client's users prefer to do file transfers via their HTML editors. It is a lot more
convenient.

Secure shell is configured for a tunnel from 127.0.0.1:2021.
In tests with several straight FTP clients (connect to 127.0.0.1:2021 - passive)
I was able to establish a connection to the FTP server via the SSH, HOWEVER
whenever the FTP client tried to get a directory/file listing the FTP daemon responded
with "illegal port command".

Now I think I understand that the FTP daemon does not like returning results to a client
that is masquerading as itself (ie the 127.0.0.1 address), but I believe that some FTP
systems can be configured to allow this strategy.

Obviously I have searched the Redhat site, the vsftpd site and various Linux howto sites
but have not come across an obvious answer.

Is there a way to configure vsftpd to allow this strategy?
Do I have to change to another FTP system that does?
Am I barking up the wrong tree entirely?

PS the firewall settings for this server are high, with ports open for
ftp, ssh, http, rpc, mysql, x11 and one or two others only.
I don't think this is where the problem lies, as otherwise no response from
the daemon would be seen at all.

Any ideas gratefully received.

Regards

Leigh
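The post's problem comes down to where the FTP data connection is told to go. The following is an added example, not code from the post or from vsftpd: it parses the h1,h2,h3,h4,p1,p2 tuple that a PORT command or a 227 PASV reply carries, emulates a daemon-side check that the PORT address must match the control connection's peer (the kind of check vsftpd applies by default, assumed here), and shows why a 227 reply advertising the server's real address sends the data connection around a local SSH tunnel. All addresses and ports are constructed sample values.

```python
import ipaddress
import re

# h1,h2,h3,h4 = IPv4 address, p1,p2 = port as p1*256 + p2 (RFC 959 PORT / 227 syntax)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text: str):
    """Return (ip, port) from the h1,h2,h3,h4,p1,p2 tuple in a PORT command or 227 reply."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    ip = ipaddress.IPv4Address(".".join(str(o) for o in octets[:4]))
    port = octets[4] * 256 + octets[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ip, port


def check_port_command(control_peer: str, port_cmd: str) -> str:
    """Emulate a strict daemon-side check on an active-mode PORT command.

    Assumed policy (for illustration): the advertised data address must equal the
    address the control connection came from, so the daemon never opens a data
    connection to a third party on the client's behalf.
    """
    ip, port = parse_hostport(port_cmd)
    peer = ipaddress.IPv4Address(control_peer)
    if ip != peer:
        return f"500 Illegal PORT command (data addr {ip} != control peer {peer})"
    return f"200 PORT command successful ({ip}:{port})"


def explain_pasv(reply_227: str, tunnel_host: str) -> str:
    """Show where a client that reached the server via a local tunnel at tunnel_host
    will actually open the passive-mode data connection."""
    ip, port = parse_hostport(reply_227)
    if str(ip) != tunnel_host:
        # The client connects straight to this address, not through the tunnel:
        # that traffic is neither encrypted by SSH nor covered by the tunnel's firewall rule.
        return f"data connection goes directly to {ip}:{port}, bypassing the tunnel at {tunnel_host}"
    return f"data connection stays on {ip}:{port}"
```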