FTP-over-SSH
Secure use of an FTP client involves a so-called SSH tunnel created between your computer and the FTP server by means of SSH (secure shell) software. Such a use of FTP is called FTP-over-SSH. The idea is to set up a proxy FTP server on your computer that:
- makes a connection to the actual FTP server using SSH (the tunnel),
- accepts ftp requests from your FTP client,
- encrypts and transmits them to the server,
- receives and decrypts responses from the server,
- transfers them back to your FTP client.
All Linux distributions provide the SSH suite of programs by default. For Windows, there is an excellent free TELNET, RLOGIN and SSH program called PuTTY, available from http://www.chiark.greenend.org.uk/~sgtatham/putty.html.
An SSH client used for this purpose should be given the following arguments:
- www.hermes.net.au: the SSH server,
- 1998: the connection port (non-standard; the standard one is 22, which is routinely scanned by hackers hoping to break in by trying many random username/password combinations).
The tunnelling options of the client (Connection - SSH - Tunnels in PuTTY) should be set as follows:
- localhost: the proxy server (your own computer),
- Lnnnn: the local port, where nnnn stands for any number in the range 3001-65534, e.g. 3456,
- www.hermes.net.au:21: the destination (21 is the standard port for the exchange of control data - user name, password, commands and responses - between the FTP client and the server).
When you run your SSH client with these arguments and options and are asked for a username and password, type ssh-user and 535am3 respectively. This combination is a special one, to be used only for FTP-over-SSH purposes; it does not provide access to anything else.
A successful SSH login to www.hermes.net.au with the above arguments and options results in the following message:
You have 40 seconds to start your FTP-over-SSH client.
Your FTP client should now be started with a connection to localhost port 3456 instead of www.hermes.net.au port 21. When asked for your username and password, respond with your HERMES username and password. They will be encrypted by your SSH client before being transferred through the tunnel to www.hermes.net.au. Then you may use the data transfer facilities of your FTP client as usual. However, data is transferred through port 20 of www.hermes.net.au, thus bypassing the tunnel, i.e. with no encryption.
In other words, FTP-over-SSH secures your username and password only. Files and directories are still transferred in unencrypted form.
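As an added example (not part of the original how-to): the OpenSSH command line equivalent to the PuTTY tunnel settings above, plus a small check that reads an FTP control-channel log and lists the data-channel endpoints that fall outside the tunnel. It assumes OpenSSH rather than PuTTY, the sample exchange is constructed, and it also covers passive mode (PASV), which the text does not mention but which bypasses the tunnel just the same.

```python
import re

# Parameters taken from the how-to above.
SSH_HOST = "www.hermes.net.au"
SSH_PORT = 1998          # non-standard sshd port the server listens on
LOCAL_PORT = 3456        # the nnnn chosen for the local end of the tunnel
FTP_CONTROL_PORT = 21    # destination of the forward: the FTP control channel

def ssh_forward_argv(local_port=LOCAL_PORT):
    """OpenSSH equivalent of the PuTTY tunnel settings: -L listens on
    localhost:<local_port> and forwards to www.hermes.net.au:21; -N opens no shell."""
    return ["ssh", "-N", "-p", str(SSH_PORT),
            "-L", f"{local_port}:{SSH_HOST}:{FTP_CONTROL_PORT}",
            f"ssh-user@{SSH_HOST}"]

# FTP announces a data endpoint as h1,h2,h3,h4,p1,p2 (RFC 959): PORT and 227 reply.
_ENDPOINT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def data_endpoint(line):
    """Return the (host, port) a PORT command or 227 reply announces,
    or None if the line carries no endpoint."""
    m = _ENDPOINT_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def data_channel_tunnelled(line, local_port=LOCAL_PORT):
    """True only if the announced data connection would enter the SSH listener
    on localhost; a single -L forward covers port 21 alone, so this never holds."""
    ep = data_endpoint(line)
    return ep is not None and ep[0] == "127.0.0.1" and ep[1] == local_port

def audit_session(control_log):
    """List the data endpoints of a captured control-channel exchange
    that will be reached outside the tunnel, i.e. in the clear."""
    return [data_endpoint(l) for l in control_log
            if (l.startswith("PORT ") or l.startswith("227 "))
            and not data_channel_tunnelled(l)]

# Constructed sample exchange (documentation addresses, made-up account).
SAMPLE_LOG = [
    "220 Hermes FTP server ready",
    "USER alice", "331 Password required for alice",
    "PASS example-only", "230 User alice logged in",
    "PORT 192,168,1,10,12,34", "200 PORT command successful",
    "PASV", "227 Entering Passive Mode (203,0,113,5,195,80)",
]
```

Run audit_session(SAMPLE_LOG) to see that both the active-mode PORT target and the passive-mode 227 target lie outside localhost:3456, which is exactly why file contents travel unencrypted.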