Can't get ssh and wu-ftpd to work together

Discussion in 'Linux Networking' started by Richard Brandt, Oct 26, 2003.

  1. I am trying to follow the example in the "SSH-The Secure Shell" book for
    tunneling the control channel through ssh.
    I set up the initial tunnel per the example:
    client% ssh -L2001:server:21 server
    This works fine.
    client% ftp -vd localhost 2001
    This also works fine (login has no problems),
    but when I try to do any commands like "ls" it fails with:

    ftp:setsockopt (ignored ): permission denied
    ---> PASV
    Entering passive mode(192,168,1,50,232,45)
    ftp:connect: Connection refused

    I see that the client does try to connect to the server at the right address
    and port but gets a RST.
    When I run netstat on the server it shows LISTENING with the local address
    127.0.0.1:59437.
    So I'm guessing the connection is refused since the server is just listening
    on the loopback.
    But I don't know what else to change.
    I have wu-ftpd 2.6.1-18.
    ftpaccess looks like this:

    class Test_guest_class guest *
    limit Test_guest_class 2 Any /var/ftp/too-many.msg
    # noretrieve /*
    loginfails 2
    private no
    banner /var/ftp/banner.msg
    hostname ftpserver
    email root@localhost
    message /welcome.msg LOGIN
    message .message CWD=*
    readme README* LOGIN
    readme README* CWD=*
    chmod no anonymous,guest
    delete no anonymous,guest
    overwrite no anonymous,guest
    rename no anonymous,guest
    umask no guest
    passwd-check rfc822 warn
    log commands guest
    log security guest
    log transfers anonymous,guest,real inbound
    log transfers anonymous,guest,real outbound
    guestgroup rftpusers
    limit-upload guest 10000
    limit-download guest 1
    file-limit in 1 Test_guest_class
    file-limit out 0 Test_guest_class
    pasv-allow guest *
    port-allow all
    passive address 192.168.1.50 0.0.0.0/0


    Richard Brandt
     
    Richard Brandt, Oct 26, 2003
    #1
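
The symptom in the post above can be checked mechanically: the PASV tuple ends in 232,45, which decodes to port 59437, the same port netstat shows bound to 127.0.0.1 only. This added example (not part of the original thread or of wu-ftpd; the function names and the netstat sample are constructed, and numeric `netstat -tln` style output is assumed) decodes the reply and compares it with the server's listening sockets.

```python
import ipaddress
import re

# RFC 959 passive reply carries (h1,h2,h3,h4,p1,p2); port = p1*256 + p2.
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Constructed sample: numeric netstat output matching the post's description.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:59437         0.0.0.0:*               LISTEN
"""

def parse_pasv(reply):
    """Return (host, port) advertised in an FTP passive-mode reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply")
    nums = [int(x) for x in m.groups()]
    if max(nums) > 255:
        raise ValueError("field out of range 0-255")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def listeners(netstat_text):
    """Yield (local_addr, port) for each listening TCP socket."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5].startswith("LISTEN"):
            addr, _, port = f[3].rpartition(":")
            if port.isdigit():
                yield addr, int(port)

def diagnose(reply, netstat_text):
    """Compare the advertised data endpoint with what the server actually bound."""
    host, port = parse_pasv(reply)
    bound = [ipaddress.ip_address(a) for a, p in listeners(netstat_text) if p == port]
    if not bound:
        verdict = "no-listener"
    elif any(b.is_unspecified or str(b) == host for b in bound):
        verdict = "reachable"        # wildcard or the advertised address itself
    elif all(b.is_loopback for b in bound):
        verdict = "loopback-only"    # a connect to host:port from outside gets a RST
    else:
        verdict = "other-address"
    return host, port, verdict

if __name__ == "__main__":
    print(diagnose("Entering passive mode(192,168,1,50,232,45)", SAMPLE_NETSTAT))
```
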

  2. You tunnel to the server, but have no -R tunnel coming back for ftp-data.
    But since you do not know what port passive mode would use, you would
    likely need to do a -R tunnel for the normal ftp-data port (20), but you
    would have to ssh as root on the server to do that.

    You could configure the ftp server to use high ports (> 1024) so ssh
    tunnel could be done as a normal user (the ftp-data port would be the port
    under the ftp port). Or if all else fails, ssh to server, ftp file to
    server, scp file back to you.
     
    David Efflandt, Oct 27, 2003
    #2

  3. I know there are problems with a ssh tunnel for the data channel. I was
    just trying to get the basics done and get a tunnel for the control
    connection with a functional passive yet unencrypted data channel.
     
    Richard Brandt, Oct 28, 2003
    #3

  4. Don't bother. Proceed directly to an entirely SSH solution, with chroot
    cages if you need them to control user access to the server system, or go to
    WebDAV (which is built into Apache these days and runs over SSL quite
    nicely).
     
    Nico Kadel-Garcia, Oct 30, 2003
    #4
  5. I used the tunnel approach in the past.

    IIRC, need to rebuild the wu-ftpd package from the source code,
    something like "./configure --disable-pasvip" before running make.

    I have now also moved to an all ssh solution, as free ssh2 / sftp
    clients are now more readily available.
     
    John Doe, Nov 7, 2003
    #5