So as a quick summary for others.....what Sharky is trying to do is the so called "holy grail" for Dreamweaver users....Macromedia Dreamweaver, like many other web design applications, tends to think that everyone is on a secure internet and that unencrypted logins are perfectly ok....we all now know that this is wishful thinking. So the idea is, since Macromedia refuses to integrate SFTP/SCP into their application, and we all have users that refuse to just publish to a local disk and then upload with SFTP....well sysadmins all over the net have needed a compromise.

The compromise is to tunnel the FTP request to the target server through an SSH tunnel...think of it as putting the FTP envelope inside an SSH envelope...then when it gets to the other side, the SSH envelope is torn open, and then the FTP envelope is routed through the internal company snail mail system. This way the un-encrypted FTP login never gets out onto the network, because it's only sent over the internal data bus of the Linux/Unix box.

The big issue is the pasv port theft problem....because the Macromedia "site synchronize" feature is pointed at the SSH tunnel (i.e. ftp to 127.0.0.1 which is the local host port and TCP port #2021 as an example) the source address is changed from the 127.0.0.1 port 2021 to 128.171.10.160 port 21 at the destination server. This is commonly a problem with machines that have illegally been turned into a reflector for denial of service attacks, smurfs, etc.... lots of possible mischief. So to make this work, you have to allow this type of address change as indicated in the config file (snippet) below.

Lastly, we now have the SSH tunneling working on uhunix just fine, but only on the commercial SSH and on the wintel platform. It doesn't work on Linux and Mac OS X yet....this is a problem with wu-ftpd. I've got it working on all platforms with proftpd just fine. The only stuff I had to add out of the norm is listed below in the cutout...

Here's the section of the proftpd.conf file that you really need....

    # Allow foreign addresses to support SSH tunneling
    AllowForeignAddress on

    # Port 21 is the standard FTP port.
    Port 21

    # This is an attempt to limit access only from the localhost so that users are
    # forced to use the SSH tunnels to access the FTP service
    <Limit LOGIN>
      Order allow,deny
      Allow from 128.171.10.160, 127.0.0.1
      Deny from all
    </Limit>

So this will allow you to set up ssh with a listen port on your local machine like:

    ssh -L2021:128.171.10.160:21 [EMAIL PROTECTED]

The pasv error is what we've been getting on the wu-ftpd and by moving to proftpd the problem goes away...the docs on the Macromedia site are nearly worthless...but at least pointed me in the correct direction.....

/brian chee

University of Hawaii ICS Dept
Advanced Network Computing Lab
1680 East West Road, POST rm 311
Honolulu, HI 96822
808-956-5797 voice, 808-956-5175 fax

----- Original Message -----
From: "Erich S." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, December 09, 2002 9:48 AM
Subject: [luau] Secure FTP to RedHat 7.3 box?

> Hi Folks!
>
> I'd like to use Dreamweaver's Remote folder facility for working with
> files that are on my RedHat 7.3 server. Dreamweaver is set up so that
> it'll use SSH to connect to the remote server. They even provide links to
> putty.exe and plink.exe. (I've used putty for SSH connections and like it
> very much)
>
> The documentation on the Dreamweaver side gets sketchy at that point, only
> dealing with what has to be done on the client side. They advise "Check
> with your ISP" for server side issues :( Seeing that this is my own server
> I guess that leaves me as the clueless "ISP".
>
> I have very minimal services set up on my machine and FTP by default is
> turned off.
>
> Is there a safe way to open FTP or to open it up only for SSH tunneled
> connections? Has anyone else set their Linux boxes to work with
> Dreamweaver MX?
>
> Thanks in advance,
> Sharky
>
> _______________________________________________
> LUAU mailing list
> [EMAIL PROTECTED]
> http://videl.ics.hawaii.edu/mailman/listinfo/luau
>
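
An added illustration, not part of the original thread and not ProFTPD's own code: a simplified Python model of why a passive-mode transfer is refused when only the control connection goes through `ssh -L`, unless AllowForeignAddress is on. Only the control channel (the login) is inside the tunnel; the data connection goes directly to the PASV endpoint. The client address and the 227 reply are constructed sample values; the server address is the one used in the post.

```python
import re
from ipaddress import ip_address

SERVER = "128.171.10.160"   # FTP/SSH server address used in the post
CLIENT = "192.0.2.45"       # constructed client address (documentation range)
# Constructed sample reply: the server advertises its data endpoint.
REPLY = "227 Entering Passive Mode (128,171,10,160,195,80)"

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(line):
    """Return (host, port) from an RFC 959 '227 Entering Passive Mode' reply."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % line)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % line)
    host = str(ip_address(".".join(str(n) for n in nums[:4])))
    return host, nums[4] * 256 + nums[5]   # port = p1 * 256 + p2


def data_connection_allowed(control_peer, data_peer, allow_foreign):
    """Simplified model of the server-side check: without AllowForeignAddress,
    the data connection must come from the control connection's peer address."""
    return allow_foreign or ip_address(control_peer) == ip_address(data_peer)


def scenario(tunneled, allow_foreign):
    """Return (data endpoint, accepted?) for one client setup."""
    # Through the tunnel, sshd on the server opens the control connection,
    # so the FTP daemon sees the server's own address as the control peer.
    control_peer = SERVER if tunneled else CLIENT
    # The data connection is opened by the client straight to the PASV
    # endpoint, outside the tunnel, so it arrives from the client's address.
    data_peer = CLIENT
    endpoint = parse_pasv_reply(REPLY)
    return endpoint, data_connection_allowed(control_peer, data_peer, allow_foreign)


if __name__ == "__main__":
    for tunneled in (False, True):
        for allow in (False, True):
            endpoint, ok = scenario(tunneled, allow)
            print("tunneled=%-5s AllowForeignAddress=%-5s data->%s:%d accepted=%s"
                  % (tunneled, allow, endpoint[0], endpoint[1], ok))
```

Because the data endpoint is reached directly, file contents and directory listings still cross the network unencrypted in this setup, and the passive port range has to be reachable from clients even though `<Limit LOGIN>` restricts where logins may come from.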
