FTP over SSH (not SFTP)

FTP over SSH (not SFTP) refers to the practice of tunneling a normal FTP session over an SSH connection.

Because FTP uses multiple TCP connections (unusual for a TCP/IP protocol that is still in use), it is particularly difficult to tunnel over SSH. With many SSH clients, attempting to set up a tunnel for the control channel (the initial client-to-server connection on port 21) will protect only that channel; when data is transferred, the FTP software at either end will set up new TCP connections (data channels) which will bypass the SSH connection, and thus have no confidentiality, integrity protection, etc.

Otherwise, it is necessary for the SSH client software to have specific knowledge of the FTP protocol, and monitor and rewrite FTP control channel messages and autonomously open new forwardings for FTP data channels. Version 3 of SSH Communications Security's software suite, and the GPL licensed FONC are two software packages that support this mode.

FTP over SSH is sometimes referred to as secure FTP; this should not be confused with other methods of securing FTP, such as with SSL/TLS (FTPS). Other methods of transferring files using SSH that are not related to FTP include SFTP and SCP; in each of these, the entire conversation (credentials and data) is always protected by the SSH protocol.


Red Drive is a free file transfer extension that integrates with your Windows Explorer environment allowing you to drag, drop, open and edit files on remote servers without launching a separate file transfer client. Red Drive supports various file transfer protocols including FTP, FTPS (FTP over SSL), SFTP (FTP over SSH) and WebDAV.

SSH tunneling

An SSH tunnel (sometimes referred to as a VPN) is an encrypted network tunnel created through an SSH connection. SSH is frequently used to tunnel insecure traffic over the Internet in a secure way. For example, Windows machines can share files using the SMB protocol, which is not encrypted. If you were to mount a Windows filesystem remotely through the Internet, someone snooping on the connection could see your files. To mount an SMB file system securely, one can establish an SSH tunnel that routes all SMB traffic to the fileserver inside an SSH-encrypted connection. Even though the SMB traffic itself is insecure, because it travels within an encrypted connection it becomes secure.

In order to create an SSH tunnel, the SSH client is configured to forward a specified remote port and IP address (that is accessible on the SSH server) to a port on the local machine. Once the SSH connection has been established, the user can connect to the specified local port to access the network services that would otherwise be available only at the remote IP address and port.

SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services provided that outgoing connections on port 22 are allowed. For example, many institutions prohibit users from accessing Internet web pages (port 80) directly without first being examined by a proxy/filter device. However, if users are able to connect to an external SSH server, it is possible for them to create an ssh tunnel to forward port 80 on an external web server to a given port (probably port 80) on their local machine, and thus access that web page by typing http://localhost in their browser.

More commonly, users may set up their own proxy server at home, using free software such as Squid, and construct a tunnel from their workstation to the proxy. Next, by configuring their browser to use localhost rather than the corporate proxy server, users can access any web page they want, bypassing their company's filters and firewalls.

Another method is to use dynamic port forwarding, which creates a local SOCKS 4/5 proxy server that a user can connect to, effectively creating an encrypted tunnel to the remote SSH server. The user can then configure his/her applications to use the SOCKS proxy server, usually for bypassing filters and firewalls.