Hi Dave,
Yes, this is one of the most common problems with secure FTP, and is one
of the primary reasons why I recommend the SSH solutions (such as sftp)
instead of FTP over SSL.
If the error is what I think it is, you'll have problems with GET, PUT,
DIR, LS, LIST, etc. But other commands such as rename, site, ascii,
binary will work without issue.
Every time data is transferred (either a file or a directory listing) a
new connection is opened to transfer the data. This connection isn't
always made to the same port number, so (in passive mode) the client
asks the server for the port number, and you get a response. In your
log, the response looks like this:
227 Entering Passive Mode (10,48,227,144,133,49)
The stuff in parentheses is an IP address (10.48.227.144) and a port
number (133 is the first byte, 49 is the second byte), so the port
number is 34097 (133 = x'85', 49 = x'31', and x'8531' = 34097).
Addresses that begin with '10' are private addresses, so the server is
probably running behind NAT. NAT changes addresses dynamically from a
private address to a public one. In standard (plain text) FTP, the NAT
gateway scans the outgoing packets, finds the IP address/port, and
changes it to the public address. It can't do that in secure FTP,
because the data is encrypted.
The result... you can either stop the encryption before you send/receive
any data. (Most secure FTP software lets you drop encryption after the
password is sent, if desired.) That will let the NAT gateway change
your data appropriately...
Or, you can use a better protocol than FTP over SSL (which is poorly
designed, thus your problem) and use something like sftp instead. sftp
is both more secure, and works much better across NATs and firewalls.
On 2/18/2011 9:07 AM, daparnin@xxxxxxxxxxxxxx wrote:
I am trying to work with a remote FTP site with a secure connection. They
have specified the address and port that we are to use. I can get
connected but whenever I type a command such as ls it just hangs and I
need to do a SYSREQ-2 to get out of it. Below is what I typed and what I
got. Any ideas?
FTP RMTSYS('ftps-blahgateway.sys.blah.com') PORT(6990) SECCNN(*SSL)
File Transfer Protocol
Previous FTP subcommands and messages:
Connecting to host wsuser129.user.blah.com at address x.x.x.x using port 6990.
220 BLAH FTPS Server Ready!
234 Security data exchange complete.
Connection is secure.
user-id
331 Password required for user-id
230 BLAH FTPS Server Ready!
UNIX Type: A
200 PBSZ command successful.
200 PROT command successful.
Data protection level set to P.
ls
227 Entering Passive Mode (10,48,227,144,133,49)
Here is where it hangs with input inhibited.
Dave Parnin
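The 227 decoding and the NAT symptom described in the reply above, as an added example that is not part of this thread and not code from either poster. It parses the passive-mode reply from Dave's log into the advertised address and port (133,49 -> 34097), checks whether that address is an RFC 1918 private address, and, if it is while the control connection went to a public address, falls back to the control-connection host the way many FTP clients do. The control address 203.0.113.10 is a constructed stand-in for the x.x.x.x in the log; the function names are mine.

```python
import ipaddress
import re
from typing import NamedTuple, Tuple

# RFC 1918 private ranges. The reply notes that a PASV address starting
# with 10 is one of these, i.e. the server's inside address behind NAT.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


class PasvReply(NamedTuple):
    host: str
    port: int


def parse_pasv(line: str) -> PasvReply:
    """Decode a 227 reply into (host, port); reject anything malformed."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 passive-mode reply: {line!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"byte out of range in 227 reply: {line!r}")
    host = ".".join(str(b) for b in fields[:4])
    # p1 is the high byte, p2 the low byte: 133 = x'85', 49 = x'31'
    port = (fields[4] << 8) | fields[5]
    if port == 0:
        raise ValueError(f"data port 0 is not usable: {line!r}")
    return PasvReply(host, port)


def is_rfc1918(host: str) -> bool:
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in RFC1918)


def choose_data_endpoint(line: str, control_host: str) -> Tuple[str, int, str]:
    """Pick where the data connection should go.

    If the server advertised a private address but we reached it on a
    public one, the PASV reply was never rewritten by the NAT gateway
    (it could not read the encrypted control channel), so use the
    control-connection host instead and tag the decision "nat-fallback".
    """
    reply = parse_pasv(line)
    if is_rfc1918(reply.host) and not is_rfc1918(control_host):
        return control_host, reply.port, "nat-fallback"
    return reply.host, reply.port, "pasv"


if __name__ == "__main__":
    # Constructed inputs: the 227 line from the post, plus a made-up
    # public address standing in for the x.x.x.x the client connected to.
    LINE = "227 Entering Passive Mode (10,48,227,144,133,49)"
    CONTROL = "203.0.113.10"
    print(parse_pasv(LINE))
    print(choose_data_endpoint(LINE, CONTROL))
```

Substituting the control host only fixes the address half of the problem. Because the gateway never saw the PASV reply, it also never opened a pinhole for port 34097, so the data connection still depends on the server's passive port range being forwarded through the NAT; when it is not, the client hangs exactly as in the log above, which is why the reply recommends sftp (a single SSH connection) instead.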