
Secure local editing (on a Windows box) of remote files (on a Linux box)


blackriver


Here's my situation:

I have a Windows XP machine and I have to edit files on several remote Linux boxes. Due to my project's chosen IDE, I can't work directly on the remote machines using VIM or something similar. So, we use the IDE's built-in FTP which allows us to edit files on the remote servers. This is rather insecure, and the IDE doesn't support SFTP.

How can I do this securely? I was thinking of building an SSH tunnel (as explained on episode 416), but the IDE also doesn't support using a proxy. Also, it would be a pain in the butt to switch between servers, which happens a lot during the day.

What else can I try? The most ideal solution would be to somehow mount the remote Linux dir to something local in Windows, so I can simply use the IDE's explorer to edit a "local" file (similar to Dropbox, for instance).

I'm using Putty, Plink and Total Commander on my Windows machine so far.


If you create an SSH tunnel from a random port (e.g. 13456) and point it at 127.0.0.1:21, then tell the ftp client to connect to 127.0.0.1:13456, ftp will be transported to the remote host over the ssh tunnel. Alternatively you could just give up on the IDE's ftp client and upload everything manually using FileZilla (for example), which does have support for SFTP.


If you create an SSH tunnel from a random port (e.g. 13456) and point it at 127.0.0.1:21, then tell the ftp client to connect to 127.0.0.1:13456, ftp will be transported to the remote host over the ssh tunnel.

But won't that just create a secure tunnel from me to the server at the end of the tunnel, and from then on become plain FTP again? The server at the end of the tunnel will still need to go onto the internet to actually FTP my files to the destination host.


But won't that just create a secure tunnel from me to the server at the end of the tunnel, and from then on become plain FTP again? The server at the end of the tunnel will still need to go onto the internet to actually FTP my files to the destination host.

He means create an ssh tunnel between your computer and the remote server. When you point your ftp application to your machine and the port specified by the ssh tunnel, the ftp traffic will go over the ssh tunnel. Though I like his second option of using an ftp client that's capable of sftp. Or you could scp the files to the remote machine.


Thanks for the replies, guys. I'm still not 100% confident this will keep my traffic secure 100% between point A ("ME" in the drawing, my Windows machine) and point B ("SERVER 2" in the drawing, the Linux server where the files need to go).

I have this SSH tunnel thing in my head like this:

5Qur1.gif

I set up a tunnel between ME and SERVER 1. The traffic between this goes through an SSH tunnel, and all's well. But then SERVER 1 will have to send whatever I want to send to my original destination, SERVER 2. And that's good old FTP, with plain text passwords and all.

Even if I set up a tunnel directly to SERVER 2, won't SERVER 2 still just blindly FTP my data to itself (over the internet) using the original non-local IP address?


So, there are several boxes running an ftp server that you need to connect to?

Just set up an ssh tunnel for each one, each using a different port.

Doesn't the ftp protocol have multiple streams (one for the commands, i.e. port 21, and then another for the data)? If you run an ssh tunnel for port 21 you would only be encrypting the commands and not the data being returned.

You could run ssh as a SOCKS proxy, and as long as your IDE's ftp client supports SOCKS proxies and your ftp server supports passive mode then you should be fine.


Thanks again everybody. I dug a little deeper and used the method suggested by Sparda, which indeed seems to work. I can log into the remote FTP server over localhost:21, and according to the logs the login process completes successfully.

But then the problem scrapheap mentions arises: FTP needs another port for the actual data, and the remote server chooses a random port for this. I can't possibly know this port beforehand, so it looks like this isn't gonna work after all :(

I came across a tool that might fix my problem, called Tunnelier: http://www.bitvise.com/ftp-bridge.html so I will be giving that a shot.

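The data-channel problem described in the post above, as an added example that is not part of any post in this thread: it decodes the passive-mode reply the FTP server sends over the tunnelled control connection and reports where the client will open the data connection. The addresses, ports and reply lines are constructed, and `FORWARDS` assumes the single 127.0.0.1:13456 forward suggested earlier.

```python
import re

# Passive-mode replies an FTP server sends on the control channel (port 21).
PASV = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV = re.compile(r"^229 [^(]*\(\|\|\|(\d+)\|\)")


def data_endpoint(reply, control_host):
    """Return the (host, port) the client will dial for the data channel."""
    m = PASV.match(reply)
    if m:
        nums = [int(x) for x in m.groups()]
        if max(nums) > 255:
            raise ValueError("PASV fields must be 0-255")
        # 227 carries the server's own address plus the port as two bytes.
        return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
    m = EPSV.match(reply)
    if m:
        # 229 carries only a port; the client reuses the control-channel host.
        return control_host, int(m.group(1))
    raise ValueError("not a passive-mode reply")


def classify(reply, control_host, forwards):
    """forwards: set of (host, port) local listeners set up as SSH forwards."""
    host, port = data_endpoint(reply, control_host)
    if (host, port) in forwards:
        return "tunnelled"
    if host.startswith("127."):
        return "no-forward"   # connection to localhost fails, nothing leaks
    return "cleartext"        # client dials the server directly, outside SSH


# Constructed scenario: one forward 127.0.0.1:13456 -> remote port 21.
FORWARDS = {("127.0.0.1", 13456)}
SAMPLE_REPLIES = [  # constructed server replies; 203.0.113.10 is a doc address
    "227 Entering Passive Mode (203,0,113,10,13,172)",
    "229 Entering Extended Passive Mode (|||3500|)",
]

if __name__ == "__main__":
    for line in SAMPLE_REPLIES:
        print(line, "->", data_endpoint(line, "127.0.0.1"),
              classify(line, "127.0.0.1", FORWARDS))
```

With only the control port forwarded, the 227 reply sends the data connection straight to the server's public address in cleartext, while the 229 reply points it at a local port that has no listener.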

You are connecting to a server, then connecting to a different server. How is this configured on server 1? The answer to secure the connection between server 1 and 2 might be to use SFTP, as it is (probably) not the IDE that is handling that portion of the file transfer.


@Webhostbudd: can I create a tunnel for a port range, then? One group of servers uses the range 3000 to 4000 for instance, it would be a PITA to manually set up Putty or Plink for this.

@Sparda: I think I was confusing a few concepts. I was thinking of how a SOCKS5 proxy works, like how Matt explained on show 416: http://www.mattlestock.com/2008/12/setup-an-ssh-socks-proxy/

@scrapheap: Some are using EditpadPro (more an advanced text editor, if you know it), and others use Netbeans (for PHP). Netbeans actually has SFTP support, but it's impossible to set up. This seems to be a known issue and I hope it'll be fixed soon.

I must say the tool Tunnelier does what it says, and sets up an FTP-to-SFTP bridge without much effort. So far I'm loving this tool, but I feel bad I couldn't set up something more intelligent using proper tools like Plink or Putty.


Standard FTP uses port 21 for the session establishment, and port 20 for data transfer.

If I am following this correctly, it would seem the easiest thing to do is use FileZilla (on Windows), which does SFTP for secure file transfer and download from remote servers: download the files you need, edit them locally, then reupload them when done editing. FileZilla can be set up to point to any editor when clicking to view/edit files. It will launch the editor, then save the file, then you can reupload it when done.
