This is a discussion on "Can't get ssh and wu-ftpd to work together" within the Linux Security forums, part of the System Security and Security Related category.
I am trying to follow the example in the "SSH-The Secure Shell" book for
tunneling the control channel through ssh.

I set up the initial tunnel per the example:

    client% ssh -L2001:server:21 server

This works fine.

    client% ftp -vd localhost 2001

This also works fine (login has no problems), but when I try to do any
commands like "ls" it fails with:

    ftp: setsockopt (ignored): permission denied
    ---> PASV
    Entering passive mode (192,168,1,50,232,45)
    ftp: connect: Connection refused

I see that the client does try to connect to the server at the right
address and port but gets a RST. When I run netstat on the server it
shows LISTENING with the local address 127.0.0.1:59437, so I'm guessing
the connection is refused since the server is just listening on the
loopback. But I don't know what else to change.

I have wu-ftpd 2.6.1-18. ftpaccess looks like this:

    class Test_guest_class guest *
    limit Test_guest_class 2 Any /var/ftp/too-many.msg
    # noretrieve /*
    loginfails 2
    private no
    banner /var/ftp/banner.msg
    hostname ftpserver
    email root@localhost
    message /welcome.msg LOGIN
    message .message CWD=*
    readme README* LOGIN
    readme README* CWD=*
    chmod no anonymous,guest
    delete no anonymous,guest
    overwrite no anonymous,guest
    rename no anonymous,guest
    umask no guest
    passwd-check rfc822 warn
    log commands guest
    log security guest
    log transfers anonymous,guest,real inbound
    log transfers anonymous,guest,real outbound
    guestgroup rftpusers
    limit-upload guest 10000
    limit-download guest 1
    file-limit in 1 Test_guest_class
    file-limit out 0 Test_guest_class
    pasv-allow guest *
    port-allow all
    passive address 192.168.1.50 0.0.0.0/0

Richard Brandt
On Sun, 26 Oct 2003, Richard Brandt <richard1.brandt@attbi.com> wrote:
> I am trying to follow the example in the "SSH-The Secure Shell" book for
> tunneling the control channel thru ssh.
> I setup the initial tunnel per the example
> client% ssh -L2001:server:21 server
> This works fine
> client% ftp -vd localhost 2001
> This also works fine (login has no problems)
> but when I try to do any commands like "ls" it fails with
>
> ftp:setsockopt (ignored ): permission denied
> ---> PASV
> Entering passive mode(192,168,1,50,232,45)
> ftp:connect: Connection refused

You tunnel to the server, but have no -R tunnel coming back for ftp-data.
But since you do not know what port passive mode would use, you would
likely need to do a -R tunnel for the normal ftp-data port (20), but you
would have to ssh as root on the server to do that.

You could configure the ftp server to use high ports (> 1024) so the ssh
tunnel could be done as a normal user (the ftp-data port would be the port
under the ftp port). Or if all else fails, ssh to server, ftp file to
server, scp file back to you.

--
David Efflandt - All spam ignored http://www.de-srv.com/
http://www.autox.chicago.il.us/ http://www.berniesfloral.net/
http://cgi-help.virtualave.net/ http://hammer.prohosting.com/~cgi-wiz/
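The symptoms in the original post and the point David makes about the data channel can be reproduced from the three strings the thread quotes: the PASV reply the client printed, the host the client dialled, and the socket netstat showed on the server. The script below is an added example, not code from the thread, the book or wu-ftpd; the function names (parse_pasv, diagnose, probe) are my own. It decodes the PASV reply (port = p1*256 + p2, so (232,45) is 59437, the port netstat reported), then explains why a control channel that enters the server over the ssh forward produces a data connection that leaves the tunnel, travels in the clear, and, when the server has bound its listener to the loopback end of that forward while advertising 192.168.1.50, is refused.

```python
"""Why the PASV data connection fails when only the FTP control channel is
tunnelled over SSH.  Added example, not code from the thread or from wu-ftpd.

Inputs are the strings the thread quotes: the client's PASV reply, the host
the client dialled (localhost, i.e. the 'ssh -L' forward) and the socket
netstat showed on the server.
"""
import ipaddress
import re
import socket
from typing import List, Optional, Tuple

# RFC 959 reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"\(\s*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (host, port) advertised by a PASV reply; port = p1*256 + p2.

    The host is what the server *advertises* (wu-ftpd's 'passive address'
    directive sets it), which need not be the address the server bound.
    """
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"not a PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return host, port


def _is_loopback(host: str) -> bool:
    """True for 'localhost' or a loopback IP literal; deliberately no DNS."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def diagnose(pasv_reply: str, control_host: str,
             server_listen: Optional[str] = None) -> List[str]:
    """Explain what the data connection will do after this PASV reply.

    control_host  host the ftp client connected to ('localhost' after
                  'ssh -L2001:server:21 server' and 'ftp localhost 2001')
    server_listen 'addr:port' from netstat on the server, if known
    """
    adv_host, adv_port = parse_pasv(pasv_reply)
    findings = [f"server advertises data endpoint {adv_host}:{adv_port}"]

    if _is_loopback(control_host) and not _is_loopback(adv_host):
        findings.append(
            f"control channel goes to {control_host} (the ssh forward), but the "
            f"data connection goes straight to {adv_host}:{adv_port}: it bypasses "
            "the tunnel, is sent in the clear, and reaches the server from the "
            "client's real address rather than from 127.0.0.1")
    elif _is_loopback(control_host) and _is_loopback(adv_host):
        findings.append(
            "server advertises a loopback address through a tunnel: the client "
            "would connect to its own loopback, where nothing listens")

    if server_listen is not None:
        lst_host, lst_port_s = server_listen.rsplit(":", 1)
        lst_port = int(lst_port_s)
        if lst_port != adv_port:
            findings.append(
                f"server listens on port {lst_port} but advertised {adv_port}")
        if _is_loopback(lst_host) and not _is_loopback(adv_host):
            findings.append(
                f"server bound its PASV listener to {lst_host} (the local end of "
                f"the tunnelled control connection) but advertised {adv_host}; "
                f"connecting to {adv_host}:{adv_port} will be refused")
    return findings


def probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Try the advertised data endpoint from the client side (needs network)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Values quoted in the thread; 232*256 + 45 = 59437, matching netstat.
    for line in diagnose("227 Entering Passive Mode (192,168,1,50,232,45)",
                         "localhost", "127.0.0.1:59437"):
        print("-", line)
```

Run it with the thread's values and it reports the three facts a practitioner needs: the advertised endpoint, that the data connection bypasses the tunnel (so "passive yet unencrypted" is exactly what you get, and the server sees a different source address on the data connection than on the control connection), and that the loopback-bound listener cannot be reached at the advertised address. probe() is there for checking a live endpoint once the listener is rebound.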
I know there are problems with an ssh tunnel for the data channel. I was
just trying to get the basics done and get a tunnel for the control
connection with a functional passive yet unencrypted data channel.

"David Efflandt" <efflandt@xnet.com> wrote in message
news:slrnbppfce.lr3.efflandt@typhoon.xnet.com...
> On Sun, 26 Oct 2003, Richard Brandt <richard1.brandt@attbi.com> wrote:
> > I am trying to follow the example in the "SSH-The Secure Shell" book for
> > tunneling the control channel thru ssh.
> > I setup the initial tunnel per the example
> > client% ssh -L2001:server:21 server
> > This works fine
> > client% ftp -vd localhost 2001
> > This also works fine (login has no problems)
> > but when I try to do any commands like "ls" it fails with
> >
> > ftp:setsockopt (ignored ): permission denied
> > ---> PASV
> > Entering passive mode(192,168,1,50,232,45)
> > ftp:connect: Connection refused
>
> You tunnel to the server, but have no -R tunnel coming back for ftp-data.
> But since you do not know what port passive mode would use, you would
> likely need to do a -R tunnel for the normal ftp-data port (20), but you
> would have to ssh as root on the server to do that.
>
> You could configure the ftp server to use high ports (> 1024) so ssh
> tunnel could be done as a normal user (the ftp-data port would be the port
> under the ftp port). Or if all else fails, ssh to server, ftp file to
> server, scp file back to you.
>
> --
> David Efflandt - All spam ignored http://www.de-srv.com/
> http://www.autox.chicago.il.us/ http://www.berniesfloral.net/
> http://cgi-help.virtualave.net/ http://hammer.prohosting.com/~cgi-wiz/
"Richard Brandt" <richard1.brandt@attbi.com> wrote in message
news:spjnb.44164$Tr4.92799@attbi_s03...
> I know there are problems with a ssh tunnel for the data channel. I was
> just trying to get the basics done and get a tunnel for the control
> connection with a functional passive yet unencrypted data channel.

Don't bother. Proceed directly to an entirely SSH solution, with chroot
cages if you need them to control user access to the server system, or go
to WebDAV (which is built into Apache these days and runs over SSL quite
nicely).
Nico Kadel-Garcia wrote:
>
> "Richard Brandt" <richard1.brandt@attbi.com> wrote in message
> news:spjnb.44164$Tr4.92799@attbi_s03...
> > I know there are problems with a ssh tunnel for the data channel. I was
> > just trying to get the basics done and get a tunnel for the control
> > connection with a functional passive yet unencrypted data channel.
>
> Don't bother. Proceed directly to an entirely SSH solution, with chroot
> cages if you need them to control user access to the server system, or go to
> WebDAV (which is built into Apache these days and runs over SSL quite
> nicely).

I used the tunnel approach in the past. IIRC, you need to rebuild the
wu-ftpd package from the source code, something like
"./configure --disable-pasvip" before running make. I have now also moved
to an all-ssh solution, as free ssh2 / sftp clients are now more readily
available.
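The "entirely SSH solution, with chroot cages" that Nico recommends and the last poster moved to looks like this with OpenSSH. This is an added example, not code from the thread; it assumes an sshd that supports ChrootDirectory and ForceCommand internal-sftp (both added to OpenSSH well after this 2003 thread), and the group name sftponly, the /srv/sftp layout and the user alice are assumptions for illustration. The part worth automating is the check: sshd refuses the login with "bad ownership or modes for chroot directory" unless every directory from / down to the chroot is owned by root and not writable by group or others, and that is the misconfiguration people hit first.

```python
"""Chrooted, SFTP-only accounts with OpenSSH: the all-SSH replacement for a
tunnelled FTP control channel.  Added example, not code from the thread.

Assumes an OpenSSH sshd with ChrootDirectory and ForceCommand internal-sftp
(both newer than the 2003 thread).  sshd refuses the login with
'bad ownership or modes for chroot directory' unless every component of the
chroot path is owned by root and writable only by root; chroot_problems()
applies exactly those two rules.  Group name, /srv/sftp and 'alice' are
assumed names.
"""
import os
import stat
from typing import List, Tuple

# (path, owner uid, st_mode) for one directory on the chroot path
Entry = Tuple[str, int, int]


def sshd_match_block(group: str, base: str = "/srv/sftp") -> str:
    """sshd_config fragment: members of `group` get a per-user chroot, the
    in-process sftp server instead of a shell, and no port forwarding (so
    they cannot use the account as a tunnel endpoint) or X11."""
    lines = [
        f"Match Group {group}",
        f"    ChrootDirectory {base}/%u",
        "    ForceCommand internal-sftp",
        "    AllowTcpForwarding no",
        "    X11Forwarding no",
        "    PermitTunnel no",
    ]
    return "\n".join(lines) + "\n"


def path_chain(path: str) -> List[Entry]:
    """stat every directory from / down to `path`, the components sshd checks."""
    parts = []
    p = os.path.abspath(path)
    while True:
        parts.append(p)
        parent = os.path.dirname(p)
        if parent == p:
            break
        p = parent
    chain = []
    for q in reversed(parts):
        st = os.stat(q)
        chain.append((q, st.st_uid, st.st_mode))
    return chain


def chroot_problems(chain: List[Entry], root_uid: int = 0) -> List[str]:
    """Apply sshd's rules to a path chain; an empty list means the chroot
    will be accepted.  root_uid is a parameter only so the rules can be
    exercised without running as root."""
    problems = []
    for path, uid, mode in chain:
        if not stat.S_ISDIR(mode):
            problems.append(f"{path}: not a directory")
        if uid != root_uid:
            problems.append(f"{path}: owned by uid {uid}, must be owned by root")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: writable by group or others "
                            f"(mode {stat.S_IMODE(mode):04o})")
    return problems


if __name__ == "__main__":
    print(sshd_match_block("sftponly"), end="")
    target = "/srv/sftp/alice"  # assumed layout
    if os.path.isdir(target):
        for msg in chroot_problems(path_chain(target)) or ["chroot path OK"]:
            print("-", msg)
    else:
        print(f"- {target} does not exist; nothing to check")
```

Because the chroot root itself must be root-owned, the user cannot write there; create a subdirectory inside it (for example an upload directory) owned by the user and point the client at that. The Match block goes at the end of sshd_config, since everything after a Match line belongs to it.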