Securing FTP with SSH

FTP uses two connections: one is called the "control connection", the other the "data connection". When you start an FTP session, it's the control connection that gets opened. When you say "GET" or "PUT" (or your FTP client says it for you), the server opens a separate listening port for your client to connect to, and it sends or receives the actual files over this separate data connection.

So what we can do is "tunnel" the control connection over SSH. Since your password is only sent over the control connection, never the data connection, that's all we really care about securing at this point (the file contents themselves still travel over the untunnelled data connection).

What do we mean by tunnelling? Most SSH clients support what's called "port forwarding", though tunnelling is a better name for it. It means that you can set up an encrypted link between your machine and the server, and send insecure connections over that link instead of directly over the open Internet. Think of it as a "wormhole" between two universes: the universe of your desktop and the universe of the server.

So what we want to do here is forward the FTP control connection over an established SSH connection. I'll use the configuration of the F-Secure client to describe it; other clients that implement forwarding should be similar.

When you go to connect to the server, you should see a "properties" button next to or near the connection button. Follow that to the "forward" panel. Click on "new" to create a new tunnel. We only want to make a "local" tunnel. Use the following:

Name:  ftp
Source Port: 21
Destination Host: taz.hyperreal.org
Destination Port: 21
Allow local connections only: yes (checkbox)

Click "OK", and then connect. If you've connected successfully, you should now have a tunnel between your desktop and taz. Open up Netscape to test it (since Netscape is an FTP client we know works well with this type of system). Go to ftp://user@localhost/, where "user" is your login name on taz. You should get a prompt for your password - enter it, and you're in.

Localhost?? Yes, the tunnel now makes it so that it looks like you're running an FTP server on your own computer! But you're not, don't worry; and the "Allow local connections only" box means that no one else should be able to connect to your machine and follow the tunnel over to taz.

Now, try to download a file... then try to upload a file... both things should work with Netscape.

We have been trying this with other FTP clients on various operating systems. Some FTP clients do not work well with this model. This is because the control connection goes to "localhost", but the data connection does not: it is not tunnelled, and runs directly between the client and the server. Some FTP clients can't grok this; although this is a standard part of the FTP specification, many of them don't understand it when the server tells them to connect to a "different machine" for the data. In fact, *most* FTP clients I've tried fail to do this properly!

The list of clients which we know to work, and we know NOT to work, is kept on the pages for each OS: Unix, Windows, or Mac.

If you want to test this out with another client, make sure to set the transfer mode to "passive". If the client you're testing isn't listed on these pages, please let us know about any successes or failures you have using it.
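As an added example (not from the original page), here is the client failure mode described above written out with Python's ftplib: the control connection's peer is localhost, but the server's passive-mode reply names the real server, and a client that ignores that address looks for the data port on localhost and finds nothing. The addresses and the 227 reply are constructed sample values; the session function assumes the SSH forward from the page is already up and is not exercised here.

```python
from ftplib import FTP, parse227

# Constructed sample values (not real addresses): the tunnel endpoint the client
# sees, and the address you expect the real server to answer from.
CONTROL_PEER = "127.0.0.1"
EXPECTED_SERVER = "192.0.2.10"
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)"
# Equivalent OpenSSH local forward to the F-Secure settings on the page
# (binding to 127.0.0.1 is the "allow local connections only" box):
#   ssh -L 127.0.0.1:21:taz.hyperreal.org:21 user@taz.hyperreal.org


def data_endpoint(pasv_reply, control_peer, trust_reply):
    """Return the (host, port) a client will dial for the data connection.

    trust_reply=True  -> use the address inside the 227 reply (the real server);
                         this is what a client needs when only the control
                         connection is tunnelled.
    trust_reply=False -> reuse the control connection's peer (localhost here);
                         this is what clients that "can't grok" a different data
                         address do, and it is also ftplib's default unless
                         trust_server_pasv_ipv4_address is set.
    """
    host, port = parse227(pasv_reply)  # raises error_reply unless the code is 227
    return (host if trust_reply else control_peer), port


def check_data_target(host, expected_server):
    """Only allow a data connection to the server we actually tunnelled to.

    The data channel is not protected by SSH, so a spoofed or mangled PASV
    reply could otherwise send it somewhere else entirely."""
    return host == expected_server


def open_tunnelled_session(user, password, expected_server=EXPECTED_SERVER):
    """Log in through the local forward. Not run here: it needs the tunnel up
    and, on Unix, root to bind local port 21 for the forward."""
    ftp = FTP()
    ftp.connect("127.0.0.1", 21)                # control connection -> tunnel
    ftp.trust_server_pasv_ipv4_address = True   # honour the server's PASV address
    ftp.set_pasv(True)                          # passive mode, as the page requires
    ftp.login(user, password)                   # password travels inside the tunnel
    host, _ = ftp.makepasv()
    if not check_data_target(host, expected_server):
        ftp.quit()
        raise ConnectionError(f"data connection would go to {host}, not {expected_server}")
    return ftp
```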

Finally, you must remember that in order to use this, you must have an active connection over SSH to the server.