FTP Overview

File Transfer Protocol（文件传输协议）

The File Transfer Protocol (FTP) is a standard network protocol used for the transfer of computer files between a client and server on a computer network.

FTP is built on a client-server model architecture using separate control and data connections between the client and the server.[1] FTP users may authenticate themselves with a clear-text sign-in protocol, normally in the form of a username and password, but can connect anonymously if the server is configured to allow it. For secure transmission that protects the username and password, and encrypts the content, FTP is often secured with SSL/TLS (FTPS) or replaced with SSH File Transfer Protocol (SFTP).

The first FTP client applications were command-line programs developed before operating systems had graphical user interfaces, and are still shipped with most Windows, Unix, and Linux operating systems.[2][3] Many FTP clients and automation utilities have since been developed for desktops, servers, mobile devices, and hardware, and FTP has been incorporated into productivity applications, such as HTML editors.

Chinese

文件传输协议（FTP）是一种标准的网络协议，用于在计算机网络上的客户端和服务器之间传输计算机文件。

FTP建立在客户端-服务器模型架构上，在客户端和服务器之间使用单独的控制和数据连接。

[1] FTP用户可以使用明文登录协议对自己进行身份验证，通常以用户名和密码的形式进行身份验证，但是如果服务器配置为允许，则可以匿名连接。

为了保护用户名和密码以及对内容进行加密的安全传输，通常使用SSL / TLS（FTPS）来保护FTP或使用SSH文件传输协议（SFTP）来代替FTP。

第一个FTP客户端应用程序是在操作系统具有图形用户界面之前开发的命令行程序，并且仍随大多数Windows，Unix和Linux操作系统一起提供。

[2] [3]此后，已经为台式机，服务器，移动设备和硬件开发了许多FTP客户端和自动化实用程序，并且FTP已被合并到生产力应用程序中，例如HTML编辑器。

History of FTP servers

The original specification for the File Transfer Protocol was written by Abhay Bhushan and published as RFC 114 on 16 April 1971. Until 1980, FTP ran on NCP, the predecessor of TCP/IP.[2] The protocol was later replaced by a TCP/IP version, RFC 765 (June 1980) and RFC 959 (October 1985), the current specification. Several proposed standards amend RFC 959, for example RFC 1579 (February 1994) enables Firewall-Friendly FTP (passive mode), RFC 2228 (June 1997) proposes security extensions, RFC 2428 (September 1998) adds support for IPv6 and defines a new type of passive mode.[4]

Chinese
FTP服务器的历史
文件传输协议的原始规范由Abhay Bhushan撰写，并于1971年4月16日以RFC 114的形式发布。直到1980年，FTP都在TCP / IP的前身NCP上运行。

[2] 该协议后来被当前规范的TCP / IP版本RFC 765（1980年6月）和RFC 959（1985年10月）代替。几个提议的标准对RFC 959进行了修订，例如RFC 1579（1994年2月）启用了防火墙友好的FTP（被动模式），RFC 2228（1997年6月）提出了安全性扩展，RFC 2428（1998年9月）增加了对IPv6的支持并定义了一种新类型被动模式。[4]

Protocol overview （协议概述）

Communication and data transfer （通讯和数据传输）

Illustration of starting a passive connection using port 21

FTP may run in active or passive mode, which determines how the data connection is established.[5] (Note, somewhat confusingly, this sense of “mode” is different from that of the MODE command in the FTP protocol, and actually corresponds to the PORT/PASV/EPSV/etc commands instead.) In both cases, the client creates a TCP control connection from a random, usually an unprivileged, port N to the FTP server command port 21.

In active mode, the client starts listening for incoming data connections from the server on port M. It sends the FTP command PORT M to inform the server on which port it is listening. The server then initiates a data channel to the client from its port 20, the FTP server data port.

In situations where the client is behind a firewall and unable to accept incoming TCP connections, passive mode may be used. In this mode, the client uses the control connection to send a PASV command to the server and then receives a server IP address and server port number from the server,[5] which the client then uses to open a data connection from an arbitrary client port to the server IP address and server port number received.[6]

Both modes were updated in September 1998 to support IPv6. Further changes were introduced to the passive mode at that time, updating it to extended passive mode.[7]

The server responds over the control connection with three-digit status codes in ASCII with an optional text message. For example, “200” (or “200 OK”) means that the last command was successful. The numbers represent the code for the response and the optional text represents a human-readable explanation or request (e.g. ).[1] An ongoing transfer of file data over the data connection can be aborted using an interrupt message sent over the control connection.

The reason why FTP needs two ports (one for sending and one for receiving) is due to the fact that it was originally designed to operate on Network Control Program (NCP), which was a simplex protocol that utilized two port addresses, establishing two connections, for two-way communications. An odd and an even port were reserved for each application layer application or protocol. The standardization of TCP and UDP reduced the need for the use of two simplex ports for each application down to one duplex port,[8]:15 but the FTP protocol was never altered to only use one port, but continued using two for backwards compatibility.

Chinese

FTP可能以主动或被动模式运行，这决定了如何建立数据连接。[5] （注意，有些令人困惑，这种“模式”的含义与FTP协议中的MODE命令的含义不同，并且实际上对应于PORT / PASV / EPSV / etc命令。）在两种情况下，客户端都创建一个TCP控制连接，从随机的（通常是非特权的）端口N到FTP服务器命令端口21。

在活动模式下，客户端开始侦听端口M上来自服务器的传入数据连接。它发送FTP命令PORT M来通知服务器正在侦听的端口。然后，服务器从其端口20（FTP服务器数据端口）启动到客户端的数据通道。

在客户端位于防火墙后面且无法接受传入的TCP连接的情况下，可以使用被动模式。在此模式下，客户端使用控制连接向服务器发送PASV命令，然后从服务器接收服务器IP地址和服务器端口号，[5]然后，客户端将其用于从任意客户端打开数据连接端口到接收到的服务器IP地址和服务器端口号。[6]

两种模式都在1998年9月进行了更新，以支持IPv6。当时，对被动模式进行了进一步的更改，将其更新为扩展的被动模式。[7]

服务器通过控制连接响应ASCII码的三位数状态代码以及可选的文本消息。例如，“ 200”（或“ 200 OK”）表示最后一个命令成功。数字代表响应代码，可选文本代表易于理解的说明或请求（例如<存储文件所需的帐户>）。[1]通过控制连接发送的中断消息可以中止通过数据连接正在进行的文件数据传输。

FTP之所以需要两个端口（一个用于发送，一个用于接收）的原因是由于它最初是为在网络控制程序（NCP）上运行而设计的，该协议是一种单纯的协议，它利用了两个端口地址，建立了两个连接，用于双向通讯。为每个应用程序层应用程序或协议保留了奇数和偶数端口。 TCP和UDP的标准化将每个应用程序使用两个单一端口的需求降低到一个双工端口，[8]：15，但FTP协议从未更改为仅使用一个端口，而是继续使用两个以实现向后兼容性。

NAT and firewall traversal（NAT 和防火墙穿越）

FTP normally transfers data by having the server connect back to the client, after the PORT command is sent by the client. This is problematic for both NATs and firewalls, which do not allow connections from the Internet towards internal hosts.[9] For NATs, an additional complication is that the representation of the IP addresses and port number in the PORT command refer to the internal host’s IP address and port, rather than the public IP address and port of the NAT.

There are two approaches to solve this problem. One is that the FTP client and FTP server use the PASV command, which causes the data connection to be established from the FTP client to the server.[9] This is widely used by modern FTP clients. Another approach is for the NAT to alter the values of the PORT command, using an application-level gateway for this purpose.[9]

Chinese
在客户端发送PORT命令之后，FTP通常通过使服务器重新连接到客户端来传输数据。这对于NAT和防火墙都是有问题的，它们不允许从Internet到内部主机的连接。[9] 对于NAT，另一个麻烦是PORT命令中IP地址和端口号的表示是指内部主机的IP地址和端口，而不是NAT的公用IP地址和端口。

有两种方法可以解决此问题。一种是FTP客户端和FTP服务器使用PASV命令，这将导致从FTP客户端到服务器的数据连接建立。这是现代FTP客户端广泛使用的。 NAT的另一种方法是使用应用级网关为此目的更改PORT命令的值。

Data types（数据类型）
While transferring data over the network, four data types are defined:[2][3][4]

ASCII (TYPE A): Used for text. Data is converted, if needed, from the sending host’s character representation to “8-bit ASCII” before transmission, and (again, if necessary) to the receiving host’s character representation. As a consequence, this mode is inappropriate for files that contain data other than plain text.

Image (TYPE I, commonly called Binary mode): The sending machine sends each file byte by byte, and the recipient stores the bytestream as it receives it. (Image mode support has been recommended for all implementations of FTP).

EBCDIC (TYPE E): Used for plain text between hosts using the EBCDIC character set.

Local (TYPE L n): Designed to support file transfer between machines which do not use 8-bit bytes, e.g. 36-bit systems such as DEC PDP-10s. For example, “TYPE L 9” would be used to transfer data in 9-bit bytes, or “TYPE L 36” to transfer 36-bit words. Most contemporary FTP clients/servers only support L 8, which is equivalent to I.

An expired Internet Draft defined a TYPE U for transferring Unicode text files using UTF-8;[10] although the draft never became an RFC, it has been implemented by several FTP clients/servers.

Note these data types are commonly called “modes”, although ambiguously that word is also used to refer to active-vs-passive communication mode (see above), and the modes set by the FTP protocol MODE command (see below).

For text files (TYPE A and TYPE E), three different format control options are provided, to control how the file would be printed:

Non-print (TYPE A N and TYPE E N) – the file does not contain any carriage control characters intended for a printer

Telnet (TYPE A T and TYPE E T) – the file contains Telnet (or in other words, ASCII C0) carriage control characters (CR, LF, etc)

ASA (TYPE A A and TYPE E A) – the file contains ASA carriage control characters

These formats were mainly relevant to line printers; most contemporary FTP clients/servers only support the default format control of N.

Chinese

通过网络传输数据时，定义了四种数据类型：

ASCII（TYPE A）：用于文本。必要时，数据在传输之前从发送主机的字符表示形式转换为“ 8位ASCII”，并（必要时再次）转换为接收主机的字符表示形式。因此，此模式不适用于包含非纯文本数据的文件。

Image（类型I，通常称为二进制模式）：发送方的计算机将逐字节发送每个文件，而接收方在接收字节流时将其存储。（建议对FTP的所有实现都使用图像模式支持）。

EBCDIC（TYPE E）：用于使用EBCDIC字符集的主机之间的纯文本。

Local（TYPE L n）：设计为支持在不使用8位字节的机器之间进行文件传输，例如36位系统，例如DEC PDP-10。例如，“ TYPE L 9”将用于传输9位字节的数据，或者使用“ TYPE L 36”来传输36位字。大多数当代的FTP客户端/服务器仅支持L 8，它等效于I。

过期的Internet草案定义了使用UTF-8传输Unicode文本文件的TYPE U； [10]尽管该草案从未成为RFC，但已由多个FTP客户端/服务器实现。

请注意，这些数据类型通常被称为“模式”，尽管这个词也常常被用来表示主动与被动通信模式（请参见上文）以及由FTP协议MODE命令设置的模式（请参见下文）。对于文本文件（TYPE A和TYPE E），提供了三种不同的格式控制选项，以控制文件的打印方式：

Non-print（TYPE A N和TYPE E N）–该文件不包含任何用于打印机的笔架控制字符

Telnet（TYPE A T和TYPE E T）–文件包含Telnet（或ASCII C0）回车控制字符（CR，LF等）

ASA（TYPE A A和TYPE E A）–文件包含ASA托架控制字符这些格式主要与行式打印机有关。大多数现代的FTP客户端/服务器仅支持默认格式N。

File structures（文件结构）

File organization is specified using the STRU command. The following file structures are defined in section 3.1.1 of RFC959:

F or FILE structure (stream-oriented). Files are viewed as an arbitrary sequence of bytes, characters or words. This is the usual file structure on Unix systems and other systems such as CP/M, MSDOS and Microsoft Windows. (Section 3.1.1.1)

R or RECORD structure (record-oriented). Files are viewed as divided into records, which may be fixed or variable length. This file organization is common on mainframe and midrange systems, such as MVS, VM/CMS, OS/400 and VMS, which support record-oriented filesystems.

P or PAGE structure (page-oriented). Files are divided into pages, which may either contain data or metadata; each page may also have a header giving various attributes. This file structure was specifically designed for TENEX systems, and is generally not supported on other platforms. RFC1123 section 4.1.2.3 recommends that this structure not be implemented.

Most contemporary FTP clients and servers only support STRU F. STRU R is still in use in mainframe and minicomputer file transfer applications.

Chinese
使用STRU命令指定文件组织。 RFC959的3.1.1节中定义了以下文件结构：

F或FILE结构（面向流）。文件被视为字节，字符或单词的任意序列。这是Unix系统和其他系统（例如CP / M，MSDOS和Microsoft Windows）上的常用文件结构。（第3.1.1.1节）

R或RECORD结构（面向记录）。文件被视为分为记录，记录可以是固定长度或可变长度。这种文件组织在大型机和中型系统（例如MVS，VM / CMS，OS / 400和VMS）上很常见，它们支持面向记录的文件系统。

P或PAGE结构（面向页面）。文件分为页面，页面可以包含数据或元数据。每个页面还可以具有提供各种属性的标题。该文件结构是专为TENEX系统设计的，通常在其他平台上不受支持。 RFC1123第4.1.2.3节建议不要实现此结构。
大多数现代的FTP客户端和服务器仅支持STRUF。STRUR仍在大型机和小型计算机文件传输应用程序中使用。

Data transfer modes （数据传输模型\方式）

Data transfer can be done in any of three modes:[1][2]

Stream mode (MODE S): Data is sent as a continuous stream, relieving FTP from doing any processing. Rather, all processing is left up to TCP. No End-of-file indicator is needed, unless the data is divided into records.

Block mode (MODE B): Designed primarily for transferring record-oriented files (STRU R), although can also be used to transfer stream-oriented (STRU F) text files. FTP puts each record (or line) of data into several blocks (block header, byte count, and data field) and then passes it on to TCP.[4]

Compressed mode (MODE C): Extends MODE B with data compression using run-length encoding.

Most contemporary FTP clients and servers do not implement MODE B or MODE C; FTP clients and servers for mainframe and minicomputer operating systems are the exception to that.

Some FTP software also implements a DEFLATE-based compressed mode, sometimes called “Mode Z” after the command that enables it. This mode was described in an Internet Draft, but not standardized.[11]

GridFTP defines additional modes, MODE E[12] and MODE X,[13] as extensions of MODE B.

Chinese
数据传输可以通过以下三种模式之一进行：

流模式（模式S）：数据以连续流的形式发送，从而使FTP不再进行任何处理。而是，所有处理都由TCP完成。除非数据分为记录，否则不需要文件结束指示符。
块模式（MODE B）：主要设计用于传输面向记录的文件（STRU R），尽管也可以用于传输面向流（STRU F）的文本文件。 FTP将数据的每个记录（或行）放入几个块（块头，字节数和数据字段）中，然后将其传递到TCP。
压缩模式（MODE C）：使用游程编码对数据压缩进行扩展以扩展MODEB。
大多数现代的FTP客户端和服务器都未实现MODE B或MODEC。大型机和小型计算机操作系统的FTP客户端和服务器除外。

一些FTP软件还实现了基于DEFLATE的压缩模式，有时在启用它的命令后称为“模式Z”。 Internet草案中对此模式进行了描述，但未对其进行标准化。

GridFTP将其他模式MODE E [12]和MODE X，[13]定义为MODE B的扩展。

FTP login uses normal username and password scheme for granting access.[2] The username is sent to the server using the USER command, and the password is sent using the PASS command.[2] This sequence is unencrypted “on the wire”, so may be vulnerable to a network sniffing attack.[14] If the information provided by the client is accepted by the server, the server will send a greeting to the client and the session will commence.[2] If the server supports it, users may log in without providing login credentials, but the same server may authorize only limited access for such sessions.[[2]

Chinese

FTP登录使用普通的用户名和密码方案来授予访问权限。

用户名使用USER命令发送到服务器，密码使用PASS命令发送。此序列“在线”未加密，因此可能容易受到网络嗅探攻击。如果服务器接受了客户端提供的信息，则服务器将向客户端发送问候语，会话将开始。如果服务器支持，则用户可以在不提供登录凭据的情况下登录，但是同一服务器可以仅授权对此类会话的有限访问。

Anonymous FTP （匿名 FTP）

A host that provides an FTP service may provide anonymous FTP access.[2] Users typically log into the service with an ‘anonymous’ (lower-case and case-sensitive in some FTP servers) account when prompted for user name. Although users are commonly asked to send their email address instead of a password,[3] no verification is actually performed on the supplied data.[15] Many FTP hosts whose purpose is to provide software updates will allow anonymous logins.[3]

提供FTP服务的主机可以提供匿名FTP访问。[2] 提示用户输入用户名时，用户通常使用“匿名”（小写且区分大小写）帐户登录服务。尽管通常要求用户发送电子邮件地址而不是密码，[3]实际上并没有对提供的数据进行验证。[15] 许多旨在提供软件更新的FTP主机都允许匿名登录。

Differences from HTTP （与HTTP的不同之处）

HTTP essentially fixes the bugs in FTP that made it inconvenient to use for many small ephemeral transfers as are typical in web pages.

FTP has a stateful control connection which maintains a current working directory and other flags, and each transfer requires a secondary connection through which the data are transferred. In “passive” mode this secondary connection is from client to server, whereas in the default “active” mode this connection is from server to client. This apparent role reversal when in active mode, and random port numbers for all transfers, is why firewalls and NAT gateways have such a hard time with FTP. HTTP is stateless and multiplexes control and data over a single connection from client to server on well-known port numbers, which trivially passes through NAT gateways and is simple for firewalls to manage.

Setting up an FTP control connection is quite slow due to the round-trip delays of sending all of the required commands and awaiting responses, so it is customary to bring up a control connection and hold it open for multiple file transfers rather than drop and re-establish the session afresh each time. In contrast, HTTP originally dropped the connection after each transfer because doing so was so cheap. While HTTP has subsequently gained the ability to reuse the TCP connection for multiple transfers, the conceptual model is still of independent requests rather than a session.

When FTP is transferring over the data connection, the control connection is idle. If the transfer takes too long, the firewall or NAT may decide that the control connection is dead and stop tracking it, effectively breaking the connection and confusing the download. The single HTTP connection is only idle between requests and it is normal and expected for such connections to be dropped after a time-out.

HTTP本质上修复了FTP中的错误，这些错误使它不方便用于网页中常见的许多小型临时传输。

FTP具有状态控制连接，该连接维护当前工作目录和其他标志，并且每次传输都需要辅助连接，通过该辅助连接可以传输数据。在“被动”模式下，此辅助连接是从客户端到服务器，而在默认的“主动”模式下，此连接是从服务器到客户端。在活动模式下这种明显的角色转换以及所有传输的随机端口号是防火墙和NAT网关使用FTP如此困难的原因。 HTTP是无状态的，并且通过众所周知的端口号通过从客户端到服务器的单个连接多路复用控制和数据，这些端口可轻松通过NAT网关，防火墙易于管理。

由于发送所有必需命令和等待响应的往返延迟，建立FTP控制连接的速度非常慢，因此习惯上要建立一个控制连接并将其保持打开状态以进行多次文件传输，而不是丢弃然后重新打开-每次重新建立会话。相反，HTTP每次传输后最初都删除了连接，因为这样做非常便宜。虽然HTTP随后具有重用TCP连接进行多次传输的能力，但是概念模型仍然是独立的请求而不是会话。

当FTP通过数据连接传输时，控制连接处于空闲状态。如果传输时间太长，则防火墙或NAT可能会确定控制连接已死并停止对其进行跟踪，从而有效地断开了连接并导致下载混乱。单个HTTP连接仅在请求之间是空闲的，并且正常的并且期望此类连接在超时后被丢弃。

Web browser support （网站浏览器支持）

Most common web browsers can retrieve files hosted on FTP servers, although they may not support protocol extensions such as FTPS.[3][16] When an FTP—rather than an HTTP—URL is supplied, the accessible contents on the remote server are presented in a manner that is similar to that used for other web content. A full-featured FTP client can be run within Firefox in the form of an extension called FireFTP.

As of 2019, major browsers such as Chrome and Firefox are deprecating FTP support to varying degrees,[17] with Google planning to remove it entirely by Chrome 82. Mozilla is currently discussing proposals, including only removing support for old FTP implementations that are no longer in use to simplify their code.[18][19]

大多数常见的Web浏览器可以检索FTP服务器上托管的文件，尽管它们可能不支持协议扩展，例如FTPS。

当提供FTP（而不是HTTP）URL时，将以与其他Web内容相似的方式显示远程服务器上的可访问内容。功能齐全的FTP客户端可以以Firefox扩展的形式在Firefox中运行。

截至2019年，Chrome和Firefox等主要浏览器都在不同程度上弃用FTP支持， Google计划通过Chrome 82完全删除FTP支持。Mozilla目前正在讨论提案，包括仅删除对不支持旧FTP实现的支持。

Syntax （句法）

FTP URL syntax is described in RFC 1738, taking the form: ftp://[user[:password]@]host[:port]/url-path (the bracketed parts are optional).

For example, the URL ftp://public.ftp-servers.example.com/mydirectory/myfile.txt represents the file myfile.txt from the directory mydirectory on the server *public.ftp-servers.example.com*as an FTP resource. The URL ftp://user001:secretpassword@private.ftp-servers.example.com/mydirectory/myfile.txt adds a specification of the username and password that must be used to access this resource.

More details on specifying a username and password may be found in the browsers’ documentation (e.g., Firefox[20] and Internet Explorer[21]). By default, most web browsers use passive (PASV) mode, which more easily traverses end-user firewalls.

Some variation has existed in how different browsers treat path resolution in cases where there is a non-root home directory for a user.[22]

FTP URL语法在RFC 1738中描述，格式为：ftp：// [用户[：密码] @]主机[：端口] / url-path（方括号中的部分是可选的）。

例如，URL 代表服务器public.ftp-servers.example.com上目录mydirectory中的文件myfile.txt作为FTP资源。。

URL ftp：//user001：secretpassword@private.ftp-servers.example.com/mydirectory/myfile.txt添加了用于访问该资源的用户名和密码的规范。

有关指定用户名和密码的更多详细信息，可以在浏览器的文档中找到（例如Firefox [20]和Internet Explorer [21]）。

默认情况下，大多数Web浏览器使用被动（PASV）模式，该模式更容易遍历最终用户防火墙。

在存在用户的非根主目录的情况下，不同的浏览器如何处理路径解析，存在一些差异。[22]

Security （安全）

FTP was not designed to be a secure protocol, and has many security weaknesses.[23] In May 1999, the authors of RFC 2577 listed a vulnerability to the following problems:

Brute-force attack

FTP bounce attack

Packet capture

Port stealing (guessing the next open port and usurping a legitimate connection)

Spoofing attack

Username enumeration

DoS or DDoS

FTP does not encrypt its traffic; all transmissions are in clear text, and usernames, passwords, commands and data can be read by anyone able to perform packet capture (sniffing) on the network.[2][23] This problem is common to many of the Internet Protocol specifications (such as SMTP, Telnet, POP and IMAP) that were designed prior to the creation of encryption mechanisms such as TLS or SSL.[4]

Common solutions to this problem include:

Using the secure versions of the insecure protocols, e.g., FTPS instead of FTP and TelnetS instead of Telnet.

Using a different, more secure protocol that can handle the job, e.g. SSH File Transfer Protocol or Secure Copy Protocol.

Using a secure tunnel such as Secure Shell (SSH) or virtual private network (VPN).

FTP并非被设计为安全协议，并且具有许多安全漏洞。[23]在1999年5月，RFC 2577的作者列出了一个针对以下问题的漏洞：

蛮力攻击

FTP反弹攻击

数据包捕获

端口盗用（猜测下一个开放端口并篡改合法连接）

欺骗攻击

用户名枚举

DoS或DDoS

FTP不加密流量。所有传输均以明文形式进行，并且任何能够在网络上执行数据包捕获（嗅探）的人都可以读取用户名，密码，命令和数据。[2] [23]对于创建诸如TLS或SSL之类的加密机制之前设计的许多Internet协议规范（例如SMTP，Telnet，POP和IMAP）来说，这个问题是很常见的。

[4]该问题的常见解决方案包括：

使用不安全协议的安全版本，例如，FTPS代替FTP，TelnetS代替Telnet。
使用可以处理作业的其他更安全的协议，例如SSH文件传输协议或安全复制协议。
使用安全隧道，例如安全外壳（SSH）或虚拟专用网络（VPN）。

FTP over SSH

FTP over SSH is the practice of tunneling a normal FTP session over a Secure Shell connection.[23] Because FTP uses multiple TCP connections (unusual for a TCP/IP protocol that is still in use), it is particularly difficult to tunnel over SSH. With many SSH clients, attempting to set up a tunnel for the control channel (the initial client-to-server connection on port 21) will protect only that channel; when data is transferred, the FTP software at either end sets up new TCP connections (data channels) and thus have no confidentiality or integrity protection.

Otherwise, it is necessary for the SSH client software to have specific knowledge of the FTP protocol, to monitor and rewrite FTP control channel messages and autonomously open new packet forwardings for FTP data channels. Software packages that support this mode include:

Tectia ConnectSecure (Win/Linux/Unix)[24] of SSH Communications Security‘s software suite

FTP over SSH是通过安全Shell连接建立普通FTP会话的通道。[23] 由于FTP使用多个TCP连接（对于仍在使用的TCP / IP协议，这是不常见的），因此通过SSH隧道传输特别困难。对于许多SSH客户端，尝试为控制通道建立隧道（端口21上的初始客户端到服务器连接）将仅保护该通道。传输数据时，两端的FTP软件都会建立新的TCP连接（数据通道），因此没有机密性或完整性保护。

否则，SSH客户端软件必须具有FTP协议的特定知识，监视和重写FTP控制通道消息并自动打开FTP数据通道的新数据包转发。支持此模式的软件包包括：

SSH Communications Security软件套件的Tectia ConnectSecure（Win / Linux / Unix）[24]