FreeBSD: Setting up an SSH tunnel for FTP (server and client)
February 13, 2007 1:58 pm
This is the minimal server and client configuration you'll need in order to offer a secure SSH tunnel to FTP clients.
This is useful when your FTP program doesn't have SFTP capabilities. The FTP program can use an SSH tunnel to connect to the FTP server securely.
Inside /etc/hosts.allow:
# The rules here work on a "First match wins" basis.
# Let localhost users access any service on this box
ALL : localhost 127.0.0.1 your_server_ip_address : allow
# Let anybody with a RSA key in
sshd : ALL : allow
# Everybody else can buzz off
ALL : ALL : deny
Make sure this line is included at the end of /usr/local/etc/xinetd.conf:
includedir /usr/local/etc/xinetd.d
In the file /usr/local/etc/xinetd.d/ftp:
service ftp
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/libexec/ftpd
    server_args = -llS
    disable     = no
}
Restart xinetd:
/usr/local/etc/rc.d/xinetd restart
For your FTP client:
As you can see in /etc/hosts.allow above, FTP will only accept connections from the localhost on the server. The rule
(ALL : localhost 127.0.0.1 your_server_ip_address : allow) is satisfied before hitting this line:
(ALL : ALL : deny)
This means that you'll need to start an SSH tunnel on your end, which will make a server-local connection to the FTP port (21) on your behalf.
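The tunnel this step calls for, as an added example that is not part of the original post: a simplified first-match evaluation of the hosts.allow rules above, plus the ssh -L command that makes the FTP control connection arrive from 127.0.0.1. The local port 2121, the user name, the address 192.0.2.10 standing in for your_server_ip_address and the daemon name ftpd are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Simplified model of hosts.allow
# "first match wins": exact tokens and ALL only, no netmasks or EXCEPT.

# Rules from the page; 192.0.2.10 is a constructed stand-in for
# your_server_ip_address.
RULES='ALL : localhost 127.0.0.1 192.0.2.10 : allow
sshd : ALL : allow
ALL : ALL : deny'

# in_list ITEM LIST: succeed if LIST contains ITEM or the wildcard ALL.
in_list() {
    for tok in $2; do
        if [ "$tok" = "ALL" ] || [ "$tok" = "$1" ]; then return 0; fi
    done
    return 1
}

# first_match DAEMON CLIENT_ADDR: print the action of the first rule whose
# daemon list and client list both match. The daemon name "ftpd" used below
# is an assumption; the first rule uses ALL, so it matches any daemon.
first_match() {
    printf '%s\n' "$RULES" | while IFS=: read -r daemons clients action; do
        if in_list "$1" "$daemons" && in_list "$2" "$clients"; then
            echo $action   # unquoted on purpose: trims padding around ':'
            break
        fi
    done
}

# tunnel_cmd USER SERVER [LOCAL_PORT]: print the ssh command to run on the
# client. sshd on the server opens the connection to 127.0.0.1:21, so xinetd
# sees a local source address. Local port 2121 is an assumed default.
tunnel_cmd() {
    echo "ssh -N -L ${3:-2121}:127.0.0.1:21 $1@$2"
}

# Demo with constructed client addresses (203.0.113.7 is a remote host).
for probe in "ftpd 127.0.0.1" "ftpd 203.0.113.7" "sshd 203.0.113.7"; do
    set -- $probe
    echo "$1 from $2 -> $(first_match "$1" "$2")"
done
tunnel_cmd your_user 192.0.2.10
```

Once the tunnel is up, point the FTP client at localhost, port 2121. Only the control connection on port 21 is forwarded; FTP data connections use separate ports and do not go through this forward.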