How do I allow AFP over SSH on OS X Client?

Mac Elite
Join Date: Aug 2000
Location: Vancouver B.C.

I know on server it's a simple GUI check box. Is there a file to edit that will enable AFP on OS X client (10.2 and 10.3) to allow AFP to work over an SSH connection? While I am at it, I would also like to refuse non-secure connections.
I am now requiring all connections to my home network, from the outside and inside, to tunnel everything via SSH. I am using SFTP, SAFP to the OS X Server I use, and now need AFP to require an SSH connection on OS X client. Doing a manual tunnel is not the route I want to go.
Thanks

Get busy living or get busy dying --Stephen King

Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac

I'm very interested in this myself.
In the Finder, when I do a cmd-k and select one of my remote Macs I get a dialog with a button labeled 'Options...'. In these options I can set 'Allow Secure Connections using SSH'. However, when I proceed to connect, I get a message telling me that the remote Mac doesn't support secure connections via SSH. Even though the port 22 (SSH) is open on both machines and I am able to do remote shell sessions over ssh all the time.
I don't know for how long this has been broken now, but it's a PITA and it's damn pathetic that Apple (which likes to brag about OS X and security) can't get this to work after 5 updates of Panther.
Actually, AFP over anything else than SSH is what should be broken.

Mac Elite
Join Date: Aug 2000
Location: Vancouver B.C.

AFP over SSH is available in Server, but not client (via the GUI).
But there has to be a file that can be edited to enable it on client.

Mac Elite
Join Date: Mar 2001

The key is to add the stanza
<key>SSHTunnel</key>
<true/>
to /Library/Preferences/com.apple.AppleFileServer.plist, and restart AFP.
Out of curiosity, why do you NEED to tunnel AFP through SSH? The credential exchange is already encrypted; do you HAVE to protect the actual AFP datastream? No usernames or passwords are at risk.

Mac Elite
Join Date: Mar 2001

Originally posted by Simon:
> I'm very interested in this myself.
> In the Finder, when I do a cmd-k and select one of my remote Macs I get a dialog with a button labeled 'Options...'. In these options I can set 'Allow Secure Connections using SSH'. However, when I proceed to connect, I get a message telling me that the remote Mac doesn't support secure connections via SSH. Even though the port 22 (SSH) is open on both machines and I am able to do remote shell sessions over ssh all the time.
> I don't know for how long this has been broken now, but it's a PITA and it's damn pathetic that Apple (which likes to brag about OS X and security) can't get this to work after 5 updates of Panther.
> Actually, AFP over anything else than SSH is what should be broken.

AFP over SSH does NOT use port 22, and does not require ssh be enabled on either the server or the client. It tunnels AFP through an SSH tunnel.
But to repeat, the username and password are SECURE in a normal AFP connection. Your subsequent data connection is not secure, but unless you're working with classified data or worry that someone wants to steal your MP3s by capturing AFP traffic, there is no need to use AFP over SSH.

Mac Elite
Join Date: Aug 2001
Location: Madison, WI

Ummm... sorry, but there are a number of inaccuracies in the above to straighten out.
Yes, it does use port 22. Unless the server side's SSH daemon has been reconfigured for a non-standard port, an SSH tunnel is going to be on port 22. Ethereal will prove it to you.
If sshd isn't enabled on the server, what's going to handle an SSH tunnel? Yes, it DOES have to be enabled on the server. But not on the client - we only care that the one answering the request has the server enabled. Problem is, this isn't a check-box option on OS X client, it's a Server feature. I don't know any way to make the "use secure connection" checkbox automagically get you AFP over SSH when the server is not OS X server.
Piracy is right about the relative security of an AFP connection. The user/pass pair are pretty well secured, but the data exchange after that is out in the open.

OS X: Where software installation doesn't require wizards with shields.
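
The manual tunnel this thread keeps referring to, as an added example that is not part of any post: `afp_tunnel_cmd` prints the `ssh` local-forward command, and `exposed_listeners` reads `netstat -an` output to show whether a port is listening beyond loopback. The user, host, local port 10548 and the sample netstat lines are constructed placeholders; 548 is the standard AFP port.

```shell
#!/bin/sh
# Added example, not from the thread. User, host and local port are placeholders.

AFP_PORT=548    # standard AFP-over-TCP port

# Print the ssh command for a manual tunnel. AFP travels inside the SSH
# session to the server's sshd and is handed to the AFP service on the
# server itself. -N opens no remote shell. Without -g, and with GatewayPorts
# at its default, the local end of the forward binds to loopback only.
afp_tunnel_cmd() {
    user=$1; host=$2; lport=${3:-10548}
    case "$lport" in
        ''|*[!0-9]*) echo "bad port: $lport" >&2; return 1 ;;
    esac
    # Stay above 1023 so ssh does not need root to bind the local port.
    if [ "$lport" -lt 1024 ] || [ "$lport" -gt 65535 ]; then
        echo "local port must be 1024-65535" >&2; return 1
    fi
    printf 'ssh -N -L %s:127.0.0.1:%s %s@%s\n' \
        "$lport" "$AFP_PORT" "$user" "$host"
}

# Read `netstat -an` output (BSD/OS X layout: address.port) on stdin and
# print each LISTEN address for PORT that is not loopback. No output means
# the port is reachable only from the machine itself.
exposed_listeners() {
    awk -v port="$1" '
        $NF == "LISTEN" {
            n = split($4, part, "[.]")
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr != "127.0.0.1" && addr != "::1") print addr
        }'
}

# Constructed sample: AFP and sshd on all interfaces, tunnel end on loopback.
sample_netstat() {
    cat <<'EOF'
tcp4       0      0  *.548                  *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.10548        *.*                    LISTEN
tcp4       0      0  192.168.1.10.22        203.0.113.7.51234      ESTABLISHED
EOF
}
```

With the tunnel up, the share is reached at `afp://127.0.0.1:10548/`. A `*` reported for port 548 on the server means plain AFP is still accepted on every interface, so refusing non-tunnelled connections needs a firewall rule or a loopback-only bind in addition to the tunnel.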

Mac Elite
Join Date: Aug 2000
Location: Vancouver B.C.

I am not transferring MP3s since I buy all my music, but I want my network as secure as possible, and the only way to do that is to run everything over SSH excluding my webserver.
I want my network to be as secure as possible. I go away each month and need remote access to my home network and want everything secure, so having AFP, all my other servers secure allows me to have an extremely secure network. I don't download or share music. Some people actually care about security and privacy without doing illegal activity.

Mac Elite
Join Date: Aug 2001
Location: Madison, WI

Then put your home network behind a good VPN router that you can authenticate to.
Piracy - where in the plist did you add the SSHTunnel True key? I put it at the end, before the last </DICT>, and I can't make an SSH connection.

Posting Junkie
Join Date: Dec 2000

Originally posted by piracy:
> The key is to add the stanza
> <key>SSHTunnel</key>
> <true/>
> to /Library/Preferences/com.apple.AppleFileServer.plist, and restart AFP.

Doesn't work here - claims my password is incorrect, although if I connect insecurely without SSH, my password works.
Yes, I know the password is correct, because it's my computer.

Posting Junkie
Join Date: Dec 2000

Yeah, but the original poster said that he'd rather not do a manual tunnel if he doesn't need to. Since I'm a bit curious about this as well, it would be nice to know if there's a way to enable the AFP over SSH feature with OS X Client.

Forum Regular
Join Date: Oct 2000
Location: Piacenza (italy)

Originally posted by CharlesS:
> Yeah, but the original poster said that he'd rather not do a manual tunnel if he doesn't need to. Since I'm a bit curious about this as well, it would be nice to know if there's a way to enable the AFP over SSH feature with OS X Client.

If it is not possible (no GUI), write an AppleScript and, with AppleScript Studio, even develop an interface with fields etc...
Sam