afp over ssh
Clinically Insane
Join Date: Mar 2001
Location: yes
Hello,
With the 10.3.4 update, when I try to make an SSH encrypted connection to an AFP share, it now says that the server doesn't support SSH connections.
I'm confused. Do we have to set up SSH to do forwarding and all that to create an SSH tunnel, or should this be created automatically with the option checked in the options section of the AFP connection dialog? Anybody know when this option was added, and if this option replaces the need to jump into the terminal to set up the tunnel? Anybody know how to create an SSH encrypted AFP connection w. 10.3.4?
(I know there are other threads w. 10.3.4 support questions, but I'm not sure if this is an AFP/SSH or 10.3.4 problem/question).
Thanks very much for your help!
Professional Poster
Join Date: Sep 2002
Location: New York, NY
The option for ssh connections to AFP shares has been there at least since Jaguar. What is new in 10.3.4 is the message that notifies you when ssh connections fail. This was a security issue that was brought up before because you didn't know when ssh connections failed and you fell back to standard connections. If you have an AFP share that supports ssh connections (i.e. OS X Server shares) then everything happens automatically.
Vandelay Industries
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally posted by Art Vandelay:
The option for ssh connections to AFP shares has been there at least since Jaguar. What is new in 10.3.4 is the message that notifies you when ssh connections fail. This was a security issue that was brought up before because you didn't know when ssh connections failed and you fell back to standard connections. If you have an AFP share that supports ssh connections (i.e. OS X Server shares) then everything happens automatically.
Ahhh...
So is there any way to allow OS X Client or Netatalk-enabled Unix machines to support SSH connections?
Forum Regular
Join Date: Sep 2000
Location: California
I'm bringing this back up because I'm having no success connecting to OS X Server using AFP via SSH. I've checked the server to make sure secure connections are allowed in the AFP settings (even restarted AFP to be sure). I've set the option in the "Connect to server..." dialog on my client machine to allow secure connections. Yet I'm still getting the error message:
"The server xyz does not support secure connections via SSH. To continue with reduced security, click continue."
From everything I've read here and at the Apple discussion boards, AFP via SSH is supposed to work when connecting to OS X Server.
Am I missing some settings somewhere? Or do we have a bug of some kind in our midst?
TIA,
Scott
PS. I've got 10.3.5 on both client and server.
MacBook Pro 2.4GHz; 4GB RAM; 23" Cinema Display
iPhone
Mac OS X 10.5.4
______________________________________
If you don't know where you want to go, any road will take you there.
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally posted by Sinemacula:
I'm bringing this back up because I'm having no success connecting to OS X Server using AFP via SSH. I've checked the server to make sure secure connections are allowed in the AFP settings (even restarted AFP to be sure). I've set the option in the "Connect to server..." dialog on my client machine to allow secure connections. Yet I'm still getting the error message:
"The server xyz does not support secure connections via SSH. To continue with reduced security, click continue."
From everything I've read here and at the Apple discussion boards, AFP via SSH is supposed to work when connecting to OS X Server.
Am I missing some settings somewhere? Or do we have a bug of some kind in our midst?
TIA,
Scott
PS. I've got 10.3.5 on both client and server.
Do you have port 22 open with your Firewall? Have you tried enabling SSH?
Is the machine you are connecting to really old? SSH does require some overhead... this is a real long shot.
Have you tried checking your log files? Find anything useful?
Forum Regular
Join Date: Sep 2000
Location: California
Originally posted by besson3c:
Do you have port 22 open with your Firewall? Have you tried enabling SSH?
Is the machine you are connecting to really old? SSH does require some overhead... this is a real long shot.
Have you tried checking your log files? Find anything useful?
22 is open. SSH is enabled through Server Admin in the AFP settings. Remote Login is enabled.
The server is an XServe running 10.3.5 Server.
The log files didn't show anything interesting (well, at least the ones available through the AFP settings panel in Server Admin - I haven't gone in and looked in the Console), in fact, the log files didn't even show the attempt to connect - but they did show the successful connection when I said okay to connecting with reduced security.
I'll check out the Console to see if there's anything of interest there... but for now, I'm still stumped.
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally posted by Sinemacula:
22 is open. SSH is enabled through Server Admin in the AFP settings. Remote Login is enabled.
The server is an XServe running 10.3.5 Server.
The log files didn't show anything interesting (well, at least the ones available through the AFP settings panel in Server Admin - I haven't gone in and looked in the Console), in fact, the log files didn't even show the attempt to connect - but they did show the successful connection when I said okay to connecting with reduced security.
I'll check out the Console to see if there's anything of interest there... but for now, I'm still stumped.
I was actually thinking about a more traditional Unix-centric approach to troubleshooting in actually looking at the log file in a text editor. I don't have access to a 10.3 server right now, but in 10.2 server these files exist in /Library/Logs. In traditional Unix you would find these in /var/log. You should find a specific AFP log (in 10.2 Server it is called AppleFileService, I believe).
When you find this file, try a:
sudo tail filename
It should give you some very specific feedback.
Hope this helps!
Forum Regular
Join Date: Sep 2000
Location: California
Originally posted by besson3c:
I was actually thinking about a more traditional Unix-centric approach to troubleshooting in actually looking at the log file in a text editor. I don't have access to a 10.3 server right now, but in 10.2 server these files exist in /Library/Logs. In traditional Unix you would find these in /var/log. You should find a specific AFP log (in 10.2 Server it is called AppleFileService, I believe).
When you find this file, try a:
sudo tail filename
It should give you some very specific feedback.
Hope this helps!
Afraid it's not much help.
The AppleFileServiceAccess.log does not even register anything at all when I attempt to connect via SSH, if I cancel rather than go ahead after the warning message. If I do "continue less secured" then it shows:
IP 67.1xx.xx.xxx - - [10/Aug/2004:22:05:45 -0800] "Login admin" 0 0 0
IP 67.1xx.xx.xxx - - [10/Aug/2004:22:05:48 -0800] "OpenFork .DS_Store" 0 0 0
And when I unmount the server from my client it adds a line for Logout admin.
There's nothing else there to give me any clues.
I'm going to dig around to see if there are any other kinds of access logs or something that might give me a clue.
Forum Regular
Join Date: Sep 2000
Location: California
Hmmm... now here's something, from the system log:
Aug 10 22:06:15 localhost xinetd[362]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Aug 10 22:06:15 localhost xinetd[362]: START: ssh pid=2049 from=67.1xx.xx.xxx
Aug 10 22:06:21 localhost sshd[2049]: reverse mapping checking getaddrinfo for adsl-67-1xx-xx-xxx.dsl.sntc01.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
In doing some quick testing, I found that initiating an SSH session in terminal produced the above in the system.log. When I try to do it in Finder through "Connect to server..." (i.e. AFP) nothing shows up in the log at all.
However, it seems to my unknowledgeable eyes, that even from Terminal, SSH is failing.
Does that help come up with any other ideas?
Fresh-Faced Recruit
Join Date: Oct 2000
Location: Denmark
edit: duh! never mind... I read afp as afs...
--hengx
Fresh-Faced Recruit
Join Date: May 2000
Originally posted by Sinemacula:
Hmmm... now here's something, from the system log:
Aug 10 22:06:15 localhost xinetd[362]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Aug 10 22:06:15 localhost xinetd[362]: START: ssh pid=2049 from=67.1xx.xx.xxx
Aug 10 22:06:21 localhost sshd[2049]: reverse mapping checking getaddrinfo for adsl-67-1xx-xx-xxx.dsl.sntc01.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
In doing some quick testing, I found that initiating an SSH session in terminal produced the above in the system.log. When I try to do it in Finder through "Connect to server..." (i.e. AFP) nothing shows up in the log at all.
However, it seems to my unknowledgeable eyes, that even from Terminal, SSH is failing.
Does that help come up with any other ideas?
I've been told that message just means that there is no DNS mapping for my client machine, but that in Terminal, if you start an ssh session it either will connect or it won't - but it won't connect and be unsecured. So, I'm guessing it really doesn't help track down the problem at all.
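An added example, not part of any post in this thread: a Python script that reads the two log formats quoted above (the AppleFileServiceAccess.log entries and the xinetd lines from system.log) and lists AFP logins that did not arrive over an SSH forward, which is the "reduced security" fallback the thread is about. It assumes a tunnelled login shows a loopback source address in the AFP log and that both logs are in the server's local time; the sample lines, user names and 192.0.2.x addresses are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the two formats quoted in the thread
# (addresses are from the 192.0.2.0/24 documentation range).
AFP_LOG = """\
IP 192.0.2.10 - - [10/Aug/2004:22:05:45 -0800] "Login admin" 0 0 0
IP 192.0.2.10 - - [10/Aug/2004:22:05:48 -0800] "OpenFork .DS_Store" 0 0 0
IP 127.0.0.1 - - [10/Aug/2004:22:20:02 -0800] "Login user1" 0 0 0
IP 192.0.2.44 - - [10/Aug/2004:22:30:10 -0800] "Login admin" 0 0 0
""".splitlines()
SYSTEM_LOG = """\
Aug 10 22:19:58 localhost xinetd[362]: START: ssh pid=2049 from=192.0.2.10
Aug 10 22:30:05 localhost xinetd[362]: START: ssh pid=2051 from=192.0.2.44
Aug 10 22:30:11 localhost sshd[2051]: reverse mapping checking getaddrinfo for host.example.net failed
""".splitlines()

AFP_LOGIN = re.compile(r'^IP (\S+) - - \[(\S+) [+-]\d{4}\] "Login (\S+)"')
SSH_START = re.compile(r'^(\w{3}\s+\d+ [\d:]{8}) \S+ xinetd\[\d+\]: START: ssh pid=\d+ from=(\S+)')


def ssh_starts(system_lines, year):
    """Return (time, client_ip) for each xinetd 'START: ssh' line; syslog omits the year."""
    out = []
    for line in system_lines:
        m = SSH_START.match(line)
        if m:
            out.append((datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)))
    return out


def direct_afp_logins(afp_lines, system_lines, window=timedelta(seconds=60)):
    """List AFP logins that did not arrive over loopback, i.e. were not tunnelled."""
    findings = []
    for line in afp_lines:
        m = AFP_LOGIN.match(line)
        if not m or m.group(1).startswith("127."):
            continue  # not a login, or (assumption) a login carried by an SSH forward
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
        ssh_seen = any(ip == m.group(1) and timedelta(0) <= when - t <= window
                       for t, ip in ssh_starts(system_lines, when.year))
        findings.append({"user": m.group(3), "ip": m.group(1),
                         "time": when.isoformat(), "ssh_seen": ssh_seen})
    return findings


if __name__ == "__main__":
    for f in direct_afp_logins(AFP_LOG, SYSTEM_LOG):
        print(f)
```

A finding with `ssh_seen` false matches what was reported in the thread: the AFP login is recorded but no SSH session from that client ever reached the server. A finding with `ssh_seen` true means sshd was reachable from the client and the AFP login still came in directly.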