Encrypted passwords for AFP?

Posted by: vocaro
Posted on: 2007-01-06 12:21:00

After more than a year as a DreamHost customer, I just found out yesterday that the Apple Filing Protocol (AFP) is supported out-of-the-box. This is fantastic, since I needed a way to mount my home directory as a drive, and WebDAV wasn't an option because it interferes with shell access.

The only problem is that when mounting the home directory, AFP reports that my password is being sent in the clear. Is there any way around that? I tried enabling the SSH option for AFP, but it didn't work.

Thanks!

Re: Encrypted passwords for AFP?

Posted by: wholly
Posted on: 2007-01-06 12:35:00

It's a fix that has been added to the request system. You might want to vote for it from the control panel. With enough requests they'll do it.

(As far as I'm concerned it's a security problem and should be fixed or the feature turned off).

You do know how to use https://panel.dreamhost.com/index.cgi?tree=home.sugg& right? (I'd been here three months before I found it).



Wholly

Re: Encrypted passwords for AFP?

Posted by: vocaro
Posted on: 2007-01-06 13:07:00

Done; thanks for the tip!

Re: Encrypted passwords for AFP?

Posted by: sdayman
Posted on: 2007-01-06 17:29:00

I didn't even know it was possible on a non-OS X server. From what I've read, it's a feature of OS X Server, but hadn't heard of it being available elsewhere. I'll give it a vote.

-Scott

Re: Encrypted passwords for AFP?

Posted by: vocaro
Posted on: 2007-01-06 18:16:00

AFP was around well before OS X came to life. It's even available from Microsoft in certain versions of Windows! I use it on my Linux servers via the netatalk library.

http://en.wikipedia.org/wiki/Apple_Filing_Protocol


Re: Encrypted passwords for AFP?

Posted by: sdayman
Posted on: 2007-01-06 18:25:00

I wasn't very specific in my post. It's the encryption that I didn't think was widely available, except on OS X Server.

-Scott

Re: Encrypted passwords for AFP?

Posted by: lrosenstein
Posted on: 2007-01-09 14:31:00

You can use an ssh tunnel to secure the password. See this posting for an example:

http://discussion.dreamhost.com/showthreaded.pl?Cat=&Board=forum_troubleshooting&Number=66732


Re: Encrypted passwords for AFP?

Posted by: wholly
Posted on: 2007-01-09 18:29:00

A damn fine solution! Thanks for the advice!

Wholly

Re: Encrypted passwords for AFP?

Posted by: vocaro
Posted on: 2007-01-09 19:21:00

Thanks, but edges' suggestion doesn't seem to work. I can connect to localhost as expected, but I still get a warning saying that my password is in the clear.

I think I'll just cross my fingers and hope DreamHost implements this feature soon.

Re: Encrypted passwords for AFP?

Posted by: wholly
Posted on: 2007-01-09 19:34:00

Because it *is* sent in the clear - over a fully encrypted channel. All traffic is encrypted when you tunnel it.

It's what the big boys do. (I have done work for banks, they use it a LOT.)

I'm embarrassed I didn't think of it first.

Wholly

Re: Encrypted passwords for AFP?

Posted by: vocaro
Posted on: 2007-01-09 20:10:00

Oh, I see. One more question, then: Is there a way of doing the SSH tunneling without logging in? When I do "ssh -L ...", it logs me in to DreamHost, so I have this terminal sitting there doing nothing (except tunneling things in the background). I suppose I could work around this by using the screen utility or something, but I'm guessing there's a better way. Thanks.

Re: Encrypted passwords for AFP?

Posted by: wholly
Posted on: 2007-01-09 20:18:00

You'd have to ask an apple junkie the right way to do that. I'm just a run of the mill linux/unix/windows kinda guy.

Wholly

Re: Encrypted passwords for AFP?

Posted by: vocaro
Posted on: 2007-01-09 20:44:00

But I'm just talking about the command-line SSH utility, same as Linux/UNIX. Nothing Apple-specific.


Re: Encrypted passwords for AFP?

Posted by: wholly
Posted on: 2007-01-10 05:32:00

The nature of tunnelling with SSH is that the terminal has to stay open unless you want to run it in the background, but then you leave that connection open as a security risk.

Personally I like leaving the window open as a reminder that I'm connected.

Wholly

Re: Encrypted passwords for AFP?

Posted by: lrosenstein
Posted on: 2007-01-10 10:34:00

Sorry, I should have mentioned that. To OS X it will still look as if the password is sent in the clear, because the protocol is the same. Therefore it still gives you a warning. In reality, however, the password is sent through the encrypted ssh tunnel to the server, so it won't be visible over the Internet. (And as a bonus, all file transfers will also be encrypted between your machine and the server.)



Re: Encrypted passwords for AFP?

Posted by: lrosenstein
Posted on: 2007-01-10 18:49:00

There are several programs on OS X that can manage ssh tunnels without a terminal window. I use SSHKeychain (www.sshkeychain.org).
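
The tunnel discussed in this thread, as an added example that is not part of any post and not the command from the linked posting: an SSH local forward for AFP that runs without an interactive shell and can be checked and closed through a control socket. The login `user@example.com`, local port 10548, the socket path, and the assumption that the AFP server answers on the remote host's loopback port 548 are placeholders.

```shell
#!/bin/sh
# Added example: AFP through an SSH local forward, no login shell left open.
# REMOTE, LOCAL_PORT and CTL are placeholders (assumptions, not from the thread).
REMOTE="${REMOTE:-user@example.com}"        # SSH login on the AFP server
LOCAL_PORT="${LOCAL_PORT:-10548}"           # unprivileged local port
CTL="${CTL:-$HOME/.ssh/afp-tunnel.sock}"    # control socket for status/teardown

# Accept only a numeric, unprivileged TCP port.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Listen on 127.0.0.1 only, so other machines on the LAN cannot use the
# tunnel; 548 is the standard AFP-over-TCP port on the server side.
forward_spec() { printf '127.0.0.1:%s:127.0.0.1:548' "$LOCAL_PORT"; }

# Address to give the AFP client once the tunnel is up. The client still
# warns about a cleartext password because the AFP exchange is unchanged.
afp_url() { printf 'afp://127.0.0.1:%s/' "$LOCAL_PORT"; }

tunnel_up() {
    valid_port "$LOCAL_PORT" || { echo "bad LOCAL_PORT" >&2; return 1; }
    # -f  background after authentication   -N  run no remote command
    # -M/-S  master connection with a control socket
    # ExitOnForwardFailure: abort if the local port cannot be bound
    ssh -f -N -M -S "$CTL" -o ExitOnForwardFailure=yes \
        -L "$(forward_spec)" "$REMOTE"
}

tunnel_status() { ssh -S "$CTL" -O check "$REMOTE"; }   # is it still open?
tunnel_down()   { ssh -S "$CTL" -O exit  "$REMOTE"; }   # close it cleanly

case "${1:-}" in
    up)     tunnel_up && echo "connect to $(afp_url)" ;;
    status) tunnel_status ;;
    down)   tunnel_down ;;
esac
```

Running `down` after unmounting closes the background connection, so it is not left open once the share is no longer in use.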

Re: Encrypted passwords for AFP?

Posted by: sdayman
Posted on: 2007-10-31 16:25:00

To revive an old thread, Leopard now appears to use encrypted-only AFP, which DreamHost doesn't support. Now what? I suppose I could resort to using Transmit like it's a Finder window, but that seems so kludgy.

-Scott

Re: Encrypted passwords for AFP?

Posted by: lrosenstein
Posted on: 2007-10-31 16:38:00

The best thing is to install MacFUSE (the 1.0 version was just released) and use the ssh filesystem. I also use a separate program called MacFusion, which provides a convenient menu of shortcuts.

Larry

Re: Encrypted passwords for AFP?

Posted by: sdayman
Posted on: 2007-11-01 16:21:00

No joy here. I installed MacFUSE 1.0 for 10.5, but when I run MacFusion, it says MacFUSE isn't running. Am I missing a step?

I sure wish DreamHost would set up encrypted AFP. Someone said it's in the Suggestions section, but I don't see it up for a vote. Anybody got a link?

-Scott

Re: Encrypted passwords for AFP?

Posted by: lrosenstein
Posted on: 2007-11-01 17:55:00

MacFusion hasn't been updated to match the 1.0 MacFUSE; it worked for me on 10.4, but maybe it doesn't work on 10.5. I would try to download the sshfs application (from the main MacFUSE site) and see if that works.


Larry

Re: Encrypted passwords for AFP?

Posted by: sdayman
Posted on: 2007-11-01 19:39:00

sshfs does nothing after I enter the host and username. No errors, nada. Is MacFusion a persistent process? I didn't see it in a 'ps' listing.

-Scott

Re: Encrypted passwords for AFP?

Posted by: lrosenstein
Posted on: 2007-11-01 23:48:00

MacFUSE is a kernel extension + filesystem. I don't know about 10.5, but on 10.4 you can do kextstat | grep fusefs to see if it is loaded. Maybe there's a bug running on 10.5.

MacFusion is a frontend to the ssh and ftp file systems. It is a persistent process that manages the menu.

Larry

Re: Encrypted passwords for AFP?

Posted by: sdayman
Posted on: 2007-11-02 11:50:00

Nothing in kextstat. I did run the install for the 10.5 MacFUSE. Now I'm trying to dig around and see if I did the install wrong. When it was done, it did say "Successful."

-Scott

Re: Encrypted passwords for AFP?

Posted by: sdayman
Posted on: 2007-11-04 16:01:00

Turns out it was working, after all. It just doesn't show up in the Finder, but it does show up as a mounted volume in the Terminal.

Better news. Found a way to enable cleartext AFP (better than nothing, and my stuff's not that sensitive):

defaults write com.apple.AppleShareClient afp_cleartext_allow -bool true


-Scott
