Archive for August 11, 2006

Security Flaws: AFP-over-SSH Broken

After a discussion with Rich Mogull, where we both agreed that AFP is a threat (note that Apple fixed 4 different AFP threats in Security Update 2006-004), I decided to require ssh tunneling for AFP connections to www.reppep.com. Apple provides a neat feature for automatically tunneling AFP through ssh, but unfortunately it’s broken in half a dozen ways…

My initial report:

It is impossible to connect to an AFP server without access to port 548 — this should work if ssh is available, and AFP-over-SSH is enabled. Instead, with 548 blocked by a firewall, the AFP connection times out — even using an alias created when connected via AFP-over-SSH.

Connect To Server should accept afps://host as a scheme that specifies AFP-over-SSH. Instead it gets converted to afp://afps/host, which is wrong and nonfunctional.

It’s impossible to require ssh for AFP from the server.

It’s impossible to support AFP on the server without leaving port 548 open, even though with ssh tunnelling 548 shouldn’t be needed.

Note: These are not exploits, but they are real problems with the security of Mac OS X (Server & client).

An addendum:

Mac OS X client should be able to serve AFP-over-SSH. Now would be an excellent time to fix this weakness in X’s security posture.

Mac OS X client should be able to close firewall ports for active services, to force tunnelling; I’m particularly interested in ARD/VNC and AFP. Right now, any service enabled in Sharing must be open in Firewall (if the firewall is enabled through System Preferences). This should be optional.

Update, 2006/08/13:

I tried connecting through a manually created SSH tunnel, and it doesn’t work. Connect To Server doesn’t honor ports in the URL, so “afp://www.reppep.com:1548” tries to find a machine named “www.reppep.com:1548”, which of course fails. This means a) I can’t do it without root-level access to create the tunnel on 548/tcp, and b) I can’t create the tunnel while File Sharing is on on the client (all my clients run Personal File Sharing).

Additionally, when I try to point Connect To Server to 127.0.0.1, it tells me “Connection failed” “This file server is running on your machine. Please access the volumes and files locally.”

It’s possible I could bind another interface on 127.0.0.2 and use “sudo mount_afp”, but that’s not even worth exploring. I cannot provide VPN access to all my users.

So AFP over the Internet is fundamentally broken, beyond any semi-reasonable means to fix. Please fix in Leopard!
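
The URL handling the report and the update expected from the client, as an added example (not code from the post or from Apple): the port is split from the host name, the afps:// scheme proposed in the report selects SSH, and the manual forward is described along with the two obstacles the update names. The function names and the ssh user name are assumptions.

```python
from urllib.parse import urlsplit

AFP_PORT = 548           # standard AFP-over-TCP port
PRIVILEGED_BELOW = 1024  # binding a local port below this needs root on Unix

def parse_afp_url(url):
    """Split an afp:// or afps:// URL into (use_ssh, host, port)."""
    parts = urlsplit(url)
    if parts.scheme not in ("afp", "afps"):
        raise ValueError(f"not an AFP URL: {url!r}")
    if not parts.hostname:
        raise ValueError(f"no host in {url!r}")
    # .port raises ValueError for a non-numeric or out-of-range port
    port = AFP_PORT if parts.port is None else parts.port
    return parts.scheme == "afps", parts.hostname, port

def tunnel_plan(server, local_port, ssh_user="user"):
    """Describe a manual SSH local forward to the server's AFP port.

    ssh_user is a hypothetical account name used for illustration.
    """
    forward = f"{local_port}:127.0.0.1:{AFP_PORT}"
    return {
        # -N: no remote command, -L: local port forward
        "argv": ["ssh", "-N", "-L", forward, f"{ssh_user}@{server}"],
        # obstacle (a) in the update: 548/tcp is a privileged port
        "needs_root": local_port < PRIVILEGED_BELOW,
        # obstacle (b): a local AFP server already listens on 548
        "conflicts_with_local_afp": local_port == AFP_PORT,
    }

if __name__ == "__main__":
    # URLs taken from the post; afps:// is the scheme the report asks for
    for url in ("afp://www.reppep.com:1548", "afps://www.reppep.com"):
        print(url, "->", parse_afp_url(url))
    for local_port in (1548, 548):
        print(local_port, tunnel_plan("www.reppep.com", local_port))
```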


Apple has redefined sleep

For a long time, Apple’s put an LED on all Macs. When it’s flashing, the machine is asleep. Modulo some limitations on “deep sleep” imposed by non-compliant PCI cards, sleep has been very simple. When a Mac is asleep, it’s almost off — it consumes very little power, and you can’t do much besides wake it up. When you wake a Mac up, it comes back to full functioning quickly.

I have a MacBook Pro at work, and strongly believe computers should never sleep — I do most of my job via ssh, without looking at whatever system I’m working on. So I always set System Preferences > Energy Saver > Power Adapter to Never sleep.

Intel-based PCs have several different low-power modes, including at least one (“hibernate”) where they save the contents of RAM to disk, so the machine can completely shut off but still “wake up” without booting again. This type of behavior will feature more prominently in Vista. Apparently booting Vista is so slow that people are going to spend real money for large flash drives to reduce booting…

Anyway, Apple has apparently redefined the meaning of the white LED on the MacBook Pro. Even though I’d set cayenne (my MBP) to never sleep when plugged in, I kept noticing that while on my desk, the screen would go black and the LED would flash. “Hmm, this is not as intended!”, I thought.

I checked “pmset -g”, which confirmed cayenne was configured never to sleep when plugged in, but it kept happening. I called Apple to ask about this, and was told that the LED meant the MBP was indeed sleeping despite the configuration. I reset the power manager a few times, and Apple sent me a box. Wednesday I got cayenne back, with an upgraded logic board, but after sitting on my desk, the screen again went black, and the “sleep” LED again started flashing.

“Hmm,” thought I, “perhaps Alex was right and 3 Apple Support reps were wrong.” Alex had told me that the LED flashing on his MacBook did not mean it was in fact sleeping, but foolishly I believed Apple Support and my own historical experience instead.

I was able to ssh into cayenne while the LED kept blinking, which proved that it wasn’t really asleep in the PowerBook sense at all.

Moral of the story: Apple upgraded my logic board through ignorance of its own equipment, and I lost use of the MacBook for a week because I didn’t take Alex’s word for it.

Update: It’s more complicated. The documentation doesn’t match my experience, and Apple actually started changing the sleep behavior with the next (final?) generation of PowerBooks, released immediately after my 1.5GHz PBG4.
