Extra Pepperoni

Comments

1. On Monday, December 11 2006, 10:20 by edoug

I want to make sure I understand you properly, are you saying you think secure afp connections are broken, or that allowing their use does not guarantee their use? when i attempt a secure afp connection from Finder->Go->Connect to Server and use the options button to allow only secure afp it appears to work.

2. On Monday, December 11 2006, 11:16 by reppep

edoug,

If you manage to make an AFP-over-SSH connection, I believe you get full encryption for your file transfers. The problem is that it doesn't work without AFP(-not-over-SSH) accessible to carry the initial connection, due to poor design.

This has two implications. First, this means I can't provide AFP-over-SSH access without allowing users to connect via AFP without SSH -- I want to require SSH for AFP, but Apple's implementation doesn't permit this. Second, I cannot simply firewall off port 548 without losing AFP entirely. Apple fixes major AFP bugs often enough that I don't want that port exposed to the Internet. As a result I no longer allow my (Internet) users AFP access. That's a shame.

3. On Sunday, May 20 2007, 03:27 by RichardG

There is a work-round for this, you can add an extra IP address to the loop-back device and then forward AFP to that manually.

In terminal, type:

sudo ifconfig lo0 add 127.0.10.10 sudo ssh username@gateway -L127.0.10.10:548:remotehost:548

(you need to be super user to forward ports < 1024 , also to run ifconfig)

then in the finder, connect to afp://127.0.10.10

this lets me contact an AFP server behind a firewall that only allows through SSH. You can also SSH directly into a client machine and forward AFP over that link in the same way.

sudo ssh username@clientmachine -L127.0.10.10:548:localhost:548

though this lacks the Apple 'it just works' elegance...

4. On Sunday, May 20 2007, 20:31 by reppep

RichardG,

Does this actually work for you? First, I had to turn off Personal File Sharing on the client (since port 548 was in use). Once that was done, I ran "sudo ssh -v pepper@www -L 127.0.10.10:548:localhost:548", and the output included:

debug1: Local connections to 127.0.10.10:548 forwarded to remote address localhost:548
debug1: Local forwarding listening on 127.0.10.10 port 548.
bind: Can't assign requested address
channel_setup_fwd_listener: cannot listen to port: 548
Could not request local forwarding.

I'd think this indicated 548/tcp was still in use on my client, but "netstat -an|grep 548" indicates it is not.

More to the point, when I try to make an AFP connection to afp://127.0.0.1, I get the expected error message because the AFP client refuses to talk to myself:

5. On Friday, December 7 2007, 11:41 by ExpanDrive - Secure Access To Remote Filesystems - The Apple Blog

[...] allowing remote SMB networking has a host of perils and secure, remote AFP connections have their own challenges. Isn’t there a simple and secure way to have share-like access to your remote [...]

6. On Thursday, August 28 2008, 05:03 by DanBUK

Hey Reppep,

In order to get the tunneled version to work you must ifconfig first to add the extra address.

db:~ dbartlett$ sudo ifconfig lo0 add 127.0.10.10 db:~ dbartlett$ sudo ssh -L 127.0.10.10:548:REMOTEAFPHOST:548 dan@GATEWAYSSHHOST

It worked first time when I did both of those!

7. On Thursday, August 28 2008, 21:48 by reppep

Dan,

That's a different issue. Mine is that the AFP client recognizes 127.0.0.* is the local host, and won't let me connect back to myself.

Search

• Home -
• Archives