After a discussion with Rich Mogull, where we both agreed that AFP is a threat (note that Apple fixed 4 different AFP threats in Security Update 2006-004), I decided to require ssh tunneling for AFP connections to Apple provides a neat feature for automatically tunneling AFP through ssh, but unfortunately it's broken in half a dozen ways...

My initial report:

It is impossible to connect to an AFP server without access to port 548 -- this should work if ssh is available, and AFP-over-SSH is enabled. Instead, with 548 blocked by a firewall, the AFP connection times out -- even using an alias created when connected via AFP-over-SSH.

Connect To Server should accept afps://host as a scheme that specifies AFP-over-SSH. Instead it gets converted to afp://afps/host, which is wrong and nonfunctional.

It's impossible to require ssh for AFP from the server.

It's impossible to support AFP on the server without leaving port 548 open, even though with ssh tunnelling 548 shouldn't be needed.

Note: These are not exploits, but they are real problems with the security of Mac OS X (Server