Encrypted passwords for AFP?


After more than a year as a DreamHost customer, I just found out yesterday that the Apple Filing Protocol (AFP) is supported out-of-the-box. This is fantastic, since I needed a way to mount my home directory as a drive, and WebDAV wasn’t an option because it interferes with shell access.

The only problem is that when mounting the home directory, AFP reports that my password is being sent in the clear. Is there any way around that? I tried enabling the SSH option for AFP, but it didn’t work.



It’s a fix that has been added to the request system. You might want to vote for it from the control panel. With enough requests they’ll do it.

(As far as I’m concerned it’s a security problem and should be fixed or the feature turned off).

You do know how to use https://panel.dreamhost.com/index.cgi?tree=home.sugg& right? (I’d been here three months before I found it).



Done; thanks for the tip!


I didn’t even know it was possible on a non-OS X server. From what I’ve read, it’s a feature of OS X Server, but hadn’t heard of it being available elsewhere. I’ll give it a vote.



AFP was around well before OS X came to life. It’s even available from Microsoft in certain versions of Windows! I use it on my Linux servers via the netatalk library.


I wasn’t very specific in my post. It’s the encryption that I didn’t think was widely available, except on OS X Server.



You can use an ssh tunnel to secure the password. See this posting for an example:



A damn fine solution! Thanks for the advice!



Thanks, but edges’ suggestion doesn’t seem to work. I can connect to localhost as expected, but I still get a warning saying that my password is in the clear.

I think I’ll just cross my fingers and hope DreamHost implements this feature soon.


Because it is sent in the clear - over a fully encrypted channel. All traffic is encrypted when you tunnel it.

It’s what the big boys do. (I have done work for banks, they use it a LOT.)

I’m embarrassed I didn’t think of it first.



Oh, I see. One more question, then: Is there a way of doing the SSH tunneling without logging in? When I do “ssh -L …”, it logs me in to DreamHost, so I have this terminal sitting there doing nothing (except tunneling things in the background). I suppose I could work around this by using the screen utility or something, but I’m guessing there’s a better way. Thanks.


You’d have to ask an apple junkie the right way to do that. I’m just a run of the mill linux/unix/windows kinda guy.



But I’m just talking about the command-line SSH utility, same as Linux/UNIX. Nothing Apple-specific.


The nature of tunnelling with SSH is that the terminal has to stay open unless you want to run it in the background, but then you leave that connection open as a security risk.

Personally I like leaving the window open as a reminder that I’m connected.



Sorry, I should have mentioned that. To OS X it will still look as if the password is sent in the clear, because the protocol is the same. Therefore it still gives you a warning. In reality, however, the password is sent through the encrypted ssh tunnel to the server, so it won’t be visible over the Internet. (And as a bonus, all file transfers will also be encrypted between your machine and the server.)


There are several programs on OS X that can manage ssh tunnels without a terminal window. I use SSHKeychain (www.sshkeychain.org).
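
The tunnel discussed in the posts above, as an added example that is not part of the original thread: it opens the forward without a login shell, binds it to the loopback address only, and uses a control socket so the background connection can be checked and closed explicitly. The host name, local port 15548, socket path, and the assumption that the AFP server listens on port 548 of the SSH host are placeholders.

```shell
#!/bin/sh
# Added example: AFP over an SSH tunnel, held open without a login shell.
# Placeholders (assumptions, not from the thread): user@server.example.com,
# local port 15548, and an AFP server on port 548 of the SSH host itself.
SSH_TARGET="${SSH_TARGET:-user@server.example.com}"
LOCAL_PORT="${LOCAL_PORT:-15548}"
CTL_SOCKET="${CTL_SOCKET:-$HOME/.ssh/afp-tunnel.ctl}"

# With DRY_RUN=1, print the command instead of running it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Open the tunnel.
#   -f     go to the background after authentication
#   -N     run no remote command, so no shell sits idle in a terminal
#   -M -S  master mode with a control socket, used below to check and close
#   -L     bind the forward to 127.0.0.1 so other hosts cannot use it
#   ExitOnForwardFailure=yes: fail rather than run without the forward
tunnel_open() {
    run ssh -f -N -M -S "$CTL_SOCKET" -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:${LOCAL_PORT}:localhost:548" "$SSH_TARGET"
}

# Ask the background master whether it is still running.
tunnel_status() { run ssh -S "$CTL_SOCKET" -O check "$SSH_TARGET"; }

# Tell the background master to exit, which closes the forward.
tunnel_close() { run ssh -S "$CTL_SOCKET" -O exit "$SSH_TARGET"; }

# URL to give the AFP client; traffic to it goes through the tunnel.
afp_url() { printf 'afp://127.0.0.1:%s/\n' "$LOCAL_PORT"; }

case "${1:-}" in
    open)   tunnel_open && afp_url ;;
    status) tunnel_status ;;
    close)  tunnel_close ;;
    "")     ;;  # no argument: only define the functions
    *)      echo "usage: $0 open|status|close" >&2 ;;
esac
```

The AFP client will still warn about a cleartext password, for the reason given above: it sees the same protocol, only the transport underneath is encrypted.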


To revive an old thread, Leopard now appears to use encrypted-only AFP, which DreamHost doesn’t support. Now what? I suppose I could resort to using Transmit like it’s a Finder window, but that seems so kludgy.



The best thing is to install MacFUSE (the 1.0 version was just released) and use the ssh filesystem. I also use a separate program called MacFusion, which provides a convenient menu of shortcuts.



No joy here. I installed MacFUSE 1.0 for 10.5, but when I run MacFusion, it says MacFUSE isn’t running. Am I missing a step?

I sure wish DreamHost would set up encrypted AFP. Someone said it’s in the Suggestions section, but I don’t see it up for a vote. Anybody got a link?



MacFusion hasn’t been updated to match the 1.0 MacFUSE; it worked for me on 10.4, but maybe it doesn’t work on 10.5. I would try to download the sshfs application (from the main MacFUSE site) and see if that works.