10.3.4 and AFP over SSH

[homer]

Since updating to 10.3.4, whenever I try to connect to my other Mac using AFP, I get the following message:

Code:

Can't make a secure connection to Bender:
The server Bender does not support secure connections via SSH.  
To connect with reduced security, click Continue.

This happens whether I'm connecting from Bender to Fry, or from Fry to Bender. I've changed nothing in the configurations of either machine, so now I'm not sure whether I've ever been connecting securely or not.

I do have both SSH and AFP sharing enabled, so I don't know why this shouldn't work. Also, I have the Allow Secure Connections using SSH box checked in the Options dialog of the Connect To .... dialog.

Is anyone else experiencing this? Is there something I can change to make it work? It's not a big deal, because I'm on a home network behind a firewall, but it would be nice if it worked.

[biovizier]

Maybe with the update, Panther is now smart enough to realize that no amount of security can protect you when dealing with the likes of Bender...
To answer your first question, several people in the apple discussions (look in Home > Mac OS X > Mac OS X v10.3 Panther > Using Mac OS X Panther) have reported SSH problems.
I think I'll hold off upgrading until the dust settles.

[homer]

Oh, Bender's misunderstood. All he needs is a good dose of alcohol, and he'll behave.

Anyway... I had done a search on the Apple discussions forums for the problem, but came up with nothing. Now, however, I see it. We'll see how it develops... Anyway, thanks for the tip.

[Brian Kendig]

Just a 'me too' - I'm seeing the same problem here. It started happening immediately after I upgraded my server to 10.3.4.

[homer]

I'm thinking Apple should be delivering a fix before too long. And maybe close those security holes too. Ugh.

[yellow]

Unchecking "Allow Secure Connections Using SSH" in the Options window of the AFP login window should make that message go away. I suspect this is a bug that will be addresses in a future update.

[gomez@owlhouse.o]

I was having this issue as well. It turns out that AFP over SSH connections were _never_ working, but MacOS X wasn't informing the user that it was an unsecure connection! This failure to notify has been corrected in 10.3.4.
Here's the answer I found:

in http://www.macintouch.com/panreader33.html, Daniel Figucio writes:

"Only Mac OS X Server can be connected to via AFP over SSH - AND you have to enable it at the server end. You cannot connect to a Mac OS X Client with AFP over SSH. What used to happen was that the attempted connection would fail and it would connect without using SSH without letting you know. Now it lets you know... So in reality, its a feature improvement, as it plugs a security issue."

So that addresses the question about what was going on. But it leaves me wondering if there is no secure way to remotely connect to my home box through the GUI. I don't suppose there is any way to mount volumes on the remote connecting machine through any other sharing system (SMB, NFS, etc) without using AFP but still connecting through SSH? Or would I have to be running MacOS X Server?

Anyone?

[Ptitboul]

Quote: Originally Posted by gomez@owlhouse.o "Only Mac OS X Server can be connected to via AFP over SSH - AND you have to enable it at the server end. You cannot connect to a Mac OS X Client with AFP over SSH." (...) So that addresses the question about what was going on. But it leaves me wondering if there is no secure way to remotely connect to my home box through the GUI. I don't suppose there is any way to mount volumes on the remote connecting machine through any other sharing system (SMB, NFS, etc) without using AFP but still connecting through SSH? Or would I have to be running MacOS X Server? Anyone?

I tried to add <key>SSHTunnel</key><true/> in /Library/Preferences/com.apple.AppleFileServer.plist and it almost works : the AppleFileServer tells to the client that SSH is allowed, but the problem I am facing is that the authentication is always rejected. Therefore I currently don't know how to have an AFP over SSH server with MacOS X desktop.

SMB over SSL is possible, but the smbclient provided with MacOS X is version 3 and SMB over SSL apparently exists only for smbclient version 2.

[mkv22]

http://docs.info.apple.com/article.html?artnum=25758

However, you do not have to do all those steps that is mentioned in that Apple support article, at least in Mac OS X Tiger 10.4.6. I did the following excatly:
1. I enabled SSH server (Remote login) and Personal File Sharing in 'Sharing' preferences pane in System Preferences in the Server running client version of Mac OS X Tiger 10.4.6
2. This needs to be done only once and that only if you have not previosuly done so or the OS was reinstalled/ upgraded that your Server's key has changed (Please refer to documentation on SSH for explanation on this point's technical details). I SSH-ed into this server from the client in which I intend to connect to the server using AFP. This adds my servers key to a file called known_hosts in a hidden folder, .ssh, in my home folder.
3. I copied this file '.ssh/known_hosts' to '/etc/ssh_known_hosts' when logged in as a admin user.
sudo cp ~/.ssh/known_hosts /etc/ssh_known_hosts
4. From the client machine I tried to connect to the server using AFP as usual.
5. In the login dialogue that appears after clicking 'connect,' please change the options as below (click on the 'wheel' like button and click on 'options' in the lower left corner of the dialogue)
a. Uncheck 'Allow sending password in clear text'
b. Check 'Allow secure connections using SSH'
c. Uncheck 'Warn when connection does not support SSH' - Yes, uncheck this! As the AFP server is not configured to advertise its ability to accept SSH connections, if you do not uncheck this you will be defaulted to 'clear text password' otherwise.

Hope this helps somebody!