ISP-In-A-Box: Remotely Managing Your Mac Using AFP and SSH Tunnels

We've been exploring remote access and remote management options for the Mac mini and other Macs running Mac OS X Panther or Tiger for several months, and today we'll turn our attention to another solution that is ideally suited for those with multiple Macs at different locations. Every copy of Mac OS X ships with client and server versions of the Apple File Protocol (AFP) over TCP/IP. Enabling the server is a one-click operation. Choose System Preferences->Sharing and put a check mark beside Personal File Sharing. Assuming you have enabled the Mac's built-in firewall (which we always recommend), this automatically opens ports 548 and 427. If you have a hardware-based firewall (which we also recommend), you'll need to open port 548 and point it to the internal IP address of your Mac. If you have two Macs with Internet connections at different locations, you'll need to do the same thing on the other end. To connect to a remote Mac, you'll need to know its IP address or fully qualified domain name. Using a web browser on the remote Mac, you can obtain the IP address of your Mac by clicking on this link.

Once you enable Personal File Sharing and open the necessary ports in your firewalls, anyone can access and upload files to your Macs knowing nothing more than your IP address or fully-qualified domain name. Only those with actual user accounts can read and write files and execute programs on your remote Mac, and their access is restricted just as if they had logged in sitting at the desktop. The anonymous write access may or may not be what you had in mind. One very real risk of this design is that, given enough time, a malicious passer-by can flood your Mac with data and fill your entire hard disk with junk which will eventually crash the operating system since there will be no room for temporary files. If you couldn't already tell, this isn't our favorite Apple engineering design so here's how to fix it.

As delivered from Apple, every user's account has a Public folder with a Drop Box subfolder. The owner-user has read-write-execute privileges. The owner's group and everyone else have write and execute privileges to the Drop Box folder. This means strangers can upload files but can't see what's been uploaded. To adjust this so that strangers have no access privilegs, open a Terminal window and switch to root privileges: sudo su. Switch to the directory which houses user accounts: cd /Users. Display a directory listing for this folder: ls -all. Then repeat the steps below for every user account on your Mac substituting the name of each user's file folder for thisuser:

  • chmod -R o-rwx thisuser/public
  • ls -dl thisuser/public
  • Make certain that the public directory listing in Step #2 begins with the following:

    drwxr-x---

    There should be three trailing hyphens following the "x" and these are the important part. Don't worry if the rest of the rights don't match. Continue repeating the steps above until you've done it for every user account on your Mac. Forgetting just one means someone can fill your disk with garbage!

    Now that we've gotten the security housekeeping out of the way, we're ready to test your AFP access. This can be done from another Mac on your local area network or from a Mac elsewhere on the Internet. If you're trying it from your LAN, use the private IP address of the remote Mac (we'll call the Mac we're connecting to the AFP host or AFP server). If you're trying this from elsewhere on the Internet, use your AFP host's Internet IP address, the one you obtained in the first paragraph above. Now, click on your Desktop and press Command-K. For the server address, type afp://192.168.0.102 substituting your AFP host's IP address, of course. Click the Connect button to make the AFP connection, and assuming you got the IP address typed correctly you will see an AFP login window which looks similar to the one shown in the inset to the left. Notice the Guest and Registered User options. Now you know why we did what we did above to disable Guest access. Technically, strangers still can connect. They just can't get to anything or do any damage. To see how this works, try Guest access to our beach house Mac by going to this address: afp://windswept.dyndns.org.

    For our purposes, you'll want to log in as a Registered User. So type your username and password just as you would sitting in front of your AFP Mac host. If you have Administrator rights, you'll be asked whether to mount your user directory or one of your mounted drives. Mounting the internal drive gives you access to everything on your Mac just as if you had logged in as the root user. You now can perform almost any task as if you were sitting in front of your remote Mac ... only slower. If you're using a modem, make that "painfully slower." If you have broadband connections at both ends of your AFP connection, you'll find AFP is perfectly acceptable for transferring files back and forth but probably not desirable for executing most applications, such as Word or iTunes. Another drawback of pure AFP is that data is sent in clear text and is unencrypted meaning all of the data including your account names and passwords are subject to compromise especially from a "Man in the Middle" attack. A good example would be a curious college geek managing the routers for your local Internet service provider.

    That brings us to the second half of this article which is how to use an encrypted SSH tunnel to protect your AFP sessions. In one of many great articles on the subject O'Reilly put it this way:

    A tunnel is a networking term with an appropriate name. It refers to a connection, usually encrypted, that connects two computers together across another, usually untrusted network. Picture a mountain of evil 3l33t d00dz sitting between your laptop and a server on your internal, protected network. You don't want to just throw your traffic really hard at the mountain and hope it gets there; you want to first form a protected tunnel from you to your machine, and then send the traffic through it.

    Without getting into too much detail, what we want to do is set up an encrypted tunnel using Mac OS X's SSH tools, and then we'll pass all of our AFP traffic through that tunnel to keep the bad guys from reading its contents. Once we finish our AFP session, we'll shut down the tunnel until we need it again. For this to work reliably, you'll need to set up identical user accounts with identical passwords on both the remote host and client machines, and these accounts should have administrator privileges. A user with admin privileges need not be logged in on the remote host to establish the tunnel successfully. On the remote host, you'll need to enable Remote Login by checking the appropriate box in System Preferences->Sharing. This will enable Port 22 traffic on your Mac firewall; however, you also will need to adjust your hardware-based firewall to route port 22 traffic to the internal IP address of your Mac. Now log in to your client Mac using the same account name with admin privileges that you established on your remote Mac. Open a Terminal window and type: ssh 192.168.0.102 substituting the remote IP address of your remote Mac host. You'll be warned that this machine may not be who you think it is. Type Yes to proceed anyway. Type your admin password when prompted. Once the tunnel is established, you can shut it down by typing Exit. You now know how to establish an SSH tunnel and, once established, you can do anything on the remote Mac that you could do sitting in front of it with a Terminal window.

    But we want to tunnel our AFP session through the SSH tunnel. That gets a little trickier, and we've created yet another code snippet to save you a semester's worth of work trying to figure it out yourself. Nothing in this script is original incidentally. It merely combines various suggestions I've scoured from around the 'Net to save you a bunch of time. So download afptunnel.txt to your browser by Control-Clicking on it and choosing to open it in a new tab or window. Press Command-A and then Command-C to copy the contents of the snippet to your clipboard. Now open a Terminal window and create a new file: pico afptunnel. Once the Pico editor opens, press Command-V to copy the contents of the clipboard into the editor. Now search for "windswept": Ctrl-W,windswept,enter. With the cursor positioned over the w in windswept, use Ctrl-D to delete windswept.dyndns.org. Now type the fully qualified domain name or IP address of your remote Mac AFP host but make certain the line ends with a semicolon with no blank spaces between the address and the semicolon. Now save the file: Ctrl-X,Y,enter. Change the file attributes to support script execution: chmod 770 afptunnel. Now try out the script to connect from your local machine to your remote Mac host through an SSH tunnel: ./afptunnel. Type Yes if asked whether to trust the host. Provide your admin password when prompted. When the tunnel is established and the AFP connection is made, log in to the remote host using your remote account created earlier. Heed the Terminal window warning and leave the window open until you end your AFP session by dismounting your AFP drive. Then click in the Terminal window and press the ENTER key to close down your SSH tunnel. You're now an expert on AFP and SSH. Now you can securely connect to your remote Mac from any other Mac on the planet!

    Security Alert. Just a heads up that earlier this week Apple announced a security vulnerability in the AFP server for Mac OS X Tiger only. You can read all about it here. Before using AFP Server on a Tiger system with or without an SSH tunnel, you are well advised to download and install Security Update 2005-006 for Mac OS X 10.4.1.

    Other Mac Projects and HOW-TO's. We tackle a new open source project for the Mac almost every week on Nerd Vittles. You can review the complete list at any time by going here.

    Be Sociable, Share!

    2 Responses to “ISP-In-A-Box: Remotely Managing Your Mac Using AFP and SSH Tunnels”

    1. Steve Drake says:

      This looks wrong to me – I think your script makes a secure connection to the local computer, and then forwards the afp connection in the usual manner across the internet.
      I tried it this way:

      ssh -L 10548:localhost:548 -f -N @

      This worked for me and I think it is correct.
      “localhost” here refers to the localhost on the remote side of the ssh connection – you could use a different name to connect to another computer on the remote machine’s local network.
      You don’t need to be an administrator on either machine to do this.

      Regards
      Steve

    2. Jose says:

      Hey, I love all the tutorials here and have found them all very helpful. Just wanted to add that there’s a way to disable Guest Access through the AFP sharing method. I found it on this site: http://www.princeton.edu/~psg/unix/osx/osxsecurity.html

      The tip is to just run this command from terminal:


      defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool false

      It will turn off guest access permanently. Don’t forget to reset the AFP service to have it activated.

    Ringbinder theme by Themocracy