Mac OS X 10.3, 10.4: Configuring AFP to use OpenSSH exclusively

Learn how to configure an AFP (Apple Filing Protocol) client to use OpenSSH exclusively as the connection method, instead of a clear-text connection. This is an advanced document for Mac OS X 10.3 and 10.4.

AFP includes a feature to use OpenSSH as the data transport mechanism. To prevent the AFP client from falling back to a clear-text connection, these three preferences must be set in the com.apple.AppleShareClientCore dictionary of each user's global preferences (the .GlobalPreferences.plist file); the script later in this document writes them with the defaults command:

afp_ssh_allow=1
Enables the feature and instructs the client to try OpenSSH if the server advertises it

afp_ssh_force=1
Instructs the client to use OpenSSH even if the server does not say it is available

afp_ssh_require=1
Causes the login attempt to fail if OpenSSH cannot automatically connect

Important: These settings must be made for each user account. They cannot be made globally.

Note: When these settings are in effect, if OpenSSH cannot establish a connection a "bad password" dialog box appears, even though the password may be correct. Because the AFP client cannot prompt the user to accept a host key, the most common cause of OpenSSH failure is a server host key that is unknown or has changed. Administrators should distribute and maintain the /etc/ssh_known_hosts file in accordance with best security practices. Without the /etc/ssh_known_hosts file, users will need to manage their own ~/.ssh/known_hosts file and pre-establish the correct server key (for example, by connecting once with ssh and verifying the fingerprint out of band) before the AFP login can succeed.

Editing the configuration file

There are two ways to do this:

Manually edit the file

Open the .GlobalPreferences.plist file (which is in each user's ~/Library/Preferences/ folder) in an editor, and set the three preferences described above to 1 inside the com.apple.AppleShareClientCore dictionary. If the file is stored in binary format, convert it to XML first with "plutil -convert xml1" so that it can be edited as text.

Repeat this process for each additional account's .GlobalPreferences file.


Make a script

The following script can be saved into a file and run once for every account that will be using AFP over SSH. Follow these steps:

  1. Create a new document in TextEdit.
  2. Copy and Paste in the text that is in the section below, beneath "Begin copying below this line"
  3. Choose Make Plain Text from the Format menu.

    Tip: If this command is not present in the Format menu, skip this step (as you have already set plain text as the default format).

  4. Save this file to the /Users/Shared folder with the name "SecureAFP.command"

    Note: Do not append the .txt filename extension to the file.

  5. Open the Terminal application (located in the Utilities folder).
  6. Type: sudo chmod 555 /Users/Shared/SecureAFP.command
  7. Press Return.
  8. Enter your administrator password when prompted.
  9. Run the script by double-clicking it in the Finder.
  10. Log in with a different account, and use the same script.
  11. Repeat for other accounts as needed.


Begin copying below this line:
__________________________


#!/usr/bin/perl
$ENV{PATH}="/bin:/sbin:/usr/bin:/usr/sbin";
$defs = `defaults read -g com.apple.AppleShareClientCore 2>/dev/null`;
$defs = "{\n}\n" unless $defs =~ /\S/;   # no dictionary yet: start with an empty one
for $key (qw(allow force require)) {
    # set the key to 1 if it exists (quoted or unquoted), otherwise add it before the closing brace
    $defs =~ s/"?afp_ssh_$key"?\s*=\s*[^;]+;/"afp_ssh_$key" = 1;/
        or $defs =~ s/\}\s*$/    "afp_ssh_$key" = 1;\n}\n/;
}
system qw(defaults write -g com.apple.AppleShareClientCore), $defs;
#end of script


______________________
End copying above this line.

Note that the script's lines begin, respectively, with "#!", "$ENV", "$defs", "$defs", "for", "#", "$defs", "or", "}", "system", and "#end"
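The following shell script is an added verification helper; it is not part of this document's script or of Apple's software. It checks the two conditions described above: that a user's com.apple.AppleShareClientCore dictionary (the text printed by defaults read -g com.apple.AppleShareClientCore) has all three afp_ssh_* keys set to 1, and that the file server's host key is already listed in a known_hosts file, since a missing key is what the AFP client reports as a "bad password". The sample dictionary text, host names, addresses and key material are constructed placeholders; the --live mode and the path /etc/ssh_known_hosts are assumptions about how you would run it on a Mac.

```shell
#!/bin/sh
# Added example, not part of the Apple article. Checks the preconditions
# for AFP-over-SSH: all three afp_ssh_* keys set, and the server host key
# already known, so OpenSSH never needs to prompt.

# afp_ssh_check DICT_TEXT -> 0 when afp_ssh_allow, afp_ssh_force and
# afp_ssh_require are all 1; 1 otherwise. A missing key counts as not set,
# because the client would then fall back to a clear-text connection.
afp_ssh_check() {
    dict=$1
    for key in allow force require; do
        # `defaults read` may print key and value quoted or unquoted
        printf '%s\n' "$dict" |
            grep -Eq "^[[:space:]]*\"?afp_ssh_${key}\"?[[:space:]]*=[[:space:]]*\"?1\"?[[:space:]]*;" ||
            return 1
    done
    return 0
}

# host_key_known HOST FILE -> 0 when FILE has a plain (unhashed) entry whose
# comma-separated host list contains HOST exactly; 1 otherwise. Hashed
# entries (|1|...) and @cert-authority / @revoked marker lines cannot be
# matched by name this way and are skipped.
host_key_known() {
    wanted_host=$1
    hosts_file=$2
    [ -r "$hosts_file" ] || return 1
    awk -v h="$wanted_host" '
        /^[[:space:]]*#/ || NF == 0 { next }   # comments and blank lines
        /^[@|]/                     { next }   # markers and hashed entries
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$hosts_file"
}

# Constructed sample dictionaries, in the format `defaults read` prints.
DICT_SECURE='{
    afp_ssh_allow = 1;
    afp_ssh_force = 1;
    afp_ssh_require = 1;
}'
# afp_ssh_require is absent: the login would still fall back to clear text.
DICT_INCOMPLETE='{
    afp_ssh_allow = 1;
    afp_ssh_force = 1;
}'

# write_sample_known_hosts FILE: writes a constructed known_hosts file.
# The key strings are placeholders, not real host keys.
write_sample_known_hosts() {
    cat > "$1" <<'EOF'
# constructed sample, placeholder key material
fileserver.example.com,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAplaceholder=
|1|saltplaceholder=|hostplaceholder= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAplaceholder=
EOF
}

# Live mode on Mac OS X (assumed usage): ./afpcheck.sh --live fileserver.example.com
if [ "${1-}" = "--live" ]; then
    afp_ssh_check "$(defaults read -g com.apple.AppleShareClientCore 2>/dev/null)" \
        && echo "afp_ssh_* preferences: all set for $(id -un)" \
        || echo "afp_ssh_* preferences: NOT all set for $(id -un); AFP may fall back to clear text"
    host_key_known "$2" /etc/ssh_known_hosts \
        && echo "host key for $2: present in /etc/ssh_known_hosts" \
        || echo "host key for $2: not in /etc/ssh_known_hosts (check ~/.ssh/known_hosts too)"
fi
```

Run it once per account after the SecureAFP.command script, since the preferences are per user; a server that is only in a hashed known_hosts entry will show as not found here even though OpenSSH itself would accept it.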

Additional information

OpenSSH requires access to files in the user's home directory (such as ~/.ssh/known_hosts) before the connection is made, so you can't use this method to mount a network home directory itself.

AFP connections initiated by the automounter cannot use OpenSSH.

When using OpenSSH the AFP client will not attempt automatic reconnect.

Since OpenSSH only works over TCP/IP, you cannot use this method to communicate to a server over AppleTalk.

Published Date: Feb 19, 2012