
Securely mount AppleShare volumes in one step Network
My work computer is behind a firewall that only allows connections to port 22. Even if it wasn't behind a firewall, since the documents may be sensitive, I would rather not transfer anything without encryption. I want to mount my user directory of my work computer to my laptop wherever I might be. This is relatively easy with .Mac and Back to My Mac in Leopard. If you don't have .Mac and Leopard, however, here is how to do it with one click without spending any money.

First, make sure that the computer you want to reach has either a static IP address or a domain name. If not, go to DynDNS (or a similar service) and create a free account. Download DynDNS Updater to the computer you want to reach, and set up your domain name, such as work.dyndns.org.

Next, fire up Terminal on your home computer or laptop from which you want to reach the work computer.

[robg adds: The remainder of this hint duplicates and combines information from some existing hints; in that way, it's something of a duplicate. However, I don't believe we've published a full walkthrough like this before. Keep reading for the detailed how-to...]

With Terminal running, here's the remainder of the process...
  1. Generate an ssh key pair. Be sure to leave the passphrase empty. In this example, sname refers to the short login name of your laptop or home computer. Here's what the command looks like; press Return for each option listed:
    sname% ssh-keygen -t rsa
    Enter file in which to save the key (/Users/sname/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /Users/sname/.ssh/id_rsa.
    Your public key has been saved in /Users/sname/.ssh/id_rsa.pub.
    The key fingerprint is:
    69:55:f3:c3:63:f3:af:57:98:c9:45:63:f3:af:57:98:c9:45...
    This will create a private key called id_rsa and a public key named id_rsa.pub, both in the directory ~/.ssh. (Make sure that the private key is not likely to be seen by anyone, or that person can access your computer without a password!)
  2. The public key needs to be placed on the work computer. Securely copy the file to the work computer, then log in via ssh and add the key to the file ~/.ssh/authorized_keys (you may not need to create the files/folders on the work machine; check if they exist first):
    sname% scp ~/.ssh/id_rsa.pub user@work.dyndns.org:./id_rsa.pub
    sname% ssh user@work.dyndns.org
    Password:
    workuser% mkdir .ssh
    workuser% chmod 700 .ssh
    workuser% cd .ssh
    workuser% touch authorized_keys
    workuser% chmod 600 authorized_keys
    workuser% cat ~/id_rsa.pub >> authorized_keys
    workuser% rm ~/id_rsa.pub
    workuser% logout
    Now you should be able to ssh to your work computer securely without a password.
  3. Now we'll forward a local port (7777 in this example) on the laptop/home computer over a secure tunnel to port 548 on the work computer. (AppleShare uses port 548).
    sname% ssh -L 7777:localhost:548 user@work.dyndns.org
    You should now be logged into your work computer without having to type a password, with the local port 7777 forwarded to port 548 on the work computer. Do not log out. Follow the next step.
  4. Go to Finder and press Command-K, or use the Go » Connect to Server menu item. Type the following into the box: afp://localhost:7777. This should show you the work computer volumes you can log into. Choose the one you want to mount to your desktop. Be sure to check the box to save the password into your keychain, or you will need to enter it each time.
You should now have mounted your work computer as a volume on your desktop using an ssh tunnel. Now we just need to automate the process so that all of the above can be done with just one click.

Click the mounted volume on your desktop and make an alias (Command-L) under the File menu in Finder. Drag the alias to a convenient location, such as your Documents folder in this example. Rename it something simple such as Office. Now open Script Editor in the AppleScript folder of Applications, and paste the following text:

tell application "Finder"
    open alias file "Office" of folder "Documents" of folder "sname" of folder "Users" of startup disk
end tell


Save the script with a name such as MountOffice.scpt in your Documents folder as in this example. Check to make sure that the script is working correctly. If you have logged out of your work computer, log back in with port forwarding, as shown above. Then double-click your AppleScript and run it in Script Editor. Your work computer should mount on the desktop without typing a password.

Now we will automate the entire process using a Terminal command. Fire up TextEdit and paste the following text:

Be sure to replace user@work.dyndns.org with your login and name on the work computer. If you have given a different name to your AppleScript, or placed it in some other location than the Documents folder, be sure to specify the correct location rather than ~/Documents/MountOffice.scpt.

Save this file in a convenient place such as your Documents folder with a name such as One Click Office.term. TextEdit will ask you whether you really want to use .term as an extension. Click on the button "Use .term". Drag this file to your dock. If you haven't logged out of your work computer, do so now.

Now we will test the entire process. Click on the alias in the dock, and your work computer should mount on your desktop in 15 to 20 seconds without any further intervention, using a secure tunnel and not compromising any passwords! And all for free!

Finally, a few comments about this hint and its behavior.
  1. In Tiger, once you click the dock icon, Terminal should launch and the window should remain minimized in the dock. The minimized window should disappear from the dock once the volume is mounted on the desktop.
  2. The Terminal in Leopard does not support the IsMiniaturized key, so that is ignored in the MountOffice.term file. The key and its YES string can be safely deleted from the MountOffice.term file in Leopard. Unfortunately, this makes the hint slightly less elegant in Leopard.
  3. Consider giving the .term file a custom icon by copying an icon and pasting it onto the icon in the Get Info inspector of the .term file. See this hint for a how-to.
  4. The -f option in the ssh command in the MountOffice.term file puts the ssh command into the background. The tunnel remains open even though the Terminal window has been closed by the exit command and the ShellExitAction key. (You can check this behavior with Activity Monitor.)
  5. The Terminal keeps running after mounting the volume. If you would like to quit it, you can use the kill command by replacing exit with kill `ps -acx | grep Terminal$ | awk '{print $1}'`. But be careful, as it will abruptly close any other Terminal windows also. (Or consider writing an AppleScript for more graceful behavior.)
  6. Automator is not helpful in executing all these commands. I couldn't get it to keep a tunnel open. See this forum discussion for more on that subject.
[robg adds: Keep in mind that, without using a passphrase, if someone manages to gain access to your account on your laptop, they'll have easy access to your work machine as well. Of course, if they have your laptop with full account access, you've probably got other problems...]
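
One way to limit what the passphrase-less key from step 1 can do on the work computer, as an added example that is not part of the original hint: prefix its authorized_keys entry with OpenSSH options so the key can only forward to localhost:548. The names restrict_key, install_key and the sample key are constructed for illustration; the `restrict` option assumes OpenSSH 7.2 or later on the work computer, and a key installed this way suits only the background tunnel (ssh -f or -N), since no terminal is granted.

```shell
#!/bin/sh
# Added example, not from the original hint. Run on the work computer:
#   sh restrict_key.sh ~/id_rsa.pub      (script name is hypothetical)
# Assumes OpenSSH 7.2+ there, which introduced the "restrict" option.

AFP_TARGET="localhost:548"   # must match the -L destination text exactly;
                             # a client asking for 127.0.0.1:548 is refused

# restrict_key PUBKEY_LINE: print an authorized_keys entry that can only
# forward to $AFP_TARGET (no terminal, agent or X11); status 1 on bad input.
restrict_key() {
    case $1 in *"
"*) echo "expected exactly one line" >&2; return 1 ;; esac
    read -r ktype blob comment <<EOF
$1
EOF
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "not a public key (private key or option prefix?)" >&2; return 1 ;;
    esac
    case $blob in   # key material must be plain base64
        ''|*[!A-Za-z0-9+/=]*) echo "damaged key data" >&2; return 1 ;;
    esac
    printf 'restrict,port-forwarding,permitopen="%s" %s %s%s\n' \
        "$AFP_TARGET" "$ktype" "$blob" "${comment:+ $comment}"
}

# install_key PUBKEY_LINE [SSH_DIR]: append the restricted entry once, with
# modes that pass sshd's StrictModes check (700 directory, 600 file).
install_key() {
    dir=${2:-$HOME/.ssh}
    entry=$(restrict_key "$1") || return 1
    (
        umask 077
        mkdir -p "$dir" && chmod 700 "$dir" || exit 1
        touch "$dir/authorized_keys" && chmod 600 "$dir/authorized_keys" || exit 1
        grep -qxF -- "$entry" "$dir/authorized_keys" ||
            printf '%s\n' "$entry" >> "$dir/authorized_keys"
    )
}

# Constructed sample (shape only, not a usable key):
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedSAMPLE sname@laptop'

if [ $# -ge 1 ]; then install_key "$(cat "$1")"; fi
```

With this entry in place, a stolen copy of the laptop's private key can still reach the AFP login prompt through the tunnel, but it cannot open an interactive shell session with a terminal or forward to any other port on the work computer.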

Securely mount AppleShare volumes in one step | 7 comments
Securely mount AppleShare volumes in one step
Authored by: robdew on Mar 21, '08 08:50:24AM

Rather than a) subverting your company's firewall which is not just a bad idea but may get you fired and b) enabling and opening an additional service on your desktop (AFP), why not mount the files directly over SSH with something like MacFUSE?



Securely mount AppleShare volumes in one step
Authored by: lowbatteries on Mar 21, '08 10:04:30AM

I would stick to proven technologies for real-world use (SSH, AppleShare, Samba) over MacFuse. I've used MacFUSE directly, MACFUSE_FS_SSHFS, and MacFusion to connect to SSH, and all had some buggy behavior.



Securely mount AppleShare volumes in one step
Authored by: taxi on Mar 21, '08 04:12:43PM

Hmm. I use sshfs via MacFuse daily for my work. It has been very stable.

In fact, this is a more stable way of connecting than using SMB, I have found.



Securely mount AppleShare volumes in one step
Authored by: mubarak on Mar 21, '08 02:30:57PM

This hint is not "subverting your company's firewall". This only tunnels allowed protocols via a secure means to the outside. Just like VNC.



Securely mount AppleShare volumes in one step
Authored by: Asmus Vierck on Mar 21, '08 12:37:33PM

You could ease the process of connecting a lot if you use the following one-liner:

ssh username@server.xyz -f -N -L 10548:127.0.0.1:548 2>/dev/null & (sleep 5; open 'afp://localhost:10548/username/Documents/Office')

It will return the pid of the ssh-tunnel issued and you can kill it afterwards by entering "kill [ number returned above ]". Just be sure to have unmounted the server-partition in Finder before.
The "sleep 5" part above depends on your connection speed and you should set it accordingly.



Securely mount AppleShare volumes in one step
Authored by: mubarak on Mar 22, '08 06:18:02PM

Thanks for the tip about using the open command and escaping the afp URL. (Couldn't get it to work myself.)

However, what you are doing requires going back into Terminal and killing the process. Doesn't pass the Grandma test. Here is what you can do so that you don't have to fiddle with Terminal:

ssh -f -L 7777:localhost:548 user@work.dyndns.org sleep 30 ; open 'afp://user@localhost:7777/user' ; exit



Securely mount AppleShare volumes in one step
Authored by: pildor on May 15, '08 09:55:56PM

Greetings,

I have copied my id_rsa.pub file from my local Mac Book Pro to authorized_keys on my Mac Pro.

I have successfully ssh into my remote Mac Pro with the following command:

ssh -p 4544 macproipaddress -l username

However when I invoke the following command, I get Permission denied (publickey).

ssh -v -L 4544:localhost:548 macproipaddress

Could someone please explain what I am doing wrong?

Thanks in advance!


