10.5: Connect to AFP shares with unencrypted passwords
Authored by: andya on Nov 06, '07 08:23:11AM
i don't think you're getting a secure connection by changing to "NO" for the "afp_cleartext_allow" default. i'm on a 10.5 client connecting to a 10.4 server. clients connected to the server show up in Server Admin with their user name and address in the AFP connected users pane. if the address is the DNS name of the server, they have connected securely; if it's the DNS name of their client machine, it's not secure. when i changed "afp_cleartext_allow" to NO, "afp_cleartext_warn" to YES and even added the following:
$ defaults write "afp_ssh_allow" -bool YES
i do NOT get a secure connection, nor a warning that i'm sending clear text. here's the relevant parts of my defaults read:

"afp_cleartext_allow" = 0;

"afp_cleartext_warn" = 1;

"afp_ssh_allow" = 1;

i haven't rolled out 10.5 to my users yet, nor got a hold of my 10.5 server copies, but i won't be doing so until this is fixed.

SSH and cleartext are not opposites
Authored by: timkingman on Nov 06, '07 02:31:51PM
Your first sentence is absolutely correct. Getting a secure connection and setting cleartext_allow to NO are not related. If you have cleartext_warn and cleartext_allow turned on, you will get warned if your password is going to be sent in clear text. This is not the opposite of connecting over SSH. All Apple AFP servers and properly-configured netatalk AFP servers will use "secure" authentication mechanisms, whether or not the entire connection is tunneled through SSH.

The problem you're actually seeing is separate and unrelated, and I think I see the same thing, where my 10.5 client isn't making an SSH/secure AFP connection to my 10.4 server, but that doesn't necessarily mean the password is sent in the clear.
