

Sharing security

joe502 (apparently) - 05:55am Jan 17, 2008 PST

Are AFP mounts between ordinary Macs (not a Mac and an OS X server) now
tunneled through SSH in Leopard? I see an explicit warning about FTP
mounts being insecure, but nothing about AFP mounts. In Tiger, AFP mounts
were not secure without manually setting up an SSH tunnel first.



Chris Pepper (apparently) - Jan 17, 2008 4:38 pm (#1 Total: 9)  

Re: Sharing security

At 5:55 AM -0800 2008/01/17, Joe Izen wrote:
>Are AFP mounts between ordinary Macs (not a Mac and an OS X server) now
>tunneled through SSH in Leopard? I see an explicit warning about FTP
>mounts being insecure, but nothing about AFP mounts. In Tiger, AFP mounts
>were not secure without manually setting up an SSH tunnel first.

        No, and in fact the UI for tunneling AFP through ssh appears
to be completely gone from Leopard. It was always broken in Tiger,
and I believe Apple decided to excise the feature rather than fix it.

http://www.extrapepperoni.com/2006/08/11/security-flaws-afp-over-ssh-broken/

        Bummer, as AFP is good but needs better security.


                                                Chris

joe502 - Jan 19, 2008 4:08 am (#2 Total: 9)  

Re: Sharing security

Here's a manual way to tunnel AFP through ssh from the Darwin command line that works in both Tiger and Leopard:

ssh -p 22 -L yourfavoriteport:localhost:548 -f -N username@targetmac; open afp://localhost:yourfavoriteport/

I've been using ports in the 105xx range. After you authenticate from the command line to establish the ssh connection, you will be asked to authenticate again through the usual afp mechanism. Subsequent mounts will go through the same tunnel if you just repeat the

open afp://localhost:yourfavoriteport/

command.

Let's turn to Screen Sharing, which I read is built on VNC. Do VNC authentication and data get transmitted through an ssh tunnel by default? What would be the Darwin command to create a VNC connection (corresponding to the afp open command) through a specified port?

-Joe

schinder (apparently) - Jan 19, 2008 1:58 pm (#3 Total: 9)  

Re: Sharing security

joe502 wrote:
> Here's a manual way to tunnel AFP through ssh from the Darwin command
> line that works in both Tiger and Leopard:
>
> ssh -p 22 -L yourfavoriteport:localhost:548 -f -N username@targetmac;
> open afp://localhost:yourfavoriteport/
>
> I've been using ports in the 105xx range. After you authenticate from
> the command line to establish the ssh connection, you will be asked to
> authenticate again through the usual afp mechanism. Subsequent mounts
> will go through the same tunnel if you just repeat the
>
> open afp://localhost:yourfavoriteport/
>
> command.

Just as an aside, it pays to learn about ssh public key authentication
if you're doing repeated ssh connections to a particular machine. In
Leopard, the ssh-agent is always running and has a GUI interface which
uses Keychain to store the passphrase. Once set up, the "authenticate
from the command line" step disappears. Setting it up, however,
requires that you log in once to the remote machine so you can put your
public key in the proper place. "man ssh-keygen" is the place to start.

> Let's turn to Screen Sharing, which I read is built on VNC. Do VNC
> authentication and data get transmitted through an ssh tunnel by
> default? What would be the Darwin command to create a VNC connection
> (corresponding to the afp open command) through a specified port?

You can make VNC connections by using Go->Connect to Server in Finder
and using a vnc:// URL. Perhaps the :port method will work there.

--
Paul Schinder
schinder@pobox.com

Conrad Hirano (apparently) - Jan 20, 2008 10:09 am (#4 Total: 9)  

Re: Sharing security

On Jan 19, 2008, at 1:58 PM, Paul Schinder wrote:

> Just as an aside, it pays to learn about ssh public key authentication
> if you're doing repeated ssh connections to a particular machine.

I agree. In fact, I'd go as far as saying one should require the use
of public-key authentication and disable password and challenge-
response authentication on any machine on which ssh is regularly
enabled, especially if it is accessible over the internet (and not
just the LAN). Doing so eliminates the chance of a dictionary attack
succeeding because of a weak password on a user account with a common
name.

> In Leopard, the ssh-agent is always running and has a GUI interface
> which uses Keychain to store the passphrase. Once set up, the
> "authenticate from the command line" step disappears. Setting it up,
> however, requires that you log in once to the remote machine so you
> can put your public key in the proper place. "man ssh-keygen" is the
> place to start.

Even in Leopard, you would still need to open the ssh tunnel from the
command line before establishing the AFP connection. You could
eliminate the need to use the command line altogether by using
SSHKeychain. Once you set a tunnel up in SSHKeychain, establishing the
connection merely requires selecting it from a list in a menubar item.

<http://www.sshkeychain.org/>
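A check for the recommendation above, added here as an example and not something posted in the thread: it reads an sshd_config the way sshd does (the first occurrence of a keyword wins, and anything after a Match line is conditional) and reports which of the three keywords still let a password through. ChallengeResponseAuthentication matters because with UsePAM on, keyboard-interactive is just a password prompt by another name. The config it audits is constructed; the live file is /etc/sshd_config on Leopard (an assumption about the path, adjust for your system), and it pays to keep an existing session open while testing a change so a typo cannot lock you out.

```shell
#!/bin/sh
# Added example, not from the thread: audit sshd_config for the three
# settings that decide whether a password can ever get a shell.

# Effective value of one keyword. sshd uses the FIRST occurrence of a
# keyword; later duplicates are ignored, "Keyword=value" is accepted, and
# keywords after a "Match" line apply only inside that block, so we stop
# there. Commented lines only document defaults and are skipped.
sshd_get() {  # sshd_get FILE KEYWORD  -> prints lowercase value or nothing
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        { gsub(/=/, " "); $0 = $0 }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Prints one finding per line; return status is the number of findings
# (0 means the host only accepts public keys).
sshd_audit() {  # sshd_audit FILE
    cfg="$1"; findings=0
    pw=$(sshd_get "$cfg" PasswordAuthentication)
    cr=$(sshd_get "$cfg" ChallengeResponseAuthentication)
    pk=$(sshd_get "$cfg" PubkeyAuthentication)
    # OpenSSH defaults when a keyword is absent: all three are "yes"
    [ -n "$pw" ] || pw=yes
    [ -n "$cr" ] || cr=yes
    [ -n "$pk" ] || pk=yes
    if [ "$pw" != no ]; then
        echo "PasswordAuthentication is '$pw': plain passwords accepted, set it to no"
        findings=$((findings + 1))
    fi
    if [ "$cr" != no ]; then
        echo "ChallengeResponseAuthentication is '$cr': keyboard-interactive (PAM) still takes a password, set it to no"
        findings=$((findings + 1))
    fi
    if [ "$pk" != yes ]; then
        echo "PubkeyAuthentication is '$pk': keys would be refused, set it to yes"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Demo on a constructed file: the password keyword is left commented
# out (so the default applies) and challenge-response is on.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real host's file
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
PubkeyAuthentication yes
EOF
echo "auditing $sample:"
sshd_audit "$sample" || echo "$? setting(s) to fix"
rm -f "$sample"
```

Run it against the real file with "sshd_audit /etc/sshd_config" after sourcing the script; a clean result is silence and status 0.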

johnbaxterlists (apparently) - Jan 20, 2008 10:09 am (#5 Total: 9)  

Re: Sharing security



On Jan 19, 2008, at 1:58 PM, Paul Schinder wrote:

> Just as an aside, it pays to learn about ssh public key authentication
> if you're doing repeated ssh connections to a particular machine. In
> Leopard, the ssh-agent is always running and has a GUI interface which
> uses Keychain to store the passphrase.

Which defeats the security benefits of using public key
authentication, unless other annoyances are put up with.

As it is used without help from keychain or various available
"agents," requiring public key authentication with ssh provides two
factor authentication:
    1. something you have--the private key file
    2. something you know--the passphrase associated with the public
key.

A purloined machine (or open session on your machine) lacks the
something you know and provides the something you have (that is--easy
access to the other machine).

At the very least, do use a passphrase for the private key, and if you
keep it in the keychain, don't have the keychain unlock automatically,
and give it a short time before it auto-locks. (And don't tape the
keychain password to the machine.)

Yes, that is less convenient. Convenience and security are usually in
conflict--this is one of those times.

   --John


Chris Pepper (apparently) - Jan 20, 2008 10:09 am (#6 Total: 9)  

Re: Sharing security

joe502 wrote:
> Here's a manual way to tunnel afp through ssh from the Darwin command line that works in both in both tiger and leopard:
>
> ssh -p 22 -L yourfavoriteport:localhost:548 -f -N usernametargetmac; open afp://localhost:yourfavoriteport/
>
> I've been using ports in the 105xx range. After you authenticate from the command line to establish the ssh connection, you will be asked to authenticate again through the usual afp mechanism. Subsequent mounts will go through the same tunnel if you just repeat the
>
> open afp://localhost:yourfavoriteport/
>
> command.

        Cool. I had trouble with the client refusing to connect to 127.0.0.1,
complaining about talking to itself; perhaps Apple fixed that sometime
during Tiger (I haven't tested recently).

> Let's turn to Screen Sharing which I read is built on VNC. Does VNC tunnel authentication and data get transmitted through an ssh tunnel by default? What would be the Darwin command to create a VNC connection (corresponding to the afp open command) through a specified port?

        VNC does not encrypt authentication data. Leopard's Screen Sharing has
a preference to do so. According to Apple, SS does *not* do ssh
tunneling (although ARD3, which it is derived from, does), but instead
has its own proprietary Apple encryption scheme for authentication, so
it's not plaintext (with that radio button set).

        It should be "open vnc://127.0.0.1:5901", but that doesn't work (does
nothing for me). Instead I use this alias:

alias stss='echo 127.0.0.1:5901 | pbcopy; open /System/Library/CoreServices/Screen\ Sharing.app; ssh -C -4 -L 5901:127.0.0.1:5900'

        I type "stss salt". The system opens a tunnel to salt. I paste, and hit
Return (the pbcopy command leaves an extra CR on the clipboard, but
Screen Sharing ignores it), and am connected to the tunnel.

        If you find a way to open an SS session from the command line, please
share!

                                                Chris

kevinv (apparently) - Jan 21, 2008 6:17 am (#7 Total: 9)  

Re: Sharing security

--On January 20, 2008 10:09:15 AM -0800 johnbaxterlists@mac.com wrote:

> Which defeats the security benefits of using public key
> authentication, unless other annoyances are put up with.
>
> As it is used without help from keychain or various available
> "agents," requiring public key authentication with ssh provides two
> factor authentication:
> 1. something you have--the private key file
> 2. something you know--the passphrase associated with the public
> key.

I use public key authentication. I don't let keychain or ssh-agent remember
the password. I keep the key on a thumbdrive rather than the machine
itself. Create a config file in the .ssh folder of your home
directory (in Finder, use Go to Folder: ~/.ssh). In the config file, edit
or add, at the top, using appropriate paths and filenames:

Host [SHORTNAME]
        IdentityFile=/Volumes/Thumbdrive/path/to/private/key/id_rsa
        HostName=[HOSTNAME]
        User=[USERNAME]
        PasswordAuthentication=no
        PubkeyAuthentication=yes

Replace [SHORTNAME] with an identifier you want to use on the commandline
(I typically use the hostname without the domain).

[HOSTNAME] is the fully qualified hostname (or an IP address)
[USERNAME] is the username you login with on the remote system

Now if you remove your thumbdrive, even if the machine is compromised it
can't be used to access remote systems.
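An added example for the thumbdrive setup, not kevinv's own script: it checks the key file the way ssh will before trusting it, then prints the Host stanza with one addition, IdentitiesOnly yes, so ssh offers only that key rather than whatever identity ssh-agent happens to hold (which would otherwise undo the point of keeping the key off the machine). All names and paths are placeholders. One caveat: a FAT-formatted drive typically presents every file as world-readable and cannot store a stricter mode, and ssh rejects a key in that state; the permission check below catches it.

```shell
#!/bin/sh
# Added example, not from the thread: vet a private key on a removable
# drive, then emit the ssh_config stanza that points at it.

# Group and other permission bits must all be off; ssh refuses a key that
# is group- or world-readable ("UNPROTECTED PRIVATE KEY FILE"). ls -l is
# parsed instead of stat because stat's flags differ between BSD and GNU.
key_mode_ok() {  # key_mode_ok FILE
    case "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Prints one reason the key is unusable, or nothing; status 0 means usable.
key_check() {  # key_check FILE
    if [ ! -f "$1" ]; then
        echo "$1: not found (drive not mounted?)"
        return 1
    fi
    if ! key_mode_ok "$1"; then
        echo "$1: group/world readable; chmod 600 it, or reformat a FAT drive as HFS+ (FAT cannot hold the mode)"
        return 1
    fi
    return 0
}

# The stanza kevinv posted, plus IdentitiesOnly so ssh offers this key
# and nothing from ssh-agent.
host_stanza() {  # host_stanza SHORTNAME HOSTNAME USERNAME KEYPATH
    printf 'Host %s\n' "$1"
    printf '    HostName %s\n' "$2"
    printf '    User %s\n' "$3"
    printf '    IdentityFile %s\n' "$4"
    printf '    IdentitiesOnly yes\n'
    printf '    PasswordAuthentication no\n'
    printf '    PubkeyAuthentication yes\n'
}

# Usage (placeholder names):
#   sh keycheck.sh salt salt.example.com joe /Volumes/Thumbdrive/keys/id_rsa >> ~/.ssh/config
if [ "$#" -eq 4 ]; then
    key_check "$4" && host_stanza "$@"
fi
```

The stanza is only printed when the key passes, so a bad mode or an unmounted drive never leaves a half-written config behind.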


joe502 - Jan 23, 2008 6:16 am (#8 Total: 9)  

Re: Sharing security

Do Samba mounts (smb:// or mount_smbfs) encrypt authentication and data, or do they too require an ssh tunnel?

-Joe

Chris Pepper (apparently) - Jan 23, 2008 7:07 pm (#9 Total: 9)  

Re: Sharing security

At 6:16 AM -0800 2008/01/23, joe502 wrote:
>Do samba mounts smb:// or mount_smbfs encrypt authentication and
>data info, or do they too require an ssh tunnel?

        The base SMB/CIFS protocol does not include data encryption,
although I believe this is an option in Windows 2003 Server, and I
read something that implied Leopard could mount such encrypted
shares. You can look at the Samba docs to see if they've added server
encryption support yet.

<http://www.samba.org/samba/>

        Note that Finder SMB mounts do *not* use Samba; Samba's smbfs
is Linux-specific, and Apple uses a BSD-derived FS module.

        8 ports are assigned to SMB/CIFS: 137-139 & 445, TCP & UDP
flavors. In modern flavors, most things go over 445/tcp, but you
might also need to tunnel 139 or 137-139 (can all be done with a
single "ssh" command and multiple "-L" arguments). Note that ssh
cannot tunnel UDP, although I don't *think* it's necessary for normal
SMB/CIFS volume mounting.


                                                Chris
--
Chris Pepper: <http://www.reppep.com/~pepper/>
                              <http://www.extrapepperoni.com/>
The Rockefeller University: <http://www.rockefeller.edu/>
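The three tunnels in this thread (Joe's AFP command in #2, Chris's Screen Sharing alias in #6 and the SMB port list just above) differ only in which remote ports get forwarded, so here is one script that builds all of them, added as an example rather than anything posted in the thread. It follows Joe's 105xx convention (local port = 10000 + remote port, so AFP lands on 10548), binds the listener explicitly to 127.0.0.1 so nothing else on the LAN can ride the tunnel, and uses an ssh control socket so a tunnel can be checked and closed instead of hunting for the backgrounded ssh. joe@targetmac, the LOCAL_BASE value and the socket path under ~/.ssh are assumptions. Whether Finder honours a port in an smb:// URL is not established in the thread, and the NetBIOS UDP ports Chris mentions are not carried, since ssh -L is TCP only.

```shell
#!/bin/sh
# Added example, not from the thread: build and manage ssh tunnels for the
# services discussed (AFP, Screen Sharing/VNC, SMB). Requires OpenSSH with
# ControlMaster support (4.0 or later) and sshd on the target.

LOCAL_BASE=${LOCAL_BASE:-10000}   # assumption; local port = base + remote port

# Remote TCP ports a service needs. UDP 137/138 (NetBIOS name/datagram)
# cannot be forwarded with -L and are omitted.
service_ports() {  # service_ports afp|vnc|smb
    case "$1" in
        afp) echo 548 ;;
        vnc) echo 5900 ;;
        smb) echo 445 139 ;;
        *)   echo "unknown service: $1" >&2; return 1 ;;
    esac
}

local_port() { echo $((LOCAL_BASE + $1)); }

# One -L per remote port. The explicit 127.0.0.1 bind address keeps the
# listener off the LAN even if GatewayPorts were ever turned on.
tunnel_args() {  # tunnel_args SERVICE
    ports=$(service_ports "$1") || return 1
    args=""
    for p in $ports; do
        args="$args${args:+ }-L 127.0.0.1:$(local_port "$p"):localhost:$p"
    done
    echo "$args"
}

# What to hand to Finder (afp://, smb://) or paste into Screen Sharing
# (vnc). Joe used "localhost" for AFP and Chris used 127.0.0.1 for VNC;
# SMB_SHARE is a placeholder for the share name.
mount_url() {  # mount_url SERVICE
    case "$1" in
        afp) echo "afp://localhost:$(local_port 548)/" ;;
        vnc) echo "127.0.0.1:$(local_port 5900)" ;;
        smb) echo "smb://localhost:$(local_port 445)/SMB_SHARE" ;;
        *)   return 1 ;;
    esac
}

# One control socket per service and target (path is an assumption).
ctl_sock() { echo "$HOME/.ssh/tunnel-$1-$2.sock"; }

tunnel_open() {  # tunnel_open SERVICE user@host
    sock=$(ctl_sock "$1" "$2")
    if ssh -S "$sock" -O check "$2" 2>/dev/null; then
        echo "tunnel already up"; return 0
    fi
    # -f: go to background after authentication; -N: run no remote
    # command; -M/-S: act as control master so -O check/exit work later.
    ssh -f -N -M -S "$sock" $(tunnel_args "$1") "$2" || return 1
    echo "connect to: $(mount_url "$1")"
}

tunnel_close() {  # tunnel_close SERVICE user@host
    ssh -S "$(ctl_sock "$1" "$2")" -O exit "$2"
}

# Usage:  sh tunnel.sh open afp joe@targetmac   /   sh tunnel.sh close afp joe@targetmac
case "${1:-}" in
    open)  tunnel_open "$2" "$3" ;;
    close) tunnel_close "$2" "$3" ;;
esac
```

After "open afp", mount the printed URL with Finder or "open afp://localhost:10548/"; for "open vnc", paste the printed address into Screen Sharing as Chris does; "close" tears the tunnel down through the control socket. Repeat mounts reuse the same tunnel, since "open" first asks the control socket whether it is already up.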


