# Secure file sharing between OS X and Linux



## mdooner (Feb 21, 2005)

I'd like to set up some sort of file sharing facility to keep my notes and classwork, among other things, synced between my iBook and G5 workstation. Optimally, I would like to have the files served on my Linux server to make use of its SCSI RAID array and tape backups. I would also like to keep as many ports as possible closed on my G5. The server is on an insecure network (college dorm) and I need to access the server through both campus and public wireless connections. The server has a static IP. I would like to be able to mount a volume on my iBook to access the files for ease of use (excluding the obvious sftp). I am exploring my options right now and this is what I have found searching the forums.

NFS: not good for insecure networks, even through an ssh tunnel.
SMB: here I have some questions... user based auth? can it be used through an ssh tunnel?
SHFS: this would be the optimal solution, but there is no HFS module for the darwin kernel, correct?
WebDAV: no ssl support
AFB: I'm pretty new to Mac OS and don't really know much about it, but from my understanding there is no support in linux for this?

Does anyone have any suggestions or corrections?


----------



## scruffy (Feb 21, 2005)

AFP is pretty comparable to SMB for security - there is no server-to-client authentication, the passwords can be encrypted but the files are always sent in the clear.  

http://netatalk.sourceforge.net/ is a Linux, BSD, and Solaris implementation of AFP.

There is a way, if you have OS X server, to tunnel the entire AFP connection over ssh (the regular OS X will do this as a client only).  Don't know if that would be possible with Linux, but it might be worth looking into.


----------



## mdooner (Feb 21, 2005)

I'll read up on AFP; as long as it uses a constant port number it should be able to work through an ssh tunnel.


----------



## mdooner (Feb 24, 2005)

I have afpd set up on my Linux server and can connect to it from both of my Macs over either an unencrypted connection or a manually created ssh tunnel. I would like to be able to use a feature in OS X that automatically creates the tunnel for the connection (when using "Connect to Server" for AFP, check out the options on the user login dialogue). Here is an email I wrote to a LUG about the problem:

I am trying to set up AFP through an ssh tunnel for secure file sharing to make class notes and other files available from my workstation and laptop. netatalk is running on a Gentoo Linux server. Manually establishing the tunnel works fine, but I would like to be able to use a facility in Mac OS X that allows the tunnel to be established automatically. The netatalk docs talk a little about ssh tunnels (http://netatalk.sourceforge.net/2.0/htmldocs/configuration.html#authentication) and according to the docs afpd needs the -advertise_ssh and -fqdn flags for OS X to automatically use an ssh tunnel to connect. I tried just adding those flags in afpd.conf and that does not work, presumably because -fqdn requires a parameter (a name and optionally a port number). According to the man page for afpd.conf, the -fqdn flag "Specifies a fully-qualified domain name" and I am not quite sure what to do with this. I don't have a fqdn because my server is connected in a college dorm, but I don't see why it should require one just for establishing an ssh tunnel. Could anyone with some experience in this area help me out?
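As an added illustration of the flags the email asks about (this is not from the thread or the netatalk project, and marvin.example.edu is a placeholder), an afpd.conf server line in netatalk 2.0 syntax, with -fqdn given the name:port parameter it expects:

```conf
# afpd.conf (netatalk 2.0 syntax): one server definition per line.
# "-" as the first field uses the host name as the AFP server name;
# everything after it is afpd options.
#   -tcp -noddp      serve AFP over TCP only, no AppleTalk/DDP
#   -advertise_ssh   tell clients the server can be reached through an ssh tunnel
#   -fqdn host:port  the name (and AFP port) clients should use for that tunnel;
#                    use a name that resolves on both the server and the clients,
#                    for example via DNS or matching /etc/hosts entries
# marvin.example.edu is a placeholder, not a real host from the thread.
- -tcp -noddp -advertise_ssh -fqdn marvin.example.edu:548
```

The parameter is what afpd hands to the client, so a name that only the server can resolve does the client no good; an /etc/hosts entry for the server on each Mac is the simplest way to satisfy it without a public DNS record.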


----------



## legacyb4 (Feb 24, 2005)

While OS X doesn't natively support WebDAV over SSL from the Finder, using a client app such as Goliath allows you to connect to an SSL-enabled WebDAV server.

Probably the least complicated way of getting things up and running...


----------



## scruffy (Feb 24, 2005)

Interesting.  

I guess that means that the host has to be resolvable for the clients - wonder why that is.
Perhaps for the sake of ~/.ssh/known_hosts consistency?

I wonder if a name advertised by rendezvous would be sufficient in that case.  It is for some utilities - I can ssh to my wife's Mac from mine, referring to it by the rendezvous name, even though DNS won't resolve it (host frog - no dice; but ssh frog works fine).


----------



## mdooner (Feb 25, 2005)

I'm not using Rendezvous but the server has a static IP and I have an entry for it in /etc/hosts. I imagine that would accomplish the same thing. I tried giving the -fqdn both my IP and my hostname as parameters, but it didn't like that. I suppose I could write a quick script to create the ssh tunnel at boot time and use automount. Does anyone know if automount supports afs?

For the previous suggestion, I'd really like to have a mounted volume in Finder for ease of access. I believe the best solution with a client app would be sftp.


----------



## ema (Feb 27, 2005)

Hello, I have a similar situation.
In an intranet web site, I'd like to publish links like afd://server/folder/sample.doc or smb://.
Then users, using Safari or any other web browser, should click and have MS Word open the file with the Save menu enabled.
Do I just need to mess around with Launch Services on each user's machine or is it a server-side thing?
Disclaimer: I'm a Windows user.


----------



## mdooner (Feb 27, 2005)

Here is what I have so far. I made a StartupItems entry to create the ssh tunnel to the server machine. You can grab the script and plist from here (http://129.81.137.53/~matt/securefs/). I also made an entry to automount the share with NetInfo Manager. It is in /mounts and has the following data:

```
name      marvin:/matt
dir       /Network/Servers/
opts      usr==matt:SuperSecretPassword@127.0.0.1:10548/matt
vfstype   url
```
Right now the script works but I can't get OS X to automount the volume. I tried using a static mount in the Startup script but that didn't work very well; I could never get write permissions on the volume for normal users. The volume also got disconnected when my iBook goes to sleep. I can manually mount the AFS share through the tunnel by using "Connect to Server" in Finder.

Does anyone know what might be wrong with this automount entry?
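An added example, not the script from the thread or anything from the netatalk project: a small POSIX shell helper that keeps the ssh tunnel alive and mounts the AFP share through it. It reuses the thread's numbers (local port 10548, share "matt") but assumes placeholders for the ssh user "matt" and server "marvin", key-based ssh login, afpd on port 548, an OpenSSH new enough to know ExitOnForwardFailure (newer than the thread's era), and the mount_afp and nc tools shipped with OS X. Unlike the NetInfo entry above, it never writes the AFP password to disk, binds the forward to loopback only, and reconnects when the link drops, which is what happens when the laptop sleeps or changes IP:

```shell
#!/bin/sh
# Added example, not code from the thread: keep an ssh tunnel to the AFP
# server alive and mount the share through it, without storing the AFP
# password anywhere on disk.
#
# Assumptions (placeholders chosen to match the thread's NetInfo entry):
#   - ssh user "matt" with key-based login on server "marvin"
#   - netatalk listening on 548 on the server, forwarded to local port 10548
#   - OpenSSH new enough for ExitOnForwardFailure (newer than the thread)
#   - mount_afp(8) and nc(1) as shipped with OS X
AFP_SSH_USER="${AFP_SSH_USER:-matt}"
AFP_SERVER="${AFP_SERVER:-marvin}"
AFP_LOCAL_PORT="${AFP_LOCAL_PORT:-10548}"
AFP_REMOTE_PORT=548
AFP_SHARE="${AFP_SHARE:-matt}"
AFP_MOUNTPOINT="${AFP_MOUNTPOINT:-/Volumes/$AFP_SHARE}"

# The ssh command line, returned as a string so it can be inspected or run.
#  -N                       forward ports only, no remote shell
#  -L 127.0.0.1:...         bind the forward to loopback only, so nobody else
#                           on the dorm network can reach afpd through it
#  ExitOnForwardFailure=yes exit instead of running without the forward
#  ServerAlive*             notice a dead link (laptop slept, moved networks)
#                           within about 90 s so the supervisor reconnects
tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -L 127.0.0.1:%s:127.0.0.1:%s %s@%s' \
        "$AFP_LOCAL_PORT" "$AFP_REMOTE_PORT" "$AFP_SSH_USER" "$AFP_SERVER"
}

# AFP URL pointing at the tunnel endpoint. The password is deliberately not
# embedded in the URL; mount_afp -i prompts for it instead.
afp_url() {
    printf 'afp://%s@127.0.0.1:%s/%s' "$AFP_SSH_USER" "$AFP_LOCAL_PORT" "$AFP_SHARE"
}

# Succeeds when something is listening on the local tunnel port.
tunnel_up() {
    nc -z 127.0.0.1 "$AFP_LOCAL_PORT" >/dev/null 2>&1
}

# Wait up to $1 seconds (default 15) for the tunnel; returns 1 on timeout.
wait_for_tunnel() {
    i=0
    while ! tunnel_up; do
        i=$((i + 1))
        if [ "$i" -ge "${1:-15}" ]; then
            return 1
        fi
        sleep 1
    done
    return 0
}

# Mount the share through the tunnel, prompting for the AFP password.
mount_share() {
    mkdir -p "$AFP_MOUNTPOINT"
    mount_afp -i "$(afp_url)" "$AFP_MOUNTPOINT"
}

# Supervisor: whenever ssh exits (link dropped, IP changed), pause briefly
# and reconnect. The share is remounted separately with "$0 mount".
run_tunnel() {
    while :; do
        eval "$(tunnel_cmd)"
        sleep 5
    done
}

case "${1:-}" in
    tunnel) run_tunnel ;;
    mount)  wait_for_tunnel 15 && mount_share ;;
esac
```

Run it as `securefs.sh tunnel` from a StartupItem or login item to keep the forward up, and `securefs.sh mount` (interactively, since it prompts) to attach the volume once the tunnel reports a listener on 127.0.0.1:10548.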


----------



## mdooner (Feb 27, 2005)

ema said:

> Hello, I have a similar situation.
> In a intranet web site, I'd like to publish links like afd://server/folder/sample.doc or smb://.
> Then users, using Safari or any other web browser, should click and have MSWord open the file with Save menu enabled.
> Do I just need to mess around with Launch Services on each user's machine or is a server-side thing?
> disclaimer: I'm a Windows user



As long as your guest user has write permissions to the share I don't see why publishing a link like that would not work.


----------



## mdooner (Mar 1, 2005)

I tried putting the AFS mount in my Startup Items (System Preferences -> Accounts) and this works for my workstation, but my iBook dumps the tunnel and share whenever its IP address changes. I haven't decided how to work around this yet. Any ideas?


----------



## ema (Mar 2, 2005)

mdooner said:

> As long as your guest user has write permissions to the share I don't see why publishing a link like that would not work.



Thanks mdooner.

Well, a link such as afp://intranet-server/share1/test.doc would launch Finder but doesn't launch Word.

Now I'm trying WebDAV. I added WebDAV support to our Apache, but I can't find a web browser supporting WebDAV on Mac OS X. Finder works OK, Word works, but none of the web browsers I tried worked. They just downloaded the file locally instead of launching the associated application.

I tested the following web browsers: Safari, Firefox, Camino, OmniWeb, IE 5.2.

Am I supposed to add WebDAV support to a Mac OS X machine or is it up to each application to be WebDAV-enabled?


----------

