Mount a network (netatalk) AFP volume using a public key instead of an SSH login password?

apple.stackexchange https://apple.stackexchange.com/questions/391957

28-05-2021

Question

My Linux server does not allow SSH login with password because I have /etc/ssh/sshd_config with "PasswordAuthentication no". I'm not going to be allowed to change that. It's fine and convenient for SSH access as it forces me to set up authorized_keys, which are so convenient once you set them up. So they're set up and my Mac can SSH to my Linux server with no password, np.

However I just set up netatalk to have an AFP volume. The login for the AFP volume via netatalk is the SSH username:password. So theoretically you'd think it would support the same public key login that SSH supports as well. But Mac Finder always asks for a password. My mount_afp command doesn't seem to work. "open afp ..." just opens Finder anyway. None of these in this MacWork Link seem to work without a password.

This differs from Automatically mount AFP for Time Machine (without saving a password in plaintext) in that that answer has the server using a password, but then the Mac side pulls that password directly from the keychain.

Any ideas?


Solution

I don't think this is possible (authentication with OpenSSL cert), based on the linux man page, and the Apple tech documentation listing out authentication methods.

If your Linux sysadmin wants to use passwordless auth, then you're limited to setting up Kerberos.

Alternatively, you could do something like set up an SSH tunnel to connect to the server, and send your AFP traffic through it, and just have the server listen on localhost, limited to accepting local requests. It's still not secure, and still using password-based auth, but it's limiting that traffic to within the machine itself. Traffic out on the wire is SSH encrypted, and authed using your cert.

You can start an SSH tunnel as follows:

ssh -f -N -L 10548:localhost:548 [user@yourserver] -i [path/to/your/ssh/key]

This will start an SSH tunnel in the background, tunneling from port 10548 on your local machine to port 548 on the server (the forward's destination is resolved on the server side, so localhost there is the server's own loopback interface).

Then in macOS, in Finder, use the Connect to Server and connect to: afp://127.0.0.1:10548

Or, use something like FUSE and sshfs (not AFP, but it's trivial to set up).
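The tunnel approach from the answer above, as an added example script that is not part of the original answer: it refuses to fall back to a password prompt (BatchMode=yes), fails loudly if the port forward cannot be established (ExitOnForwardFailure=yes), and checks the server's netatalk afp.conf first so that the AFP listener really is bound to loopback only. The server name, key path and afp.conf location are assumptions; "afp listen" is netatalk 3's [Global] option for bind addresses.

```shell
#!/bin/sh
# Added example, not from the original answer. Hypothetical host and key path;
# override with AFP_SERVER / SSH_KEY. Run as: ./afp-tunnel.sh run
AFP_SERVER="${AFP_SERVER:-afp.example.invalid}"
SSH_KEY="${SSH_KEY:-$HOME/.ssh/id_ed25519}"
LOCAL_PORT=10548
AFP_CONF=/etc/netatalk/afp.conf   # assumed path; some builds use /usr/local/etc/afp.conf

# The ssh command line. The forward's destination is resolved on the server, so
# "localhost:548" lets netatalk stay bound to 127.0.0.1. BatchMode=yes means ssh
# will fail rather than prompt for a password; ExitOnForwardFailure=yes means a
# port clash or denied forward becomes a non-zero exit instead of a silent tunnel.
tunnel_cmd() {
  printf '%s' "ssh -f -N -o BatchMode=yes -o ExitOnForwardFailure=yes -i $SSH_KEY -L $LOCAL_PORT:localhost:548 $AFP_SERVER"
}

# Read an afp.conf body on stdin; return 0 only if 'afp listen' is set and every
# address on it is a loopback address. A missing line means "all interfaces".
afp_listen_is_loopback() {
  listen=$(grep -E '^[[:space:]]*afp listen[[:space:]]*=' | head -n1 | cut -d= -f2-)
  [ -n "$listen" ] || return 1
  for addr in $listen; do
    case "$addr" in
      127.0.0.1|127.0.0.1:*|::1|'[::1]'*|localhost|localhost:*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Poll the local end of the tunnel until it accepts connections (up to $2 seconds).
wait_for_port() {
  port=$1; tries=${2:-10}
  while [ "$tries" -gt 0 ]; do
    nc -z 127.0.0.1 "$port" 2>/dev/null && return 0
    tries=$((tries - 1)); sleep 1
  done
  return 1
}

main() {
  ssh -o BatchMode=yes -i "$SSH_KEY" "$AFP_SERVER" cat "$AFP_CONF" | afp_listen_is_loopback \
    || { echo "server afp.conf does not restrict 'afp listen' to loopback" >&2; exit 1; }
  eval "$(tunnel_cmd)" || exit 1
  wait_for_port "$LOCAL_PORT" || { echo "tunnel did not come up" >&2; exit 1; }
  open "afp://127.0.0.1:$LOCAL_PORT"   # hands the mount to Finder; it still asks for the AFP password
}

if [ "${1:-}" = run ]; then main; fi
```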

Licensed under: CC-BY-SA with attribution