
Secure AFP and FTPS (FTP Secure)???? HELP - I NEED SOME UNDERSTANDING!!!

Hello,
I currently connect to my Mac Mini (which I use as a file storage centre/server) at home from college, using AFP and my router's external IP address (plus some port forwarding). For example, I would use Finder's Connect to Server tool and type in "AFP://(My External IP):(Port Number)". At the moment I am unsure if this is secure, and if someone could theoretically hack my files over the air (OTA). So my first question is: is AFP secure?

Secondly, if it is not, should I use FTP Secure (FTPS) in the same way I would with AFP, except changing my Sharing preferences so that I can also access my files using FTP, then typing
"FTPS://(External IP):(Port Number)"? Would this work, or would I need to set up SSH (Remote Login) too?

I also use VNC (set up in Sharing preferences as "Remote Management"); to connect to this I use (again in the Finder Connect to Server window) "VNC://(External IP):(Port Number)". Is this secure? Could someone attack it and access passwords? Is there a secure version of VNC?

Thanks in Advance
Adam J

White MacBook (2007), Mac Mini (2010), iMac (2010), Mac OS X (10.6.4), iPod Touch (1st Gen), iPod Nano (3rd Gen), Nikon D60

Posted on Jul 10, 2010 10:01 AM

Question marked as Top-ranking reply

Posted on Jul 10, 2010 10:48 AM

tunnel your stuff through secure shell. At home, turn on remote login and afp and screen sharing on the computer. Forward port 22 in your home router. That is the only port that needs to be forwarded in the router.

Get a free account with dyndns.com so you can get a free host name that updates the external IP address every time your ISP changes your external IPA. You'll need to install their DynDNSUpdater application. That's what senses the change in your external IP address and reports it to the dyndns DNS servers.

From school, launch Terminal.app and type "ssh -L10548:localhost:548 -L15900:localhost:5900 username@yourdyndnshostname"

Once you have a user prompt into your home machine displayed, then switch to Finder, ⌘k to afp://localhost:10548 or vnc://localhost:15900.

This will tunnel your afp and vnc through encrypted secure shell. sftp is secure ftp and is part of the ssh connection, so rather than ssh, you can just type "sftp username@yourdyndnshostname"
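A worked version of the tunnel command in the reply above, added here as an example and not part of the original post. It builds the ssh command from a list of forwards in the form ssh -L takes, and refuses any forward whose local end is bound to something other than the loopback interface: with a bind address of 0.0.0.0 (or ssh -g), anyone on the same college network could connect to the local port and ride the tunnel into the home Mac. It goes a little beyond the reply by adding -N (open the forwards without a remote shell) and ExitOnForwardFailure, so a half-working tunnel fails loudly. "adam" and "home.example.org" are placeholders for username@yourdyndnshostname.

```shell
#!/bin/sh
# Added example, not code from the original reply. Builds the ssh tunnel
# command and checks each -L forward before using it. "adam" and
# "home.example.org" are placeholders for username@yourdyndnshostname.

# valid_port N -> true if N is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_forward SPEC
# SPEC is [BIND:]LOCALPORT:HOST:REMOTEPORT, the argument ssh -L takes.
# Only forwards whose local end listens on the loopback interface pass:
# a BIND of 0.0.0.0 or * (or using ssh -g) would let any machine on the
# client's network connect to LOCALPORT and use the tunnel into the home
# Mac. IPv6 bind addresses are not handled here.
check_forward() {
    spec="$1"
    case "$spec" in
        *:*:*:*) bind="${spec%%:*}"; rest="${spec#*:}" ;;
        *:*:*)   bind="localhost";   rest="$spec" ;;
        *)       return 1 ;;
    esac
    lport="${rest%%:*}"; rest="${rest#*:}"
    rport="${rest#*:}"
    case "$bind" in
        localhost|127.0.0.1) ;;
        *) return 1 ;;
    esac
    valid_port "$lport" && valid_port "$rport"
}

# tunnel_cmd USER HOST SPEC... -> prints the ssh command line, or prints
# an error and fails if any SPEC is rejected.
#   -N                           open the forwards only, no remote shell
#   -o ExitOnForwardFailure=yes  quit instead of staying up half-configured
#                                when a local port is already in use
tunnel_cmd() {
    user="$1"; host="$2"; shift 2
    cmd="ssh -N -o ExitOnForwardFailure=yes"
    for spec in "$@"; do
        check_forward "$spec" || { echo "rejected forward: $spec" >&2; return 1; }
        cmd="$cmd -L $spec"
    done
    echo "$cmd $user@$host"
}

# local_url SCHEME LOCALPORT -> the address to type into Connect to Server
local_url() {
    echo "$1://localhost:$2"
}

# Stand-alone demo with the two forwards from the reply above.
tunnel_cmd adam home.example.org 10548:localhost:548 15900:localhost:5900
local_url afp 10548
local_url vnc 15900
# This one is refused: its local end would be reachable from the whole LAN.
tunnel_cmd adam home.example.org 0.0.0.0:10548:localhost:548 || true
```

The reply's spelling "-L10548:localhost:548" (no space) is the same forward; the script just emits it with a space. If you want the interactive shell the reply describes, drop -N. Run the printed command in one Terminal window, leave it open, and then use ⌘k with the afp://localhost:10548 and vnc://localhost:15900 addresses.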

Jul 10, 2010 1:24 PM in response to j.v.

I do use DynDNS anyway, just didn't say so as not to make the post complex.
So using your idea, each time I needed to connect I would need to open Terminal and do the prompt to start the SSH connection. Could I not just go straight to "Connect to Server" and type FTPS://(DynDNS Name):(Port Number)?

Secondly, I am not using my AFP connection for top secret stuff, just for accessing normal files. I understand they are not encrypted, but is the password you use to connect to the server encrypted? Also, is any VNC data encrypted or not (even if I do not use an SSH tunnel)?

Also, is there a large chance I would be hacked or not?

BTW, the Router at college is very secure anyway - don't know if this matters.

Thanks in Advance
Adam J

Jul 10, 2010 9:40 PM in response to ajeffreys242

AFP: I don't know if password is sent in the clear or not. I have watched wireshark and could definitely see folder names being sent. If it is encrypted, I do not know what encryption scheme it uses.

FTPS: It would actually probably be "sftp://", but I don't think that it is supported by the ⌘k protocol. You can use sftp from the Terminal command line, in which case you don't use all the "-L" port tunnel options. There are third-party GUI front-end applications to the sftp protocol that you could use to give you encrypted drag-and-drop. I would search macupdate.com or versiontracker.com or similar for "sftp." Years ago, for previous OSs, there was one called "ssh Tunnel Manager." Don't know if it is current for 10.6.4 or supported anymore or not. But if you want to do command line, type "man sftp" for help.

VNC: There is an option to encrypt both username/password and data in Screen Sharing's Preferences. I don't know what encryption algorithm screen sharing uses.

Router security: anybody that can affiliate to the router can sniff all the traffic on the router. So if you don't want other people seeing your stuff, end-to-end encrypt it (https, sftp, ssh, vnc with encryption turned on all, or services tunneled through ssh)

Chance of being hacked: Who knows? Why gamble? If you don't want to type out that ugly long string "ssh -L10548:localhost:548 -L15900:localhost:5900 username@yourdyndnshostname," in Terminal, do the following:
nano ~/.bash_login
(this launches a basic text editor in the unix environment)
now type (all on one single line -- it word wraps here on the forum):
alias phonehome='ssh -L10548:localhost:548 -L15900:localhost:5900 username@yourdyndnshostname'
^x (control-x) to save and exit from nano
⌘w to close the Terminal window and ⌘n to open a new one, that will make the "phonehome" command become active. Now all you have to do is type phonehome to create the ssh connection.

Also, I bet that if you find a ssh/sftp GUI through macupdate or versiontracker or similar, you will be able to save a "profile" for your home machine connection with all those port tunneling options.

I really prefer ssh tunneling, because you can lock down ssh to not allow username/password login but only allow public key exchange login (need a private certificate on the client computer and the matching public key certificate on the server). That prevents script kiddies from running dictionary attacks on your home ssh connection.

As a sidenote, if you spend any time in Terminal, building up a list of alias commands such as
alias ls='ls -TalkOs' lets you add options to customize various unix commands without having to type out the long list of options. My .bash_login has 35 such aliases... If you don't spend much time in Terminal but think you might want to learn it, an OS X unix tutorial can be found at http://www.osxfaq.com/Tutorials/LearningCenter/
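The key-only lockdown j.v. recommends is done in sshd's configuration file (/etc/sshd_config on Mac OS X 10.6, /etc/ssh/sshd_config on current systems). Below is an added example, not from the thread, that reads such a file the way sshd does (first occurrence of a keyword wins, comment lines are ignored, global settings end at the first Match block) and reports whether a password login is still possible. The two configuration files it checks are constructed for the demo; the audit_sshd and sshd_value function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits a sshd_config for
# public-key-only login. The sample configs below are constructed.

# sshd_value FILE KEYWORD -> the effective value of KEYWORD, or empty if
# unset. Mirrors sshd's parsing: keywords are case-insensitive, '#' lines
# are comments, the first occurrence wins, and global settings stop at the
# first Match block.
sshd_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*(#|$)/ { next }
        { k = tolower($1) }
        k == "match" { exit }
        k == key { print $2; exit }
    ' "$1"
}

# audit_sshd FILE -> one line per problem; returns 1 if a password login
# (or a password login as root) is still accepted, 0 if key-only.
# Unset keywords are treated as their permissive default, which is what an
# untouched sshd_config gives you.
audit_sshd() {
    f="$1"; bad=0
    pa=$(sshd_value "$f" PasswordAuthentication)
    cr=$(sshd_value "$f" ChallengeResponseAuthentication)
    pk=$(sshd_value "$f" PubkeyAuthentication)
    rl=$(sshd_value "$f" PermitRootLogin)
    case "${pa:-yes}" in
        [Yy]*) echo "PasswordAuthentication is on: dictionary attacks still possible"; bad=1 ;;
    esac
    # On Mac OS X the keyboard-interactive method goes through PAM and
    # accepts the account password too, so this must also be off.
    case "${cr:-yes}" in
        [Yy]*) echo "ChallengeResponseAuthentication is on: passwords still accepted via keyboard-interactive"; bad=1 ;;
    esac
    case "${pk:-yes}" in
        [Nn]*) echo "PubkeyAuthentication is off: key login would fail"; bad=1 ;;
    esac
    case "${rl:-yes}" in
        [Nn]*|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin allows root password login"; bad=1 ;;
    esac
    [ "$bad" -eq 0 ] && echo "OK: key-only login"
    return $bad
}

# mk_config weak|hardened -> path of a temp file holding a constructed
# sshd_config (sample data for this example, not from any real machine).
mk_config() {
    t=$(mktemp)
    if [ "$1" = weak ]; then
        cat > "$t" <<'EOF'
# A commented-out setting does not count.
#PasswordAuthentication no
Port 22
ChallengeResponseAuthentication yes
EOF
    else
        cat > "$t" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
# A later duplicate is ignored: sshd keeps the first value it saw.
PasswordAuthentication yes
EOF
    fi
    echo "$t"
}

# Stand-alone demo
for kind in weak hardened; do
    f=$(mk_config "$kind")
    echo "== $kind =="
    audit_sshd "$f" || true
    rm -f "$f"
done
```

Before turning PasswordAuthentication off on the home Mac, generate a key pair on the college machine (ssh-keygen), append the public key to ~/.ssh/authorized_keys on the Mac Mini, and confirm that "ssh username@yourdyndnshostname" logs in without asking for a password from a second Terminal window while the old session is still open. Because Remote Login on Mac OS X starts sshd through launchd per connection, the edited file applies to new connections without a reboot.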

Jul 10, 2010 10:42 PM in response to ajeffreys242

Hi,

in addition to j.v.'s explanations, I list several GUI clients for tasks that can of course also be done with Terminal shell commands.


1. sftp client - try this (free, latest version: Jun, 15 2010) http://cyberduck.ch/

2. For establishing ssh tunnels (at client side) try this (free, latest version: Feb, 27 2009): http://www.apple.com/downloads/macosx/networking_security/sshtunnel.html
You get the most from this tool if you have to manage connections to a number of servers, but even for a single one it has a quite convenient GUI.

3. VNC client (in my opinion the best one for this price) - JollyfastVNC (NOT free: $39) http://www.jinx.de/JollysFastVNC.html


If you plan to use Cyberduck and JollyfastVNC there's no need for additional tunneling software (2); they have built-in tunneling options based on OpenSSH.

best regards,
jpm
