[Important note to readers: before trying any of the tips or tools listed on this website, make sure you have a full backup of all data on your computer. These tips have all been tested, but there's always a chance that you'll lose data in the process, so be safe and back up!]
Tunneling AFP or other services over a secure ssh tunnel (posted: 10-05-04 1:55 AM)
While AFP (Apple Filing Protocol) has been the filesharing mainstay of many Mac users for over ten years, it has been and continues to be problematic in the security department, primarily in that it transmits login usernames and passwords in unencrypted plaintext. In Mac OS X version 10.2 (Jaguar), Apple included the ability to wrap an AFP connection in a secure shell layer (although you had to dig a little to find the feature), which, had it worked properly, would have fixed this security problem. Unfortunately, though, even with this new feature enabled, a client Mac would *not* display an error message if the secure connection were unavailable for some reason (which it often is), and would instead quietly revert to the older, insecure connection method without notifying the user.
Until Apple releases a real fix for this, this article will show you an easy way to tunnel an AFP connection (or any other TCP-based connection) over a secure shell. First, make sure the server you're connecting to has its SSH server enabled - this is done by ticking the "Remote Login" checkbox in "System Preferences -> Sharing." Then, open the Terminal application and type the following command, substituting your server login name for "user_name" and the server's address for "server_name":
ssh user_name@server_name -L5678:localhost:548 -N
You'll be prompted for your password, and once you enter it, the terminal will not give you another prompt. Leave the terminal window open for now. Then go to the Finder and select "Connect to server" from the "Go" menu, and type this address:
afp://localhost:5678
You'll then be prompted to enter your AppleShare username and password, which will be sent over a secure ssh connection. When you're done, drag the server volume to the Trash and then type "Control-C" in your terminal window to close the ssh connection.
To tunnel another service besides AFP over a secure shell, just replace the "548" port number in the above command with the other service's TCP port number (e.g. port 143 for IMAP email).
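The tunnel steps above as a fail-closed script, added here as an example and not part of the original article: it binds the forward to the loopback address, tells ssh to exit if the forward cannot be set up, and checks that the local port is listening before you connect. The function names, the LOCAL_PORT and REMOTE_PORT variables, the "connect" argument and the control-socket path are assumptions of this example.

```shell
#!/bin/sh
# Added example: fail-closed wrapper for the tunnel described in the article.
# Defaults match the article: local port 5678 forwarded to AFP on port 548.
LOCAL_PORT="${LOCAL_PORT:-5678}"
REMOTE_PORT="${REMOTE_PORT:-548}"

# Succeeds only for an integer TCP port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the -L argument; binding to 127.0.0.1 keeps other hosts off the tunnel.
forward_spec() {
    valid_port "$1" && valid_port "$2" || return 1
    printf '127.0.0.1:%s:localhost:%s' "$1" "$2"
}

# $1 = user_name@server_name. Returns non-zero unless the tunnel is usable.
open_tunnel() {
    spec=$(forward_spec "$LOCAL_PORT" "$REMOTE_PORT") || {
        echo "invalid port" >&2; return 1; }
    sock="${TMPDIR:-/tmp}/afp-tunnel.$$"   # control socket (path is an assumption)
    # ExitOnForwardFailure: ssh exits with an error if it cannot bind the local
    # port, instead of logging in without the forward.
    ssh -f -N -M -S "$sock" -o ExitOnForwardFailure=yes -L "$spec" "$1" || {
        echo "tunnel not established; do not connect" >&2; return 1; }
    if nc -z 127.0.0.1 "$LOCAL_PORT"; then
        echo "Tunnel up on localhost:$LOCAL_PORT (for AFP: afp://localhost:$LOCAL_PORT)"
        echo "Close it with: ssh -S $sock -O exit $1"
    else
        ssh -S "$sock" -O exit "$1" 2>/dev/null
        echo "nothing listening on port $LOCAL_PORT; do not connect" >&2
        return 1
    fi
}

# Usage: sh afp-tunnel.sh connect user_name@server_name
if [ "${1:-}" = "connect" ] && [ -n "${2:-}" ]; then
    open_tunnel "$2"
fi
```

Set REMOTE_PORT=143 in the environment to forward IMAP instead of AFP.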