A year of plaintext AFP passwords is enough!A year of plaintext AFP passwords is enough!

Somebody (another Nathan—but in Brooklyn!) tugged on coderspiel’s long tail to ask if Edgy’s Netatalk was any better than ye old Breezy’s at encrypting passwords for AFP connections.

I happened to be in the middle of upgrading the box (notice that downtime Tuesday night?), so I checked. Nope. Same deal. But a year later I know a little bit more about Ubuntu and Debian, and this is what I found in /usr/share/doc/netatalk/README.Debian:

OpenSSL support is currently disabled, because of licensing issues: The Free Software Foundation and Debian consider the GNU General Public License (GPL) under which Netatalk is licensed to be incompatible with the OpenSSL license.

Aha. Here at technically.us, we love free-as-in-freedom software but we love gettin’ shit done even more. After all, we’re responsible for little Databinder, a toolkit known for listening to death metal and calling into both Apache and LGPL licensed libraries without even saying “please.”

So far, hoards of flying monkey reverse-IP lawyers haven’t come crashing through the window. We hope it’s because Databinder doesn’t actually distribute or package any dependency, thanks to Maven. I guess that’s similar to how Debian packages work, though. Um, did I just hear someone scream, “Now fly, fly!” ?

Anywho, the Debian downer quoted above is followed by some terse instructions for building the OpenSSH version that would probably make sense to someone who actually knows Linux. But I figured it out eventually.

If you wanted to do AFP file sharing between Mac OS X and Ubuntu (with universe repositories enabled), this is how it would go down:

sudo apt-get build-dep netatalk
sudo apt-get install cracklib2-dev fakeroot libssl-dev
apt-get source netatalk
cd netatalk-2.0.3/
DEB_BUILD_OPTIONS=ssl dpkg-buildpackage -rfakeroot
sudo dpkg -i ~/netatalk_2.0.3-4_i386.deb
echo "netatalk hold" | sudo dpkg --set-selections

That last command keeps the package manager from overwriting your renegade Netatalk the next time you run it, but it will also hide any updates for it. There’s something you can do about that, but it’s complicated. So I’m going to use the check up on it myself method.

Finally, here’s an inspirational note for IP lawyers, enterprise copy & paste engineers, etc.: the monkeys were only bad because the witch enslaved them.


Thanks for that tip! I stumbled across your other post on the subject but was miffed about the idea of plain text passwords. The only problem I ran into was that I didn’t have fakeroot installed. Fixed with a quick apt-get but a total newbie might not figure that out.

Updated, thanks!

Also need libssl-dev for it to work. If you don’t have it there is no error message, it just doesn’t work.

I followed the same steps on a fresh edgy lamp server installation and it went well.

While starting up a connection from my Mac I noted an error with using tail -f /var/log/syslog This error refferred to some missing cracklib stuff. To solve that I installed: apt-get install cracklib2 cracklib2-dev libpam-cracklib libpam-passwdqc

Now it runs without any error :)

Work brilliantly, thanks

Nice one! I’m going to setup a home server next week once I’ve fully decommissioned an older box. This might be the ticket.

You have to su root before you run DEB_BUILD_OPTIONS… You can not run sudo DEB_BUILD_OPTIONS.

Rookie stuff i know but for some people this may be the first build they attempt.

Add a comment