Security in Lion Server File-Sharing Protocols
The file-sharing protocols available in Lion Server offer different levels of protection for login passwords and transmitted files against eavesdroppers on the network and against malware that may have infected users’ computers.
Each protocol answers two separate questions: how the login password is protected on its way to the server, and whether the file data itself is encrypted in transit. Cleartext means the literal characters of the password (or of the data) cross the network unprotected, where anyone on the path can read them. Of the protocols Lion Server offers, AFP gives the strongest protection by default and FTP the weakest. This is what each protocol provides:
AFP protects the login password by default: clients that hold a Kerberos ticket authenticate with Kerberos, and other clients use a Diffie-Hellman exchange (DHX2) that never puts the password on the wire. Cleartext passwords are disabled by default in Lion Server and can be turned on via the command line, but there is no good reason to do so. AFP does not encrypt the file data it transfers.
If you upgraded your Snow Leopard Server to Lion Server, your Macs may no longer be able to authenticate to AFP via Kerberos. You can fix the problem by re-Kerberizing the AFP service with this command in Terminal:
sudo sso_util configure -r REALM_NAME -a diradmin afp
REALM_NAME is usually the fully qualified domain name of the Open Directory master in all capital letters (an Open Directory master named od.example.com normally has the realm OD.EXAMPLE.COM), and the account named after -a (diradmin here) is the directory administrator. Restart the server when done.
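The following script is an added example, not part of the original page: it derives the expected realm from the Open Directory master's host name, checks it against any Kerberos ticket already held, and prints the sso_util command above rather than running it. It assumes a Lion Server whose klist (Heimdal) prints a line of the form "Principal: user@REALM", and that the directory administrator account is named diradmin; both are assumptions, not facts from the page.

```shell
#!/bin/sh
# Added example, not from the original page: derive the Kerberos realm from
# the Open Directory master's FQDN, compare it with the cached ticket, and
# print (never run) the sso_util command that re-Kerberizes AFP.
# Assumptions: Heimdal klist output contains "Principal: user@REALM";
# the directory administrator account is called diradmin.

set -u

# Conventional realm: the fully qualified domain name in upper case.
# Prints nothing and returns 1 for a name that is not fully qualified
# or contains characters that are not valid in a hostname.
realm_from_fqdn() {
    fqdn=$1
    case $fqdn in
        *.*) ;;                         # needs at least one dot
        *)   return 1 ;;
    esac
    case $fqdn in
        *[!A-Za-z0-9.-]*) return 1 ;;   # only hostname characters
    esac
    printf '%s\n' "$fqdn" | tr '[:lower:]' '[:upper:]'
}

# The command from the page with the realm filled in. The optional second
# argument overrides the directory administrator account (default diradmin).
sso_afp_command() {
    realm=$(realm_from_fqdn "$1") || return 1
    printf 'sudo sso_util configure -r %s -a %s afp\n' "$realm" "${2:-diradmin}"
}

# Compare the realm of the principal in klist output with the expected one.
# Returns 0 on match, 1 on mismatch, 2 if no principal is listed at all.
ticket_realm_matches() {
    expected=$1
    klist_output=$2
    principal=$(printf '%s\n' "$klist_output" \
        | sed -n 's/^[[:space:]]*Principal:[[:space:]]*//p' | head -n 1)
    [ -n "$principal" ] || return 2
    [ "${principal##*@}" = "$expected" ]
}

# Usage: sh afp_kerberos_check.sh od.example.com [diradmin]
if [ $# -ge 1 ]; then
    realm=$(realm_from_fqdn "$1") || {
        echo "error: '$1' is not a fully qualified domain name" >&2
        exit 1
    }
    echo "Expected Kerberos realm: $realm"
    if command -v klist >/dev/null 2>&1; then
        ticket_realm_matches "$realm" "$(klist 2>/dev/null || true)"
        case $? in
            0) echo "Current ticket is in $realm" ;;
            1) echo "Warning: current ticket is in a different realm" ;;
            2) echo "No Kerberos ticket cached; try: kinit ${2:-diradmin}@$realm" ;;
        esac
    fi
    echo "Then run the following and restart the server:"
    sso_afp_command "$1" "${2:-diradmin}"
fi
```

Run it before sso_util to confirm the realm you are about to pass is the one the server actually uses; a ticket in a different realm usually means the host name, not Kerberos, is what changed during the upgrade. After the restart, a kinit as a regular user followed by an AFP mount shows whether Kerberos authentication is working again.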
SMB can send passwords as cleartext, with Kerberos, or with the older Windows challenge-response methods (NTLM). Whichever method authenticates the user, SMB in Lion Server does not encrypt the transmitted file data.
WebDAV requires a user to enter a name and password (authentication); served over SSL (HTTPS), it encrypts both the credentials and the file data in transit.
NFS authentication works differently from the other protocols. In its traditional mode NFS doesn’t ask the user for a username and password at all: the client computer tells the server which numeric user ID is making the request, and the server trusts it.
This means that anyone who controls that computer can claim whatever access the user account has, which makes NFS authentication less secure than AFP and SMB. NFS can instead be configured to use Kerberos, which authenticates the actual user; its privacy flavor (krb5p) also encrypts the file data in transit, something AFP and SMB in Lion Server do not offer.
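The two NFS modes described above, as an added /etc/exports fragment that is not from the original page. The export path and network are made up for the example, and the -sec option is written as documented in the exports(5) manual page on Mac OS X; verify it against your server's manual page before relying on it.

```conf
# Constructed example: the same share exported two ways. Use one line or the
# other for a given path and network; they are shown together for comparison.

# Weak: client-trust mode. The server accepts whatever numeric UID the client
# reports (this is also what you get when -sec is omitted).
/Shared/Projects -sec=sys -network 192.168.1.0 -mask 255.255.255.0

# Corrected: Kerberos only. krb5 authenticates the user, krb5i adds integrity
# checking, krb5p also encrypts the file data. Listing only krb5p refuses
# clients that try to mount with a weaker flavor.
/Shared/Projects -sec=krb5p -network 192.168.1.0 -mask 255.255.255.0
```

The check that matters is on the client side: a mount that succeeds without a Kerberos ticket means the sys flavor is still accepted somewhere in the list.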
FTP sends everything, passwords and file data alike, as cleartext; it provides no encryption at all. (The command line also offers sftp, which despite its name is not FTP but a separate file-transfer protocol carried inside an SSH connection, so both credentials and data are encrypted.)