
SSH tunneling setup
Professional Poster
Join Date: Sep 2000
Location: San Francisco
Feb 17, 2006, 09:05 AM
 
I need to access my home computer from work. I have a dyndns account and my computer is behind an Airport Extreme which is connected to a cable modem. I would like to use VNC and also AFP, but I would like to tunnel them through SSH for security. First, is this necessary for AFP or is it pretty secure already? Second, I know I need to forward port 22 from my AE to my home desktop and that I need to open port 22 on my desktop. Do I also need to have the ports for AFP (427?) and VNC (5900) open on my desktop or does that get worked out in the tunneling process? Any good primers on tunneling? I read the SSH man pages and I am looking into Tunneling Manager.

kman
     
Junior Member
Join Date: Oct 2003
Feb 17, 2006, 02:05 PM
 
Mac to Mac? Or Windows to Mac?

I use Windows, PuTTY (open ssh client) and VNC to securely log into my home iBook. I configured PuTTY to accept all local connections on port 5901 and forward to my dyndns.org domain. Then I open VNC viewer and connect to "localhost:5901", nice and secure.
     
kman42  (op)
Professional Poster
Join Date: Sep 2000
Location: San Francisco
Feb 17, 2006, 04:11 PM
 
Mac to Mac.
     
kman42  (op)
Professional Poster
Join Date: Sep 2000
Location: San Francisco
Feb 17, 2006, 10:30 PM
 
Ah, man, this sucks. Once your thread gets sent to the UNIX forum it's all over. It's the black hole of forums.

It's really annoying when the mods do this. Asking a question about ssh tunneling isn't solely about UNIX, it's about OS X. There are several APPLICATIONS out there for configuring it and questions regarding NETWORKING, as well as PERIPHERALS. Not to mention all of the talk of firewalls and sharing prefs that will inevitably come up. There should be more deference given to the posters. I posted it in the OSX forum for a reason--namely, I wanted some answers and it is the most frequented forum.

kman
     
kman42  (op)
Professional Poster
Join Date: Sep 2000
Location: San Francisco
Feb 17, 2006, 10:40 PM
 
Now that we're here, I guess.

I've been playing around and I have made a little bit of progress. I fired up Apple Remote Desktop preferences and set it to allow VNC connections (I didn't even know this was there. cool) on my desktop and downloaded Chicken of the VNC on my powerbook. I've been testing it within my home wireless network. I opened port 5900 on the desktop and connected no problem.

I am now experimenting with SSH before trying the connection from work to home. I connected from my PB to my desktop (again, at home behind my airport extreme) using ssh 10.0.1.3. It asked me for a password and connected. Does the fact that it is asking for a password mean that it is not using the key pair? How do I set up the key pairs? I have connected before using ssh and it said it couldn't verify, would I like to connect yes/no or something similar. Do I need to run a key generator to get my security up to speed?

kman
     
Dedicated MacNNer
Join Date: Aug 2002
Feb 17, 2006, 10:44 PM
 
Well, I set mine up and it works fine. Your home machine (the one you want to tunnel to) needs to be set up with a fixed IP address and you need to port forward port 22 from the router to your port 22 on your home machine.

Next, you need to manually change your /etc/sshd_config file:

First thing I always do after an install of SSHD is edit a few items in the sshd_config file.
- At your terminal, 'su -' to your root account
- 'pico -w /etc/sshd_config'
- Look for the line containing "PermitRootLogin yes"
- Simply change this line to read "PermitRootLogin no" and be sure to remove the # from in front of the line.
- Next, find this line: #Protocol 2,1
- Remove the # at the beginning (it's a comment marker), and then remove the ,1 at the end. This will disable the SSH1 version of the SSH protocol -- it's my understanding that version one is less secure than version two (SSH2), so you might as well disable it (most newer operating systems will use SSH2 anyway).
- AllowUsers User1 User2 User3
The option AllowUsers specifies and controls which users can access ssh services. Multiple users can be specified, separated by spaces.
- Save your changes and exit the editor
- Open your "System Preferences", and choose "Sharing"
- If the check box beside Remote Access is not selected, turn it on if you wish for SSH access to be enabled. If it is already selected, then just cycle it. Click it off, then back on.

Now, for added security, I use OSXvnc.app for my VNC server. It has an option to "Allow Only Local Login" which means that the VNC will only work on LOCAL connections, which is what the SSH connect looks like remotely.

Now to attach to your home machine from work, you need to do two things. First, open Terminal and type ssh -L 5907:127.0.0.1:5901 userLogin@yourdydns.zapto.com. This command activates the SSH. The -L maps the local port on 5907 to the local machine on 5901 (so that your OSXvnc must be set to use port 5901). The userLogin is the UserID that you added to your sshd_config file. The rest is your dydns setting.

Finally, open Chicken of the VNC and the port address is 127.0.0.1 and the display is set to 7.

To manage your tunnels so you don't have to type all this all the time, I use SSH Tunnel Manager. It really isn't as hard as it sounds, especially once you get your home system properly configured.
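
Added example, not part of the post above or of any tool it names: a small shell check that an sshd_config carries the three settings the post lists (PermitRootLogin no, Protocol 2, an AllowUsers line), plus the port-to-display arithmetic behind "display is set to 7". The function names and the sample config are constructed for illustration, and the parser assumes plain "Keyword value" lines.

```shell
#!/bin/sh
# Added example (not from the thread): check an sshd_config for the settings
# listed in the post above and derive the VNC display for a forwarded port.

# Effective value of KEYWORD in FILE: the first uncommented occurrence wins,
# and keywords are case-insensitive. Assumes "Keyword value" (no "=") syntax.
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) {
        $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Prints one line per setting; returns non-zero if any setting fails.
audit_sshd() {
    rc=0
    v=$(sshd_value "$1" PermitRootLogin)
    if [ "$v" = "no" ]; then echo "OK   PermitRootLogin no"
    else echo "FAIL PermitRootLogin is '${v:-commented out or missing}'"; rc=1; fi

    v=$(sshd_value "$1" Protocol)
    if [ "$v" = "2" ]; then echo "OK   Protocol 2"
    else echo "FAIL Protocol is '${v:-commented out or missing}'"; rc=1; fi

    v=$(sshd_value "$1" AllowUsers)
    if [ -n "$v" ]; then echo "OK   AllowUsers $v"
    else echo "FAIL AllowUsers is not set"; rc=1; fi
    return $rc
}

# VNC display N listens on TCP port 5900+N, so local port 5907 is display 7.
vnc_display() { echo $(( $1 - 5900 )); }

# Constructed sample: a config before the edits described in the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Protocol 2,1
#PermitRootLogin yes
EOF
audit_sshd "$sample" || true
echo "ssh -L 5907:127.0.0.1:5901 -> VNC display $(vnc_display 5907)"
rm -f "$sample"
```

Run it against a copy of the real file with `audit_sshd /etc/sshd_config`; a commented-out line counts as unset because sshd then falls back to its compiled-in default.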
     
   