Use SSH as a replacement to "Back to my Mac"

If you're like me and you find that MobileMe's "Back to my Mac" feature never works, don't fret!

SSH can be used as an alternative.

To do this, enable "Remote Login" on the Mac in question by going to System Preferences -> Sharing -> Remote Login. From there you can allow access to one user or several.

Once that's done, enable port forwarding on your router and forward a port of your choosing to the IP address of your Mac. Mac OS X does NOT support custom ports for SSH, so you'll be forwarding the external port of your choice to internal port 22 on your Mac.

I do advise using a custom public port, as otherwise you'll probably get riddled with brute-force attempts from bots. A non-standard port only cuts down the noise, though; more on how to actually combat this below!


Tunneling like a mole!

Now your Mac can be contacted by the outside world. Huzzah. Let's connect in!

The syntax for using SSH tunnels is pretty simple:

ssh [email protected] -CNvL localPort:remoteIPaddress:remotePort

Let's explain the flags I'm using:

-C = Compression of everything sent through the connection.

-N = No remote command or shell; the connection exists only to carry the tunnel.

-v = Verbose output. I like green text!

-L = Local port forwarding. Tunnel time!

Tunneling lets you set up an encrypted link from a port on the machine you're using to a port on a remote machine. For example, I want to connect to an AFP share on my Mac at home.

To do this I use a tunnel of -CNvL 8082:localhost:548

8082 is the port on the machine I'm currently using; localhost is the machine at the other end (it is resolved by the remote Mac, not by your laptop, so it means the Mac itself); 548 is the port for AFP.

You can also use your tunnel to bounce stuff to other computers on your network!

e.g. Controlling a computer on your home network remotely using VNC :: -CNvL localPort:192.168.1.10:5900

Running through the tunnel!

Once your tunnel is up, connecting through the tunnel is easy.

In the case of the AFP connection, simply connect to afp://localhost:8082

In the case of the VNC connection, simply open your VNC client of choice and connect to localhost on whatever local port you chose for the tunnel.

This method can be applied to any service that uses a TCP port. You can use any local port above 1024, provided there's no service already listening on it.
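As an added example (not a command from the original post), here is a small shell helper that builds the ssh tunnel command line from its parts, checks that the local port is an unprivileged one, and shows both the AFP and the VNC cases above. The user name "me", the hostname "home.example.com" and the external port 2222 are placeholders; -p is the standard ssh flag for a non-default server port, and -v is left out because it only adds chatter once the tunnel is known to work.

```shell
#!/bin/sh
# Added example, not from the original post: builds the ssh -L command for a
# tunnel and sanity-checks the local port. User/host/port values are placeholders.

# Returns 0 if $1 is a usable unprivileged local port (above 1024, as in the post).
valid_local_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # must be all digits
    esac
    [ "$1" -gt 1024 ] && [ "$1" -le 65535 ]
}

# Returns 0 if nothing is already listening on TCP port $1 (best effort:
# uses lsof where available, otherwise assumes the port is free).
local_port_free() {
    if command -v lsof >/dev/null 2>&1; then
        ! lsof -nP -iTCP:"$1" -sTCP:LISTEN >/dev/null 2>&1
    else
        return 0
    fi
}

# tunnel_cmd USER HOST SSHPORT LOCALPORT TARGET TARGETPORT
# Prints the ssh command line. TARGET is resolved by the remote Mac, so
# "localhost" means the Mac itself and 192.168.1.10 means another LAN box.
# Binding to 127.0.0.1 explicitly keeps the forwarded port off other interfaces
# of the laptop you are sitting at.
tunnel_cmd() {
    user=$1; host=$2; sshport=$3; lport=$4; target=$5; tport=$6
    valid_local_port "$lport" || { echo "bad local port: $lport" >&2; return 1; }
    printf 'ssh -p %s -CN -L 127.0.0.1:%s:%s:%s %s@%s\n' \
        "$sshport" "$lport" "$target" "$tport" "$user" "$host"
}

# Usage (placeholders: user "me", public hostname "home.example.com",
# external port 2222 forwarded by the router to port 22 on the Mac).
# AFP share on the Mac itself, reachable afterwards as afp://localhost:8082:
tunnel_cmd me home.example.com 2222 8082 localhost 548
# VNC to another machine on the home LAN, reachable afterwards as localhost:5901:
tunnel_cmd me home.example.com 2222 5901 192.168.1.10 5900
```

Run local_port_free on the chosen port before starting the tunnel; ssh will refuse to bind a port that is already taken, but the error is easy to miss in verbose output.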

Securing your SSH connection

If you're like me and get rakes of hits from bots trying to guess your password, you'll want to lock down your SSH access.

I recommend using DSA keys.

To make these run the following command in your Terminal:

ssh-keygen -t dsa

Choose the default save location for your keys (~/.ssh).

You can enter a passphrase if you wish. If you leave it empty, you get password-less connections, at the cost that anyone who gets hold of the private key file can log in as you.

Now we need to exchange keys with your Mac. Enter this in your Terminal:

cat ~/.ssh/id_dsa.pub | ssh [email protected] 'cat - >> ~/.ssh/authorized_keys'

You will be prompted for a password.

Enter it!
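The command above does the job, but the remote side is worth doing carefully: sshd silently ignores ~/.ssh and authorized_keys when their permissions are too loose, and re-running the exchange appends duplicate lines. As an added example (not the post's own command), here is the remote-side half written as an idempotent shell function that you can run on the Mac; the sample key line in the comment is a constructed placeholder. One caveat on the key type: OpenSSH 7.0 and later disable ssh-dss keys by default, so on a current system generate an Ed25519 key with ssh-keygen -t ed25519 and copy id_ed25519.pub instead of id_dsa.pub.

```shell
#!/bin/sh
# Added example, not from the original post: the remote-side half of the key
# exchange, done idempotently with strict permissions. sshd ignores ~/.ssh and
# authorized_keys if they are group- or world-writable, so the modes matter.

# install_pubkey PUBKEY_LINE [SSH_DIR]
# Appends the public key line once; creates the directory and file owner-only.
install_pubkey() {
    key=$1
    dir=${2:-"$HOME/.ssh"}
    umask 077                            # anything created below is owner-only
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    if grep -qxF -- "$key" "$dir/authorized_keys"; then
        echo "key already present, nothing to do" >&2
    else
        printf '%s\n' "$key" >> "$dir/authorized_keys"
    fi
}

# count_keys [SSH_DIR]: number of authorized keys on file (skips comments/blanks).
count_keys() {
    grep -v '^[[:space:]]*#' "${1:-$HOME/.ssh}/authorized_keys" | grep -c '[^[:space:]]'
}

# Usage on the Mac, with a constructed placeholder key line:
#   install_pubkey 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyBody me@laptop'
# From the laptop, the same effect in one go (host/port are placeholders):
#   ssh -p 2222 me@home.example.com 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' < ~/.ssh/id_ed25519.pub
# OpenSSH's ssh-copy-id does this for you, including the permission fixes.
```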

Now you need to configure the SSH server on your remote Mac to refuse any connection that doesn't present a valid key.

To do this, open /etc/sshd_config in your text editor of choice (e.g. vim/nano) and change "UsePAM yes" to "UsePAM no".

Then restart SSH.
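Editing sshd_config by hand is fine for one line, but it is easy to leave a commented-out duplicate or a second copy of the keyword further down (sshd only honours the first occurrence). As an added example, not from the original post, the functions below change keyword values idempotently and read back the effective value. harden_config applies the post's UsePAM change and additionally sets PasswordAuthentication and ChallengeResponseAuthentication to no, which is the portable way to make sshd reject password logins on any OpenSSH build; work on a copy of the file and check it with sshd -t -f COPY before installing it. The config path and the sample file in the comments are placeholders, and the helper assumes the file has no Match blocks.

```shell
#!/bin/sh
# Added example, not from the original post: edit sshd_config keyword values
# idempotently and verify them. Assumes a flat file without Match blocks.

# set_sshd_option FILE KEYWORD VALUE
# Rewrites the first "Keyword value" line (commented-out or not, matched
# case-insensitively as sshd does) and drops later duplicates; appends the
# line if the keyword is absent.
set_sshd_option() {
    file=$1; kw=$2; val=$3
    tmp="$file.tmp.$$"
    awk -v kw="$kw" -v val="$val" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)      # strip indent and comment marker
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == tolower(kw)) {
                if (!done) { print kw " " val; done = 1 }
                next                               # swallow duplicates
            }
            print
        }
        END { if (!done) print kw " " val }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEYWORD: prints the effective (first, uncommented) value.
get_sshd_option() {
    awk -v kw="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(kw) { print $2; exit }
    ' "$1"
}

# harden_config FILE: the post's UsePAM change plus the directives that turn
# off password logins explicitly, so only keys get in.
harden_config() {
    set_sshd_option "$1" UsePAM no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" ChallengeResponseAuthentication no
    set_sshd_option "$1" PubkeyAuthentication yes
}

# Usage (placeholder paths):
#   cp /etc/sshd_config /tmp/sshd_config.new
#   harden_config /tmp/sshd_config.new
#   sudo sshd -t -f /tmp/sshd_config.new   # syntax check before installing
#   sudo cp /tmp/sshd_config.new /etc/sshd_config
# then restart sshd, e.g. by turning Remote Login off and on again in Sharing.
```

Keep an existing SSH session open while you test the new configuration; if you locked yourself out, that session is how you put the old file back.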


Done. Try connecting in: if you didn't set a passphrase on your DSA key, your tunnel is live.

If you did set a passphrase, you will be prompted for it.

Get it right and your SSH tunnel is live!


Any questions or mistakes, do let me know!