I decided to put together this how-to after setting this up for my dad, and figuring there are probably a number of others out there who serve as the de facto tech support person for friends and family in remote locations. The idea is to be able to remotely view and, if needed, control another Mac to help teach a new Mac user how to do something or fix their problem.
This isn't the fastest thing in the world, mind you -- anything they do with much in the way of graphics, like iPhoto, takes a long time to paint on my end -- but it definitely works well enough for what I need. My method certainly isn't the only way of doing it, but it meets my criteria, which are:
So, the first thing I did was upgrade his Mac to the latest ARD client software. This is free on the Apple site. It's called the ARD client, but in truth, it's really a VNC server under the sheets. I had the luxury of being able to do this myself since I had his Mini at the time, but it's really pretty easy and I'm confident I could have talked my dad through the install over the phone.
Once that was installed I went into the Sharing preferences pane on the Mini and started the ARD service. I also went into the Access Privileges for ARD and enabled "VNC viewers may control screen with Password." Just put any old password in -- it doesn't matter and will be ignored since we'll be tunneling over ssh. I also put a check next to his user account and checked "Observe" and "Control" (not actually sure if this is necessary, but whatever). Note that I did not need to open up the ARD ports on the Mini's software firewall, since this will be tunneled over ssh. In fact, I didn't even need to open up the ssh ports on the Mini, since the Mini is sending the ssh request outbound (it's a reverse tunnel), not receiving ssh requests inbound. It's very secure this way -- his Mini is completely stealthed.
Next I enabled Remote Login (i.e. ssh server) on my PowerBook. I created a dummy, non-privileged account (called "dummy") to receive the tunnel. I generated a DSA public-private key pair on the Mini under my dad's account (in Terminal, type ssh-keygen -t dsa and accept the defaults). I copied my dad's public key to the ~/.ssh/authorized_keys2 file under the dummy account. This step isn't really necessary if you don't mind your switcher having to remember and type in the dummy user's password, but that didn't meet my "simple" criterion above. Again, I had the luxury of doing this work directly on the Mini. With iChat and a little cutting and pasting, it could be done remotely as well. Note that there's no real security risk having your switcher email or IM you their public key -- that's why it's "public."
Next I installed Chicken of the VNC on my PowerBook. I assume any decent Mac VNC client would do, but CotVNC was lightweight, free, and worked out of the box with no changes. I also set up a dynamic DNS name for my PowerBook using DynDNS.org (again, free). This allows me to hard-code a name instead of an IP on the Mini, since my ISP uses DHCP and the IP might change over time. There are various Dynamic DNS clients for Mac -- I have no experience with them, since my Linksys WRT54G router has DDNS support built-in.
I then created a saved Terminal file on the Mini to launch the reverse tunnel. In Terminal, just do a File -> Save As then give the file a name. Click on "Execute this command" and enter the following:
ssh dummy@mypowerbook.ddnsname.whatever -R 5900:127.0.0.1:5900
Check "Execute command in shell" and click Save. This creates a reverse (hence the -R) tunnel mapping the VNC client port (5900) on my PowerBook to the VNC server port (also 5900) on his Mini. It's a reverse tunnel meaning that, although he established the connection from the Mini to the PowerBook, the "flow" or the port mapping actually goes in the opposite direction: from the PowerBook to the Mini. Why all the trouble? This means that my dad didn't have to screw around with opening up any ports on his Mac firewall, or do any port re-mapping on his router to allow inbound ssh connections. The tunnel emanates from his box, but allows me to go back into his Mini. Now all my dad has to do when he wants to establish the tunnel is double-click on the saved terminal file. Magic!
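As an added example that is not from the original hint: a POSIX shell script that builds the server-side authorized_keys entry for the dummy account (so the Mini's key can open the one VNC reverse-forward and nothing else) and a hardened form of the tunnel command for the saved Terminal file. It assumes OpenSSH 7.8 or later on the receiving Mac (for permitlisten) with its default GatewayPorts=no, which binds the -R listener to loopback; the sample key is a constructed ed25519 placeholder rather than the DSA key the hint generates, since current OpenSSH no longer accepts ssh-dss keys by default.

```shell
#!/bin/sh
# Added example, not part of the original hint. Builds the least-privilege
# authorized_keys line for the "dummy" account and the client-side ssh
# command. Assumes OpenSSH 7.8+ on the PowerBook (permitlisten) and the
# default GatewayPorts=no, which keeps the -R listener on loopback.

# restricted_key_line PUBKEY_LINE PORT
# Prints "restrict,port-forwarding,permitlisten=PORT keytype keydata [comment]":
# restrict turns off pty, agent/X11 forwarding and ~/.ssh/rc, port-forwarding
# re-enables only forwarding, permitlisten caps it to one listen port.
# Returns 1 if the key line or the port does not look right.
restricted_key_line() {
    port=$2
    case "$port" in ''|*[!0-9]*) return 1 ;; esac   # plain integer only
    set -f; set -- $1; set +f                        # split key line, no globbing
    keytype=$1; keydata=$2
    case "$keytype" in ssh-*|ecdsa-*|sk-*) ;; *) return 1 ;; esac
    [ -n "$keydata" ] || return 1
    shift 2                                          # whatever is left is the comment
    printf 'restrict,port-forwarding,permitlisten="%s" %s %s' "$port" "$keytype" "$keydata"
    if [ $# -gt 0 ]; then printf ' %s' "$*"; fi
    printf '\n'
}

# tunnel_command HOST PORT
# Prints the command for the saved Terminal file. -N opens no shell on the
# PowerBook, ExitOnForwardFailure makes a busy port 5900 a visible error
# instead of a silent "connected" with no tunnel, and the keepalives let a
# dead link exit (and be re-launched) instead of hanging forever.
tunnel_command() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R %s:127.0.0.1:%s dummy@%s\n' "$2" "$2" "$1"
}

# Constructed sample public key line (placeholder, not a real key).
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATAPLACEHOLDER dad@mini'

restricted_key_line "$SAMPLE_KEY" 5900   # append this to ~dummy/.ssh/authorized_keys
tunnel_command mypowerbook.ddnsname.whatever 5900
```

On the PowerBook side the only listener the key may request is port 5900, and with GatewayPorts left at its default that listener is reachable from 127.0.0.1 only, which is exactly where Chicken of the VNC connects.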
Mac OS X Hints
http://hints.macworld.com/article.php?story=20050429153115383