10.5: How to use ssh using 'Back to My Mac'
Authored by: the1truestripes on Apr 30, '08 09:50:07AM
Seems like a really useful feature, although I am a bit concerned about the security issues. I wonder how many of us will have their firewall configured correctly. SSL uses port 22 which would have to be open not only on the Apple Firewall, but also on any router / modem. Personally I would be very careful who I give access to port 22 on my machine.

I think the back to my .Mac address is an IPSec tunnel endpoint. So nobody can send traffic to port 22 (or any other port) unless they have the keys for it (and there doesn't need to be anything open in the firewall for the specific traffic going to that endpoint, but there does for the tunnel itself). It also means your ssh will get an extra layer of encryption (from IPSec), but I wouldn't set it up to skip the ssh encryption (or use a faster but weaker form), because it is safer to say "you have to defeat both" than "get my tunnel and you get the ssh". Esp. since IPSec hasn't had as much operational deployment as ssh.

Your mileage may vary. I'm not a back2my mac expert or anything. Or even an IPSec expert (although I did implement an ssh client, since it was a long time ago and ssh v1, I'm not even an ssh expert). So please take your grain of salt. Thank you, drive through.


10.5: How to use ssh using 'Back to My Mac'
Authored by: sabi on May 01, '08 01:53:48AM
It's using a combination of IPsec (for the tunnel) and IPv6 (for routing), with UPnP or NAT-PMP to open a port if you're behind NAT. The IPsec connection is typically made over UDP port 4500 though if that port is in use, it will use another port.

The concept is really elegant and while the implementation was a bit flaky for a while, since 10.5.2 it's been basically reliable for me and it's so nice to no longer need to set up a VPN just to talk to my own machine at home.

You can see the IPsec configuration established by looking at the files in /etc/racoon/remote (you'll need to be root/use sudo to see them, since they contain a shared secret). You'll also find this shared secret in the System Keychain as "Back to My Mac key".

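The comment above points at /etc/racoon/remote as the place where the tunnel's IPsec parameters land, and the earlier comment worries about what the tunnel actually protects. A small audit script that reads such a racoon `remote` block and reports the endpoint, port and proposal settings is a reasonable way to check both. The script below is an added example written for this page, not code from Apple, racoon or either commenter; it assumes the standard racoon.conf `remote address [port] { ... proposal { ... } }` syntax, and the two config texts embedded in it are constructed samples, not real Back to My Mac files (those contain a shared secret and should only be read as root, as the comment says).

```sh
#!/bin/sh
# Constructed sample of a racoon "remote" block in the shape the comment
# describes: PSK-authenticated IKE over UDP 4500 with NAT traversal on.
SAMPLE_CONF='
remote 192.0.2.10 [4500] {
    exchange_mode main;
    nat_traversal on;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
'

# Constructed "bad" sample: no port (racoon defaults to 500) and a weak cipher.
WEAK_CONF='
remote 192.0.2.20 {
    exchange_mode aggressive;
    proposal {
        encryption_algorithm des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 1;
    }
}
'

# racoon_endpoints CONF: print "address port" for every remote block.
# The optional port sits in square brackets after the address; when it is
# absent racoon uses the IKE default of UDP 500.
racoon_endpoints() {
    printf '%s\n' "$1" | awk '
        $1 == "remote" {
            port = "500"
            if ($3 ~ /^\[/) { port = $3; gsub(/\[|\]/, "", port) }
            print $2, port
        }'
}

# racoon_value KEY CONF: print the value of the first "KEY value;" statement.
racoon_value() {
    printf '%s\n' "$2" | awk -v k="$1" '
        $1 == k { v = $2; sub(/;$/, "", v); print v; exit }'
}

# racoon_audit CONF: report the proposal settings and return non-zero when
# the block uses a cipher or hash that a defender should not accept today.
racoon_audit() {
    conf="$1"
    status=0
    echo "endpoint(s): $(racoon_endpoints "$conf")"
    echo "nat_traversal: $(racoon_value nat_traversal "$conf")"
    echo "authentication_method: $(racoon_value authentication_method "$conf")"

    enc=$(racoon_value encryption_algorithm "$conf")
    case "$enc" in
        des|3des|"") echo "FAIL: weak or missing encryption_algorithm (${enc:-none})"; status=1 ;;
        *)           echo "ok: encryption_algorithm $enc" ;;
    esac

    hash=$(racoon_value hash_algorithm "$conf")
    case "$hash" in
        md5|"") echo "FAIL: weak or missing hash_algorithm (${hash:-none})"; status=1 ;;
        *)      echo "ok: hash_algorithm $hash" ;;
    esac
    return $status
}

# Stand-alone run: audit both constructed samples. Against a real system you
# would instead feed it the files under /etc/racoon/remote via sudo.
racoon_audit "$SAMPLE_CONF"
echo
racoon_audit "$WEAK_CONF" || echo "(weak sample flagged as expected)"
```

The endpoint line is the part worth comparing against your firewall and router rules: the tunnel needs UDP 4500 (or whatever port the block names) reachable, while port 22 itself only has to be open to traffic arriving through the tunnel endpoint, not to the internet at large.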