I find “Remote Login” an incredibly useful tool. On a daily basis I employ it to transfer files, screen share, and directly access the shell. Turning this on (located in the Sharing pane of System Preferences) enables the local SSH server. This enables Secure Shell login, and SFTP access to transfer files. This technology is employed by thousands of machines on the internet. It is safe, secure and encrypted as long as it is properly configured and monitored. To keep your machine secure, consider some of these options or habits:
- Turn if off when you don’t need it
- Restrict which users can login remotely (right in the same Preference pane)
- Change the default port (locally and/or at your router)
- Monitor secure.log (manually with Console or with a 3rd-party app)
- Setup SSH keys instead of using passwords
There may be some additional setup to access your machine via SSH remotely. If you’re behind a router, you’ll need to forward an external port to the internal SSH port (default is 22) of your machine. Any firewall will need to be configured to allow the appropriate incoming access. When your machine goes to sleep, it may or may not interfere with SSH access. Turn off sleep or turn on “Wake for network access” (Energy Saver preference pane).
Now that’s it’s running, how do you connect to the shell? In the terminal on another Mac or a linux computer, type:
ssh yourusername@[EXTERNAL IP ADDRESS]
…that’s it. If you’re using a Windows computer to connect, you’ll have to download a client.
If you want to transfer files securely, you can use the same command above but replace
sftp . Then you’d have command line access to downloading and uploading files. Much easier would be to use an App like CyberDuck, or the popular Transmit for SFTP access.
One of the best features of an SSH connection is the ability to forward ports. You can forward ports in either direction, but most common is to forward a remote port to a port on the local machine. This can be setup in the initial command (
ssh user@IP...) or while you’re in the session. To do the latter, once your in a remote session, type
~C at an empty prompt. If it doesn’t work, hit return to get a clear prompt and try again. This will drop you to a prompt like so:
To forward the remote port 5900 to the local port 5901, type the following a the ssh> prompt:
-L5901:localhost:5900 (no spaces)
You can continue to use the shell as normal, or not, but if you close it, so too does the “tunnel” you created close. In the example above, port 5900 is the default port for VNC, the screen sharing protocol. You could now enter “vnc://localhost:5901” in the Finder’s Connect to Server dialog on the local computer, and it would attempt to access the remote computer’s VNC server via the encrypted SSH connection.
Another type of port forwarding is “dynamic”. Using the above method, after connecting to a remote machine and typing
~C, type the following:
-D8888 (again, no spaces)
This creates a SOCKS proxy tunneled through the encrypted ssh connection. Next you would enter proxy settings, either for the entire local computer (in System Preferences) or in specific applications. Here’s how it would look in Firefox:
Now every connection Firefox makes is routed through the encrypted tunnel to the remote host. To the outside world (internet) your requests appears to come from the remote computer. Be aware that it takes proper configuration to mask all your activity. You must check on each application’s use of proxies. As well, DNS requests (resolving domain names to IPs) may not be masked by the proxy at all without additional steps.
Be sure to read the next article, Useful Terminal Commands for Remote Computing, for more ssh fun…