The macosxhints Forums

The macosxhints Forums (http://hintsforums.macworld.com/index.php)
-   Networking (http://hintsforums.macworld.com/forumdisplay.php?f=14)
-   -   Reference Material for SSH, VNC? (http://hintsforums.macworld.com/showthread.php?t=90342)

NovaScotian 06-03-2008 10:56 AM

Reference Material for SSH, VNC?
 
I have never succeeded in connecting Chicken of the VNC (on a MBP) to the VNC server on my PM G5 (both Leopard) through my AirPort Extreme(n). Works fine in my LAN, not from the WAN. From what I can read on the web, this is a common problem for which I haven't found a bombproof solution.

This morning, I read about Meerkat, "an easy to use SSH tunnel manager built specifically for the Mac", so I was wondering whether I might succeed by running VNC through an SSH tunnel, assuming I could manage to get tunneling to work through the APExtreme(n).

I say this, however, understanding nothing at all about that process. I've never used SSH for anything. Can someone suggest some reading material to get me started -- I'd like to understand what's going on, not just get it to work. Like a lot of "easy to use" software nowadays, Meerkat's help is light on the details -- assuming that I know what I'm doing and want to use Meerkat to do it.

Las_Vegas 06-03-2008 12:05 PM

You need to forward or map port 5900 through your router to your G5. If your router supports UPnP, simply enable it.

NovaScotian 06-03-2008 01:38 PM

Quote:

Originally Posted by Las_Vegas (Post 474043)
You need to forward or map port 5900 through your router to your G5. If your router supports UPnP, simply enable it.

I've done that, but have no way of knowing whether an Airport Extreme(n) supports UPnP.

baf 06-03-2008 02:10 PM

According to a quick Google search, Airport Extremes don't support UPnP (fortunately).

trevor 06-03-2008 02:19 PM

I'm not aware of any definitive statement from Apple on whether the Airport Extreme Base Stations support UPnP, and third parties make contradictory statements on the subject, with maybe two thirds of the people saying that it does not support UPnP, and a third saying that it does.

There are implications from Apple that the Base Stations do not support UPnP, for example this page discussing Back to My Mac: http://support.apple.com/kb/HT1552?viewlocale=en_US

I wish the statements were more definitive, however.

Trevor

baf 06-03-2008 02:38 PM

Oh, to me that isn't implication, it's fact. Airport Extreme base stations use NAT-PMP instead of UPnP.

trevor 06-03-2008 02:53 PM

Really? I don't see it. It says
1. Airport Extreme Base Stations use NAT-PMP.
2. Some third party routers use UPnP. (Implying but not stating that AEBS do not.)
3. Back to My Mac uses either NAT-PMP or UPnP.
4. If you have a third party router, enable UPnP.

But this leaves open the possibility that Airport Extreme Base Stations support both NAT-PMP and UPnP. There is the implication that this is not the case, but nowhere is it stated. Nor can I find it stated anywhere else in Apple's documentation. If someone else sees any statement one way or the other from Apple somewhere, a link would be great.

Trevor

NovaScotian 06-03-2008 04:42 PM

Quote:

Originally Posted by NovaScotian (Post 474076)
I've done that, but have no way of knowing whether an Airport Extreme(n) supports UPnP.

Now you see why I said the above. I agree with trevor -- we don't know -- and the AirPort Utility doesn't expose that capability if it exists.

Las_Vegas 06-04-2008 12:05 AM

It doesn't matter. NAT-PMP will suffice as well as UPnP.

You should be able to access your MBP by addressing the IP address of your Router (not the MBP) from outside of your LAN.

NovaScotian 06-04-2008 07:41 AM

Quote:

Originally Posted by Las_Vegas (Post 474162)
It doesn't matter. NAT-PMP will suffice as well as UPnP.

You should be able to access your MBP by addressing the IP address of your Router (not the MBP) from outside of your LAN.

I agree that I should. I have a dynDNS.org custom DNS service that always points at my AirPort Extreme's connection and software to keep the address updated (dynamic), but the connection is always refused if I'm outside the LAN, always accepted if I'm inside.

Reacher 06-04-2008 09:32 AM

Quote:

Originally Posted by NovaScotian (Post 474198)
I agree that I should. I have a dynDNS.org custom DNS service that always points at my AirPort Extreme's connection and software to keep the address updated (dynamic), but the connection is always refused if I'm outside the LAN, always accepted if I'm inside.

Are you always trying to SSH/VNC in from the same location outside your LAN, e.g. your local library? It is possible they have blocked outgoing port 22.

I pulled some hair over this recently; SSH/VNC combo was working perfectly within my LAN but not when I took my laptop to the library. I've since confirmed that the library is blocking that port because SSH works from my car dealership's wifi network.

Just a thought.

NovaScotian 06-04-2008 09:42 AM

Quote:

Originally Posted by Reacher (Post 474215)
Are you always trying to SSH/VNC in from the same location outside your LAN, e.g. your local library? It is possible they have blocked outgoing port 22.

I pulled some hair over this recently; SSH/VNC combo was working perfectly within my LAN but not when I took my laptop to the library. I've since confirmed that the library is blocking that port because SSH works from my car dealership's wifi network.

Just a thought.

And a good thought, too -- I'll try another venue.

NovaScotian 06-05-2008 08:55 PM

Having read all the Googled stuff I can find on SSH and Tunnels and what little's available about Meerkat, I confess I'm having a "5 - 3 = 5" experience**. The penny hasn't dropped. Can't SSH from laptop to desktop within the LAN.
** Small children, just learning subtraction, when presented with "five take away three leaves ..." often say "5" (ignoring all those other symbols). Makes sense, too; but it isn't subtraction, it's parsing the sentence.
These make sense -- but don't get me there:

http://www.applematters.com/article/...on-man-part-i/

http://www.applematters.com/article/...n-man-part-ii/

baf 06-05-2008 11:59 PM

Just to make sure: have you ever been able to connect to your home computer from the outside in any way?

Is your external IP in one of these ranges?
10.x.x.x
192.168.x.x
172.16.x.x-172.31.x.x
because if it is then it's impossible.

And for ssh from laptop to desktop, is sshd running on the desktop?
Check by:
netstat -na|grep "\.22 "
answer should be
Code:

tcp4      0      0  *.22                  *.*                    LISTEN
tcp6      0      0  *.22                  *.*                    LISTEN


NovaScotian 06-06-2008 10:33 AM

Quote:

Originally Posted by baf (Post 474598)
Just to make sure: have you ever been able to connect to your home computer from the outside in any way?

Not using any variant of VNC. In earlier days I used Timbuktu successfully from home to office and vice versa. Now I want to use VNC from laptop to home only, and I do have the home machine assigned a reserved LAN address on the Airport Extreme, NAT Port Mapping Protocol enabled, Apple Remote Desktop enabled, which enables UDP and TCP ports 3283, 5900 pointing at the internal machine's fixed address.

Quote:

Originally Posted by baf (Post 474598)
Is your external IP in one of these ranges?
10.x.x.x
192.168.x.x
172.16.x.x-172.31.x.x
because if it is then it's impossible.

I understand that those are not routable; they are all private address ranges. My IP address is public (24.xxx.yyy.zz but dynamic, though rarely changing) and I have a registered name pointing to it (with a daemon keeping it current) at dynDNS.org.

Quote:

Originally Posted by baf (Post 474598)
And for ssh from laptop to desktop, is sshd running on the desktop?
Check by:
netstat -na|grep "\.22 "
answer should be
Code:

tcp4      0      0  *.22                  *.*                    LISTEN
tcp6      0      0  *.22                  *.*                    LISTEN


I get:
Code:

tcp4      0      0  *.22                  *.*                    LISTEN
tcp6      0      0  *.22                  *.*                    LISTEN
tcp4      0      0  10.0.1.200.49155      67.205.22.67.80        CLOSE_WAIT

The last one (67.205.22.67) surprised me; a lookup says that's 10base-t.com from which I recently downloaded "DropCopy 1.4.7", a very useful app for transferring files between my laptop and desktop machines. Why is that still there though (or will it expire eventually)?

I should say, however, that since I've been "playing" with SSH and Meerkat, I have not tried to VNC in from outside because I can't get the tunnel working within my LAN.

baf 06-06-2008 11:44 AM

Ok good so far.

Quote:

Originally Posted by NovaScotian (Post 474667)

I get:
Code:

tcp4      0      0  *.22                  *.*                    LISTEN
tcp6      0      0  *.22                  *.*                    LISTEN
tcp4      0      0  10.0.1.200.49155      67.205.22.67.80        CLOSE_WAIT

The last one (67.205.22.67) surprised me; a lookup says that's 10base-t.com from which I recently downloaded "DropCopy 1.4.7", a very useful app for transferring files between my laptop and desktop machines. Why is that still there though (or will it expire eventually)?

Yes it will timeout.
What happens when you do:
ssh username@desktop_ip
in terminal from your laptop ( Of course with username and desktop_ip changed to your values) ?

Oh and how do you try to setup the tunnel ?

NovaScotian 06-06-2008 11:52 AM

Thank you, Bengt-Arne: following your "ssh ... " instructions and using the password appropriate to the desktop (not the same as the laptop), I find myself with a terminal session to my G5. It worked -- don't know what I did yesterday that fouled up.

I was assuming that Meerkat would do that, if I understood how to use it. Other than that, I don't know how to set up a tunnel -- what I've got is a terminal session from one to the other.

baf 06-06-2008 12:25 PM

Yes, that is what you should get from that command. This is what's always behind the scenes when using ssh. You can then add options to create a tunnel either on the command line or with something like Meerkat.

Ok step 2.
assumption for demo.
your desktop has ip 192.168.1.2 otherwise change it to your real internal one.

ssh -L 55900:127.0.0.1:5900 user@192.168.1.2
this will give the same password prompt as before, answer that and don't close it. Now try running vnc client and tell it to connect to localhost:55900 and we'll see what happens.

NovaScotian 06-06-2008 01:24 PM

Connection terminated. Terminal said "channel 3: open failed: administratively prohibited: open failed". Chicken of the VNC connects as it should without the tunnel.

Reacher 06-06-2008 02:15 PM

Quote:

Originally Posted by baf (Post 474703)
Ok step 2.
assumption for demo.
your desktop has ip 192.168.1.2 otherwise change it to your real internal one.

ssh -L 55900:127.0.0.1:5900 user@192.168.1.2
this will give the same password prompt as before, answer that and don't close it. Now try running vnc client and tell it to connect to localhost:55900 and we'll see what happens.

Point of clarification: if you're trying to do this outside your LAN then substitute the 192.168.1.2 with your external IP or your dyndns (or equivalent) domain name.

NovaScotian 06-06-2008 03:18 PM

Quote:

Originally Posted by Reacher (Post 474726)
Point of clarification: if you're trying to do this outside your LAN then substitute the 192.168.1.2 with your external IP or your dyndns (or equivalent) domain name.

Understood. I'm currently inside, so I'm using the static LAN address of the box.

baf 06-07-2008 06:33 AM

In /etc/sshd_config on the desktop check for
AllowTcpForwarding without a hash mark first.
if you have
AllowTcpForwarding no
change no to yes
if you don't have a line like that add this
AllowTcpForwarding yes

then retry:
ssh -L 55900:127.0.0.1:5900 user@192.168.1.2
and connecting with vnc.

NovaScotian 06-07-2008 10:56 AM

Owned by root -- opened in BBEdit, removed hash mark, saved (pw required by BBEdit's command line tools). I did this on the target then tried the command on the laptop and was connected to the target. Then in CotVNC I entered for host: 127.0.0.1:55900 (the target:the port) and the connection was successful. Thank you, thank you.

Now, to try this from outside my LAN, what ports have to be opened in my AirPort Extreme? Just TCP 5900?

baf 06-07-2008 12:10 PM

Quote:

Originally Posted by NovaScotian (Post 474869)
Now, to try this from outside my LAN, what ports have to be opened in my AirPort Extreme? Just TCP 5900?

No. TCP port 22.

What you have done now is first create a communication "pipe" from your laptop to the desktop; that communication goes to port 22.
The -L ... part makes ssh listen locally on port 55900 on your desktop.
What comes there gets sent over the already existing "pipe" to the desktop's sshd, and that one sends it to port 5900 on itself.
So only port 22 needs to be reachable for this to work.
The beauty of this is that you can have several of these -L ... in one command, so you can reach several services and/or internal computers with one single ssh command.

The meaning of that -L 55900:localhost:5900 is "listen here on 55900 and send it to localhost:5900 there", so it could as well be -L 55901:192.168.1.3:5900 to reach another computer inside your router on that one's port 5900.
Hope you understand this. If you don't have a vnc server running on your laptop you could instead use -L 5900:localhost:5900 and then you would connect the vnc client to just localhost, but I wanted to avoid the possibility that you had one running.

baf 06-07-2008 12:35 PM

Also, if you want you could try with Meerkat again, as that missing "AllowTcpForwarding yes" made it impossible for it to succeed.
Unfortunately this can't be detected until something tries to use the tunnel. But Meerkat ought to have detected that when you used vnc, but it doesn't. I would have liked it to detect that "channel 3: open failed: administratively prohibited: open failed" and put up an error dialog.

NovaScotian 06-07-2008 12:56 PM

Quote:

Originally Posted by baf (Post 474881)
No. TCP port 22.

What you have done now is first create a communication "pipe" from your laptop to the desktop; that communication goes to port 22.
The -L ... part makes ssh listen locally on port 55900 on your desktop.
What comes there gets sent over the already existing "pipe" to the desktop's sshd, and that one sends it to port 5900 on itself.

That paragraph clarifies a lot of my misunderstandings of tunneling. Thank you.

Quote:

So only port 22 needs to be reachable for this to work.
Done -- Airport Extreme doesn't let you choose the number, but it does let you choose SSH as a service to be port forwarded.

Quote:

The beauty of this is that you can have several of these -L ... in one command, so you can reach several services and/or internal computers with one single ssh command.
I'd like to have one for 5901, but the VNC server on my G5 doesn't seem to recognize it (5901 is my second screen). Chick of the VNC doesn't enable viewing the second screen, probably because the server isn't configured correctly.

Quote:

The meaning of that -L 55900:localhost:5900 is "listen here on 55900 and send it to localhost:5900 there", so it could as well be -L 55901:192.168.1.3:5900 to reach another computer inside your router on that one's port 5900.
Hope you understand this. If you don't have a vnc server running on your laptop you could instead use -L 5900:localhost:5900 and then you would connect the vnc client to just localhost, but I wanted to avoid the possibility that you had one running.
I do, finally. I'm also supposing that 55900 could be anything larger than 1024 and smaller than 64K. I guess I'm not running a server on the laptop, ssh -L 5900:localhost:5900 user@.... works too.

How is the built-in VNC server configured?

baf 06-07-2008 12:56 PM

Also one extra flag that sometimes helps is -C see excerpt from man ssh

Code:

-C      Requests compression of all data (including stdin, stdout,
            stderr, and data for forwarded X11 and TCP connections).  The
            compression algorithm is the same used by gzip(1), and the
            ``level'' can be controlled by the CompressionLevel option for
            protocol version 1.  Compression is desirable on modem lines and
            other slow connections, but will only slow down things on fast
            networks.  The default value can be set on a host-by-host basis
            in the configuration files; see the Compression option.

so a full line might be
ssh -C -L 55900:localhost:5900 xxx@yyy
But as they say, that -C sometimes helps and sometimes slows things down.

baf 06-07-2008 01:10 PM

Quote:

Originally Posted by NovaScotian (Post 474888)
That paragraph clarifies a lot of my misunderstandings of tunneling. Thank you

You're welcome.

Quote:

Originally Posted by NovaScotian (Post 474888)
I'd like to have one for 5901, but the VNC server on my G5 doesn't seem to recognize it (5901 is my second screen). Chick of the VNC doesn't enable viewing the second screen, probably because the server isn't configured correctly.

Read but not quite understood.
Warning: guesswork.
Have you tried to connect the chick to that computer's port 5901? What happens?

Quote:

Originally Posted by NovaScotian (Post 474888)
I do, finally. I'm also supposing that 55900 could be anything larger than 1024 and smaller than 64K.

Anything free in that range, yes. Check with:
netstat -naf inet |grep LISTEN
And you will get something like:
Code:

tcp4      0      0  *.22                  *.*                    LISTEN
tcp4      0      0  127.0.0.1.631          *.*                    LISTEN
tcp4      0      0  *.6000                *.*                    LISTEN
tcp4      0      0  127.0.0.1.1033        *.*                    LISTEN
tcp4      0      0  *.515                  *.*                    LISTEN

This means that ports 22, 631, 6000, 1033 and 515 are already used.

And if you really want to use a low port you can do
sudo ssh -L low_number:remote_computer:remote_port user@server

Quote:

Originally Posted by NovaScotian (Post 474888)
How is the built-in VNC server configured?

Sorry don't know.
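Added example, not code from the thread or from Meerkat: a POSIX shell pre-flight for the tunnel recipe baf lays out above (the AllowTcpForwarding check in /etc/sshd_config, the netstat LISTEN check for a free local port, and the ssh -L command itself). The sshd_config and netstat text are constructed samples; the function names and the -N flag are my additions, not anything the thread uses.

```shell
#!/bin/sh
# Added example, not code from the thread: checks a tunnel script can run
# before "ssh -L", covering the two failure modes discussed above
# (AllowTcpForwarding no on the server; a local port already listening).
# Every input below is constructed sample text; nothing reads real files
# or opens sockets.

# Constructed stand-in for the server's /etc/sshd_config. A line starting
# with "#" is a comment, so only the third line is an active directive.
SAMPLE_SSHD_CONFIG='# constructed sample
#AllowTcpForwarding yes
AllowTcpForwarding no
X11Forwarding no'

# The same file after the fix the thread arrives at.
SAMPLE_SSHD_CONFIG_FIXED='# constructed sample
AllowTcpForwarding yes
X11Forwarding no'

# Constructed "netstat -naf inet | grep LISTEN" output in macOS format
# (address and port joined by a dot, as in the thread).
SAMPLE_NETSTAT='tcp4      0      0  *.22                  *.*                    LISTEN
tcp4      0      0  127.0.0.1.631          *.*                    LISTEN
tcp4      0      0  *.6000                *.*                    LISTEN'

# Effective AllowTcpForwarding value from sshd_config text passed as $1.
# sshd uses the first uncommented occurrence; when the keyword is absent
# the OpenSSH default is "yes". Assumes no Match block overrides it.
tcp_forwarding_setting() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "allowtcpforwarding" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }'
}

# Succeeds when local port $1 already has a listener in netstat output $2.
port_in_use() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $6 == "LISTEN" && $4 ~ ("\\." p "$") { hit = 1 }
        END { exit !hit }'
}

# Arguments: local_port remote_host remote_port login netstat_output sshd_config
# Prints the ssh command to run, or a reason and a non-zero status: 1 if the
# local port is taken, 2 if the server would answer "administratively
# prohibited" because forwarding is disabled. -N opens no remote shell.
plan_tunnel() {
    if port_in_use "$1" "$5"; then
        echo "local port $1 is already in use; pick another one above 1024"
        return 1
    fi
    if [ "$(tcp_forwarding_setting "$6")" = "no" ]; then
        echo "server sshd_config has AllowTcpForwarding no; the forward would be refused"
        return 2
    fi
    printf 'ssh -N -L %s:%s:%s %s\n' "$1" "$2" "$3" "$4"
}
```

On a real machine you would feed `plan_tunnel` the output of `netstat -naf inet | grep LISTEN` on the laptop and the contents of /etc/sshd_config copied from the desktop.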

NovaScotian 06-07-2008 02:26 PM

A 5901 connection is simply refused.

Discovered that vnc://xxx.xxx.xxx.xxx/ will open the built-in screen sharing app. It has preferences, but doesn't seem to include an option for a second screen. Before the 10.5.3 upgrade, Chick of VNC showed the full screen with window sliders to access the second -- now it doesn't. I'll have to write an AppleScript to make certain that any window that opens on the second screen is moved to the first.

Thank you very much for these patient lessons in VNC via a tunnel. Much appreciated. Luleå university is well served.

incanus 06-17-2008 06:52 AM

Hi, I'm the developer of Meerkat. Sorry I'm a bit late to the scene. Where are you at with this now and is there some way that I can help? Also feel free to reach me at http://codesorcery.net/contact if you'd like to take it offline.

NovaScotian 06-17-2008 08:39 AM

Did you read baf's post #25 in this thread? At the end, I just wrote a shell script to open the tunnel, but haven't been away yet to test it remotely. Also haven't resolved the bi-directional issue.

