Chapter 20. FTP, SSH, VPN & Web Sharing

Email and web surfing may be the most popular internet activities, but the world’s most gigantic network has many other uses. The general idea is always the same, though: letting one computer reach out and touch another.

MacOS offers a few features that embrace the more literal aspects of that notion. For example, this chapter explores various advanced methods of manipulating your own Mac from the road, including remote access technologies like long-distance file sharing, FTP, SSH, and virtual private networking (VPN).

FTP

FTP (file transfer protocol) sites store pieces of software that can be accessed from the internet. If you’ve heard of FTP at all, it was probably under one of two circumstances—either you’ve downloaded software from an internet FTP site, or you’ve created and maintained your own website.

Uploading and Downloading from FTP Sites

Hooking into an FTP site generally requires an FTP client program that runs on the kind of computer you use (Mac, Windows, or whatever). On macOS, popular FTP client programs include the shareware programs Transmit, Cyberduck, Fetch, Interarchy, and Captain FTP, and the free RBrowser (which is available from the “Missing CD” page at missingmanuals.com).

Using these programs, web designers, for example, can view a list of all the text and graphics documents, sitting there on an internet-connected computer somewhere, that make up their web pages. The effect is shown in Figure 20-1.

When they want to update one of those pages, they add it to this list; to delete a web page, they remove it from this list.

Figure 20-1. Top: To access your macOS machine from across the internet, fire up a program like RBrowser and use the address ftp://111.222.33.4 (or whatever your public IP address is).
Bottom: Once you’re looking at an FTP server’s contents, you can drag files from your desktop into the list, copy them to your Mac by dragging them out of the list onto your desktop, or open them by double-clicking.

Just Downloading from FTP Sites

If you’re just going to look at and download files (but not upload or delete any), you don’t even need a special FTP program. You can get to the files much more directly using one of these two methods:

  • Any old web browser will work. Open Safari, for example, and type ftp://ftp.apple.com (or whatever the address is) into the address/search bar. A dialog box asks for an account name and password, if they’re required. Once you’re in, you switch to the Finder and see the contents of the FTP site as a window full of file icons. (In other browsers, you may see the list of the FTP site right in the browser window.)

  • Using the Finder’s Go → Connect to Server command, you can mount read-only FTP volumes right on your desktop. In other words, they appear just like any other disk icons.

    In the Connect to Server dialog box, just enter the address of the file server you would like to mount—ftp://ftp.apple.com, for example. You’ll soon see the ftp.apple.com icon appear on your desktop, looking just like your other disks. Open it up and drag out whatever you want to download.

Connecting from the Road

You can also connect to your Mac’s regular File Sharing feature (“File Sharing: Three Ways”) from over the internet. This feature is a blessing to anyone who travels, whether with a laptop or to a branch office, because you’ll never be up a creek without a paddle if you discover that you left an important file at home.

You can also set up a remote file-sharing system on your own. Start by setting up the home-base Mac for file sharing, as directed in Chapter 13; then figure out your Mac’s public IP address, as described in the box on the next page.

Finally, once you’re on the road, go online and proceed like this:

  1. Choose Go → Connect to Server.

    The Connect to Server dialog box appears, as shown in Figure 20-2.

    Figure 20-2. The Connect to Server dialog box lets you type in the IP address for the shared Mac you want to access. (Ensuring that the shared Mac is turned on and connected to the internet is the network administrator’s problem.)
  2. Type in the public IP address of the Mac to which you want to connect, and then click Connect (or press Return).

    See the box on the next page for a discussion of public vs. private IP addresses.

  3. Enter your name and password, and then click Connect.

    From here, it’s just as though you were connecting to another computer on your office network (Chapter 13), although it’s a good bit slower. But when you’re in Hong Kong and need a document from your Mac in Minneapolis, you may not care.

Remote Access with SSH

Are you a geek? Take this simple test at home: Do you get excited about macOS’s ability to permit SSH access?

If you answered “What’s SSH?” or “I’m already being quiet,” then the following discussion of Unix remote control may not interest you. To be sure, SSH is not a program with a graphical user interface (icons and menus). You operate it from within a program like Terminal by typing commands. (For details on Terminal, see the free downloadable appendix called “Terminal Crash Course” on this book’s “Missing CD” page at missingmanuals.com.)

If you’re willing to overlook that little peccadillo, though, SSH (Secure Shell) is an extremely powerful tool. It lets you connect to your Mac from anywhere—from across the network or across the internet. And once you’re connected, you can take complete control of it, copying files, running commands, rearranging folders, or even shutting it down, all by remote control.

Getting In

Here’s how you go about using SSH:

  1. Set up your Mac by opening the Sharing panel of System Preferences and then turning on the Remote Login checkbox.

    You’ve just told the Mac it’s OK for you (or other people with accounts on your machine) to connect from the road. Quit System Preferences.

  2. Go away.

    You can move to another machine on the network or another computer on the internet (if you’ve dealt with the port-forwarding issue described in the box on the facing page). Once you’re online with that other machine, you can contact your home-base machine from within a program like Terminal.

    Tip

    It doesn’t have to be Terminal, and it doesn’t have to be a Mac. You can get SSH client programs for almost any kind of computer.

    For pre–OS X Macs, for example, you can try MacSSH or NiftyTelnet SSH, both of which you can download from this book’s “Missing CD” page at missingmanuals.com. For Windows, try PuTTY (puttyssh.org).

  3. At the prompt, type ssh -l chris 111.222.3.44. Press Return.

    Instead of chris, substitute your short account name (as you’re known on the Mac you’re tapping into), and replace the phony IP address shown here with your real public address. (If your Mac back home has a domain name unto itself, such as macmania.com, you can type that instead of the IP address. And if you’ve turned on port forwarding, use your cable modem/DSL box’s IP address.)

    If all goes well, the ssh command acknowledges your first successful connection by displaying a message like this: “The authenticity of host ‘111.222.3.44 (111.222.3.44)’ can’t be established. RSA key fingerprint is d9:f4:11:b0:27:1a:f1:14:c3:cd:25:85:2b:78:4d:e7. Are you sure you want to continue connecting (yes/no)?” This message won’t appear on subsequent connections, because ssh remembers the key; if that key ever changes, ssh warns you instead of connecting silently. You’re seeing SSH’s security features at work.

  4. Type yes and press Return.

    Now you see one more note: “Warning: Permanently added ‘111.222.3.44’ (RSA) to the list of known hosts.” You’re then asked for your account password.

  5. Type your account password and press Return.

    You’re in. Issue whatever commands you want. You can now conduct a full Unix Terminal session—but by remote control.
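The “Are you sure” prompt in step 3 is the one moment when you can confirm that you have reached your own Mac and not some other machine using its address. Here is an added example (not from the book) that does that comparison by script. It assumes you ran `ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub` on the home Mac before leaving (the host-key path varies by macOS version) and wrote the fingerprint down; the prompt text and recorded fingerprint below are constructed from the book’s sample.

```sh
#!/bin/sh
# Added example (not from the book): compare the fingerprint that ssh shows at
# the "Are you sure you want to continue connecting" prompt with one recorded
# on the home Mac beforehand, so the first connection is not taken on trust.
#
# Assumed preparation on the home Mac (key path varies by macOS version):
#   ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
# Newer OpenSSH prints "SHA256:<base64>" rather than the colon-separated MD5
# style shown in the book; both formats are handled below.

# Constructed sample of the prompt, using the book's fingerprint.
SAMPLE_PROMPT="The authenticity of host '111.222.3.44 (111.222.3.44)' can't be established.
RSA key fingerprint is d9:f4:11:b0:27:1a:f1:14:c3:cd:25:85:2b:78:4d:e7.
Are you sure you want to continue connecting (yes/no)?"

# Fingerprint written down at home (constructed; agrees with the sample).
RECORDED_FP="d9:f4:11:b0:27:1a:f1:14:c3:cd:25:85:2b:78:4d:e7"

# extract_fingerprint PROMPT: prints the fingerprint quoted in the prompt,
# or nothing if the prompt does not contain one.
extract_fingerprint() {
    printf '%s\n' "$1" | sed -n 's/.*key fingerprint is \([^ ]*\)\..*/\1/p'
}

# fingerprint_matches PROMPT RECORDED: succeeds only when the prompt carries
# a fingerprint and it is byte-for-byte the recorded one.
fingerprint_matches() {
    seen=$(extract_fingerprint "$1")
    [ -n "$seen" ] && [ "$seen" = "$2" ]
}

# answer_for_prompt PROMPT RECORDED: what to type at the prompt.
# Anything other than an exact match gets "no": a different fingerprint means
# a different machine (or something in between) answered, not your own Mac.
answer_for_prompt() {
    if fingerprint_matches "$1" "$2"; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone demonstration: sh check_fp.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "prompt shows : $(extract_fingerprint "$SAMPLE_PROMPT")"
    echo "recorded     : $RECORDED_FP"
    echo "type         : $(answer_for_prompt "$SAMPLE_PROMPT" "$RECORDED_FP")"
fi
```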

Tip

For a more thorough description of SSH and its options, fire up Terminal and type man ssh at the prompt.

Remote Control Program Killing

One of the most common uses of SSH is quitting a stuck program. Maybe it’s a program that doesn’t respond to the usual Force Quit commands—maybe even the Finder or Terminal. Or maybe, having just arrived in Accounting on the fifth floor, you realize that you accidentally left your web browser, open to Dilbert.com, up on your screen in clear view of passersby.

In any case, you’d fire up Terminal and proceed like this (what you type is shown in bold; the Mac’s responses are in normal type):

home-mac:~ chris$ ssh 172.24.30.182
The authenticity of host '172.24.30.182 (172.24.30.182)' can't be established.
RSA key fingerprint is d9:f4:11:b0:27:1a:f1:14:c3:cd:25:85:2b:78:4d:e7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.24.30.182' (RSA) to the list of known hosts.
chris@172.24.30.182's password: fisheggs
Last login: Thu Apr 22 17:23:38 2010
Welcome to Darwin!
office-mac:~ chris$ top -u

The top -u command displays a list of running programs. After a block of memory statistics, you might see a list like this:

 1156 top           6.6 00:00.27  1/1  0  28   29   1344K+  216K  2052K+  17M
  139 Terminal      2.4 00:34.24  5    1  130- 192-  11M-    28M   26M-    51M
  788 bash          0.0 00:00.02  1    0  20   24    656K    840K  1436K   17M
  787 login         0.0 00:00.04  2    1  34   62    880K    260K  2144K   49M
  283 Finder        0.0 00:23.02  9    3  247  666   33M     96M   81M     0M
  426 SystemUIServ  0.0 00:14.24  3    1  290  410   30M     47M   47M     112M
  151 Dock          0.0 00:05.95  4    2  201  851   22M     36M   59M     73M

As you can see, the Finder is process number 283. If that’s the stuck program, then you could quit it like so:

office-mac:~ chris$ kill 283

Or if you’re sure of the program’s exact name, just use the killall command with the program’s name instead of its process ID. To handle a stuck Finder, you would type this:

office-mac:~ chris$ killall Finder

Either way, the Finder promptly quits (and relaunches in a healthier incarnation, you hope). You could also, at this point, type sudo shutdown -h now to make your Mac, elsewhere on the network, shut down. (Terminal doesn’t type any kind of response.)

If you ended your SSH session by shutting down the other Mac, you can just close the Terminal window now. Otherwise, type exit to complete your SSH session.

Tip

Want a quicker, dirtier method of doing SSH that doesn’t even require knowing the other machine’s IP address? OK: Open Terminal. Choose Shell → New Remote Connection. In the list of connection types, choose ssh/ftp/telnet. Every Bonjour-enabled Mac on your network shows up; click one and then click Connect to connect!

Virtual Private Networking

After reading the previous pages, you might assume it’s a piece of cake for businesspeople to connect to their corporate networks across the internet from wherever they happen to be: their homes, hotel rooms, or their local Starbucks. But even though the steps on the preceding pages work fine if you’re dialing into your home machine, they’ll probably fail miserably when you want to connect to a corporate network. There’s one enormous obstacle in your way: internet security.

The typical corporate network is guarded by a team of steely-eyed administrators, for whom Job One is preventing access by unauthorized visitors. They perform this job primarily with the aid of a super-secure firewall that seals off the company’s network from the internet.

So how can you tap into the network from the road? One solution is to create a hole in the firewall for each authorized person—software that permits incoming internet traffic only from specified IP addresses like your Mac’s. Unfortunately, this setup isn’t bulletproof, security-wise. It’s also a pain for administrators to manage.

Back in the dial-up modem days, you could dial directly into the corporate network, modem-to-modem. That was plenty secure, but it bypassed the internet and therefore wound up being expensive. (Want proof? Make a call from the Tokyo Hilton to the Poughkeepsie Sheet Metal home office. Have a look at your hotel bill when you check out.)

Fortunately, there’s a third solution that’s both secure and cheap: a virtual private network, or VPN. Running a VPN allows you to create a super-secure “tunnel” from your Mac, across the internet, and straight into your corporate network. All data passing through this tunnel is heavily encrypted; to the internet eavesdropper, it looks like so much undecipherable gobbledygook.

And it’s free—whether you’re accessing the internet via your home DSL, a local ISP number from a hotel, or wirelessly from your stool at Starbucks.

Remember, though, that VPN is a corporate tool, run by corporate nerds. You can’t use this feature without these pieces in place:

  • A VPN server. If your tech department tells you it doesn’t have one, then that’s that—no tunneling for you.

    If they do have one, then you’ll need to know what type of server it is. MacOS’s VPN software can connect to VPN servers that speak PPTP (Point-to-Point Tunneling Protocol), L2TP/IPSec (Layer 2 Tunneling Protocol over IP Security), or Cisco IPSec. Most corporate VPN servers work with at least one of these protocols.

    You’ll also need to know the internet address of your VPN server (for example, vpn.ferrets-r-us.com).

  • An account on the remote network that allows VPN access. Your remote network can be set up in many different ways, but in every case, you’ll still need to confirm with your network administrator that your account on it allows VPN access.

  • All necessary account information. Make sure you have all the scraps of connection information you’ll need to dial in. That would include your user (account) name, at the very least. You may also need a Windows Domain name; VPN servers are often part of Microsoft Windows Server networks, which won’t let you in until you know this domain name.

    Some networks also may require that you type in the currently displayed password on an RSA SecurID card, which your administrator will provide. This James Bondish, credit card–like or flash drive–like thing displays a password that changes every few seconds, making it rather difficult for hackers to learn “the” password. (If your network doesn’t require a SecurID card, then you’ll need a standard password instead.)

    Finally, if your office offers L2TP connections, then you’ll need yet another password called a Shared Secret to ensure that the server you’re connecting to is really the server you intend to connect to.

Setting Up the VPN Connection

If you’re lucky, your company’s network geek has provided you with a VPN settings file, a little double-clickable icon that automatically opens the Network pane of System Preferences and fills in the blanks for you. If not, you can do all that manually:

Note

OpenVPN is a free, very popular VPN program. If your VPN uses OpenVPN, then you’ll need to get some connection software from your company’s network geeks.

  1. Open System Preferences. Click Network. Click the + below the list of connections at the left side.

    The “Select the interface” sheet appears.

  2. From the pop-up menu, choose VPN.

    Now a new pop-up menu appears, called VPN Type; you’re supposed to choose either L2TP over IPSec (Layer 2 Tunneling Protocol over IP Security), PPTP (Point-to-Point Tunneling Protocol), or Cisco IPSec (IP Security). Find out which system your company’s network uses.

    Note

    MacOS can’t connect to all Cisco setups; in some cases, you’ll still have to use Cisco’s own connection software to dial in.

  3. After you choose the type of VPN from the VPN Type pop-up menu, type a name for this connection (it can be anything you want). Click Create.

    You return to the main Network pane, where the settings boxes for your VPN are waiting (Figure 20-3).

    Figure 20-3. You’re on your way to joining the corporate network—from thousands of miles away. Virtual private networking is ideal for the paranoid (because it’s very secure) and the cheap (because you’re using the internet as a giant wire connecting you to your office).
  4. Fill in the server address and account name. Click Authentication Settings to specify your password and other security settings.

    Here, for example, is where you indicate that you have one of those SecurID cards.

  5. Click Connect. Turn on “Show VPN status in menu bar.”

    That checkbox makes the VPN menulet appear in your menu bar; it’s your ticket to getting connected (Figure 20-3, top).

Tip

If you always connect to the same VPN, you can turn on VPN on Demand. It autoconnects you to your corporate VPN every time you direct your web browser to a website, file server, or resource that requires the VPN connection, saving you some steps.

To set this up, click Advanced. (You can see this button in Figure 20-3.) Click VPN on Demand; click +. Enter the corporate VPN domain. You’re good to go—as long as you’ve got your network geek’s permission. (Some of them get understandably nervous about you storing your network password in your Keychain. It’s convenient, yes, but it could open up your company’s entire network to the evil intentions of whoever walks up to your laptop while you’re away from your desk.)

Close System Preferences. You’re ready to connect.

Connecting to a VPN

Connect the way you normally do—via cable modem, DSL, office network, modem, AirPort, or whatever. Once you’re online, choose your VPN’s name from the VPN menulet. You’ll be asked for your credentials: your password, for example, or the code displayed on your SecurID card.

If all goes well, several status messages go by. The last one says “Connected To” and gives the IP address of the network equipment you’ve reached out and touched.

At this point, you’re connected to the corporate network. You can perform the same network-related tasks you could if you were actually in that office: check your email, view internal corporate web pages, access internal FTP servers, make printouts on laser printers thousands of miles away, and so on.

Depending on your network, you might even be able to use your Sidebar to view a list of the other computers on the office network or see a list of networked printers.

If not, to access these services, you must know their IP addresses. For example, to connect to a shared folder on another computer, choose Go → Connect to Server, type its network address, and press Return.

Tip

To connect to a shared folder on a Windows machine, the address looks like this: smb://111.222.33.4/sales-docs. Of course, you’d substitute the correct IP address for the dummy one shown here and insert the actual name of the shared folder. (You can also use its DNS name instead of the IP address, if you know it, like this: smb://big-blue-server.ferret-lan.com/sales-docs.)

When you’re finished accessing the remote network, choose Disconnect from the VPN menulet. (Accessing other websites can be slow while you’re on a VPN.)

The Fine Points of VPN

For all the wonders of VPN, here are some possible complications:

  • If you’re using a router at home (a little box that shares one cable modem or DSL box with several computers), it might not be able to handle the tunneling protocols, or it might not have that feature turned on. Check the router’s manual, or ask its manufacturer for more information. For example, the first-generation (silver) AirPort base stations can’t handle VPNs at all.

  • If the corporate network doesn’t seem to like your name and password, you might need to add your NT domain name and a backslash to the beginning of your account name (like this: dom01\msmith) before trying again.

  • If you’re able to make the connection but experience trouble reaching services by their DNS names (for example, big-blue-server.com), then your Mac could be having difficulty finding the right DNS server. Working with your network administrator, open the Network pane of System Preferences. Click VPN, then Advanced, and then DNS; enter the desired DNS server addresses in the DNS Servers box. Click OK, then Apply, and then try the VPN connection again.

  • If you’re still having problems using the VPN, look at the logs (automatically kept technical records) for clues to share with your network administrator. To view these records, open the Console program (in Applications → Utilities). Click Show Log List, expand the /var/log section, and click ppp.log.
