JellyFiSSH: secure shell the easy way

Well normally I'd agree that a strong password would be enough to keep a service secure (in fact my VNC password is the same as my SSH password, and I have no problem opening port 22). But VNC is a special case. For a start any attack (and admittedly I said dictionary where I should have said probabilistic) wouldn't need to match a username/password combo, because VNC access on the mac is password-only. So a probabilistic attack only has to match one factor and that brings me to my second point: OS X's built-in VNC server has no way of preventing multiple attempts to access it with incorrect passwords. So a script can sit there randomly generating passwords, not having to bother about matching them with usernames, and throwing them at the VNC server until it grants access, and the script can know a machine's vulnerable for targeting because the machine will respond in the negative on port 5900. And in this scenario we're talking about a service that's supposed to be left on all the time so that it can be accessed conveniently. In that case my strong password on its own is not enough to give me peace of mind. But as I said, I realised what was wrong in my tunnel setup and 5900 does not have to be open to the world, so no harm done.

Dictionary attack? That's only a problem if your VNC server has a password that's in the dictionary.

One of my favorite flags for ssh (other than -L) is -D. Bam! I have a dynamic SOCKS proxy. oh, how sweet it is.

Ah, I realise what I was doing wrong. In the tunnel setup I had the remote address as the WAN side of my router, whereas it should have been the LAN side (ie 192.168.1.*), so SSH on the host was trying to go back out and in through the firewall.

This is great, but it seems to require keeping the VNC port - 5900 - open to the world on my server. Doesn't that make it vulnerable to a dictionary attack?

Also check out SSHKeychain (http://www.sshkeychain.org/) - it does a fine job at managing authentication keys as well as tunnels.