Inside Back to My Mac
Back to My Mac, a new feature in Leopard, performs the nifty magic of letting you remotely access other computers you own over a local network or the Internet by gaining access to their shared volumes and controlling their screens. Apple enabled this by using .Mac to handle a lot of the transactions needed to traverse the network address translation (NAT) that’s found in most home and small-business Wi-Fi and broadband gateways.
Back to My Mac is the first mainstream application to take advantage of a combination of several Apple-originated technologies that aim to publish locally discoverable services—services advertised by Bonjour over a local network—for global access.
The service requires a few steps to get up and running, after which we’ll walk through the security concerns raised about the service. For a technical look behind the scenes for how Back to My Mac works, read my companion article, Back to My Mac: Apple’s Internet Mashup.
Warning: Right upfront let me note that your mileage will vary with Back to My Mac. In testing and talking with colleagues about their experiences since Leopard was released, Back to My Mac does not work consistently or reliably in all cases. Apple will certainly be releasing bug fixes and improving the service, part of which relies on servers that they operate. Apple has acknowledged that improvements are coming.
Making the connection
Back to My Mac requires an active .Mac subscription, and only works by using the same account on each machine in a set that you want to have control over. E-mail-only .Mac accounts won’t work with Back to My Mac, although an Apple spokesperson said that they should. In some ways, Back to My Mac appears a work in progress; this may be one of them.
The service also requires either a public, routable IP address—a rare item on home networks and most work networks—or a broadband or Wi-Fi router that supports one of two port-mapping protocols noted just below.
After entering your .Mac account name and password, you can turn Back to My Mac on and off from the Back to My Mac tab in the .Mac preference pane.
Here are the steps to get Back to My Mac working:
File Sharing in Leopard allows you to choose specific volumes or folders to share, and to set permissions for who has access to those volumes or folders remotely. Back to My Mac should pick up those settings, but I’ve been unable to confirm whether it consistently offers all mounted volumes or just shared folders with the right permissions.
With Screen Sharing, you can choose which users to enable, or choose to allow all users remote access. If you exclude your account from Screen Sharing, you won’t be able to use it with Back to My Mac even if Screen Sharing is turned on.
Apple relies on one of two special protocols that allow Back to My Mac to punch through any gateways or routers on your local network: NAT-PMP (Network Address Translation Port Mapping Protocol) or UPnP (Universal Plug and Play). You need to make sure your router has one of these protocols built in and turned on. And the router has to be directly connected to your broadband modem, not one step removed in the network.
NAT-PMP must be turned on for Back to My Mac to work; it punches the service through a gateway so it’s reachable from the rest of the Internet.
NAT-PMP is an Apple-developed protocol, and is available in all AirPort Extreme and Express Base Stations but not in the earlier AirPort Base Station models. (See this Apple document for more details.) Follow these steps to enable it:
For other Wi-Fi and broadband routers, consult the manual for UPnP and how to turn it on. In many cases, it may be enabled by default.
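The NAT-PMP request that Back to My Mac sends to an AirPort base station is a small binary packet, and the reply tells you whether the gateway actually opened a port. The Python below is an added example, not Apple’s code or anything from the article; it encodes a mapping request for the UDP port the article names (4500) and decodes the gateway’s reply following the NAT-PMP packet layout, with the sample replies constructed inline rather than captured from a real router.

```python
import struct

NATPMP_VERSION = 0
OP_MAP_UDP = 1           # NAT-PMP opcode 1: map a UDP port
OP_MAP_TCP = 2           # NAT-PMP opcode 2: map a TCP port
IPSEC_NAT_T_PORT = 4500  # UDP port the article says Back to My Mac's IPsec tunnels use

RESULT_CODES = {
    0: "success",
    1: "unsupported version",
    2: "not authorized / refused",
    3: "network failure",
    4: "out of resources",
    5: "unsupported opcode",
}


def build_map_request(opcode, internal_port, external_port=0, lifetime=7200):
    """12-byte NAT-PMP mapping request: version, opcode, reserved, ports, lifetime.
    A lifetime of 0 asks the gateway to remove the mapping instead of creating it."""
    return struct.pack("!BBHHHI", NATPMP_VERSION, opcode, 0,
                       internal_port, external_port, lifetime)


def parse_map_response(data):
    """Decode the 16-byte NAT-PMP mapping reply and say whether a hole was opened."""
    if len(data) < 16:
        raise ValueError("short NAT-PMP response")
    version, opcode, result, uptime, internal, external, lifetime = \
        struct.unpack("!BBHIHHI", data[:16])
    if version != NATPMP_VERSION or opcode < 128:   # replies carry opcode + 128
        raise ValueError("not a NAT-PMP response")
    return {
        "opcode": opcode - 128,
        "result": result,
        "result_text": RESULT_CODES.get(result, "unknown"),
        "gateway_uptime": uptime,
        "internal_port": internal,
        "external_port": external,
        "lifetime": lifetime,
        "mapped": result == 0 and lifetime > 0,   # only then is the port reachable
    }


def sample_response(result, external_port, lifetime):
    """Constructed gateway reply for a UDP mapping request (not captured traffic)."""
    return struct.pack("!BBHIHHI", NATPMP_VERSION, 128 + OP_MAP_UDP, result,
                       123456, IPSEC_NAT_T_PORT, external_port, lifetime)


if __name__ == "__main__":
    print(build_map_request(OP_MAP_UDP, IPSEC_NAT_T_PORT, IPSEC_NAT_T_PORT).hex())
    print(parse_map_response(sample_response(0, 4500, 7200)))
    print(parse_map_response(sample_response(2, 0, 0)))
```

A reply with result 0 but lifetime 0 means the mapping was deleted, which is why `mapped` checks both fields.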
Now go through the steps to get Back to My Mac working; start with steps 1 to 5 (and optionally 6 and 7) above on another computer.
In any Finder window, the sidebar’s Shared section will show your computer using its Computer Name as defined in the Sharing preference pane. (If you don’t see the other computers you’ve enabled in this list, you may need to wait: Apple’s still improving the service to work with more routers and network peculiarities.) To use remote services, follow these steps:
For file sharing:
For screen sharing:
(You can use Screen Sharing with colleagues and friends via iChat using a somewhat different mechanism that can also traverse hidden networks like Back to My Mac. But you can’t pre-approve the connection.)
Almost immediately after Leopard shipped, security experts in the Mac community started raising concerns about Back to My Mac because it opens up tremendous remote access to machines that are otherwise passively protected by NAT. The fact that a .Mac password opens access provides a lot of leverage to a cracker. .Mac passwords and the .Mac authentication process have never been cracked, but social engineering or a malicious Web site taking advantage of an unpatched exploit could fool someone into revealing their password.
Let’s look first at Back to My Mac’s security provisions:
.Mac Password Authentication To use Back to My Mac, as noted earlier, you have to have an active .Mac account, and enter your account name and password in the .Mac preference pane. When you do so, Leopard uses a secure authentication process to validate your account information with .Mac, which, if successful, hands back a couple of digital certificates that are used to validate sharing sessions cryptographically. These can be viewed in Keychain Access: They’re named starting with your .Mac account name and then “(.Mac Sharing Key)” and “(.Mac Sharing Certificate).”
Kerberos Tickets Back to My Mac relies on a somewhat obscure security system developed at MIT that typically falls far below the purview of all but information technologists and security experts. Kerberos lets two parties who have previously identified themselves to each other—in this case, through digital certificates that Leopard has installed on each Back to My Mac computer—validate each other’s identity and share information securely. The system can issue tickets, which authorize specific access for specific periods of time.
For the very technical, this new utility hides the even higher complexity of a command-line tool found in Tiger.
In the case of Back to My Mac, the .Mac sharing key and certificate are used to validate one Back to My Mac computer to another, after which a ticket is issued that lasts for 10 hours and allows remote control or remote file sharing. Tickets can be viewed via Keychain Access by selecting Kerberos Ticket Viewer from the Keychain Access menu.
This new program lets you view entries, including those that have expired. For Back to My Mac, these entries start with
for file sharing and
for remote screen sharing. (Kerberos is also now used with Bonjour for local network file sharing, using tickets that are issued after you log into a server with a password.)
You can use the Kerberos Ticket Viewer to delete tickets and extend their lifespan.
IPsec Tunneling IPsec (short for IP security) is more commonly seen as part of the L2TP-over-IPsec (Layer 2 Tunneling Protocol over IPsec) virtual private network (VPN) protocol that’s used by Apple and other firms. IPsec lets two parties establish a secure connection, and Back to My Mac uses this connection for screen sharing and file serving.
Each pair of machines that has Back to My Mac enabled establishes its own secure tunnels. If you had five machines registered with Back to My Mac, and had file servers or screen sharing enabled among all of them—a pretty mammoth set of operations—you could have as many as 40 tunnels: two for each direction between each pair of machines (5 × 4 × 2)!
In general, the connection is only formed when a service is accessed; other Back to My Mac computers show up in the Shared area of the sidebar even before you connect to them. The secured tunnels are created only when you access a file server or remote screen.
Despite these strong measures, there are concerns about how the .Mac password winds up being the root for much more secure measures.
One troubling basic bit of bad behavior is that the Leopard firewall, about which much has been written critically already, doesn’t prevent the use of Back to My Mac even when its most restrictive setting is applied to block all incoming connections. Blocking UDP connections to port 4500 through a third-party firewall package will prevent Back to My Mac from functioning. (Newly updated firewall software for Leopard can accomplish this task. DoorStop X from Open Door [$49] and Intego NetBarrier X4 [$69.95] can both block ports.)
Given the variety of services that the Leopard firewall allows through when it shouldn’t, I would expect this Back to My Mac flaw to be fixed or at least better explained in a Leopard security update.
Less fundamental to Leopard, but more fundamental to security, is the concern that a single password for .Mac enables such broad access to one’s computer, despite the measures taken to secure the .Mac authentication process and Back to My Mac.
Rich Mogull, a security researcher who runs the Securiosis blog, said via e-mail, “I’m just uncomfortable with using certificate-only authentication to allow full remote access to my system. If they only added a password prompt for the remote system’s password, I’d be happy.” Mogull said he prefers at least two-factor authentication, in which two different elements are required to gain access, each of which has separate security mechanisms to protect the secret.
Alan Oppenheimer of Open Door Networks raised the alarm early on about Back to My Mac’s behavior on his company’s blog. He said via e-mail that there are too few steps involved in allowing remote access. (While Oppenheimer’s firm profits from selling firewall software, this particular issue is more of a gestalt security problem in which a firewall offers blanket protection instead of improving the security model.)
“The system assumes that since you, on both machines, successfully logged into .Mac and then enabled Back to My Mac, that you really don’t want to be bothered with any further authentication,” Oppenheimer wrote. “This is the part that’s just wrong from a security perspective, in our opinions of course. And definitely something Apple should have highlighted big-time if they had a different opinion.”
In addition to blocking port 4500 when Back to My Mac is not in use, as noted above, Oppenheimer also recommends changing your keychain password to something other than your Mac OS X account’s login password. This will prompt for a keychain password whenever you use Back to My Mac instead of connecting silently. (It might seem too much like Vista for some people, however, as you’ll be prompted and have to deny NetAuthAgent whenever it asks for access, as well as entering your keychain password as needed.)
Back to My Mac is a huge step forward for those people who maintain multiple mobile and fixed computers and need easy, secure access. Apple needs to improve the reliability of the service so that it’s consistently available. The company also needs to provide more documentation and more granularity. And, finally, it needs to add a “more paranoid” option that would give those who feel access to their remote information is too easy one more factor in controlling that access.
This article was reposted at 8:10 p.m. ET to add more information on how Back to My Mac handles File Sharing permission settings and to clarify the steps on using remote services for file sharing and screen sharing. A second update at 3:25 p.m. ET on November 8 clarified information about Kerberos.