Mac OS X includes the OpenSSH suite of command-line tools, most notably ssh for tunneling, a mechanism for securely shunting data across the Internet on behalf of other programs. Tunneling is useful for secure communications between two computers, and tunnels are often used for working around firewalls (which may allow ssh but block other useful services) and for providing secure communications to programs with less sophisticated encryption capabilities.
Unfortunately, establishing OpenSSH tunnels directly is complicated. For example, here’s a snippet of code I use to tunnel Screen Sharing (VNC) through firewalls and initiate a Screen Sharing connection:
alias ivnc='(sleep 4; open vnc://127.0.0.1:5901) & ssh -C -4 -L 5901:127.0.0.1:5901 inspector'
Code Sorcery Workshop’s Meerkat provides a more comprehensible way of doing the same thing. Meerkat’s well-designed Mac interface lets you more easily take advantage of OpenSSH tunneling, and offers a number of useful extra features including Bonjour auto-discovery.
To set up a tunnel using Meerkat you must first provide, in the program’s Accounts settings, an account name and address for the remote host to which you’re connecting. (The ssh program connects to the designated server using a specific Unix username.)
Next, you provide—using Meerkat’s Assistant or by filling in the appropriate fields in the Tunnel settings window—the necessary information to create the tunnel. Each tunnel requires a nickname as well as the address and port for the remote computer. The VNC tunnel in my example, above, gives me a connection to the VNC (Screen Sharing) service on a server named “inspector,” so I’ve called my tunnel “vnc@inspector.” You can also choose a different local port; for example, port 5900 is already busy on my Mac, so I chose port 5901 for the tunnel under This Mac. A useful option lets you enable Bonjour, so the tunnel’s service will appear in the Shared section of Finder sidebars on local Macs.
(If you’re confused that I entered localhost—rather than the address for the remote host, inspector—in the Hostname field, you’re not alone. One of the things that makes ssh tunneling complicated is that the “target” is determined from the perspective of the remote sshd server—in this case, inspector, as specified previously in Accounts settings. So most tunnels will have localhost or 127.0.0.1 in the Hostname field, with the remote computer designated in the associated Account.)
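The perspective rule above, written out with plain OpenSSH as an added example (not code from the article or from Meerkat). The host "inspector" and port 5901 come from the article; the function names and the control-socket path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names and socket location are hypothetical.

# forward_spec LOCAL_PORT TARGET_HOST TARGET_PORT
# Prints the argument for ssh -L. TARGET_HOST is resolved by the remote
# sshd, so 127.0.0.1 here means "the server itself", not this Mac.
forward_spec() {
    for p in "$1" "$3"; do
        case "$p" in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    # An explicit 127.0.0.1 bind keeps the local listener off the LAN even
    # if GatewayPorts is enabled in a client configuration file.
    printf '127.0.0.1:%s:%s:%s\n' "$1" "$2" "$3"
}

# Control socket used to find and stop the background tunnel later.
ctl_path() { printf '%s/.ssh/tunnel-%s.sock\n' "$HOME" "$1"; }

# tunnel_up ACCOUNT LOCAL_PORT TARGET_HOST TARGET_PORT
tunnel_up() {
    spec=$(forward_spec "$2" "$3" "$4") || return 1
    # -N: no remote shell; -f: go to the background after authentication.
    # ExitOnForwardFailure makes ssh exit with an error when the local port
    # is busy, rather than staying connected without the forward.
    ssh -f -N -M -S "$(ctl_path "$1")" \
        -o ExitOnForwardFailure=yes -L "$spec" "$1"
}

# tunnel_down ACCOUNT: ask the master connection to exit.
tunnel_down() { ssh -S "$(ctl_path "$1")" -O exit "$1"; }

# Usage:
#   tunnel_up inspector 5901 127.0.0.1 5901 && open vnc://127.0.0.1:5901
#   tunnel_down inspector
```

Because `tunnel_up` returns only once ssh has authenticated and moved to the background, the viewer can be opened right after it without a fixed sleep.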
Meerkat can also establish a tunnel automatically when a specified application launches. I’ve configured my Screen Sharing tunnel to be activated automatically whenever I start OS X’s Screen Sharing application.
Unfortunately, Meerkat’s Tunnel Setup Assistant is a bit less magical than I expected. For example, it would be much easier to use if instead of having to enter port numbers directly, you could just choose a service name, such as iTunes. It would also be helpful if the program provided a few built-in tunnel configurations, such as “Access Screen Sharing/VNC on [hostname],” “Stream from iTunes on [hostname],” or “Access IMAP email on [hostname].”
Meerkat also provides a meerkat command-line tool, which can be installed from the main Preferences window. Why, yes, it is a delightful, circular irony that the meerkat command-line tool drives the Meerkat graphical application which runs the system’s built-in ssh command-line tool. But meerkat vnc up and meerkat vnc down are indeed much simpler commands than ones like the example I provided above.
Still wondering if Meerkat might be useful to you? Here are some real-world scenarios where Meerkat could come in handy:
- If you have an account at an old-school ISP that offers ssh access but only standard POP/IMAP/SMTP, instead of the more-secure SSL/TLS variants, Meerkat can provide secure access to your e-mail.
- Mac OS X’s Screen Sharing (VNC) feature offers encryption for network transfers, but only when connecting between Macs. If you need to make secure VNC connections to Linux servers, Meerkat can provide the missing security.
- Using Bonjour, Meerkat can make an iTunes library at home available from work or on the road (you might also use DynDNS or an equivalent if your home IP address is not static).
If these types of scenarios sound useful or interesting, Meerkat offers a 14-day demo. If you end up successfully—and securely—streaming iTunes or connecting to previously inaccessible servers, Meerkat is worth the money.