Meerkat Digs SSH Tunnels

Apple includes the OpenSSH suite of tools in Mac OS X. OpenSSH's most commonly used functions are ssh for logging into remote servers, and sftp for moving files to and from remote servers; it also includes scp, a simpler alternative to sftp. But OpenSSH offers much more, including the ability to shunt data across the Internet on behalf of other programs, securely protected by the same encryption used for ssh and sftp -- commonly called 'tunneling'.

This tunneling capability is useful for accessing remote services, and making local services accessible to remote computers. Tunnels are often useful for working around firewalls (which may allow ssh but block other useful services), or providing security (encryption) to programs that don't provide it directly. Code Sorcery Workshop's Meerkat provides a well-designed Mac interface for taking advantage of OpenSSH tunneling, which can be very confusing to use. Additionally, Meerkat provides a few extra features; including Bonjour auto-discovery, as well as automatically starting & stopping tunnels when selected applications launch and quit.

Some real-world scenarios where Meerkat could be useful:

• If you have an account at an old-school ISP, which offers ssh access and POP/IMAP/SMTP, but not the secure SSL/TLS variants, Meerkat can provide secure access to the email account despite the ISP's failure to provide strong encryption.
• Using Bonjour, Meerkat can make an iTunes library at home available even from work or on the road (you might also use http://www.dyndns.com/ or an equivalent if your home IP address is not stable).
• Apple's Screen Sharing offers encryption for network transfers, but it's only compatible with Mac OS X. If you need to make secure VNC connections to Linux servers, or block direct access to the VNC port over the Internet, Meerkat can provide the additional security.
• If you don't have or want to use a full VPN, Meerkat can fake one by establishing several tunnels to private services through one ssh server.

Unfortunately, establishing OpenSSH tunnels directly is complicated. I use this handy recipe to rim Screen Sharing through firewalls with higher security; it also starts the Screen Sharing connection for me:

alias ivnc='(sleep 4; open vnc://127.0.0.1:5901) & ssh -C -4 -L 5901:127.0.0.1:5901 inspector'

But that's pretty inscrutable. Meerkat provides a more understandable way of doing the same thing. Because Meerkat can establish a tunnels when a specified application launches, this tunnel is configured to launch automatically after I start Screen Sharing. As a bonus, when the tunnel is up, Screen Sharing is available through the Finder sidebar under SHARED.

Installing Meerkat is pleasantly simple -- simply accept the license and drag the icon to the Applications folder. Meerkat also provides a meerkat command-line tool, which can be installed from its Preferences. It is a delightful circular irony that the meerkat command-line tool (#1) drives the Meerkat graphical application (#2) run the system's built-in ssh command-line tool (#3). But 'meerkat vnc up' and 'meerkat vnc down' are indeed much simpler.

Unfortunately, Meerkat's Tunnel Setup Assistant is a bit less magical than I expected. It doesn't accept service names, such as 'iTunes' or even 'daap', but instead requires you to enter port numbers directly. Also, it doesn't offer a menu of canned standard tunnel configurations, such as:

• Give me access to the iTunes library on host hostname.
• Give me access to a Mac VNC server on host hostname. (port 5900)
• Give me access to a non-Mac VNC server on host hostname. (generally port 5901)
• Expose my VNC port (5900) to remote servers.
• Give me access to the iTunes library on host hostname.
• Give me access to IMAP email on host hostname.

• PRODUCT: Meerkat 1.2.1
• RATING: 4.5 (if you need tunneling, it's useful)
• COMPANY: Code Sorcery Workshop
• OS COMPATIBILITY: 10.4

up