Apple speaks up on Back to My Mac
Apple has finally spoken up on Back to My Mac, sort of. Apparently, with the shipping of 10.5.1, they felt it was stable enough to send out an announcement about it to their .Mac users. Among other things, the announcement talks about the availability of the Back to My Mac User’s Guide. There’s also a tech note: About Back to My Mac security. Both of these are quite helpful in clarifying (if not completely fixing) the Back to My Mac “security hole” raised here.
The User’s Guide, which of course should have been there from day one, does not explicitly say that Back to My Mac ignores your machine’s login name and password for File Sharing and Screen Sharing, but its step-by-step instructions make it pretty clear that this is the case. (Confusingly, the video on the site still shows, and talks about, entering this machine password.)
The tech note emphasizes the newfound importance of your .Mac password, finally making the key statement that should have been made right from the beginning:
Choose a good password for your .Mac account. Anyone who knows your .Mac password can access all the computers in your BTMM network, therefore it is very important to choose a strong password and keep it safe.
The User’s Guide says pretty much the same thing, but with insufficient emphasis (especially since many more people will read it than the tech note):
Back to My Mac uses advanced authentication and data encryption technologies to protect your data. However, creating a good password is essential to keeping your data safe.
If your Mac is lost or stolen, you should immediately change your password to prevent unauthorized access to your other computers.
It would still clearly be better if Apple let users who want stronger security require their machine’s password for Back to My Mac access, but at least the issues are getting better documented and understood. (The User’s Guide and tech note, for instance, confirm that you can use a traditional firewall, but not the built-in one, to block UDP port 4500 if you want to block or limit Back to My Mac.)
A final piece of security advice from the User’s Guide is quite confusing, however: after instructing the user to enable File Sharing and/or Screen Sharing, the Guide goes on to say:
Important: For added security, you should select the “Only these users” button under “Allow access for” and add your user name to the list.
First, this option is only available for Screen Sharing, not File Sharing. Second, for Screen Sharing, if you add your own name to the list, things behave exactly as they did before (no additional name/password required). Interestingly, however, if you add only a different name to the list (for instance a sharing-only user, or another account on the machine), then the additional name/password is required. In other words, things actually work “the way they should,” although only for Screen Sharing, and only when your own account is not on the list.
Perhaps most telling of all, the tech note suggests an alternative “patch” for Back to My Mac’s ignoring of your machine’s password for Screen Sharing: lock your Mac’s screen through the screen saver, thereby requiring anyone who accesses it remotely to enter the machine password after all! It offers no such workaround for File Sharing, however.
Monday, November 19, 2007