Back-to-My-Mac and ssh both require that you know the username AND the password. BTMM as you have observed can have additional factors to the login.
BTMM and ssh both encrypt the entire connected session, including the username/password actions.
VNC (AND I DO NOT MEAN Screen Sharing)
VNC does NOT require a username, just the password.
VNC sends the password across the internet as clear text. No encryption.
VNC does NOT encrypt the rest of the session. While VNC traffic is not clear text, it is not encrypted, so it can be viewed with the correct software.
Screen Sharing does require a username/password, and the username/password exchange is encrypted.
By default Screen Sharing does not encrypt the rest of the session, but you can go to the Screen Sharing preferences and change that.
Back-to-My-Mac does not require you to open any ports in your router. The initial connection is established via Apple servers which facility finding the remote Mac and then after telling both systems where the other is locate, the Apple servers step out of the way.
ssh uses a known port (22) and will be the subject of constant probes, just the the VNC port (5900).
I personally take advantage of the fact that every ssh client will allow you to specify an alternate port for the connection
ssh -p 23456 remote.host.name
scp -P 23456 remote.host.name:file.to.copy /local/dir
scp -P 23456 /local/dir/file.to.copy remote.host.name:/remote/dir
sftp -P 23456 remote.host.name
And every ssh GUI client I've seen also allows specifying the port to be used.
Now you just tell your router to accept connections on port 23456 and direct them to port 22 on the Mac of your choice. Most routers will allow you to do this internet port A directed to local Mac port B.
Because you have NOT opened a known port on your router, it is much less likely to be probed non-stop looking for an opening. This is NOT security, it is just keeping the useless noise to a minimum.
23456 is just an example of a high port number. Just pick a number less then 65535 and you should be fine.
Since you are using ssh, why not tunnel your VNC transport over ssh, and then you do NOT need to open the VNC port on your router at all. And as an added benefit, all your VNC traffic is encrypted including the password on the initial connection.
ssh -p 23456 -L 34567:localhost:5900 remote.host.name
open vnc://localhost:34567
The ssh command will establish an ssh connection to the remote Mac using the 23456 router port you have opened and directed to port 22 of the remote Mac.
The -L 34567:localhost:5900 ssh option will create an encrypted ssh tunnel connecting the local Mac's port 34567 to the remote Mac's port 5900 (the remote Mac's VNC port).
At no time will your remote Mac's VNC port be exposed to the internet, as you will not have opened 5900 on your router. You will ONLY be able to access it via the ssh tunnel, and the ssh connection is much more secure than VNC, especially if you use a good password, and you take the precaution of using a non-standard port on your router for ssh connections.
You can create multiple tunnels on the same ssh command line. For example, you could create a file sharing tunnel as well
ssh -p 23456 -L 34567:localhost:5900 -L 45678:localhost:548 remote.host.name
open afp://localhost:45678
open vnc://localhost:34567
This will create 2 tunnels. One for VNC, and one for Appleshare File Protocol (AFP).
The open commands will start a file sharing connection and a VNC connection to the remote Mac using the ssh tunnels. Again, you do not open any new ports, just the ssh port and all communications are encrypted end-to-end.
If you are using a non-Mac computer to make these connections, then you will have to use my suggestions as a guide, and translate them to the PuTTY or Linux or other Unix command set.
All non-standard high port numbers are examples, and you should choose for yourself, just so long as you can remember them.
