1. Install socat and dtach on all hosts, and openssl on at least one host. And vim on the server!

2. Generate two self-signed keypairs. You can accept all default values.

   for h in server client; do
   openssl req -newkey rsa:2048 -nodes -keyout $h-key.pem -x509 -days 365 -out $h-cert.pem
   done

3. Place server-cert.pem, server-key.pem, and client-cert.pem on one host. Place client-cert.pem, client-key.pem, and server-cert.pem on the other host. Repeat as many times as desired, reusing the server-* files and generating a new set of client-* files for each client.

4. On the server, run

   socat OPENSSL-LISTEN:12346,method=TLS1.2,cert=server-certificate.pem,key=server-key.pem,cafile=client-certificate.pem,verify=1,cipher=HIGH,commonname='' UNIX-CONNECT:dtach-vim
   dtach -c dtach-vim vim

   Note the use of commonname=''; in socat >= 1.7.3.0, this must match the certificate.

5. On the client(s), run

   socat UNIX-LISTEN:dtach-vim OPENSSL:server-hostname:12346,method=TLS1.2,cert=client-certificate.pem,key=client-key.pem,cafile=server-certificate.pem,commonname=''
   dtach -a dtach-vim

6. The server and client(s) now all have simultaneous full access to the server's dtach session. vim is only running on the server. If you're pair programming, remember that there is only one cursor!

7. Consider running vim in restricted mode (-Z, http://vimdoc.sourceforge.net/htmldoc/starting.html#-Z) if you don't trust the other participants. If you do trust them, then you can just give them ssh access and skip most of the trouble.