TweetFollow Us on Twitter

Review: VNC Over SSH: The next best thing to being there

Volume Number: 20 (2004)
Issue Number: 7
Column Tag: Review

Review: VNC Over SSH: The next best thing to being there

by Aaron Adams

Securely control a remote Mac with two pieces of free software

The ability to remotely control a machine can come in handy for a variety of reasons, whether the purpose is system administration, or helping a friend. Apple's most recent remote control offering, Remote Desktop 2.0, can be overkill when it comes to a simple one-to-one connection between machines. Most users won't need all the features included in Remote Desktop; it's intended for labs and other environments that require the management of large numbers of machines at once, not the remote control of a single machine. Freeware VNC, on the other hand, fits the one-to-one bill perfectly. VNC stands for Virtual Network Computing, and it allows a user to control a remote machine as if he were sitting at the desk in front of it.

VNC is certainly a useful tool for those who need something simpler than Remote Desktop. However, it's the wild wild web out there, and security is a major consideration. VNC was developed at a time when security wasn't the same priority as it is now, and the data transmitted between a VNC server and client is unencrypted. Passing login names and passwords, or other sensitive data, over the public Internet in the clear isn't a good idea, and neither is advertising the fact that a machine can be controlled via VNC by leaving its corresponding TCP port open. Is there some way to keep VNC traffic from prying eyes?

Yes! The solution comes in the form of another piece of freeware included with every Mac: Secure Shell. SSH is the encrypted replacement for plain-text telnet, a command line utility used frequently on the old text-based Internet, with a few added features thrown in for good measure, including the ability to encrypt traffic generated by other protocols. This process is called tunneling because the data travels inside an encrypted virtual pathway created by the communicating SSH pieces. To force VNC to use the tunnel, it has to be instructed to connect to the local machine at a certain port. SSH intercepts the traffic from the VNC client at that port, encrypts it, sends it to the SSH server at the other end of the connection, where it is decrypted and passed to the VNC server. Besides encryption, one other advantage of using SSH to tunnel other protocols is that a server only needs to expose a single port for SSH instead of an individual port for each service offered, such as additional ports for each possible VNC session. This prevents port scanners, and other miscreants, from discovering VNC on a target machine.

Making this encryption happen requires use of the *gasp!* command line! Most Mac users cringe at the thought of using the command line because it's so "un-Mac-like", but it's a powerful tool that's not very hard to learn, and quickly becomes an excellent exercise in abstract thinking. Don't shy away from encrypting VNC sessions because of Terminal fright.

On the remote machine...

Two things are required on the remote machine to prepare it to accept an encrypted VNC session: An SSH server and a VNC server. Enabling SSH on any Mac is as simple as going in to System Preferences, bringing the Sharing pane, and checking the box next to Remote Login. Make sure the connecting user has a username and password available on the remote box.

As for VNC, a great server is OSXvnc, available at popular download sites, such as Version Tracker or MacUpdate. OSXvnc is a straightforward application, and most of the options it presents are obvious and don't require an explanation. The two important things to point out are that, under the General tab, the port should be set to 5900 for the purposes of this tutorial, and that, under the Sharing tab, the Only allow local connections (SSH) box should be checked. Checking this box is important because it requires that the VNC session be encrypted via SSH and won't allow any unencrypted sessions to be established. It won't even let the VNC server advertise the usual VNC port. VNC remains totally hidden to the outside world.

OSXvnc has the option to require a password before the VNC session can be established. Providing a password is strongly recommended. A Startup item can also be configured that starts the server with the machine, and it includes a keepalive script that restarts the server should it close for some reason.

On the local machine...

Locally, a VNC client is needed to connect to the remote machine. VNC clients are a matter of personal preference, and again, popular download sites such as VersionTracker and MacUpdate have a selection.

And now for the part everyone has been dreading... the *gasp!* command line part! The following command serves to establish the tunnel between machines. Perhaps the best way to explain the command is to write it out and then dissect it piece by piece.

The following line needs to be entered in the Terminal:

    ssh -NfL 5900:127.0.0.1:5900 user@remote.host

    ssh - The command that starts the SSH client to create the tunnel.

    * Start SSH with these options:

    N Do not present the user with a command prompt on the remote machine after login is complete.

    f After the user authenticates, put the SSH process, and hence the tunnel, into the background to free up the local command prompt for other uses.

    L Forward a local port to a remote address, creating the tunnel.

    5900: - The port on the local machine where SSH will listen for traffic. This port can be anything >1025, but for this example 5900 has been chosen because it is the port typically used for VNC traffic.

    127.0.0.1 - The address of the machine that is the ultimate destination for the connection. This particular IP is a loopback address because in this case, the VNC client will be connecting to the same machine the SSH server is running on. Due to an SSH oddity, localhost is not valid here, you must use the loopback IP.

    :5900 - The port where the VNC server is listening on the remote machine. Again, 5900 is typically the port VNC uses.

    user - The username allowed SSH access on the remote machine.

    @ "at".

    remote.host - The hostname or IP address of the remote machine running the SSH server.

Fill in the variables with the correct values to establish an SSH tunnel for VNC. After pressing enter, a prompt requesting a password will appear. This is the SSH password for the user on the remote machine.

On the local machine, start the VNC client. Where it asks for a server, enter localhost. (Previous instructions said localhost could not be used at the command line because of an SSH weirdness, but it can be used with the VNC client. Just know that localhost is the same thing as 127.0.0.1. They are both a designator for the local machine.) Where it asks for a port, enter 5900, or if it asks for a display, enter display 0. Click the connect button, and enter the password for the VNC server. Congratulations, it's a tunnel!

Aaron Adams is a LAN administrator, a self-employed Macintosh consultant in Dayton, Ohio, and a former star of Apple's "Switch" ad campaign. He can be reached via e-mail at adamsa@mac.com.

 
AAPL
$501.11
Apple Inc.
+2.43
MSFT
$34.64
Microsoft Corpora
+0.15
GOOG
$898.03
Google Inc.
+16.02

MacTech Search:
Community Search:

Software Updates via MacUpdate

CrossOver 12.5.1 - Run Windows apps on y...
CrossOver can get your Windows productivity applications and PC games up and running on your Mac quickly and easily. CrossOver runs the Windows software that you need on Mac at home, in the office,... Read more
Paperless 2.3.1 - Digital documents mana...
Paperless is a digital documents manager. Remember when everyone talked about how we would soon be a paperless society? Now it seems like we use paper more than ever. Let's face it - we need and we... Read more
Apple HP Printer Drivers 2.16.1 - For OS...
Apple HP Printer Drivers includes the latest HP printing and scanning software for Mac OS X 10.6, 10.7 and 10.8. For information about supported printer models, see this page.Version 2.16.1: This... Read more
Yep 3.5.1 - Organize and manage all your...
Yep is a document organization and management tool. Like iTunes for music or iPhoto for photos, Yep lets you search and view your documents in a comfortable interface, while offering the ability to... Read more
Apple Canon Laser Printer Drivers 2.11 -...
Apple Canon Laser Printer Drivers is the latest Canon Laser printing and scanning software for Mac OS X 10.6, 10.7 and 10.8. For information about supported printer models, see this page.Version 2.11... Read more
Apple Java for Mac OS X 10.6 Update 17 -...
Apple Java for Mac OS X 10.6 delivers improved security, reliability, and compatibility by updating Java SE 6.Version Update 17: Java for Mac OS X 10.6 Update 17 delivers improved security,... Read more
Arq 3.3 - Online backup (requires Amazon...
Arq is online backup for the Mac using Amazon S3 and Amazon Glacier. It backs-up and faithfully restores all the special metadata of Mac files that other products don't, including resource forks,... Read more
Apple Java 2013-005 - For OS X 10.7 and...
Apple Java for OS X 2013-005 delivers improved security, reliability, and compatibility by updating Java SE 6 to 1.6.0_65. On systems that have not already installed Java for OS X 2012-006, this... Read more
DEVONthink Pro 2.7 - Knowledge base, inf...
Save 10% with our exclusive coupon code: MACUPDATE10 DEVONthink Pro is your essential assistant for today's world, where almost everything is digital. From shopping receipts to important research... Read more
VirtualBox 4.3.0 - x86 virtualization so...
VirtualBox is a family of powerful x86 virtualization products for enterprise as well as home use. Not only is VirtualBox an extremely feature rich, high performance product for enterprise customers... Read more
 

See All

Briquid Gets Updated with New Undo Butto...
Briquid Gets Updated with New Undo Button, Achievements, and Leaderboards, on Sale for $0.99 Posted by Andrew Stevens on October 16th, 2013 [ | Read more »
Halloween – iLovecraft Brings Frightenin...
Halloween – iLovecraft Brings Frightening Stories From Author H.P. | Read more »
The Blockheads Creator David Frampton Gi...
The Blockheads Creator David Frampton Gives a Postmortem on the Creation Process of the Game Posted by Andrew Stevens on October 16th, 2013 [ permalink ] Hey, a | Read more »
Sorcery! Enhances the Gameplay in Latest...
Sorcery! | Read more »
It Came From Australia: Tiny Death Star
NimbleBit and Disney have teamed up to make Star Wars: Tiny Death Star, a Star Wars take on Tiny Tower. Right now, the game is in testing in Australia (you will never find a more wretched hive of scum and villainy) but we were able to sneak past... | Read more »
FIST OF AWESOME Review
FIST OF AWESOME Review By Rob Rich on October 16th, 2013 Our Rating: :: TALK TO THE FISTUniversal App - Designed for iPhone and iPad A totalitarian society of bears is only the tip of the iceberg in this throwback brawler.   | Read more »
PROVERBidioms Paints English Sayings in...
PROVERBidioms Paints English Sayings in a Picture for Users to Find Posted by Andrew Stevens on October 16th, 2013 [ permalink ] | Read more »
OmniFocus 2 for iPhone Review
OmniFocus 2 for iPhone Review By Carter Dotson on October 16th, 2013 Our Rating: :: OMNIPOTENTiPhone App - Designed for the iPhone, compatible with the iPad OmniFocus 2 for iPhone is a task management app for people who absolutely... | Read more »
Ingress – Google’s Augmented-Reality Gam...
Ingress – Google’s Augmented-Reality Game to Make its Way to iOS Next Year Posted by Andrew Stevens on October 16th, 2013 [ permalink ] | Read more »
CSR Classics is Full of Ridiculously Pre...
CSR Classics is Full of Ridiculously Pretty Classic Automobiles Posted by Rob Rich on October 16th, 2013 [ permalink ] | Read more »
See All

Price Scanner via MacPrices.net

Apple Store Canada offers refurbished 11-inch...
 The Apple Store Canada has Apple Certified Refurbished 2013 11″ MacBook Airs available starting at CDN$ 849. Save up to $180 off the cost of new models. An Apple one-year warranty is included with... Read more
Updated MacBook Price Trackers
We’ve updated our MacBook Price Trackers with the latest information on prices, bundles, and availability on MacBook Airs, MacBook Pros, and the MacBook Pros with Retina Displays from Apple’s... Read more
13-inch Retina MacBook Pros on sale for up to...
B&H Photo has the 13″ 2.5GHz Retina MacBook Pro on sale for $1399 including free shipping. Their price is $100 off MSRP. They have the 13″ 2.6GHz Retina MacBook Pro on sale for $1580 which is $... Read more
AppleCare Protection Plans on sale for up to...
B&H Photo has 3-Year AppleCare Warranties on sale for up to $105 off MSRP including free shipping plus NY sales tax only: - Mac Laptops 15″ and Above: $244 $105 off MSRP - Mac Laptops 13″ and... Read more
Apple’s 64-bit A7 Processor: One Step Closer...
PC Pro’s Darien Graham-Smith reported that Canonical founder and Ubuntu Linux creator Mark Shuttleworth believes Apple intends to follow Ubuntu’s lead and merge its desktop and mobile operating... Read more
MacBook Pro First, Followed By iPad At The En...
French site Info MacG’s Florian Innocente says he has received availability dates and order of arrival for the next MacBook Pro and the iPad from the same contact who had warned hom of the arrival of... Read more
Chart: iPad Value Decline From NextWorth
With every announcement of a new Apple device, serial upgraders begin selling off their previous models – driving down the resale value. So, with the Oct. 22 Apple announcement date approaching,... Read more
SOASTA Survey: What App Do You Check First in...
SOASTA Inc., the leader in cloud and mobile testing announced the results of its recent survey showing which mobile apps are popular with smartphone owners in major American markets. SOASTA’s survey... Read more
Apple, Samsung Reportedly Both Developing 12-...
Digitimes’ Aaron Lee and Joseph Tsai report that Apple and Samsung Electronics are said to both be planning to release 12-inch tablets, and that Apple is currently cooperating with Quanta Computer on... Read more
Apple’s 2011 MacBook Pro Lineup Suffering Fro...
Appleinsider’s Shane Cole says that owners of early-2011 15-inch and 17-inch MacBook Pros are reporting issues with those models’ discrete AMD graphics processors, which in some cases results in the... Read more
 

Jobs Board

*Apple* Retail - Manager - Apple (United Sta...
Job SummaryKeeping an Apple Store thriving requires a diverse set of leadership skills, and as a Manager, youre a master of them all. In the stores fast-paced, dynamic Read more
*Apple* Support / *Apple* Technician / Mac...
Apple Support / Apple Technician / Mac Support / Mac Set up / Mac TechnicianMac Set up and Apple Support technicianThe person we are looking for will have worked Read more
Senior Mac / *Apple* Systems Engineer - 318...
318 Inc, a top provider of Apple solutions is seeking a new Senior Apple Systems Engineer to be based out of our Santa Monica, California location. We are a Read more
*Apple* Retail - Manager - Apple Inc. (Unite...
Job Summary Keeping an Apple Store thriving requires a diverse set of leadership skills, and as a Manager, you’re a master of them all. In the store’s fast-paced, Read more
*Apple* Solutions Consultant - Apple (United...
**Job Summary** Apple Solutions Consultant (ASC) - Retail Representatives Apple Solutions Consultants are trained by Apple on selling Apple -branded products Read more

  • Generate a short URL for this page:



All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.