Review: VNC Over SSH: The next best thing to being there

Volume Number: 20 (2004)
Issue Number: 7
Column Tag: Review

by Aaron Adams

Securely control a remote Mac with two pieces of free software

The ability to remotely control a machine can come in handy for a variety of reasons, whether the purpose is system administration, or helping a friend. Apple's most recent remote control offering, Remote Desktop 2.0, can be overkill when it comes to a simple one-to-one connection between machines. Most users won't need all the features included in Remote Desktop; it's intended for labs and other environments that require the management of large numbers of machines at once, not the remote control of a single machine. Freeware VNC, on the other hand, fits the one-to-one bill perfectly. VNC stands for Virtual Network Computing, and it allows a user to control a remote machine as if he were sitting at the desk in front of it.

VNC is certainly a useful tool for those who need something simpler than Remote Desktop. However, it's the wild wild web out there, and security is a major consideration. VNC was developed at a time when security wasn't the same priority as it is now, and the data transmitted between a VNC server and client is unencrypted. Passing login names and passwords, or other sensitive data, over the public Internet in the clear isn't a good idea, and neither is advertising the fact that a machine can be controlled via VNC by leaving its corresponding TCP port open. Is there some way to keep VNC traffic from prying eyes?

Yes! The solution comes in the form of another piece of freeware included with every Mac: Secure Shell. SSH is the encrypted replacement for plain-text telnet, a command line utility used frequently on the old text-based Internet, with a few added features thrown in for good measure, including the ability to encrypt traffic generated by other protocols. This process is called tunneling because the data travels inside an encrypted virtual pathway created by the communicating SSH pieces. To force VNC to use the tunnel, it has to be instructed to connect to the local machine at a certain port. SSH intercepts the traffic from the VNC client at that port, encrypts it, and sends it to the SSH server at the other end of the connection, where it is decrypted and passed to the VNC server. Besides encryption, one other advantage of using SSH to tunnel other protocols is that a server only needs to expose a single port for SSH instead of an individual port for each service offered, such as additional ports for each possible VNC session. This prevents port scanners, and other miscreants, from discovering VNC on a target machine.

Making this encryption happen requires use of the *gasp!* command line! Most Mac users cringe at the thought of using the command line because it's so "un-Mac-like", but it's a powerful tool that's not very hard to learn, and quickly becomes an excellent exercise in abstract thinking. Don't shy away from encrypting VNC sessions because of Terminal fright.

On the remote machine...

Two things are required on the remote machine to prepare it to accept an encrypted VNC session: an SSH server and a VNC server. Enabling SSH on any Mac is as simple as going into System Preferences, bringing up the Sharing pane, and checking the box next to Remote Login. Make sure the connecting user has a username and password available on the remote box.

As for VNC, a great server is OSXvnc, available at popular download sites, such as VersionTracker or MacUpdate. OSXvnc is a straightforward application, and most of the options it presents are obvious and don't require an explanation. The two important things to point out are that, under the General tab, the port should be set to 5900 for the purposes of this tutorial, and that, under the Sharing tab, the Only allow local connections (SSH) box should be checked. Checking this box is important because it requires that the VNC session be encrypted via SSH and won't allow any unencrypted sessions to be established. It won't even let the VNC server advertise the usual VNC port. VNC remains totally hidden to the outside world.

OSXvnc has the option to require a password before the VNC session can be established. Providing a password is strongly recommended. A Startup item can also be configured that starts the server with the machine, and it includes a keepalive script that restarts the server should it close for some reason.

On the local machine...

Locally, a VNC client is needed to connect to the remote machine. VNC clients are a matter of personal preference, and again, popular download sites such as VersionTracker and MacUpdate have a selection.

And now for the part everyone has been dreading... the *gasp!* command line part! The following command serves to establish the tunnel between machines. Perhaps the best way to explain the command is to write it out and then dissect it piece by piece.

The following line needs to be entered in the Terminal:

    ssh -NfL 5900:

    ssh - The command that starts the SSH client to create the tunnel.

    * Start SSH with these options:

    N Do not present the user with a command prompt on the remote machine after login is complete.

    f After the user authenticates, put the SSH process, and hence the tunnel, into the background to free up the local command prompt for other uses.

    L Forward a local port to a remote address, creating the tunnel.

    5900: - The port on the local machine where SSH will listen for traffic. This port can be anything >1025, but for this example 5900 has been chosen because it is the port typically used for VNC traffic.

    - The address of the machine that is the ultimate destination for the connection. This particular IP is a loopback address because in this case, the VNC client will be connecting to the same machine the SSH server is running on. Due to an SSH oddity, localhost is not valid here; you must use the loopback IP.

    :5900 - The port where the VNC server is listening on the remote machine. Again, 5900 is typically the port VNC uses.

    user - The username allowed SSH access on the remote machine.

    @ - "at".

    - The hostname or IP address of the remote machine running the SSH server.

Fill in the variables with the correct values to establish an SSH tunnel for VNC. After pressing enter, a prompt requesting a password will appear. This is the SSH password for the user on the remote machine.

On the local machine, start the VNC client. Where it asks for a server, enter localhost. (Previous instructions said localhost could not be used at the command line because of an SSH weirdness, but it can be used with the VNC client. Just know that localhost is the same thing as They are both a designator for the local machine.) Where it asks for a port, enter 5900, or if it asks for a display, enter display 0. Click the connect button, and enter the password for the VNC server. Congratulations, it's a tunnel!
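As an added example (not part of the original article), the shell sketch below assembles the tunnel command dissected above and, for use on the remote machine, classifies `netstat -an` output to confirm that the VNC port is bound to loopback only, which is what the Only allow local connections (SSH) box is meant to ensure. The loopback IP 127.0.0.1, the host remote.example.com, the user name, the ExitOnForwardFailure option and the netstat sample lines are assumptions or constructed values, not taken from the article.

```shell
#!/bin/sh
# Added example, not from the article. user, remote.example.com and the
# netstat lines below are constructed placeholders.

# Print the tunnel command for the given user/host/ports (default 5900).
# Rejects empty names, names starting with "-" and out-of-range ports.
build_tunnel_cmd() {
    user=$1; host=$2; lport=${3:-5900}; rport=${4:-5900}
    for s in "$user" "$host"; do
        case "$s" in ""|-*|*[!A-Za-z0-9._-]*) echo "bad name: $s" >&2; return 1 ;; esac
    done
    for p in "$lport" "$rport"; do
        case "$p" in ""|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    # ExitOnForwardFailure: ssh exits instead of backgrounding a tunnel
    # whose local port could not be opened (for example, already in use).
    echo "ssh -o ExitOnForwardFailure=yes -NfL ${lport}:127.0.0.1:${rport} ${user}@${host}"
}

# Read `netstat -an` output (macOS/BSD layout, local address as addr.port)
# on stdin and report how the given port is bound.
vnc_exposure() {
    port=${1:-5900}
    awk -v port="$port" '
        $NF == "LISTEN" {
            n = split($4, a, ".")
            if (a[n] != port) next
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "::1") lo = 1
            else ex = 1          # "*" or a routable address: reachable off-box
        }
        END { print (ex ? "exposed" : (lo ? "loopback-only" : "not-listening")) }'
}

sample_netstat() {   # constructed netstat lines; $1 is the bind address
    printf '%s\n' \
      'tcp4       0      0  *.22                   *.*                    LISTEN' \
      "tcp4       0      0  $1.5900         *.*                    LISTEN"
}

build_tunnel_cmd user remote.example.com
sample_netstat 127.0.0.1 | vnc_exposure 5900   # loopback-only
sample_netstat '*'       | vnc_exposure 5900   # exposed
```

On a real remote Mac, pipe the live output instead of the sample: `netstat -an | vnc_exposure 5900`.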

Aaron Adams is a LAN administrator, a self-employed Macintosh consultant in Dayton, Ohio, and a former star of Apple's "Switch" ad campaign. He can be reached via e-mail at

