TweetFollow Us on Twitter

Review: VNC Over SSH: The next best thing to being there

Volume Number: 20 (2004)
Issue Number: 7
Column Tag: Review

Review: VNC Over SSH: The next best thing to being there

by Aaron Adams

Securely control a remote Mac with two pieces of free software

The ability to remotely control a machine can come in handy for a variety of reasons, whether the purpose is system administration, or helping a friend. Apple's most recent remote control offering, Remote Desktop 2.0, can be overkill when it comes to a simple one-to-one connection between machines. Most users won't need all the features included in Remote Desktop; it's intended for labs and other environments that require the management of large numbers of machines at once, not the remote control of a single machine. Freeware VNC, on the other hand, fits the one-to-one bill perfectly. VNC stands for Virtual Network Computing, and it allows a user to control a remote machine as if he were sitting at the desk in front of it.

VNC is certainly a useful tool for those who need something simpler than Remote Desktop. However, it's the wild wild web out there, and security is a major consideration. VNC was developed at a time when security wasn't the same priority as it is now, and the data transmitted between a VNC server and client is unencrypted. Passing login names and passwords, or other sensitive data, over the public Internet in the clear isn't a good idea, and neither is advertising the fact that a machine can be controlled via VNC by leaving its corresponding TCP port open. Is there some way to keep VNC traffic from prying eyes?

Yes! The solution comes in the form of another piece of freeware included with every Mac: Secure Shell. SSH is the encrypted replacement for plain-text telnet, a command line utility used frequently on the old text-based Internet, with a few added features thrown in for good measure, including the ability to encrypt traffic generated by other protocols. This process is called tunneling because the data travels inside an encrypted virtual pathway created by the communicating SSH pieces. To force VNC to use the tunnel, it has to be instructed to connect to the local machine at a certain port. SSH intercepts the traffic from the VNC client at that port, encrypts it, sends it to the SSH server at the other end of the connection, where it is decrypted and passed to the VNC server. Besides encryption, one other advantage of using SSH to tunnel other protocols is that a server only needs to expose a single port for SSH instead of an individual port for each service offered, such as additional ports for each possible VNC session. This prevents port scanners, and other miscreants, from discovering VNC on a target machine.

Making this encryption happen requires use of the *gasp!* command line! Most Mac users cringe at the thought of using the command line because it's so "un-Mac-like", but it's a powerful tool that's not very hard to learn, and quickly becomes an excellent exercise in abstract thinking. Don't shy away from encrypting VNC sessions because of Terminal fright.

On the remote machine...

Two things are required on the remote machine to prepare it to accept an encrypted VNC session: An SSH server and a VNC server. Enabling SSH on any Mac is as simple as going in to System Preferences, bringing the Sharing pane, and checking the box next to Remote Login. Make sure the connecting user has a username and password available on the remote box.

As for VNC, a great server is OSXvnc, available at popular download sites, such as Version Tracker or MacUpdate. OSXvnc is a straightforward application, and most of the options it presents are obvious and don't require an explanation. The two important things to point out are that, under the General tab, the port should be set to 5900 for the purposes of this tutorial, and that, under the Sharing tab, the Only allow local connections (SSH) box should be checked. Checking this box is important because it requires that the VNC session be encrypted via SSH and won't allow any unencrypted sessions to be established. It won't even let the VNC server advertise the usual VNC port. VNC remains totally hidden to the outside world.

OSXvnc has the option to require a password before the VNC session can be established. Providing a password is strongly recommended. A Startup item can also be configured that starts the server with the machine, and it includes a keepalive script that restarts the server should it close for some reason.

On the local machine...

Locally, a VNC client is needed to connect to the remote machine. VNC clients are a matter of personal preference, and again, popular download sites such as VersionTracker and MacUpdate have a selection.

And now for the part everyone has been dreading... the *gasp!* command line part! The following command serves to establish the tunnel between machines. Perhaps the best way to explain the command is to write it out and then dissect it piece by piece.

The following line needs to be entered in the Terminal:

    ssh -NfL 5900:127.0.0.1:5900 user@remote.host

    ssh - The command that starts the SSH client to create the tunnel.

    * Start SSH with these options:

    N Do not present the user with a command prompt on the remote machine after login is complete.

    f After the user authenticates, put the SSH process, and hence the tunnel, into the background to free up the local command prompt for other uses.

    L Forward a local port to a remote address, creating the tunnel.

    5900: - The port on the local machine where SSH will listen for traffic. This port can be anything >1025, but for this example 5900 has been chosen because it is the port typically used for VNC traffic.

    127.0.0.1 - The address of the machine that is the ultimate destination for the connection. This particular IP is a loopback address because in this case, the VNC client will be connecting to the same machine the SSH server is running on. Due to an SSH oddity, localhost is not valid here, you must use the loopback IP.

    :5900 - The port where the VNC server is listening on the remote machine. Again, 5900 is typically the port VNC uses.

    user - The username allowed SSH access on the remote machine.

    @ "at".

    remote.host - The hostname or IP address of the remote machine running the SSH server.

Fill in the variables with the correct values to establish an SSH tunnel for VNC. After pressing enter, a prompt requesting a password will appear. This is the SSH password for the user on the remote machine.

On the local machine, start the VNC client. Where it asks for a server, enter localhost. (Previous instructions said localhost could not be used at the command line because of an SSH weirdness, but it can be used with the VNC client. Just know that localhost is the same thing as 127.0.0.1. They are both a designator for the local machine.) Where it asks for a port, enter 5900, or if it asks for a display, enter display 0. Click the connect button, and enter the password for the VNC server. Congratulations, it's a tunnel!

Aaron Adams is a LAN administrator, a self-employed Macintosh consultant in Dayton, Ohio, and a former star of Apple's "Switch" ad campaign. He can be reached via e-mail at adamsa@mac.com.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Latest Forum Discussions

See All

Fallout Shelter pulls in ten times its u...
When the Fallout TV series was announced I, like I assume many others, assumed it was going to be an utter pile of garbage. Well, as we now know that couldn't be further from the truth. It was a smash hit, and this success has of course given the... | Read more »
Recruit two powerful-sounding students t...
I am a fan of anime, and I hear about a lot that comes through, but one that escaped my attention until now is A Certain Scientific Railgun T, and that name is very enticing. If it's new to you too, then players of Blue Archive can get a hands-on... | Read more »
Top Hat Studios unveils a new gameplay t...
There are a lot of big games coming that you might be excited about, but one of those I am most interested in is Athenian Rhapsody because it looks delightfully silly. The developers behind this project, the rather fancy-sounding Top Hat Studios,... | Read more »
Bound through time on the hunt for sneak...
Have you ever sat down and wondered what would happen if Dr Who and Sherlock Holmes went on an adventure? Well, besides probably being the best mash-up of English fiction, you'd get the Hidden Through Time series, and now Rogueside has announced... | Read more »
The secrets of Penacony might soon come...
Version 2.2 of Honkai: Star Rail is on the horizon and brings the culmination of the Penacony adventure after quite the escalation in the latest story quests. To help you through this new expansion is the introduction of two powerful new... | Read more »
The Legend of Heroes: Trails of Cold Ste...
I adore game series that have connecting lore and stories, which of course means the Legend of Heroes is very dear to me, Trails lore has been building for two decades. Excitedly, the next stage is upon us as Userjoy has announced the upcoming... | Read more »
Go from lowly lizard to wicked Wyvern in...
Do you like questing, and do you like dragons? If not then boy is this not the announcement for you, as Loongcheer Game has unveiled Quest Dragon: Idle Mobile Game. Yes, it is amazing Square Enix hasn’t sued them for copyright infringement, but... | Read more »
Aether Gazer unveils Chapter 16 of its m...
After a bit of maintenance, Aether Gazer has released Chapter 16 of its main storyline, titled Night Parade of the Beasts. This big update brings a new character, a special outfit, some special limited-time events, and, of course, an engaging... | Read more »
Challenge those pesky wyverns to a dance...
After recently having you do battle against your foes by wildly flailing Hello Kitty and friends at them, GungHo Online has whipped out another surprising collaboration for Puzzle & Dragons. It is now time to beat your opponents by cha-cha... | Read more »
Pack a magnifying glass and practice you...
Somehow it has already been a year since Torchlight: Infinite launched, and XD Games is celebrating by blending in what sounds like a truly fantastic new update. Fans of Cthulhu rejoice, as Whispering Mist brings some horror elements, and tests... | Read more »
See All

Price Scanner via MacPrices.net

Sunday Sale: Take $150 off every 15-inch M3 M...
Amazon is now offering a $150 discount on every configuration and color of Apple’s M3-powered 15″ MacBook Airs. Prices start at $1149 for models with 8GB of RAM and 256GB of storage: – 15″ M3 MacBook... Read more
Apple’s 24-inch M3 iMacs are on sale for $150...
Amazon is offering a $150 discount on Apple’s new M3-powered 24″ iMacs. Prices start at $1149 for models with 8GB of RAM and 256GB of storage: – 24″ M3 iMac/8-core GPU/8GB/256GB: $1149.99, $150 off... Read more
Verizon has Apple AirPods on sale this weeken...
Verizon has Apple AirPods on sale for up to 31% off MSRP on their online store this weekend. Their prices are the lowest price available for AirPods from any Apple retailer. Verizon service is not... Read more
Apple has 15-inch M2 MacBook Airs available s...
Apple has clearance, Certified Refurbished, 15″ M2 MacBook Airs available starting at $1019 and ranging up to $300 off original MSRP. These are the cheapest 15″ MacBook Airs for sale today at Apple.... Read more
May 2024 Apple Education discounts on MacBook...
If you’re a student, teacher, or staff member at any educational institution, you can use your .edu email address when ordering at Apple Education to take up to $300 off the purchase of a new MacBook... Read more
Clearance 16-inch M2 Pro MacBook Pros in stoc...
Apple has clearance 16″ M2 Pro MacBook Pros available in their Certified Refurbished store starting at $2049 and ranging up to $450 off original MSRP. Each model features a new outer case, shipping... Read more
Save $300 at Apple on 14-inch M3 MacBook Pros...
Apple has 14″ M3 MacBook Pros with 16GB of RAM, Certified Refurbished, available for $270-$300 off MSRP. Each model features a new outer case, shipping is free, and an Apple 1-year warranty is... Read more
Apple continues to offer 14-inch M3 MacBook P...
Apple has 14″ M3 MacBook Pros, Certified Refurbished, available starting at only $1359 and ranging up to $270 off MSRP. Each model features a new outer case, shipping is free, and an Apple 1-year... Read more
Apple AirPods Pro with USB-C return to all-ti...
Amazon has Apple’s AirPods Pro with USB-C in stock and on sale for $179.99 including free shipping. Their price is $70 (28%) off MSRP, and it’s currently the lowest price available for new AirPods... Read more
Apple Magic Keyboards for iPads are on sale f...
Amazon has Apple Magic Keyboards for iPads on sale today for up to $70 off MSRP, shipping included: – Magic Keyboard for 10th-generation Apple iPad: $199, save $50 – Magic Keyboard for 11″ iPad Pro/... Read more
 

Jobs Board

Liquor Stock Clerk - S. *Apple* St. - Idaho...
Liquor Stock Clerk - S. Apple St. Boise Posting Begin Date: 2023/10/10 Posting End Date: 2024/10/14 Category: Retail Sub Category: Customer Service Work Type: Part Read more
*Apple* App Developer - Datrose (United Stat...
…year experiencein programming and have computer knowledge with SWIFT. Job Responsibilites: Apple App Developer is expected to support essential tasks for the RxASL Read more
Omnichannel Associate - *Apple* Blossom Mal...
Omnichannel Associate - Apple Blossom Mall Location:Winchester, VA, United States (https://jobs.jcp.com/jobs/location/191170/winchester-va-united-states) - Apple Read more
Operations Associate - *Apple* Blossom Mall...
Operations Associate - Apple Blossom Mall Location:Winchester, VA, United States (https://jobs.jcp.com/jobs/location/191170/winchester-va-united-states) - Apple Read more
Cashier - *Apple* Blossom Mall - JCPenney (...
Cashier - Apple Blossom Mall Location:Winchester, VA, United States (https://jobs.jcp.com/jobs/location/191170/winchester-va-united-states) - Apple Blossom Mall Read more

  • Generate a short URL for this page:



All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.