TweetFollow Us on Twitter

Review: VNC Over SSH: The next best thing to being there

Volume Number: 20 (2004)
Issue Number: 7
Column Tag: Review

Review: VNC Over SSH: The next best thing to being there

by Aaron Adams

Securely control a remote Mac with two pieces of free software

The ability to remotely control a machine can come in handy for a variety of reasons, whether the purpose is system administration, or helping a friend. Apple's most recent remote control offering, Remote Desktop 2.0, can be overkill when it comes to a simple one-to-one connection between machines. Most users won't need all the features included in Remote Desktop; it's intended for labs and other environments that require the management of large numbers of machines at once, not the remote control of a single machine. Freeware VNC, on the other hand, fits the one-to-one bill perfectly. VNC stands for Virtual Network Computing, and it allows a user to control a remote machine as if he were sitting at the desk in front of it.

VNC is certainly a useful tool for those who need something simpler than Remote Desktop. However, it's the wild wild web out there, and security is a major consideration. VNC was developed at a time when security wasn't the same priority as it is now, and the data transmitted between a VNC server and client is unencrypted. Passing login names and passwords, or other sensitive data, over the public Internet in the clear isn't a good idea, and neither is advertising the fact that a machine can be controlled via VNC by leaving its corresponding TCP port open. Is there some way to keep VNC traffic from prying eyes?

Yes! The solution comes in the form of another piece of freeware included with every Mac: Secure Shell. SSH is the encrypted replacement for plain-text telnet, a command line utility used frequently on the old text-based Internet, with a few added features thrown in for good measure, including the ability to encrypt traffic generated by other protocols. This process is called tunneling because the data travels inside an encrypted virtual pathway created by the communicating SSH pieces. To force VNC to use the tunnel, it has to be instructed to connect to the local machine at a certain port. SSH intercepts the traffic from the VNC client at that port, encrypts it, sends it to the SSH server at the other end of the connection, where it is decrypted and passed to the VNC server. Besides encryption, one other advantage of using SSH to tunnel other protocols is that a server only needs to expose a single port for SSH instead of an individual port for each service offered, such as additional ports for each possible VNC session. This prevents port scanners, and other miscreants, from discovering VNC on a target machine.

Making this encryption happen requires use of the *gasp!* command line! Most Mac users cringe at the thought of using the command line because it's so "un-Mac-like", but it's a powerful tool that's not very hard to learn, and quickly becomes an excellent exercise in abstract thinking. Don't shy away from encrypting VNC sessions because of Terminal fright.

On the remote machine...

Two things are required on the remote machine to prepare it to accept an encrypted VNC session: An SSH server and a VNC server. Enabling SSH on any Mac is as simple as going in to System Preferences, bringing the Sharing pane, and checking the box next to Remote Login. Make sure the connecting user has a username and password available on the remote box.

As for VNC, a great server is OSXvnc, available at popular download sites, such as Version Tracker or MacUpdate. OSXvnc is a straightforward application, and most of the options it presents are obvious and don't require an explanation. The two important things to point out are that, under the General tab, the port should be set to 5900 for the purposes of this tutorial, and that, under the Sharing tab, the Only allow local connections (SSH) box should be checked. Checking this box is important because it requires that the VNC session be encrypted via SSH and won't allow any unencrypted sessions to be established. It won't even let the VNC server advertise the usual VNC port. VNC remains totally hidden to the outside world.

OSXvnc has the option to require a password before the VNC session can be established. Providing a password is strongly recommended. A Startup item can also be configured that starts the server with the machine, and it includes a keepalive script that restarts the server should it close for some reason.

On the local machine...

Locally, a VNC client is needed to connect to the remote machine. VNC clients are a matter of personal preference, and again, popular download sites such as VersionTracker and MacUpdate have a selection.

And now for the part everyone has been dreading... the *gasp!* command line part! The following command serves to establish the tunnel between machines. Perhaps the best way to explain the command is to write it out and then dissect it piece by piece.

The following line needs to be entered in the Terminal:

    ssh -NfL 5900:127.0.0.1:5900 user@remote.host

    ssh - The command that starts the SSH client to create the tunnel.

    * Start SSH with these options:

    N Do not present the user with a command prompt on the remote machine after login is complete.

    f After the user authenticates, put the SSH process, and hence the tunnel, into the background to free up the local command prompt for other uses.

    L Forward a local port to a remote address, creating the tunnel.

    5900: - The port on the local machine where SSH will listen for traffic. This port can be anything >1025, but for this example 5900 has been chosen because it is the port typically used for VNC traffic.

    127.0.0.1 - The address of the machine that is the ultimate destination for the connection. This particular IP is a loopback address because in this case, the VNC client will be connecting to the same machine the SSH server is running on. Due to an SSH oddity, localhost is not valid here, you must use the loopback IP.

    :5900 - The port where the VNC server is listening on the remote machine. Again, 5900 is typically the port VNC uses.

    user - The username allowed SSH access on the remote machine.

    @ "at".

    remote.host - The hostname or IP address of the remote machine running the SSH server.

Fill in the variables with the correct values to establish an SSH tunnel for VNC. After pressing enter, a prompt requesting a password will appear. This is the SSH password for the user on the remote machine.

On the local machine, start the VNC client. Where it asks for a server, enter localhost. (Previous instructions said localhost could not be used at the command line because of an SSH weirdness, but it can be used with the VNC client. Just know that localhost is the same thing as 127.0.0.1. They are both a designator for the local machine.) Where it asks for a port, enter 5900, or if it asks for a display, enter display 0. Click the connect button, and enter the password for the VNC server. Congratulations, it's a tunnel!


Aaron Adams is a LAN administrator, a self-employed Macintosh consultant in Dayton, Ohio, and a former star of Apple's "Switch" ad campaign. He can be reached via e-mail at adamsa@mac.com.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Latest Forum Discussions

See All

Tokkun Studio unveils alpha trailer for...
We are back on the MMORPG news train, and this time it comes from the sort of international developers Tokkun Studio. They are based in France and Japan, so it counts. Anyway, semantics aside, they have released an alpha trailer for the upcoming... | Read more »
Win a host of exclusive in-game Honor of...
To celebrate its latest Jujutsu Kaisen crossover event, Honor of Kings is offering a bounty of login and achievement rewards kicking off the holiday season early. [Read more] | Read more »
Miraibo GO comes out swinging hard as it...
Having just launched what feels like yesterday, Dreamcube Studio is wasting no time adding events to their open-world survival Miraibo GO. Abyssal Souls arrives relatively in time for the spooky season and brings with it horrifying new partners to... | Read more »
Ditch the heavy binders and high price t...
As fun as the real-world equivalent and the very old Game Boy version are, the Pokemon Trading Card games have historically been received poorly on mobile. It is a very strange and confusing trend, but one that The Pokemon Company is determined to... | Read more »
Peace amongst mobile gamers is now shatt...
Some of the crazy folk tales from gaming have undoubtedly come from the EVE universe. Stories of spying, betrayal, and epic battles have entered history, and now the franchise expands as CCP Games launches EVE Galaxy Conquest, a free-to-play 4x... | Read more »
Lord of Nazarick, the turn-based RPG bas...
Crunchyroll and A PLUS JAPAN have just confirmed that Lord of Nazarick, their turn-based RPG based on the popular OVERLORD anime, is now available for iOS and Android. Starting today at 2PM CET, fans can download the game from Google Play and the... | Read more »
Digital Extremes' recent Devstream...
If you are anything like me you are impatiently waiting for Warframe: 1999 whilst simultaneously cursing the fact Excalibur Prime is permanently Vault locked. To keep us fed during our wait, Digital Extremes hosted a Double Devstream to dish out a... | Read more »
The Frozen Canvas adds a splash of colou...
It is time to grab your gloves and layer up, as Torchlight: Infinite is diving into the frozen tundra in its sixth season. The Frozen Canvas is a colourful new update that brings a stylish flair to the Netherrealm and puts creativity in the... | Read more »
Back When AOL WAS the Internet – The Tou...
In Episode 606 of The TouchArcade Show we kick things off talking about my plans for this weekend, which has resulted in this week’s show being a bit shorter than normal. We also go over some more updates on our Patreon situation, which has been... | Read more »
Creative Assembly's latest mobile p...
The Total War series has been slowly trickling onto mobile, which is a fantastic thing because most, if not all, of them are incredibly great fun. Creative Assembly's latest to get the Feral Interactive treatment into portable form is Total War:... | Read more »

Price Scanner via MacPrices.net

Early Black Friday Deal: Apple’s newly upgrad...
Amazon has Apple 13″ MacBook Airs with M2 CPUs and 16GB of RAM on early Black Friday sale for $200 off MSRP, only $799. Their prices are the lowest currently available for these newly upgraded 13″ M2... Read more
13-inch 8GB M2 MacBook Airs for $749, $250 of...
Best Buy has Apple 13″ MacBook Airs with M2 CPUs and 8GB of RAM in stock and on sale on their online store for $250 off MSRP. Prices start at $749. Their prices are the lowest currently available for... Read more
Amazon is offering an early Black Friday $100...
Amazon is offering early Black Friday discounts on Apple’s new 2024 WiFi iPad minis ranging up to $100 off MSRP, each with free shipping. These are the lowest prices available for new minis anywhere... Read more
Price Drop! Clearance 14-inch M3 MacBook Pros...
Best Buy is offering a $500 discount on clearance 14″ M3 MacBook Pros on their online store this week with prices available starting at only $1099. Prices valid for online orders only, in-store... Read more
Apple AirPods Pro with USB-C on early Black F...
A couple of Apple retailers are offering $70 (28%) discounts on Apple’s AirPods Pro with USB-C (and hearing aid capabilities) this weekend. These are early AirPods Black Friday discounts if you’re... Read more
Price drop! 13-inch M3 MacBook Airs now avail...
With yesterday’s across-the-board MacBook Air upgrade to 16GB of RAM standard, Apple has dropped prices on clearance 13″ 8GB M3 MacBook Airs, Certified Refurbished, to a new low starting at only $829... Read more
Price drop! Apple 15-inch M3 MacBook Airs now...
With yesterday’s release of 15-inch M3 MacBook Airs with 16GB of RAM standard, Apple has dropped prices on clearance Certified Refurbished 15″ 8GB M3 MacBook Airs to a new low starting at only $999.... Read more
Apple has clearance 15-inch M2 MacBook Airs a...
Apple has clearance, Certified Refurbished, 15″ M2 MacBook Airs now available starting at $929 and ranging up to $410 off original MSRP. These are the cheapest 15″ MacBook Airs for sale today at... Read more
Apple drops prices on 13-inch M2 MacBook Airs...
Apple has dropped prices on 13″ M2 MacBook Airs to a new low of only $749 in their Certified Refurbished store. These are the cheapest M2-powered MacBooks for sale at Apple. Apple’s one-year warranty... Read more
Clearance 13-inch M1 MacBook Airs available a...
Apple has clearance 13″ M1 MacBook Airs, Certified Refurbished, now available for $679 for 8-Core CPU/7-Core GPU/256GB models. Apple’s one-year warranty is included, shipping is free, and each... Read more

Jobs Board

Seasonal Cashier - *Apple* Blossom Mall - J...
Seasonal Cashier - Apple Blossom Mall Location:Winchester, VA, United States (https://jobs.jcp.com/jobs/location/191170/winchester-va-united-states) - Apple Read more
Seasonal Fine Jewelry Commission Associate -...
…Fine Jewelry Commission Associate - Apple Blossom Mall Location:Winchester, VA, United States (https://jobs.jcp.com/jobs/location/191170/winchester-va-united-states) Read more
Seasonal Operations Associate - *Apple* Blo...
Seasonal Operations Associate - Apple Blossom Mall Location:Winchester, VA, United States (https://jobs.jcp.com/jobs/location/191170/winchester-va-united-states) - Read more
Hair Stylist - *Apple* Blossom Mall - JCPen...
Hair Stylist - Apple Blossom Mall Location:Winchester, VA, United States (https://jobs.jcp.com/jobs/location/191170/winchester-va-united-states) - Apple Blossom Read more
Cashier - *Apple* Blossom Mall - JCPenney (...
Cashier - Apple Blossom Mall Location:Winchester, VA, United States (https://jobs.jcp.com/jobs/location/191170/winchester-va-united-states) - Apple Blossom Mall Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.