Review: VNC Over SSH: The next best thing to being there

Volume Number: 20 (2004)
Issue Number: 7
Column Tag: Review

by Aaron Adams

Securely control a remote Mac with two pieces of free software

The ability to remotely control a machine can come in handy for a variety of reasons, whether the purpose is system administration or helping a friend. Apple's most recent remote control offering, Remote Desktop 2.0, can be overkill when it comes to a simple one-to-one connection between machines. Most users won't need all the features included in Remote Desktop; it's intended for labs and other environments that require the management of large numbers of machines at once, not the remote control of a single machine. Freeware VNC, on the other hand, fits the one-to-one bill perfectly. VNC stands for Virtual Network Computing, and it allows a user to control a remote machine as if he were sitting at the desk in front of it.

VNC is certainly a useful tool for those who need something simpler than Remote Desktop. However, it's the wild wild web out there, and security is a major consideration. VNC was developed at a time when security wasn't the same priority as it is now, and the data transmitted between a VNC server and client is unencrypted. Passing login names and passwords, or other sensitive data, over the public Internet in the clear isn't a good idea, and neither is advertising the fact that a machine can be controlled via VNC by leaving its corresponding TCP port open. Is there some way to keep VNC traffic from prying eyes?

Yes! The solution comes in the form of another piece of freeware included with every Mac: Secure Shell. SSH is the encrypted replacement for plain-text telnet, a command line utility used frequently on the old text-based Internet, with a few added features thrown in for good measure, including the ability to encrypt traffic generated by other protocols. This process is called tunneling because the data travels inside an encrypted virtual pathway created by the communicating SSH pieces. To force VNC to use the tunnel, it has to be instructed to connect to the local machine at a certain port. SSH intercepts the traffic from the VNC client at that port, encrypts it, and sends it to the SSH server at the other end of the connection, where it is decrypted and passed to the VNC server. Besides encryption, one other advantage of using SSH to tunnel other protocols is that a server only needs to expose a single port for SSH instead of an individual port for each service offered, such as additional ports for each possible VNC session. This prevents port scanners, and other miscreants, from discovering VNC on a target machine.

Making this encryption happen requires use of the *gasp!* command line! Most Mac users cringe at the thought of using the command line because it's so "un-Mac-like", but it's a powerful tool that's not very hard to learn, and quickly becomes an excellent exercise in abstract thinking. Don't shy away from encrypting VNC sessions because of Terminal fright.

On the remote machine...

Two things are required on the remote machine to prepare it to accept an encrypted VNC session: an SSH server and a VNC server. Enabling SSH on any Mac is as simple as going into System Preferences, bringing up the Sharing pane, and checking the box next to Remote Login. Make sure the connecting user has a username and password available on the remote box.

As for VNC, a great server is OSXvnc, available at popular download sites, such as VersionTracker or MacUpdate. OSXvnc is a straightforward application, and most of the options it presents are obvious and don't require an explanation. The two important things to point out are that, under the General tab, the port should be set to 5900 for the purposes of this tutorial, and that, under the Sharing tab, the Only allow local connections (SSH) box should be checked. Checking this box is important because it requires that the VNC session be encrypted via SSH and won't allow any unencrypted sessions to be established. It won't even let the VNC server advertise the usual VNC port. VNC remains totally hidden to the outside world.

OSXvnc has the option to require a password before the VNC session can be established. Providing a password is strongly recommended. A Startup item can also be configured that starts the server with the machine, and it includes a keepalive script that restarts the server should it close for some reason.

On the local machine...

Locally, a VNC client is needed to connect to the remote machine. VNC clients are a matter of personal preference, and again, popular download sites such as VersionTracker and MacUpdate have a selection.

And now for the part everyone has been dreading... the *gasp!* command line part! The following command serves to establish the tunnel between machines. Perhaps the best way to explain the command is to write it out and then dissect it piece by piece.

The following line needs to be entered in the Terminal:

    ssh -NfL 5900:127.0.0.1:5900 user@remote.host

    ssh - The command that starts the SSH client to create the tunnel.

    - - Start SSH with these options:

    N - Do not present the user with a command prompt on the remote machine after login is complete.

    f - After the user authenticates, put the SSH process, and hence the tunnel, into the background to free up the local command prompt for other uses.

    L - Forward a local port to a remote address, creating the tunnel.

    5900: - The port on the local machine where SSH will listen for traffic. This port can be anything >1025, but for this example 5900 has been chosen because it is the port typically used for VNC traffic.

    127.0.0.1 - The address of the machine that is the ultimate destination for the connection, as seen from the SSH server. This particular IP is a loopback address because, in this case, the VNC server is running on the same machine as the SSH server. Due to an SSH oddity, localhost is not valid here; you must use the loopback IP.

    :5900 - The port where the VNC server is listening on the remote machine. Again, 5900 is typically the port VNC uses.

    user - The username allowed SSH access on the remote machine.

    @ - "at".

    remote.host - The hostname or IP address of the remote machine running the SSH server.

Fill in the variables with the correct values to establish an SSH tunnel for VNC. After pressing enter, a prompt requesting a password will appear. This is the SSH password for the user on the remote machine.

On the local machine, start the VNC client. Where it asks for a server, enter localhost. (Previous instructions said localhost could not be used at the command line because of an SSH weirdness, but it can be used with the VNC client. Just know that localhost is the same thing as 127.0.0.1. They are both a designator for the local machine.) Where it asks for a port, enter 5900, or if it asks for a display, enter display 0. Click the connect button, and enter the password for the VNC server. Congratulations, it's a tunnel!
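To confirm that both ends behave as described (the VNC port bound only to the loopback address, SSH the only port reachable from outside), the following added example, which is not from the original article, classifies a port from macOS `netstat -an -p tcp` output. The function name `listen_scope` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Classify how a TCP port is exposed, reading macOS/BSD `netstat -an -p tcp`
# output on stdin. In that format the local address is column 4 and the port
# follows the last dot, e.g. "127.0.0.1.5900" or "*.5900".
# Prints: loopback-only | exposed | not-listening
listen_scope() {
    awk -v port="$1" '
        $NF == "LISTEN" {              # ignore ESTABLISHED and other states
            p = $4; host = $4
            sub(/^.*\./, "", p)        # text after the last dot  = port
            sub(/\.[^.]*$/, "", host)  # text before the last dot = bound address
            if (p != port) next
            seen = 1
            if (host != "::1" && host !~ /^127\./) exposed = 1
        }
        END {
            if (!seen)        print "not-listening"
            else if (exposed) print "exposed"
            else              print "loopback-only"
        }'
}

# Constructed sample: remote Mac with "Only allow local connections (SSH)"
# checked and one tunnelled VNC session in progress.
sample_hardened() {
cat <<'EOF'
tcp4       0      0  127.0.0.1.5900         127.0.0.1.49152        ESTABLISHED
tcp4       0      0  127.0.0.1.5900         *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
EOF
}

# Constructed sample: the box left unchecked, VNC listening on every interface.
sample_open() {
cat <<'EOF'
tcp4       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
EOF
}

sample_hardened | listen_scope 5900   # loopback-only
sample_open     | listen_scope 5900   # exposed
sample_hardened | listen_scope 22     # exposed (the one port meant to be reachable)
```

On a real machine, run `netstat -an -p tcp | listen_scope 5900`. The local end of the tunnel should also report loopback-only, since `ssh -L` binds its listener to the loopback address unless gateway ports are enabled.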


Aaron Adams is a LAN administrator, a self-employed Macintosh consultant in Dayton, Ohio, and a former star of Apple's "Switch" ad campaign. He can be reached via e-mail at adamsa@mac.com.

 

All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved.