How to restrict screen sharing to remote login

I wanted to use the built-in VNC server in Leopard but I am concerned about security. My work computer is not behind a firewall (at least not one I can configure) and has a fixed IP so I can connect remotely. I would like to limit the VNC server so it only accepts connections initiated via a remote SSH login (port 22) rather than the default port at 5900. I have SSH configured with certificates so it is pretty secure, I think. Otherwise, it seems to me that enabling screen sharing and opening port 5900 is an invitation for hackers and is almost like they have physical access to my keyboard. Perhaps I could block traffic on port 5900 (and whatever other ports the server uses) with the ipfw firewall (but I don't know how to do that) but I am wondering if there is some hidden preference setting that would do what I want. I am not so much concerned with encrypting the traffic (my understanding is that the Screen Sharing client can do that) as I am with securing the login process.
Experts?

Intel iMac (early 2008), iMac iSight, 12" PB G4, iPhone 3G, MBA SSD rev.B, Mac OS X (10.5.6), Windows XP, Linux, AIX, Newton MP, Palm TX

Posted on Jun 23, 2009 10:42 AM


Jun 23, 2009 10:49 AM in response to RT11 guru

use this command in the terminal

ssh -L 5901:localhost:5900 ipaddressofthemac

replace ipaddressofthemac with the actual mac's ip

then open screen sharing from /System/Library/CoreServices/Screen Sharing.app

enter as the host address

localhost:5901

but to make that work you need to have screen sharing turned on so unless you configure an IPFW rule then that port is still open.

The alternative is to run another vnc server such as vine server, google for it you will find it. This has an option to limit connection only via SSH.

but if you are on a work computer are you on a network? If you are on a network then you are behind a router which is also a firewall, unless your work assigns you a public IP address.

Jun 23, 2009 11:17 AM in response to Tim Haigh

Tim, thanks for the reply.
I know how to tunnel the connection through SSH (I do just what you describe to initiate the connection) but I wanted to make that the only option for the OSX VNC server. I have been using the Vine Server which has such an option ("Require Remote Login (SSH)", although I don't know what it does actually, i.e. I don't know if the app even opens port 5900) but it has been giving me some minor problems and I like to use the built-in OSX stuff as much as possible.
Yes, I am certainly behind a router at work and my IP is public but I can't configure the routers. The IT people seem to get exercised just connecting a computer to "their" network, if you know what I mean.

Jun 23, 2009 3:16 PM in response to RT11 guru

I have been using the Vine Server which has such an option ("Require Remote Login (SSH)", although I don't know what it does actually, i.e. I don't know if the app even opens port 5900)

This is speculation, but it makes sense.

Yes, I think the Vine Server listens on port 5900, however, when a connect request comes along it can check to see where the other end of the connection comes from. If it is NOT originating from your Mac, then it can reject the connection request.

The ssh tunnel will appear as if it is originating from your computer as it is coming from the sshd daemon on your Mac which is anchoring its end of the ssh tunnel.

Would it work to have the Mac OS X Firewall block VNC on the assumption that it would only block requests from outside your system? I'm guessing.

I would guess that ipfw can reject requests from the outside world, I just do not have a clue how to set that up (Google maybe?).
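Putting the two halves of the thread together (the client-side tunnel from Tim's reply and the ipfw rule that the last reply guesses at), here is an added example that is not from any poster. It assumes rule numbers 1000 and 1010 are free, that the loopback interface is lo0, that sshd already accepts the key-based login described in the question, and that `ipfw list` prints the rules with the `dst-port` keyword as shown in the constructed sample. Connections that arrive through the tunnel are re-originated by sshd on the Mac, so they enter via lo0 and match the allow rule; a direct connection from the network hits the deny rule instead.

```shell
#!/bin/sh
# Added example, not from the thread: fence the built-in VNC server so only
# connections delivered over an SSH tunnel (terminating on the Mac itself)
# reach port 5900, using ipfw on Mac OS X 10.5. Assumptions: rule numbers
# 1000/1010 are free, the loopback interface is lo0, sshd already runs on 22.

VNC_PORT=5900     # default Screen Sharing / VNC port
LOCAL_PORT=5901   # port the tunnel opens on the client machine

# Client side: the tunnel command from the reply, with the colon syntax
# ssh -L expects. Screen Sharing is then pointed at localhost:5901.
vnc_tunnel_cmd() {
    printf 'ssh -L %s:localhost:%s %s' "$LOCAL_PORT" "$VNC_PORT" "$1"
}

# Server side: ipfw rules. ipfw evaluates rules lowest number first, so the
# loopback allow must come before the catch-all deny for inbound VNC.
ipfw_rules() {
    cat <<EOF
ipfw add 1000 allow tcp from any to any dst-port $VNC_PORT in via lo0
ipfw add 1010 deny tcp from any to any dst-port $VNC_PORT in
EOF
}

# Apply the rules (root required). Refuses to run where ipfw is absent.
apply_ipfw_rules() {
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw not found; these rules are for Mac OS X 10.5 ipfw" >&2
        return 1
    fi
    ipfw_rules | sudo sh -e
}

# Verification: feed 'ipfw list' output on stdin; succeeds only when a deny
# for inbound VNC exists and the loopback allow has a lower rule number.
vnc_rules_present() {
    listing=$(cat)
    allow_no=$(printf '%s\n' "$listing" | awk -v p="$VNC_PORT" \
        '$2 == "allow" && index($0, "dst-port " p " in via lo0") { print $1 + 0; exit }')
    deny_no=$(printf '%s\n' "$listing" | awk -v p="$VNC_PORT" \
        '$2 == "deny" && index($0, "dst-port " p " in") { print $1 + 0; exit }')
    [ -n "$allow_no" ] && [ -n "$deny_no" ] && [ "$allow_no" -lt "$deny_no" ]
}

# Constructed sample of what 'ipfw list' shows after the rules are added
# (65535 is the default final rule on a permissive ipfw).
SAMPLE_IPFW_LIST='01000 allow tcp from any to any dst-port 5900 in via lo0
01010 deny tcp from any to any dst-port 5900 in
65535 allow ip from any to any'

# Stand-alone demonstration: show the client command and the server rules,
# then check the constructed listing (hostname is a placeholder).
vnc_tunnel_cmd "${1:-mac.example.invalid}"; echo
ipfw_rules
if printf '%s\n' "$SAMPLE_IPFW_LIST" | vnc_rules_present; then
    echo "VNC port $VNC_PORT is fenced to loopback"
fi
```

Screen Sharing still has to be switched on, so the listener on 5900 stays open as before; the ipfw deny is what keeps it from being reachable from anything but the tunnel. After `apply_ipfw_rules`, `ipfw list | vnc_rules_present` confirms the ordering, and the rules are gone after a reboot unless they are re-added at startup.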
