VNC - localhost-only?

Hi,
I'd like to use VNC for remote administration. However, I don't trust VNC (does it even do useful encryption/etc.?). I'd like to have VNC only work from 'localhost' (127.0.0.1), and use SSH port forwarding to connect via VNC. I do this frequently on Linux systems that I run, so I know it's a plausible option.

Is there an easy way to do this with a Mac?

Adam

MacBook Pro, Mac OS X (10.4.8), Core 2 Duo 2.33ghz, 160gb HD, 2gb RAM

Posted on Mar 12, 2007 9:02 AM

Mar 12, 2007 9:34 PM in response to Adam S.

Not sure what VNC server and client you are using but I've successfully used Chicken of the VNC to connect to a Mac OS X server with Apple Remote Desktop (ARD) client enabled. What I do is fire up /Applications/Terminal and type something like:

ssh -v -L 5901:127.0.0.1:5900 remote.server.ip -l adminname

5901 is an unused port on the localhost
127.0.0.1 is the localhost
5900 is the VNC port used on the remote server (via ARD client)
remote.server.ip is the remote server's IP address
adminname is the remote server's administrator account short name

Hope that helps,

TK

Mar 12, 2007 9:44 PM in response to TK Tran

Thanks for the reply. Yep, I have no problem establishing a connection (I use command-line SSH). That's not actually what I'm trying to do, though...

My goal is to explicitly block any attempts to establish a VNC connection directly over the Internet, but to be able to establish a connection by tunneling VNC through ssh.

The traditional way of doing this is to block incoming TCP traffic on port 5900, coming to all IP addresses that are not 127.0.0.1/lo. The common alternative is to tell the VNC server program to only listen on 127.0.0.1/lo in the first place. I could just cave in and use ipfw directly (and do the former solution), but it'd be nice to have a cleaner solution, since this is a Mac and all.
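
Added example (not part of the original posts): a shell check for the goal described above, confirming that nothing listens on the VNC port except on loopback, so that the SSH tunnel is the only way in. The function names and the sample `netstat -an` lines are constructed for illustration; the parser accepts both the BSD/Mac OS X `addr.port` and the Linux `addr:port` notation.

```shell
#!/bin/sh
# Added example: audit `netstat -an` output for a VNC port exposed beyond loopback.
# Function names are hypothetical; sample data below is constructed.
# Real use:  netstat -an | vnc_loopback_only 5900

# Print every non-loopback local address that is LISTENing on TCP port $1.
vnc_exposed_listeners() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            la = $4                                  # local address column
            if (!match(la, /[.:][0-9]+$/)) next      # no trailing port: skip
            p    = substr(la, RSTART + 1)            # port after last . or :
            addr = substr(la, 1, RSTART - 1)         # address before it
            if (p != port) next
            if (addr ~ /^127\./ || addr == "::1" || addr == "localhost") next
            print addr                               # "*", "0.0.0.0", "::", a LAN IP...
        }'
}

# Exit 0 if port $1 is loopback-only (or not listening at all), 1 otherwise.
vnc_loopback_only() {
    exposed=$(vnc_exposed_listeners "$1")
    if [ -n "$exposed" ]; then
        echo "port $1 is reachable on:" $exposed >&2
        return 1
    fi
    return 0
}

# Constructed sample: VNC server bound to all interfaces (direct connections possible).
sample_exposed() { cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
EOF
}

# Constructed sample: VNC bound to loopback only, with one tunnelled session open.
sample_loopback_only() { cat <<'EOF'
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.5900         127.0.0.1.49152        ESTABLISHED
tcp4       0      0  127.0.0.1.5900         *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
EOF
}

# Demo on the constructed samples; the first call reports the wildcard bind.
sample_exposed | vnc_loopback_only 5900 || true
sample_loopback_only | vnc_loopback_only 5900 && echo "5900: loopback only"
```

A wildcard listener reported here can still be unreachable from outside if a firewall rule drops the traffic, so this checks the "listen on 127.0.0.1 only" approach rather than the firewall approach.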
