Can't Connect to Remote Mac Using SSH and Chicken of the VNC

You should check your port forwarding and firewall or better yet, temporarily remove them/work around them to eliminate as a source of the problem.

If that fails, try this:

- As root, edit the file sshd_config, located in /private/etc/ on the server machine. Note: sshd_config, not ssh_config.
- add the following line:
AllowTcpForwarding yes
- restart the server

http://www.macosxhints.com/article.php?story=20041107001207738

I hope this was helpful.

What am I doing wrong?

You haven't described what exactly you're doing, so it's hard to tell. What does your ssh command line look like? It should be something like:

homemac$ ssh -L 5901:localhost:5900 workmac

Then, in CotVNC on your homemac, select localhost as the host to connect to and 1 as the display number.

Is that what you're doing?

Cheers
Steffen.

AllowTcpForwarding is on by default. Did you (or someone) change that on your workmac?

Cheers
Steffen.

I am successfully VNCing through an ssh tunnel. Here is what I did:

"Server" computer:
1. System Preferences > Services > Apple Remote Desktop: checkbox is checked
(a) ARD is required to be enabled in order to support VNC
2. System Preferences > Services > Apple Remote Desktop highlighted: click on "Access Privileges"
(a) upper half of Access Privileges configuration window: configure as desired
(b) lower half of Access Privileges configuration window: "VNC viewers may control screen with password" checkbox is checked and password is set
3. System Preferences > Firewall: VNC checkbox is checked
(a) If you don't have a "VNC" entry in the list, click on "New" and make one. It is a "pre-canned" option in "New" that already defines the ports that will be opened in your computer's firewall.
(b) FWIW, the pre-defined ports are 5900 UDP and 5900-5902 TCP.

DSL/cable modem and/or router on server end:
4. You do NOT need to open/forward any additional ports in your modem because you will be tunneling the connection over your already opened/forwarded ssh port.

"Client" computer:
5. In Terminal.app, your ssh command should include the following port tunneling directive:
-L 5901:127.0.0.1:5900, as in
ssh -l shortUserNameOnServer -L 5901:127.0.0.1:5900 serverHostName.whatever
(a) Note that the client port is 5901 and the server port is 5900. What I found is that specifying the same port number made the client loop back on itself and so what would happen with the VNC display was like looking into a mirror with a mirror on the wall behind you, with the local desktop being "reflected" ad infinitum.
(b) I don't know if it was a CotVNC issue or an OS X VNC/ARD issue, but in any event, on my computer, when setting up the port tunnel, one and/or the other did not like the "localhost" IPv6 designation. In my case, it only works with a numeric IPv4 "127.0.0.1" designation.
6. In CotVNC, connect to 127.0.0.1:5901, using the password you set on the "server computer" in step 2b above.
(a) The restriction on "localhost" vs "127.0.0.1" discussed in step 5b applies here as well.

Like I said, this configuration as I have described works for me.


(If you find that my post solves your problem, or is actually helpful towards arriving at a solution to your problem, please consider clicking on either the "helpful" or "solved" buttons in the header of my post. Thank you.)

Have you installed a VNC server on the machine?

You can't connect via VNC unless there's some process on the server listening for the client connection and able to respond. Opening SSH is not sufficient.

Hey Camelot:

You don't need to install a 3rd-party VNC server on the machine. If you do what I said to do with System Preferences (enabling ARD, enabling VNC access privileges) in steps 1-3 of my post, you'll have a VNC server. It just works.

j.v.

Gregory:

The file is at /etc/sshd_config. It is already default "AllowTcpForwarding yes". In Terminal, do a grep AllowTcpForwarding /etc/sshd_config"

Unless you've been screwin' around with stuff (and since you didn't know where it was, that means you haven't), you'll get back a response to your grep that says "#AllowTcpForwarding yes". The comment marker (#) is there because they comment out the default settings. So you really don't need to do anything.

Nor do you need to port forward anything at work on their firewall. They are letting your ssh in already, right? Your VNC will be tunneled inside the ssh so no extra ports required. You do need to open ports inside your iMac in System Preferences (ARD, VNC, and you already have remote login open or you wouldn't be able to ssh into your work's iMac), as I described in my earlier post to you, so your 127.0.0.1 connection can deliver the tunneled stuff to the right place.

Try doing what I suggested in my earlier post to you. If your work is letting you ssh in through their firewall to your imac in the first place, and you do what I said in my post for configuring your iMac as your "VNC server", and on your home(?) computer, do what I said for the local and remote ports and 127.0.0.1 in ssh, and the connection address in CotVNC, I'm tellin' ya', it just works. If something I said there is not clear, ask me. But give it a try. The configuration I describe earlier is complete, works for me, and works great.

By the way, the password that you set in your home computer's VNC for the 127.0.0.1:5901 connection (that is the password that you specified in the iMac "server" in System Prefs Apple Remote desktop VNC access privileges), make it simple, like "chicken," and save it to the keychain because you're running through ssh anyways, and no ssh session, then no VNC anyhow. Makes life a little easier.

(If you find that my post solves your problem, or is actually helpful towards arriving at a solution to your problem, please consider clicking on either the "helpful" or "solved" buttons in the header of my post. Thank you.)

I apologize: I, too, get:
#AllowTcpForwarding yes
# AllowTcpForwarding no
when I grep AllowTcpForwarding /etc/sshd_config
Must have been bleary-eyed last night and missed the second one.

Nevertheless, you are identical to me, and I work going from work to home and home to work (I'm set up both ways).

What is your exact ssh command that you execute (you can substitute shortUserNameOnImac and imacHostNameOrIPaddress or put in some bogus stuff since you probably don't want to post all that publicly)?

In CotVNC, what exactly is your Host address, and what are you using for the password?

More questions later...

Is this a typo error in your post? You have

ssh -L 5901:127.0.01:5900 myShortName@IPofRemoteMac

and in CotVNC you have 127.0.01:5900 and 127.0.01:5901 as the host addresses that you have tried.

The ssh port tunneling directive should be

ssh -L 5901:127.0.0.1:5900 myShortName@IPofRemoteMac

and

in CotVNC, the specified host address should be 127.0.0.1:5901

i.e., one twenty seven dot zero dot zero dot one,
NOT one twenty seven dot zero dot zero one

With any luck, this is indeed what you actually entered because putting in the missing decimal point should fix you up.

I'll be awaiting your reply to verify what you actually typed for the ssh port tunnel directive and CotVNC host, and then we'll try to figure out what to check next, since a simple typo would be way too easy.


(If you find that my post solves your problem, or is actually helpful towards arriving at a solution to your problem, please consider clicking on either the "helpful" or "solved" buttons in the header of my post. Thank you.)

Is this a typo error in your post? You have

ssh -L 5901:127.0.01:5900 myShortName@IPofRemoteMac

and in CotVNC you have 127.0.01:5900 and
127.0.01:5901 as the host addresses that you have
tried.

In fact 127.0.01 (being the same as 127.0.1) will work too, as will 127.1. They're all valid forms of the same IP address.

However, the host you specify in CotVNC should be 127.0.0.1 (or localhost), the port is derived automatically from the display number (display 0 -> port 5900, display 1 -> port 5901, etc). Not sure whether or not specifying a port number with the host name/address is permissible in CotVNC. It certainly is either redundant or conflicting.

Cheers
Steffen.