OS X (Leopard) Secure screen sharing, tunneling VNC over SSH and restricting to local IP
Recently I've purchased a Mac Mini for my home network. The mini is connected directly to the internet (no external firewall in front of it). Since it's a media hub, I wanted to:
Be able to reach files on the computer from anywhere
Be able to view the screen from anywhere
The first one was easy: SCP. The second was harder: while OS X Leopard has built-in screen sharing (VNC), I didn't feel like opening it up to the world. So I started looking for resources on how to tunnel VNC over SSH and at the same time restrict screen sharing to the local IP (without using an external firewall to block it).
I found what I needed on http://fotinakis.com/blog/blog/2008/secure-mac-screen-sharing/
Basically what I did was:
1. Changed the port on sshd and then started Remote Login (SSH, from System Preferences) - I followed http://www.macosxhints.com/article.php?story=20050707140439980 and used 22222
2. Denied all incoming connections to ports 5900 and 88 from everyone but me using ipfw
Then when I want to connect to the shared screen, I open up my SSH tunnel:
ssh -p 22222 username@ip_address_or_hostname -L 5901:localhost:5900
(-p 22222 because sshd was moved off port 22 in step 1; leave it out if you kept the default port.)
And connect (Finder -> Go -> Connect to Server) to vnc://localhost:5901
Note though, you must tunnel from a local port that is not 5900; otherwise you will get a "You can not connect to your own computer" error.
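The two steps above (lock the VNC and Kerberos ports down to loopback with ipfw, then reach them only through the SSH tunnel) as one script. This is an added example, not code from the original post or from the linked blog: the rule numbers 2000-2002, the variable names and the helper function names are my own choices, and the script assumes ipfw is run with sudo on the Mac itself.

```sh
#!/bin/sh
# Added example (not from the original post): generate and apply the ipfw
# rules that keep Screen Sharing (5900) and Kerberos (88, used by Screen
# Sharing authentication) reachable only from the Mac itself, so the only
# way in from outside is through the SSH tunnel.
# Assumptions: rule numbers 2000-2002 are unused; sshd was moved to 22222.

VNC_PORT=5900
KRB_PORT=88
SSH_PORT=22222   # the moved sshd port from step 1

# Print the rule set as text so it can be reviewed before it is applied.
screen_sharing_rules() {
    # Loopback first: the tunnel endpoint on the Mac connects from 127.0.0.1.
    echo "ipfw add 2000 allow tcp from 127.0.0.1 to any dst-port $VNC_PORT,$KRB_PORT"
    # Then drop everything else aimed at those ports on any interface.
    echo "ipfw add 2001 deny tcp from any to any dst-port $VNC_PORT,$KRB_PORT in"
    echo "ipfw add 2002 deny udp from any to any dst-port $KRB_PORT in"
}

# ipfw evaluates rules in ascending number order and stops at the first
# match, so the loopback allow must precede the deny rules. Returns 0 if so.
rules_ordered() {
    last_allow=$(screen_sharing_rules | grep -n ' allow ' | tail -n 1 | cut -d: -f1)
    first_deny=$(screen_sharing_rules | grep -n ' deny ' | head -n 1 | cut -d: -f1)
    [ "$last_allow" -lt "$first_deny" ]
}

# Apply the rules on the Mac (needs root). Refuses to run if ordering is wrong.
apply_rules() {
    rules_ordered || { echo "rule ordering is wrong, not applying" >&2; return 1; }
    screen_sharing_rules | while read -r cmd; do
        sudo sh -c "$cmd"
    done
}

# The client-side tunnel command, typed on the remote machine:
# local port 5901 (not 5900, see the note above) forwards to 5900 on the Mac.
tunnel_command() {
    # usage: tunnel_command <user> <host>
    echo "ssh -p $SSH_PORT -L 5901:localhost:$VNC_PORT $1@$2"
}

# Run as a script: show the rules and the tunnel command; pass "apply" to
# actually load the rules into ipfw.
if [ "${1:-}" = "apply" ]; then
    apply_rules
elif [ "${1:-}" = "show" ]; then
    screen_sharing_rules
    tunnel_command username ip_address_or_hostname
fi
```

Run it with `show` first and check the output, then with `apply` on the Mac. Leopard's ipfw rules do not survive a reboot, so the `apply` step has to be re-run at startup (for example from a LaunchDaemon) or the ports are open again after the next restart; verifying with `sudo ipfw list` after a reboot is a cheap check.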