How to securely control another Mac over the internet
I decided to put together this how-to after setting this up for my dad, figuring there are probably a number of others out there who serve as the de facto tech support person for friends and family in remote locations. The idea is to be able to remotely view and, if needed, control another Mac, to help teach a new Mac user how to do something or to fix their problem.

This isn't the fastest thing in the world mind you -- anything they do with much in the way of graphics, like iPhoto, takes a long time to paint on my end -- but it definitely works well enough for what I need. My method certainly isn't the only way of doing it, but it meets my criteria, which are:
  • secure - didn't want to pass anything in the clear over the internet.
  • free - I'm sure that Timbuktu and Apple Remote Desktop (ARD) Server are great products, but what can I say, I'm cheap.
  • built-in - I always prefer to use as many standard built-in tools as possible to keep things simple.
  • simple - wanted point-and-click simplicity on my dad's end. Didn't want him typing in IP addresses and such.
  • zero or at least minimal network changes on Dad's end - I didn't want him mucking around with his router and hosing himself so that he can't get online anymore, since I can't fix that sort of thing remotely.
For the purposes of this how-to, the Mini is my dad's computer, and the PowerBook is my computer. This should help keep things straight as far as which computer needs to do what. I had Apple ship the Mini to me directly so I could set this up in advance, but the same could probably be done remotely without too much pain.

So, the first thing I did was upgrade his Mac to the latest ARD client software. This is free on the Apple site. It's called the ARD client, but in truth, it's really a VNC server under the sheets. I had the luxury of being able to do this myself since I had his Mini at the time, but it's really pretty easy and I'm confident I could have talked my dad through the install over the phone.

Once that was installed I went into the Sharing preferences pane on the Mini and started the ARD service. I also went into the Access Privileges for ARD and enabled "VNC viewers may control screen with Password." Just put any old password in -- it doesn't matter and will be ignored since we'll be tunneling over ssh. I also put a check next to his user account and checked "Observe" and "Control" (not actually sure if this is necessary, but whatever). Note that I did not need to open up the ARD ports on the Mini's software firewall, since this will be tunneled over ssh. In fact, I didn't even need to open up the ssh port on the Mini, since the Mini is sending the ssh request outbound (it's a reverse tunnel), not receiving ssh requests inbound. It's very secure this way -- his Mini is completely stealthed.

Next I enabled Remote Login (i.e. the ssh server) on my PowerBook. I created a dummy, non-privileged account (called "dummy") to receive the tunnel. I generated a DSA public-private key pair on the Mini under my dad's account (in Terminal, type ssh-keygen -t dsa and accept the defaults). I copied my dad's public key to the ~/.ssh/authorized_keys2 file under the dummy account. This step isn't really necessary if you don't mind your switcher having to remember and type in the dummy user's password, but that didn't meet my "simple" criterion above. Again, I had the luxury of doing this work directly on the Mini. With iChat and a little cutting and pasting, it could be done remotely as well. Note that there's no real security risk in having your switcher email or IM you their public key -- that's why it's "public."

Next I installed Chicken of the VNC on my PowerBook. I assume any decent Mac VNC client would do, but CotVNC was lightweight, free, and worked out of the box with no changes. I also set up a dynamic DNS name for my PowerBook using DynDNS.org (again, free). This allows me to hard-code a name instead of an IP on the Mini, since my ISP uses DHCP and the IP might change over time. There are various Dynamic DNS clients for the Mac -- I have no experience with them, since my Linksys WRT54G router has DDNS support built in.

I then created a saved Terminal file on the Mini to launch the reverse tunnel. In Terminal, just do a File -> Save As then give the file a name. Click on "Execute this command" and enter the following:
ssh dummy@mypowerbook.ddnsname.whatever -R 5900:127.0.0.1:5900
Check "Execute command in shell" and click Save. This creates a reverse (hence the -R) tunnel mapping the VNC client port (5900) on my PowerBook to the VNC server port (also 5900) on his Mini. It's a reverse tunnel, meaning that although he established the connection from the Mini to the PowerBook, the "flow" or port mapping actually goes in the opposite direction: from the PowerBook to the Mini. Why all the trouble? This means that my dad didn't have to screw around with opening up any ports on his Mac firewall, or do any port re-mapping on his router to allow inbound ssh connections. The tunnel emanates from his box, but allows me to go back into his. Now all my dad has to do when he wants to establish the tunnel is double-click on the saved Terminal file. Magic!

Now since I too am behind a NAT router and run the Mac firewall, I did have to map the ssh port (22) on my router to my PowerBook, and I did have to open up the ssh port on the Mac firewall. But I can turn all this off when the tunnel isn't in use for better security (which is easy since it's on my end, not my dad's). And for the truly paranoid, you can turn off password-based ssh authentication (assuming you set up the public-private key pair), so that there's little chance you could be hacked via a password attack.

Almost there! Now all my dad has to do is double-click on that Terminal file to start up the tunnel. Once that is established, I fire up CotVNC, type in localhost under the Host: field, leave the display/port set to 0, leave the password field empty, and click Connect. Voila! The Mini's screen appears, and I can use my mouse and keyboard to control it. Note that I do not need to be logged in as the dummy user. The whole point of the dummy user is to be the end point for the tunnel. Once the tunnel is up, the ports are mapped for the whole machine -- any user on the PowerBook can take advantage of the tunnel. Also note that with this method, I never need to know the IP address of the Mini -- again, for the sake of simplicity, I didn't want my dad trying to figure out his router's IP address every time we start the tunnel.
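The two halves of the setup above, written out as shell functions; this is an added example, not code from the hint or its author. It assumes a current OpenSSH (the restrict and permitlisten authorized_keys options), the VNC port 5900 used in the hint, and hypothetical user and host names; the install function also applies the ~/.ssh permissions that several comments below ask about.

```shell
#!/bin/sh
# Added example, not the hint's own code. Both halves of the setup as shell
# functions: the authorized_keys entry for the "dummy" account on the PowerBook,
# and the ssh command saved in the Terminal file on the Mini.
# Assumes a current OpenSSH: "restrict" (7.2+) and "permitlisten" (7.8+).
set -u

VNC_PORT=5900   # the ARD/VNC port on both ends, as in the hint

# PowerBook side: wrap a public key line (the contents of id_dsa.pub) in
# options so that this key can do exactly one thing: open the reverse tunnel.
#   restrict        - no pty, no X11/agent forwarding, no ~/.ssh/rc
#   port-forwarding - re-enable forwarding, but only what permitlisten allows
#   permitlisten    - the tunnel may only listen on localhost:5900
restricted_key_line() {
    pubkey="$1"
    printf 'restrict,port-forwarding,permitlisten="localhost:%s" %s\n' \
        "$VNC_PORT" "$pubkey"
}

# PowerBook side: append that entry to $home/.ssh/authorized_keys with the
# permissions sshd requires (700 on the directory, 600 on the file); sshd
# ignores the file when it is group- or world-writable.
install_tunnel_key() {
    pubkey="$1"; home="$2"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    restricted_key_line "$pubkey" >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

# Mini side: the command to put in the saved Terminal file.
#   -N                      no remote shell, only the tunnel (fits the restricted key)
#   -p                      sshd port on the PowerBook side (22 unless the router remaps it)
#   ExitOnForwardFailure    exit instead of pretending, if 5900 is already in use
#   ServerAliveInterval     notice a dead connection instead of hanging forever
#   -R 5900:127.0.0.1:5900  listen on the PowerBook, deliver to the Mini's own VNC server
tunnel_command() {
    user="$1"; host="$2"; port="${3:-22}"
    printf 'ssh -N -p %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -R %s:127.0.0.1:%s %s@%s\n' \
        "$port" "$VNC_PORT" "$VNC_PORT" "$user" "$host"
}

# Before sending a key file by mail or IM, confirm it is the public half:
# public keys start with the key type, private keys with a PEM/OpenSSH header.
is_public_key() {
    first_line=$(head -n 1 "$1")
    case "$first_line" in
        ssh-*|ecdsa-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage illustration with hypothetical names (no ssh connection is made here).
if [ "${1:-}" = "demo" ]; then
    echo "Mini's Terminal file should run:"
    tunnel_command dummy mypowerbook.example.org
    echo "PowerBook's authorized_keys entry would look like:"
    restricted_key_line "ssh-dss AAAAB3NzaC1kc3MAAACB... dad@mini"
fi
```

Because the entry carries permitlisten, the dummy account's key cannot be used for a shell or any other forwarding even if the Mini is ever compromised; the -N flag on the client side matches that restriction.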

That's about it. Hope others find this useful. Nothing here is really anything new - just cobbled together a bunch of different pieces into a single solution, and I'm sure I'm not the first to do so.
How to securely control another Mac over the internet
Authored by: JazzDude on May 09, '05 04:50:15PM

Awesome. I will try it out with my ex-girlfriend, who's completely computer-illiterate.



How to securely control another Mac over the internet
Authored by: laurion on May 09, '05 07:05:42PM
Ex-girlfriend?

Either you're still on very good terms with her, or you're planning something very sneaky...

How to securely control another Mac over the internet
Authored by: kd4ttc on Oct 21, '05 03:28:05PM

Yeah. Keep us updated on this compelling use of the Mac platform.

---
Steve Holland



Controlling an ex-girlfriend over the internet - Sweet!
Authored by: kd4ttc on Oct 22, '05 08:04:05AM

Ah, were it only so simple!

---
Steve Holland



How to securely control another Mac over the internet
Authored by: brycesutherland on May 09, '05 05:07:57PM

I agree, this is really interesting and helpful. One question, though. Would you mind explaining the syntax of this part of the file:
dummy@mypowerbook.ddnsname.whatever

Without giving away your personal info, what do the three parts after the "@" correspond to? Is "mypowerbook" the name of your PB as listed... where? In other words, I'd appreciate knowing more about what I should put in my own file.

Thanks again!



How to securely control another Mac over the internet
Authored by: matx666 on May 09, '05 05:29:04PM

user@server

if you've registered your dynamic ip with a domain name use that.

i.e. user = test, server = totally-cool.org

user@totally-cool.org



How to securely control another Mac over the internet
Authored by: rjbailey on May 09, '05 05:30:17PM
I agree, an excellent hint. I think what he means by "dummy@mypowerbook.ddnsname.whatever" is that "dummy" is the account name specified on his powerbook, and "mypowerbook.ddnsname.whatever" is the static IP name assigned to him by DynDNS.org or whoever. That name will vary depending on who you get the name from and what options you choose, but it will look something like "mypowerbook.dyndns.org", where the domain "dyndns.org" you can't choose but "mypowerbook" you can. I set one up like this myself and it's very handy.

How to securely control another Mac over the internet
Authored by: jmontana on May 09, '05 05:35:12PM

Exactly. Go to dyndns.org and register. Then you can set up dynamic host names for yourself. So you might end up with brycesutherland.dyndns.org.

Then download DNSUpdate and set your machine up so it automatically updates brycesutherland.dyndns.org with whatever your current IP address is:

http://www.dnsupdate.org

That way, when your IP address changes, DNS Update will notify dyndns.org. The double-clicked terminal command on the other end hits brycesutherland.dyndns.org, and automagically gets the new IP address.



How to securely control another Mac over the internet
Authored by: brycesutherland on May 09, '05 06:00:48PM

Thanks for the clarification folks. I really appreciate it!



How to securely control another Mac over the internet
Authored by: cpaulu on May 09, '05 09:00:10PM

I configured my router (AEBS) to map a nonstandard public port to the standard ssh port (22). In other words, in my case, my Dad's computer would need to use a nonstandard port for the ssh connection. Can this tip procedure be rigged to use a nonstandard port?



How to securely control another Mac over the internet
Authored by: chepner on May 09, '05 09:14:51PM

I think you just need to add the -p option to the ssh command given, to tell the remote Mac to connect to the nonstandard port on your router.

ssh -p <nonstandard port #> dummy@....



ARD client now part of Tiger
Authored by: victory on May 09, '05 09:26:10PM

A really nice howto. What makes this description a bit different from the usual 'VNC-thru-SSH' tutorials is the use of remote/reverse-tunneling for enhanced security.

It's also particularly appropriate since the ARD-client now comes installed as a standard part of Tiger.



ARD client now part of Tiger
Authored by: ewelch on May 09, '05 10:20:07PM

I took the lazy way out and use Timbuktu Pro 8. It has all sorts of cool features that VNC doesn't have, is very fast, very reliable and works every time. I've used it for years to support my parents' PC and now their Mac.

Sometimes proprietary software is worth it!

(I am not connected to Netopia in any way whatsoever other than I send them money for upgrades.)

---
Eric

Ernest Hemingway's writing reminds me of the farting of an old horse. - E.B. White



How to securely control another Mac over the internet
Authored by: cynikal on May 09, '05 11:05:17PM

simply awesome.. i love a good combination of tricks to come up with a good solution like this.. i will have to try this w/ my switcher friends



How to securely control another Mac over the internet
Authored by: MiStch on May 10, '05 09:12:07AM

Hm, good hint. But I don't really get the idea of using a reverse tunnel instead of a simple SSH login on your dad's computer.
The only difference is that the SSH port has to be open on your dad's end (the potential security risk is now on your side), but you have less configuration work.
You also get more flexibility - as you can log in from any computer/router you want (your solution is permanently linked to your router ddnsname).

By the way: you normally can set up the router configuration remotely - so your dad does not have to worry about this (see router setup).



remote router control
Authored by: j-beda on May 10, '05 11:00:45AM

A lot of routers come pre-configured to NOT be remotely administrable for security purposes. Most routers have known default account/password combos and thus would be open to nefarious tricks if anyone "out there" could mess about with their settings.



remote router control
Authored by: MiStch on May 10, '05 02:05:02PM

I totally agree. I just say it's technically possible if you really want to do it.



How to securely control another Mac over the internet
Authored by: beaster on May 11, '05 07:17:57PM
Fair question - the main reason is, as you stated, I don't have to muck around with my dad's router over the internet to open up port 22. But beyond that, I also don't have to setup a ddns name for his computer and install and configure the requisite software on his box to keep ddns up to date when his IP changes (or worse, try to explain to him how to find his router's IP and AIM it to me or something).

Furthermore, if one of us is going to take the (relatively small) risk of opening up port 22, I want it to be me. I know that all the accounts on my powerbook have strong passwords, but I can't guarantee the same for my dad's computer.

Finally, I don't have to have my dad ask me why there's an account called "dummy" on his login screen. ;)

Minor quibble - I don't agree with your flexibility argument. If I'm travelling somewhere else with my Powerbook (but without my router), I can just reset my ddns name to point to my new IP by going straight to ddns.org.

Regards, Sean

How to securely control another Mac over the internet
Authored by: dtungsten on Oct 25, '05 12:30:27AM

Minor quibble - I don't agree with your flexibility argument. If I'm travelling somewhere else with my Powerbook (but without my router), I can just reset my ddns name to point to my new IP by going straight to ddns.org.

But you do have the (probably minor) inconvenience of waiting for the DNS to propagate.



How to securely control another Mac over the internet
Authored by: SeanKaneFLA on Oct 30, '05 12:52:49PM

dyndns.org updates almost, if not, instantaneously.



How to securely control another Mac over the internet
Authored by: rjraimo on May 10, '05 12:10:13PM

"I copied my dad's public key to the ~/.ssh/authorized_keys2 file under the dummy account."

Where is this file under my dummy account that I created on my computer? I understand the other steps in the process but I don't understand where the public key is supposed to go.

Also, how do I map an ssh port (22) on my router to my iBook?

Thanks for any help provided!



How to securely control another Mac over the internet
Authored by: MattHaffner on May 10, '05 03:38:00PM

If the file doesn't exist already, create it. From the dummy account for this tip,

cp ~dad/.ssh/id_dsa.pub ~/.ssh/authorized_keys

(I think the '2' is a vestige of an older version of OpenSSH when the v1 and v2 protocols were more separated).

More generally, you can use 'scp' to copy a remote id_dsa.pub from an account you have access to into an authorized_keys file "locally". You can also use any other file transfer to grab the id_dsa.pub--there's nothing magic about the scp transfer.

You should also do this, if the file doesn't exist:

chmod 600 ~/.ssh/authorized_keys

Since ssh might not use the file if it's not secured well enough.

For future reference, the ~/.ssh/authorized_keys file can have multiple keys in it to allow (non-password) remote logins from multiple users. If you ever want that functionality, get used to using this syntax instead:

cat ~dad/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys

which appends the first file to the end of the second.

As for mapping your ssh traffic to a specific machine, you have to check the details on your router, but this is easiest if you assign a static LAN IP to the machine first. Then you should have an option in the router to "map ports" or "port translation" that should allow you to fill in (at least) three numbers: the port the remote machine is requesting to access, the port you want it to go to on your local machine, and the LAN IP of the local machine. With a standard setup, the first two numbers are both 22 for ssh. Don't forget to open up the service on your Mac as well in the Sharing pref pane.



How to securely control another Mac over the internet
Authored by: bryan3605 on May 13, '05 12:51:41AM

I've got the "dad's" public key in my "powerbook" in the correct position and I've turned on port forwarding for port 22 on my router to my "powerbook's" IP, but I'm not sure where the private key needs to go on the "dad's" system. It is currently in the top level of the "dad's" user account. Do I need to create a /.ssh directory to place this file in?

When I double click on the terminal icon on the "dad" computer, I get a message saying "connection refused."



How to securely control another Mac over the internet
Authored by: beaster on May 14, '05 11:36:26AM

Yes, the "dad's" private key should go in /Users/dads_username/.ssh/ on "dad's" computer. Permissions should be 600 on the directory.

Regards,
Sean



How to move the public key?
Authored by: sharkbite86 on Oct 21, '05 11:43:09AM

I don't understand the process of moving the key file. Now I'm pretty sure I am supposed to use Terminal, but how do I move the public key from "Dad's" computer to mine over an ethernet connection (or any connection for that matter)? I don't use Terminal that much so I would be really happy if someone could fill me in. Thanks.



How to securely control another Mac over the internet
Authored by: sdewidt on May 10, '05 05:11:23PM

I tried setting this up yesterday, but I couldn't get it to work. I think I did it all correctly; has anyone else gotten it to work, besides the author? I did have one question about the line that is in the saved terminal file. Does the IP address at the end refer to the IP address of the machine launching the file (ie his Dad's machine)? So, this is going to vary from person to person depending on how the router is set up, if I'm not mistaken.



How to securely control another Mac over the internet
Authored by: steffi on May 11, '05 12:16:02AM

Why is it when I try to point Chicken at a 10.4 machine I get

"Incompatible Version"

??



How to securely control another Mac over the internet
Authored by: SeanKaneFLA on Nov 01, '05 02:49:24PM

Anyone ever find out why the "incompatible version" error appears? I can't seem to get around it. I'm using CotVNC.

Thanks,
Sean



How to securely control another Mac over the internet
Authored by: whitehat101 on May 11, '05 01:11:44AM
127.0.0.1 is the loopback address, so you won't have to change it no matter what the setup.

I first tried this with 10.3.9, CotVNC, and ARD 2.2 and I got errors when connecting (I was just connecting to myself) but then I saw that the link to 'the latest' was 2.1. I went back to 2.1 and I connected to myself fine. Now I just have to try it from my laptop, but I don't predict any problems. Other than it's Win2000, but putty and MetaVNC should work nicely.

If someone has gotten ARD 2.2 to connect let me know, I'm not sure why they would prevent VNC unless just to prevent what we're doing and make us pay $200...

How to securely control another Mac over the internet
Authored by: sdewidt on May 11, '05 02:00:42PM

Maybe that's my problem; I've been trying to do this on two 10.4 machines, which have the newest version of ARD. When I get home from work tonight, I'm going to try it with another VNC server, OSXvnc, and we'll see what happens.



How to securely control another Mac over the internet
Authored by: beaster on May 11, '05 07:38:26PM

Yes, sorry - when I sent in my original hint, ARD 2.1 was the latest release. I have however tried this with ARD 2.2 and got it to work. The only change I needed to make was actually setting and supplying a real password in the ARD config and the COTVNC client. For some reason ARD 2.1 didn't need a password, but ARD 2.2 does.

Regards,
Sean



How to securely control another Mac over the internet
Authored by: jbgoode on Jun 15, '05 02:54:41PM
In 10.4 (Tiger), when I start the ARD service, it automatically opens several corresponding ports on the builtin firewall, and it doesn't appear that there's any way to get around that without manually changing the firewall rules.

OSXVnc has an option to force SSH by only accepting connections from localhost. This violates your builtin requirement, but better fills the secure requirement by only letting one port open on the builtin firewall.

Or maybe I'm missing something in the ARD preferences...

How to securely control another Mac over the internet
Authored by: phatmatt on Jun 15, '05 07:05:41PM

If the "Dad" computer is behind a physical firewall (router) it doesn't really matter if the VNC software is opening up ports in the software since they won't propagate to the router.

That said, I like OSXvnc because I seem to crash the apple version fairly regularly. It can be restarted through ssh (if the ports are open) but that's annoying.



How to securely control another Mac over the internet
Authored by: ssamani on Jun 23, '05 04:39:50AM

OK, got this working, once I realised that I was also running OSXvnc on my dad's machine and that and ARD were conflicting. However I have one issue. On Tiger 10.4.1, if I enable the ARD service, the firewall port 5900 is opened automatically and I cannot disable it in the Firewall tab of the Sharing preference panel. (It says I have to disable the ARD service in the services tab). How do I disable that to make it as secure as mentioned in the article?



How to securely control another Mac over the internet
Authored by: normanya on Jul 27, '05 12:35:00PM

Very interesting!
Which IP is 127.0.0.1 in this line?

ssh dummy@mypowerbook.ddnsname.whatever -R 5900:127.0.0.1:5900



How to securely control another Mac over the internet
Authored by: nwfrg on Oct 18, '05 03:48:15AM

127.0.0.1 refers to the localhost, or is it the loopback?

Whatever. It means the network port of the local machine. It's like running an extension cord out your front door and then back in through your own kitchen window and plugging it into the outlet by the sink. Well sorta. Perhaps that's a bad analogy.



How to securely control another Mac over the internet
Authored by: rackerby on Dec 14, '05 03:45:20PM

You say: "I did not need to open up the ARD ports on the Mini's software firewall"

How does one do that with the ARD service on? Third party firewall GUI?



How to securely control another Mac over the internet
Authored by: dcoyle on Jan 28, '06 06:48:57PM

I'm guessing this is the difference between ARD 2.1 and 2.2. Since you can't separate the firewall config from ARD 2.2's config, they now require you to have a password to control ARD. Just a guess, as I said.



How to securely control another Mac over the internet
Authored by: sharkbite86 on Dec 19, '05 04:11:48PM

Ok so I have finally figured everything out (yay! 'bout time!). What confused me was moving the public key. A REALLY easy way to move the public key for the people out there who are squeamish about Terminal is to use the application "TinkerTool" (http://www.bresink.de/osx/TinkerTool.html).

All that you need to do is start up TinkerTool and click on "show hidden and system files". Then just copy the "id_dsa.pub" from the "mini" to the "powerbook's" .ssh folder and rename it to "authorized_keys" (you will need to create the ~/.ssh/ directory using the same ssh-keygen thing). That's it!

When you create a key in the first place (using ssh-keygen), make sure you do not put a pass when it asks. There is no reason really why not, but with a pass you will be prompted to type in the pass every time you try to connect with ssh. Not fun.

Anyway, hope this helps with any confusion :)



How to securely control another Mac over the internet
Authored by: leturner on Jan 10, '06 07:54:25PM

I know this post has gotten stale but it's a great hint ... that unfortunately I can't get to work.

I've got exactly the situation described in the hint: Mom with Mini, me with G4 laptop, both behind routers. I've followed instructions to the letter (triple checked) including the changed password requirement with the 2.2 ARD update. But I'm getting stuck at the reverse tunnel stage.

When she clicks on the .term file, Terminal launches, runs the ssh script, then sits there a bit and times out.

I have:

- updated ARD on mini to latest (2.2)
- gotten the virtual static IP address
- Created the terminal script file
- Turned on ARD in the mini
- forwarded port 22 on my airport express to the 192 IP address of my laptop (public port 22, 192.168.1.x, private port 22)
- opened port 22 on my software firewall

I've run a copy of the .term file from my own laptop, and it appears to work - asking for my dummy account password - and I get into myself. But is that really a test since I'm connecting to myself? It's not clear to me, when I do it, whether or not I actually go out and back through the router and the port forwarding works.

Any suggestions would be greatly appreciated.

Thanks



How to securely control another Mac over the internet
Authored by: dcoyle on Jan 28, '06 06:46:01PM

I've been playing around with SSH a little, including this hint which I ultimately got to work. I'm no expert (far from it), but what I found really useful was using Console to see what gets logged - look on both machines. In my case, I had to delete, then re-create keys in /etc. I don't believe they are used at all, but sshd won't work without them.

Not saying I think that's your problem, but there appear to be a lot of things that can go wrong. The copious logging is one of the things I really like about OS X and will get you pointed in the right direction. I hope that someone who actually knows what he is doing reads your post and can help you.



How to securely control another Mac over the internet
Authored by: martinw on Sep 11, '06 01:39:07PM

Sean,

This is a great tutorial, thanks. I am having trouble getting it to work - I am soooo close. I think I followed your direction to the letter.

The SSH Reverse tunnel appears to set up correctly from the "client" computer (the one which is to be controlled).

When I run Chicken of the VNC on the "administrator" computer (computer intended to do the controlling), connecting to localhost, I get the error: Authentication Failed. That sounds like it would be a simple password issue. But in your tutorial, you say not to even enter a password when connecting to localhost.

I have also tried connecting to localhost, AND using the password which the Client computer entered under "VNC viewers may control screen with Password." This still results in the same error message: Authentication Failed.

The SSH tunnel appears to be open and working.

Here is the setup if it helps:
"Administrator" computer (PowerBook):
- connected to internet directly via cable modem
- no router, no NAT
- running chicken of VNC
- Remote Access is enabled in SYS PREFS
- "Dummy" account established

"Client" Computer
- Connected to internet as follows: Internet -> ADSL Modem -> Airport Express -> Client Computer (MacBookPro)
- Successfully established reverse ssh tunnel to "dummy" account on "administrator" computer.

If you are still monitoring this thread.... any suggestions? Would it be anything to do with the fact that the "client" computer is behind 2 routers (ADSL Modem and Airport Extreme)?

Thanks so much in advance! :)

Martin



How to securely control another Mac over the internet
Authored by: martinw on Sep 12, '06 11:06:33PM

Actually, cancel that. We did get it working in the end. I don't know what the problem was, but now it's going great. Sorry for the false alarm.



Authentication Failed
Authored by: WinUser on Sep 22, '06 12:50:11PM

I had the same problem but found out there was already a vnc client that was using port 5900.
When I changed the port in the tunnel and in the client to 5800 it worked again. Even easier: I restarted the vnc client, and all was well. You probably did the same.



How to securely control another Mac over the internet
Authored by: The Cardinal on Sep 20, '06 03:31:45AM

This would be a perfect hint for me if I could get it to work. I'm off to Sydney at Christmas and I'm giving my Mum my iMac so that she can video chat with the kids. Thing is she is completely computer illiterate so I need something like this to assist her if she has any trouble.

Here's what I have done:

Admin computer (MBP):
Enabled remote login
Created dummy account
Downloaded COTVNC
Got a static IP address and DNSUpdate

Client (iMac):
Downloaded and enabled ARD
Created terminal script
Generated a public-private key

I tried to initiate the tunnel at home, but it was refused because port 22 was not opened. Both machines were accessing the internet through the router at the same time so I think that may be the problem there.

Now I am trying to do the same thing, but I am at work and so I am probably behind a firewall and a router, etc. I cannot open any ports on the firewall. I presume that this would be a problem. However, the original hint says " did have to map the ssh port (22) on my router to my PowerBook, and I did have to open up the ssh port on the Mac firewall." Can somebody tell me how to do this please.

Thanks for your help.



How to securely control another Mac over the internet
Authored by: The Cardinal on Sep 20, '06 03:48:21AM

Rereading that post it seems a bit wishy-washy. What I am actually asking is this:

1. Should I be able to control the client even if the admin and client computers are accessing the internet through the same router?

2. Do I need to open port 22 on my admin computer for any reason, and if so how?

3. Assuming that I did have access to the router/firewall at work, would I have to do anything in addition to the hint (this is pretty much the same as Q2 I suppose)?

4. Currently when I try to connect from work, my wife is at the iMac and clicks the terminal script. It sits there for about 10/20 seconds then times out. Is it waiting for a connection? Is there somewhere where I can increase the time-out period?

You can probably tell that I am not very knowledgeable in this area, so any help would be greatly appreciated.

Cheers



Open and redirect ports...
Authored by: WinUser on Sep 22, '06 01:06:13PM

For your mum to open the tunnel, she starts the terminal script. This will make her side easy, since she initiates the tunnel, so she doesn't have to open any ports for the outside world. But... you will be contacted by her tunnel, so your side needs a couple of things:
- your router has to know to which local address it should forward an incoming port 22 request, and not block it
- your machine (PC, laptop, notebook) needs to not block incoming connections on port 22
- you need to have an ssh daemon (ssh server) running on your laptop, but you probably have that.

When opening port 22 and forwarding port 22 you can sometimes tell the router to only allow this for a certain range of external IP addresses (depending on router type). This could be your mom's IP, restricting port 22 forwarding in a way to let only your mom through.

I just set this up today, and gave my mom a Mac. It works like a charm, if port forwarding is setup correctly.



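An added example for the setup WinUser describes above (it is not from the original hint or from any poster in this thread). It is a small sh script with two jobs: build the exact ssh command the remote (client) Mac should run, and let you check the host side before asking the remote user to try. The account name "dummy", the host name "mypowerbook.ddnsname.whatever" and the ports are placeholders taken from the thread, not real systems; the lsof and nc invocations are the standard ones shipped with macOS. The -o ExitOnForwardFailure=yes option is the practical fix for the "times out / nothing happens" symptom asked about above: without it ssh keeps the session open even when the host's port 5900 is already taken, and the client is left with a tunnel that leads nowhere.

```sh
#!/bin/sh
# Added example, not code from the original post or its replies.
# Builds the reverse-tunnel command for the client Mac and checks the host
# side. Names, addresses and ports below are placeholders/assumptions.

# Validate a TCP port number (1-65535) so a typo does not surface as a
# confusing ssh error on the remote user's screen.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the ssh command the client Mac runs to open the tunnel.
#   $1 host account (e.g. dummy)   $2 host address (DNS name or IP)
#   $3 host ssh port (22, or the non-standard port the router maps to 22)
#   $4 VNC port on both ends (5900)
# -N                        no remote shell: the dummy account only holds the tunnel
# -o ExitOnForwardFailure   ssh exits if the host's $4 is already in use (for
#                           example ARD/VNC enabled on the host) instead of
#                           silently continuing without the forward
# -o ServerAliveInterval    keeps an idle tunnel from being dropped by NAT
# -R 127.0.0.1:P:127.0.0.1:P  the listener on the host is bound to loopback,
#                           so only processes on the host Mac can reach it
tunnel_command() {
    valid_port "$3" || { echo "bad ssh port: $3" >&2; return 1; }
    valid_port "$4" || { echo "bad vnc port: $4" >&2; return 1; }
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -p %s -R 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
        "$3" "$4" "$4" "$1" "$2"
}

# Host-side check: is something already listening on the VNC port?
# If so the -R forward will fail (the "you see your own desktop" gotcha).
# lsof ships with macOS; no root needed to see your own processes.
vnc_port_busy() {
    lsof -nP -iTCP:"$1" -sTCP:LISTEN >/dev/null 2>&1
}

# Client-side check: can the host's ssh port be reached at all?  Separates
# "router is not forwarding" from "key or password problem".
probe_ssh() {
    nc -z -w 5 "$1" "$2" >/dev/null 2>&1
}

if [ "${1:-}" = "--demo" ]; then
    tunnel_command dummy mypowerbook.ddnsname.whatever 22 5900
fi
```

Run it on the host Mac as `sh tunnel.sh --demo` to get the command line to paste into the client's Terminal script (substitute the port from `-p` if the router maps a non-standard port to 22). Before the remote user connects, `vnc_port_busy 5900 && echo "free 5900 first"` catches the case where the host's own VNC/ARD server holds the port. Note that binding the listener to 127.0.0.1 limits the tunnel to the host Mac, not to a particular user on it: any local process on the host can connect to 127.0.0.1:5900 while the tunnel is up, so the dummy account only limits what the remote Mac can do on the host, not who on the host can use the tunnel.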
How to securely control another Mac over the internet
Authored by: cnsayre on Dec 24, '06 01:33:35PM
I know this topic is ancient by this point in time, but I'm trying to rig it so that I can help my father-in-law cross state lines with his mac.

I've got most of it setup (I can control his mac w/Chicken of the VNC within his "LAN."), but the setting up of the ssh is giving me fits.

The command:

ssh dummy@mypowerbook.ddnsname.whatever -R 5900:127.0.0.1:5900

Is returning a request for a password...

Um, what password?

Thanks,

cnsayre


Might be DSA key password
Authored by: waboom on Dec 27, '06 11:01:55PM
It sounds like it could possibly be asking for the password used when you generated the DSA key. When generating the public/private DSA keys, you can assign a password to the key set. If this is the case, the best way to fix it is to delete the ~/.ssh folder on your Dad's (the client) Mac (in Terminal, type cd ~/.ssh; rm *; cd ~; rmdir .ssh), recreate a new DSA key using ssh-keygen -t dsa and just keep hitting return at all the prompts. Then, take the ~/.ssh/id_dsa.pub file from the client Mac, and copy the contents into ~/.ssh/authorized_keys on the host Mac (the one that is doing the controlling). You should first remove the old key associated with the client Mac from the authorized_keys file; if this was the only public key you've installed on the host Mac, you can just delete the file and create a new authorized_keys file with the new key. Hopefully that will take care of the errant password prompt.

You might call this hint ancient, but I call it timeless. It works as well today as when the submitter first posted it. I use it to help out my father, brother, mother-in-law AND father-in-law, each of whom seems to find new and inventive problems on their Macs monthly. Being able to quickly access their Macs and fix the problem in 5 minutes, instead of talking them through a half hour of dialog manipulation over the phone, is a real time and sanity saver.

I'll add another "gotcha" that I discovered in the process of setting this up myself: before the remote user connects to the host Mac, make sure that you don't have Apple Remote Desktop enabled in the sharing prefpane on the host Mac; if you do, Chicken of the VNC will simply display your own desktop!

Finally, I wrote this AppleScript to be run on the client Mac, because I might have to remotely control the other Mac from someplace other than my home. This script allows the client Mac to enter in a domain name or IP address to connect to, validates it, then runs the 'ssh' terminal command. Copy & paste into Script Editor, save as application, then place it on the client Mac. Whenever they need to connect to the host Mac, double-click the AppleScript.

set dummyAcct to "dummy" -- Whatever the account name is on the host Mac you're connecting to
set defaultHostIP to "126.18.31.12" -- Either the DNS name or IP address of the host Mac
set myHero to "Steve" -- Your name (it just appears in the first dialog presented when the script is run)

set isValidIP to false
repeat while isValidIP is false
    set remoteIP to text returned of (display dialog "What is " & myHero & "'s IP address or DNS address?" default answer defaultHostIP)
    set savedTextItemDelimiters to AppleScript's text item delimiters
    try
        -- Assume it is a dotted-quad IP address and check each octet
        set isValidIP to true
        set AppleScript's text item delimiters to {"."}
        set IPList to every text item in remoteIP
        set countOfIP to count of IPList
        if countOfIP is not equal to 4 then set isValidIP to false
        repeat with index from 1 to countOfIP
            set currentValue to item index of IPList as integer
            if currentValue > 255 or currentValue < 0 then set isValidIP to false
        end repeat
        set AppleScript's text item delimiters to savedTextItemDelimiters
    on error
        -- In case something bogus happens, make sure the delimiter is set back
        set AppleScript's text item delimiters to savedTextItemDelimiters
        set isValidIP to false
    end try
    -- Check if they entered a domain name
    try
        last character of remoteIP as integer
    on error
        -- if the last character isn't a number, it's a domain name
        set isValidIP to true
    end try
    if isValidIP is false then
        display dialog ("This is not a valid IP address:" & return & remoteIP) buttons {"Try Again"} default button "Try Again"
    else
        set x to button returned of (display dialog ("Is this the correct address?" & return & remoteIP) buttons {"No", "Yes"} default button "Yes")
        if x is "No" then set isValidIP to false
    end if
end repeat

-- Open the reverse tunnel: the host Mac's local port 5900 is forwarded to this Mac's VNC server
tell application "Terminal"
    activate
    do script ("ssh " & dummyAcct & "@" & remoteIP & " -R 5900:127.0.0.1:5900")
end tell


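An added example for the key handling in waboom's post above and the "what password?" question it answers (this is not code from the original hint or from any poster). It is an sh script for the host Mac that (1) tells you whether a private key file carries a passphrase, which is what produces the unexpected "Password:" prompt when the key was generated without just hitting return, (2) pulls exactly one public key line out of whatever was pasted or e-mailed, and (3) writes the authorized_keys entry for the dummy account with the restrictions the tunnel needs and nothing more. The `from=` option does at the sshd level what WinUser suggested doing at the router. The sample key material in the demo and the tests is constructed and is not a real key; "dad@mini" and the 203.0.113.* address are placeholders. One caveat the thread predates: OpenSSH 7.0 (2015) disabled ssh-dss keys by default, so on a current macOS generate the pair with `ssh-keygen -t ed25519 -N ""` instead of `-t dsa`; the script accepts either.

```sh
#!/bin/sh
# Added example, not code from the original post or its replies.
# Key diagnostics and a restricted authorized_keys entry for the dummy
# account. Sample keys used here are constructed, not real.

# Does a private key file carry a passphrase?  ssh-keygen of that era wrote
# PEM files; an encrypted PEM key has a "Proc-Type: 4,ENCRYPTED" header.
# Newer OpenSSH-format keys have no such header, so for those ask ssh-keygen
# to derive the public half with an empty passphrase: failure means a
# passphrase is set.
#   $1: path to the private key (e.g. ~/.ssh/id_dsa on the client Mac)
key_is_encrypted() {
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1" 2>/dev/null; then
        return 0
    fi
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1" 2>/dev/null; then
        if ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1; then
            return 1
        fi
        return 0
    fi
    return 1
}

# Keep only the fields of one public key line (type, base64 blob, comment)
# and reject anything else, so a pasted private key or an e-mail signature
# never lands in authorized_keys.
#   $1: the line as pasted or e-mailed
pubkey_fields() {
    read -r ktype kdata kcomment <<EOF
$1
EOF
    case "$ktype" in
        ssh-dss|ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "not a public key line: $ktype" >&2; return 1 ;;
    esac
    [ -n "$kdata" ] || return 1
    if [ -n "$kcomment" ]; then
        printf '%s %s %s\n' "$ktype" "$kdata" "$kcomment"
    else
        printf '%s %s\n' "$ktype" "$kdata"
    fi
}

# Build the authorized_keys entry for the dummy account.
#   from=              sshd accepts this key only from the switcher's address
#                      (hostname/IP pattern; CIDR on newer OpenSSH)
#   no-pty, no-X11-forwarding, no-agent-forwarding
#                      the key can hold the tunnel but gets no terminal,
#                      X11 or agent access on the host
#   command="/bin/cat" if a shell is requested anyway, the session just
#                      waits on stdin until the user closes the window, so
#                      the tunnel stays up and no command ever runs
# These options exist on the Tiger-era OpenSSH as well as current releases.
# On OpenSSH 7.8+ you can additionally pin the forward with
# restrict,port-forwarding,permitlisten="127.0.0.1:5900".
#   $1: public key line   $2: allowed source, e.g. 203.0.113.*
restricted_authorized_line() {
    key=$(pubkey_fields "$1") || return 1
    printf 'from="%s",no-pty,no-X11-forwarding,no-agent-forwarding,command="/bin/cat" %s\n' "$2" "$key"
}

if [ "${1:-}" = "--demo" ]; then
    # Constructed sample key, not a real one: shows the line that would be
    # appended to ~dummy/.ssh/authorized_keys on the host Mac.
    restricted_authorized_line 'ssh-dss AAAAB3NzaC1kc3MAAACB dad@mini' '203.0.113.*'
fi
```

On the client Mac, `key_is_encrypted ~/.ssh/id_dsa && echo "key has a passphrase"` settles the password-prompt question before you start deleting anything. On the host, `restricted_authorized_line "$(cat id_dsa.pub)" '203.0.113.*' >> ~dummy/.ssh/authorized_keys` installs the key; make sure the file is mode 600 and owned by the dummy account, since sshd ignores an authorized_keys it considers writable by others. If the switcher's address changes (dynamic IP), use a pattern wide enough for their ISP's range or drop the from= clause and keep the router rule instead.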
How to securely control another Mac over the internet
Authored by: superg on Dec 25, '06 09:21:04PM

umm... their os x password?



How to securely control another Mac over the internet
Authored by: cnsayre on Dec 26, '06 06:36:11AM

Nope. Tried it. Tried my iBook's password too.

What's happening is after the execution of that command in Terminal, I see:

Password:

And after three attempts (using my password, his password, just leaving it blank), it asks for my Powerbook's password. Typing in that, I get the result along the lines of:

"Incorrect password. Connection refused by cnsayre's ibook."

I'm wondering if this has something to do with the public/private keys maybe...

cnsayre



How to securely control another Mac over the internet
Authored by: dcoyle on Jan 21, '07 08:31:41AM
From the original post:
Next I enabled Remote Login (i.e. ssh server) on my PowerBook. I created a dummy, non-privileged account (called "dummy") to receive the tunnel. I generated a DSA public-private key pair on the Mini under my dad's account (in Terminal, type ssh-keygen -t dsa and accept the defaults). I copied my dad's public key to the ~/.ssh/authorized_keys2 file under the dummy account. This step isn't really necessary if you don't mind your switcher having to remember and type in the dummy user's password, but that didn't meet my "simple" criterion above. Again, I had the luxury of doing this work directly on the Mini. With iChat and a little cutting and pasting, it could be done remotely as well. Note that there's no real security risk having your switcher email or IM you their public key -- that's why it's "public."
I'm pretty sure the required password is for the dummy account. If it's a non-privileged account, and setting up the keys as described is a hassle (most likely because you don't have both machines in front of you), you could just give the dummy account a simple password.

How to securely control another Mac over the internet
Authored by: joshturse on Jan 17, '07 01:50:15PM

The problem I have with these solutions, and the Mac, is that a VNC session is visible at both ends. In my case, I want to use this with a computer at work, which requires a certain level of information control. Unlike Windows Remote Desktop Connections, a VNC session with a Mac is visible to everyone standing in the room with my work Mac - which would normally either have me sitting in front of it or be secured with its screensaver (and OF passwords, etc).

Has anyone found a solution where the remote keyboard is locked and the remote screen is not viewable?



How to securely control another Mac over the internet
Authored by: dcoyle on Jan 21, '07 08:45:41AM

That's a very good question. Leopard is supposed to have virtual desktops. Seems like the next logical step would be to make individual desktop(s) non-shared among connections just like terminal or X11 sessions. This more-unixy behavior would be preferable to Windows Remote Desktop which locks the console screen when you connect, which in turn is preferable to VNC's behavior of sharing the local and remote screens.

The one advantage of a shared screen is when you are explaining something over a distance and they can follow along with what you are telling them. Perhaps Apple will reserve that capability for ARD server since that is more like something a Help Desk would use and pay for.



How to securely control another Mac over the internet
Authored by: joshfree on Feb 16, '07 09:55:31AM

I'm trying to set up two VNC servers on one network, both hooked up to the same DSL connection via Airport Extreme. Both machines have permanent IP addresses.

One is a Powerbook G4 that has been working fine as a server for a while now. Other people can successfully access that computer from remote locations via the Internet.

The second is an iMac, which is always on here at my office. I want to be able to access that iMac from home (using the same Powerbook).

Both computers can successfully connect to each other over our office LAN, using Chicken of the VNC and VineServer. I've also tried the built-in VNC server in OS 10.4. All fine.

But I can't get my Powerbook to connect to the iMac over the Internet. Just within the LAN.

I thought it must have something to do with port mapping on the Airport Extreme router. But I'm not sure how to set up port mapping when I want two different computers to work as servers on the same DSL connection.

I hope somebody knows the answer, or can direct me to a good resource.

Thanks!



How to securely control another Mac over the internet
Authored by: bitwise on Mar 13, '07 11:37:44AM

Perhaps, in the router, map a non standard port to port 22 on one of the machines (probably the imac in your case). Then when connecting to it, use the port flag (-p) in the ssh command to use the non standard port you chose.



How to securely control another Mac over the internet
Authored by: hoogie69 on Mar 19, '07 12:00:57PM

Excellent Thread.

I don't know ('cause a search of the forum couldn't find it) if this has been addressed. I am the "Help Desk" for my mom. We both run OS X 10.4.8. I connect over broadband (Comcast) and she connects via a dial-up/PPP ISP. How/can the techniques described in this thread be used under these circumstances? Would Timbuktu work also? TIA for any responses.



How to securely control another Mac over the internet
Authored by: RobK on Apr 18, '07 09:11:06AM

Yes you can use this approach. But I think you will find it very slow since she is on dial-up.

I understand that OSXVNC server (or vine server) is faster. So you may want to experiment and turn off ARD and install OSXVNC server (or vine server) on your Mom's computer.



How to securely control another Mac over the internet
Authored by: RobK on Apr 18, '07 09:08:07AM

A great article. Using a reverse SSH tunnel is a great idea. No need to open up ports on the computer that you need to support.

But I don't understand the advantages of creating a "Dummy" account on the PowerBook.

According to the article, once the SSH tunnel is created, ANY user on the Powerbook can use the tunnel.

What am I missing? Are there advantages from a security point of view of initially creating a reverse SSH tunnel between the regular user on the mini and the Dummy user on the Powerbook?

Rob



The password is required
Authored by: Uniquark on Sep 29, '07 06:05:39PM

It seems that this is still a useful hint despite its age. In trying to duplicate the original hint's setup, I found that the password entered in the Apple Remote Desktop setup on the target system is required when logging in with Chicken of the VNC. Without the password, I consistently got authentication errors. With the password, I got right in. I'm using Tiger 10.4.10 on both machines and CotVNC 2.0b4 for remote access.



The password is required
Authored by: Oddball57 on Dec 04, '11 09:21:36AM

I would like to remotely access my Mum's computer however, I don't want to embark on this solution if there are any compatibility issues. I have an Intel Core 2 iMac running 10.6.8 and Mum has a 2005 G5 PowerPC running OS X Tiger. Will this solution work for this combo?

Whilst I'm fairly 'good with computers' I'm not really at 'geek' level and the solutions here look a bit scary! Would I be better looking for a piece of off-the-shelf software to do this? Many thanks.


