
10.5: How to use screen sharing remotely and securely Network
OS X 10.5's screen sharing feature works nicely on local networks, and controlling your computer over an internet connection is easy too, provided the VNC traffic is carried inside an SSH tunnel rather than exposed directly.
  1. Use SSH to establish a tunnel to the computer you want to control. Be sure to use a local port other than 5900; otherwise the Screen Sharing app will complain that it cannot control the local screen. The forwarding spec is local_port:destination_host:destination_port, followed by the SSH host to log in to. A good example is:
    ssh -L 1202:192.168.10.10:5900 user@remote-host
    ...where 1202 is the local port, remote-host is the machine you can reach over SSH, and 192.168.10.10:5900 is the screen sharing destination as seen from remote-host. Only the leg between your Mac and remote-host is encrypted; the hop from remote-host to 192.168.10.10 travels in the clear on the remote network. If the Mac you want to control is the SSH host itself, use localhost as the destination (see the note below).
  2. Go into Safari and type in the URL vnc://localhost:1202, if you're using local port 1202 as in the above example.
  3. Now drag the URL to your desktop to create a link to this URL.
  4. Rename and/or change the icon for the URL link with the Get Info window.
If the tunnel is established and you click the generated link, the Screen Sharing app will start and show your remote computer.

[robg adds: A comment on the queue site notes "To ensure this is secure, you should ssh to the target host and forward to localhost. e.g: ssh -L 1202:localhost:5900."]
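The procedure above, as an added shell script that is not part of the original hint or any of the comments: it rejects local port 5900 (which Screen Sharing.app refuses to connect to), builds the ssh command with -o ExitOnForwardFailure=yes so a forward that cannot be bound does not leave a background ssh and a dead local port behind, waits until the forward is actually listening before launching Screen Sharing, warns when the forward target is not the SSH host's own loopback (the last hop would then cross the remote LAN in the clear, the point of robg's note), and tears the tunnel down when the viewer quits. The script name vnc-tunnel, the function and variable names, and the default local port 5901 are this example's own choices.

```shell
#!/bin/sh
# vnc-tunnel: added example, not from the original hint. Wraps Screen
# Sharing (VNC, TCP 5900) in an SSH tunnel with the checks a practitioner
# wants: a usable local port, a forward that really came up, and a
# warning when the last hop would leave the SSH host in the clear.
#
# usage: vnc-tunnel user@ssh-host [local_port] [target_host] [target_port]

# A local port Screen Sharing.app will accept: numeric, unprivileged,
# and not 5900 (its own server port, which it refuses to connect to).
valid_local_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ] && [ "$1" -ne 5900 ] && return 0
    return 1
}

# The VNC stream is encrypted end to end only when the forward target is
# the SSH host's own loopback. Any other target (a third machine on the
# remote LAN) is reached from the SSH host in plain, unencrypted VNC.
last_hop_encrypted() {
    case "$1" in
        localhost|127.0.0.1|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print (do not run) the ssh command for the tunnel.
# ExitOnForwardFailure makes ssh exit non-zero when the local listener
# cannot be bound, instead of backgrounding with no forward at all.
tunnel_cmd() {
    lp=$1; host=$2; target=${3:-127.0.0.1}; tp=${4:-5900}
    valid_local_port "$lp" || { echo "vnc-tunnel: bad local port '$lp'" >&2; return 1; }
    printf 'ssh -N -f -o ExitOnForwardFailure=yes -L %s:%s:%s %s\n' \
        "$lp" "$target" "$tp" "$host"
}

# Block until something is listening on the local port (at most $2 seconds).
wait_for_listener() {
    tries=${2:-10}
    while [ "$tries" -gt 0 ]; do
        lsof -nP -iTCP:"$1" -sTCP:LISTEN >/dev/null 2>&1 && return 0
        tries=$((tries - 1)); sleep 1
    done
    return 1
}

main() {
    host=$1; lp=${2:-5901}; target=${3:-127.0.0.1}; tp=${4:-5900}
    [ -n "$host" ] || { echo "usage: vnc-tunnel user@ssh-host [local_port] [target_host] [target_port]" >&2; return 2; }
    last_hop_encrypted "$target" ||
        echo "vnc-tunnel: warning: $host -> $target:$tp is NOT encrypted" >&2
    cmd=$(tunnel_cmd "$lp" "$host" "$target" "$tp") || return 1
    $cmd || return 1                       # ssh authenticates here, then backgrounds
    wait_for_listener "$lp" 10 || { echo "vnc-tunnel: forward never came up" >&2; return 1; }
    open -W "vnc://127.0.0.1:$lp"          # -W: return only when Screen Sharing quits
    # Tear the tunnel down so it does not linger unnoticed.
    pid=$(lsof -t -nP -iTCP:"$lp" -sTCP:LISTEN) && kill $pid
}

# Run only when invoked with arguments, so the functions can be sourced and tested.
[ $# -eq 0 ] || main "$@"
```

Invoke it as `vnc-tunnel user@remote-host 1202` to control the SSH host itself, or `vnc-tunnel user@remote-host 1202 192.168.10.10` to reach a third machine on that LAN, in which case the script prints the cleartext warning before connecting.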
10.5: How to use screen sharing remotely and securely
Authored by: macavenger on Nov 19, '07 01:57:17PM

Why not just go to Screen Sharing->Preferences and choose encrypt all data? Wouldn't that enable you to be able to just enter vnc://remoteaddress in the connect to server dialog and get a secure connection without having to go through all the rigamarole of setting up an SSH tunnel? Or am I missing something here?

---
Aluminum iMac 20" 2.4 GHz/3GB/300GB HD



Use Preference window
Authored by: Beorn on Nov 19, '07 02:05:16PM

I was wondering the same thing…

---
~ Beorn



Use Preference window
Authored by: osxpounder on Nov 19, '07 08:42:00PM

Well, does anyone have an answer? I certainly don't know.



10.5: How to use screen sharing remotely and securely
Authored by: bazzoola on Nov 19, '07 04:06:12PM

Where is Screen Sharing -> Preferences?

I cannot find that anywhere?

If you go to System Preferences -> Sharing -> Screen Sharing -> Computer Settings. There is no encrypt all option?




10.5: How to use screen sharing remotely and securely
Authored by: bazzoola on Nov 19, '07 04:32:07PM

run /System/Library/CoreServices/Screen Sharing.app
then go to preferences and encrypt all.

Thanks



10.5: How to use screen sharing remotely and securely
Authored by: bugmenot on Nov 25, '07 12:50:18AM

What you're missing is that not all (often corporate) firewalls are enabled to allow port 5900 to pass through. I have this situation -- I can only get through port 22 to my machine at the office, not port 5900. The tunnel allows me to do remote screen sharing with this machine (which, if anyone is concerned, is just fine with my workplace's IT people).

The extra encryption isn't the only reason for using tunnelling. Getting around firewalls in a secure manner is just as (and probably more) important.

10.5: How to use screen sharing remotely and securely
Authored by: RCCollins on Nov 19, '07 02:28:40PM

I would love to use this hint, however this command does not seem to be complete:
ssh -L 1202/192.168.10.10/5900

Where 192.168.10.10 is the internet IP. I have port 22 forwarded to the host that I would like to tunnel to, but the command does not work. Also, shouldn't the /'s be :'s?





10.5: How to use screen sharing remotely and securely
Authored by: dewab on Nov 19, '07 03:03:51PM

The command given isn't correct.

In order to create an SSH tunnel, you'd use a command similar to the following:

ssh -L 1202:localhost:5900 remote-host

This would listen locally on port 1202, tunnel to "remote-host" and then have "remote-host" redirect that traffic to localhost on port 5900 (i.e. localhost = remote-host). You can also replace localhost with a different box that remote-host has access to, perhaps if you wanted to tunnel through that box to another box on its network.



10.5: How to use screen sharing remotely and securely
Authored by: felix-fi on Nov 19, '07 11:42:51PM

My 2 cents:

I am always confused by ssh tunnels too... so I keep reading the man page each time :-). In any case the originally proposed method (not using localhost) creates a secure tunnel:

From man ssh:

-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine.

Local (client) host means the machine executing ssh. However, the :host: (i.e. the VNC server) and the SSH server (the machine name at the end of the ssh command) should be the same; otherwise the data between them will be in the clear...

Is it clearer? ( I am not even sure it is for me ;-) )




10.5: How to use screen sharing remotely and securely
Authored by: felix-fi on Nov 20, '07 03:21:36AM

Just to clarify a bit my previous post...

when host-X executes
ssh -L port:host-Y:hostport host-Z

then local packets sent to port are tunneled to host-Z, which then decrypts them and passes them to host-Y in the clear. Moreover, host-Y is "resolved" from host-Z's point of view (so if it is localhost or 127.0.0.1, it means host-Z itself).

(I hope I did not add to much confusion again)




10.5: How to use screen sharing remotely and securely
Authored by: andya on Nov 20, '07 01:42:56AM
It's already secured with IPsec/Kerberos: http://docs.info.apple.com/article.html?artnum=307024

I do not understand this hint
Authored by: faq3242 on Nov 20, '07 02:24:41AM

If you initiate screen sharing via iChat, is this not automatically secure by default?

Why go through the command line shenanigans if this functionality is built into iChat already? *confused*





I do not understand this hint
Authored by: rameeti on Jan 22, '08 07:01:12AM

Perhaps there is no one on the other end to accept the request for screen sharing?



I do not understand this hint
Authored by: chinarut on Sep 03, '08 02:00:29PM

this is an easy one - I have yet to get this feature to work! *grin*

in all honesty, iChat AV has been pretty disappointing overall - dad got video conferencing up in a jiffy on Skype and we still haven't gotten it to work on iChat - there is some irony to be had here. I think iChat is one of the weakest components of Mac OS X but I digress...

thanks for the ssh over VNC tips btw - another reason for me is I'm clear ssh is secure!



Necessary and sufficient ssh port forwarding
Authored by: cobbe on Nov 20, '07 04:09:03AM

If you execute the first ssh command (fixed as described in the other posts) on the client machine (i.e., the one that you want to use to control the other), then that will encrypt all communication between client and server. Additional ssh port forwarding is unnecessary.

Indeed, the ssh command in Rob's edit doesn't really accomplish anything here. It takes all packets destined for port 1202 on the server machine and forwards them to port 5900. With this setup, though, you won't be sending any packets to port 1202 on the server side -- they're going to port 1202 on the client side, and the first ssh command takes care of the necessary forwarding.

Finally, if the server machine has a globally-visible hostname, you can use that instead of the IP address in the ssh command.



Necessary and sufficient ssh port forwarding
Authored by: Bigc on Nov 20, '07 08:53:05AM

...and I thought this was a simple Hint...



Necessary and sufficient ssh port forwarding
Authored by: osxpounder on Nov 26, '07 09:17:09PM

So what's the proper command to create a secure tunnel for using a VNC connection to remotely control my Mac?



Necessary and sufficient ssh port forwarding
Authored by: wallybear on Jan 11, '08 05:44:16PM
I had successful connections using the following command:

ssh -N -f -L 5999:127.0.0.1:5900 user@remoteMac

after authentication, launch Chicken of the VNC (or your preferred VNC viewer) and use localhost:5999 as destination server.

10.5: How to use screen sharing remotely and securely
Authored by: billpenn on Aug 30, '08 12:39:59AM
I use this handy shell script to secure my vnc through a tunnel:

#!/bin/sh

## script to make ssh tunnel connect to vnc host specified in
## first argument
##
## Jan 02, 2004 - W Penn - creation
## May 15 2005 - W Penn - command arguments added converted for vnc
## Jun 10 2005 - some dude named ward - process management added
##

LOCAL_PORT=5902;

TARGET_HOST=127.0.0.1;
TARGET_PORT=5900;

TUNNEL_HOST="$1";

echo "opening tunnel";
ssh -L $LOCAL_PORT:$TARGET_HOST:$TARGET_PORT -f -N $TUNNEL_HOST;
echo "Local port $LOCAL_PORT used";
echo "opening vnc client";
open -a /Applications/JollyFastVNC.app/;

clear;
TUN=`lsof -i:$LOCAL_PORT -Fp | head -1| sed s/p//`;
echo IMPORTANT: Leave this Terminal window open during your VNC session.;
echo When you finish your VNC session, press the ENTER key in this window.;
echo This will manually close down your SSH tunnel to the remote computer.;
read answer;
clear;
kill $TUN;
echo SSH tunnel closed. You now can close this Terminal window.;

Save it with your favorite text editor (I call mine svnc) and chmod u+x to make it executable; then, if the file is in your path, you can fire up your secure tunnel by typing:

svnc username@somehost.com

If you have JollyFastVNC.app in your Applications folder, it will open and you connect to localhost (127.0.0.1) on port 5902.

The terminal window will wait for you to hit return when you are done with your secure VNC session; hitting return kills the tunnel so you do not have it sitting around unnoticed.

Someone clever and less lazy than me could surely wrap this up in AppleScript for click and go fun; if that is you, share and enjoy.

I first posted a version of this script years ago, with an incorrect variable, in response to a question from felix-fi (who commented above) on another site about securing AFP (just change the ports and the open command). The version here is secure and done up properly.

To felix-fi: I also have to pull up the man page for ssh every time I start thinking about tunnels; sorry for any aggravation from mixed-up variables four years ago.



10.5: How to use screen sharing remotely and securely
Authored by: greenwing on Oct 01, '08 01:46:12PM

On 10.5 (and probably earlier revisions as well) this whole script can be replaced with a much simpler alias:

If you use tcsh add the following line to your .cshrc file:
alias vnc 'ssh -f -L 1200:localhost:5900 \!:1 sleep 10 ; open vnc://localhost:1200'

Similar things can be done using a shell function in bash.

The key is that the 'sleep 10' will cause the shell channel of the ssh connection to drop after 10 seconds, giving the local side 10 seconds to open the vnc connection. This prevents all the 'process control' from being required. The SSH connection will automatically drop when you close the VNC connection.




10.5: How to use screen sharing remotely and securely
Authored by: wmeleis on Dec 05, '08 05:17:42AM

Hi,

I am also trying to get screen sharing to work from Mac #1 to Mac #2. Mac #2 is on a home network behind a Westell router, and Mac #1 is on the internet.

I am using DynDNS to get the router's ip address, and I have enabled screen sharing on both Macs.

I understand that I need to forward port 5900 from the router to Mac #2 -- but the router apparently needs to know the ip address of Mac #2. This address is assigned by DHCP and presumably will change.

Is there a way to forward the port *without* assigning Mac #2 a static ip address? I believe that assigning Mac #2 a static ip address will cause it to not work if it moves to a different network that uses different ip ranges, right?

Thanks



10.5: How to use screen sharing remotely and securely
Authored by: robogobo on Dec 28, '08 02:22:26PM

I'm pretty sure the NAT will update with any change in DHCP. My old router kept track of NAT by MAC address, which makes much more sense. I have a new router that does it by IP address, and I was wondering the same thing as you. I just went with it and decided to find out if and when the IP changed. So far it hasn't.

In other news, I'll agree with other posters here who poopoo iChat. And for that matter any Bonjour service. There are way too many ports used, and if you have to forward them in a range, you may as well just drop your trousers and default-host the whole network. Of course if you have more than one machine then you're screwed. Not saying it's impossible, but just a real pain for something that's supposed to "just work".



10.5: How to use screen sharing remotely and securely
Authored by: Radek03 on Jan 03, '09 10:47:46AM

Did you try to set up a dedicated IP assignment based on MAC address on your DHCP server (I assume this is being run on your router, as this is the most common option for household routers)?
This way the DHCP server will always give the same local IP to your client (Mac#2) whenever it connects and then you can set up port forwarding on your router without worrying that the local IP might change for Mac#2.
Alternatively a client can request a certain IP by using what's called DHCP Client ID and that will basically do the same thing but without the need of setting up a MAC address based IP assignment. However this again needs to be supported by the DHCP server (router) and is less common than the 1st option.
Either way your client (Mac#2) will be set to 'acquire IP from DHCP' and will work perfectly normal when connected to other networks.
Hope this helps.



10.5: How to use screen sharing remotely and securely
Authored by: nwfrg on Jan 21, '09 05:16:08PM
There is a handy app called Lighthouse (http://www.codelaide.com/) which works with many (not all) routers. Lighthouse handles the port mapping. Run it on your #2 Mac so you can reach it from the internet.

Your router has to support NAT/PMP or UPnP for Lighthouse to work.

10.5: How to use screen sharing remotely and securely
Authored by: clith on Mar 02, '09 06:06:30PM
If you are going to do this kind of thing often, you should edit the file ~/.ssh/config and put something like this in it:
Host ext
HostName 12.34.56.78
Port 22
User username
LocalForward 5999 127.0.0.1:5900
Now all you have to do is "ssh ext" and all the forwarding will be done automatically every time. The host "ext" can be anything you want. The HostName should be either the IP address or the domain name of the machine you are ssh'ing into. Of course, replace username with the valid user id. If you use ssh-keygen to generate a public/private key pair, you won't even have to type in a password. *Boom*. It's that easy.

10.5: How to use screen sharing remotely and securely
Authored by: bam0027 on Feb 02, '11 03:11:08PM

I successfully ran Remote Screen Sharing, after reviewing this thread, with the following two commands:

1) In Terminal: "ssh -N -f -L 5999:localhost:5900 user@remotehost"
2) In Finder: Choose the "Go > Connect to Server..." menu item (Cmd-K), then enter: "vnc://remotehost:5999"

Done.



10.6 Shell Script and AppleScript (SSH tunnel for VNC)
Authored by: Rainy Day on Apr 05, '11 02:02:58PM
This works from the Bash shell:
ssh username@example.com -fL6900:127.0.0.1:5900 -o ExitOnForwardFailure=yes sleep 45 && killall ssh-agent; open -W vnc://screen.example.com:6900
Where "username" should be replaced by a username on the remote machine, and "example.com" is the remote’s domain name or IP address. "screen.example.com" can be either 127.0.0.1, or a pseudo domain name you've defined in your /etc/hosts file (which makes it easier for humans to read).

The choice of internal port 6900 was arbitrary; any unused internal port may be used.

The optional "killall ssh-agent;" is used to remove an ssh keychain helper (which is sometimes launched when the tunnel is established).

This ssh tunnel collapses when you close the Screen Sharing app (provided the tunnel has been open longer than the number of seconds specified in the sleep parameter).

This all can be easily wrapped inside an AppleScript and made conveniently available via the AppleScript Menulet:

do shell script "/usr/bin/ssh username@example.com -fL6900:127.0.0.1:5900 -o ExitOnForwardFailure=yes sleep 45 && killall ssh-agent; open -W vnc://screen.example.com:6900"
This was tested under Snow Leopard.

Use it in good health!

Edited on Apr 06, '11 03:03:11PM by Rainy Day


Targeting a third machine
Authored by: Rainy Day on Feb 17, '13 12:11:15AM
Note: If you wish to establish the tunnel to one machine on a remote LAN, but target another machine on that same LAN for screen sharing, then replace 127.0.0.1 in the ssh command with the third (target) machine's IP address. For example, if the third machine's IP address is 192.168.0.32, the command would look something like this:
do shell script "/usr/bin/ssh username@example.com -fL6900:192.168.0.32:5900 -o ExitOnForwardFailure=yes sleep 45 && killall ssh-agent; open -W vnc://screen.example.com:6900"
This was tested under Mountain Lion.

10.5: How to use screen sharing remotely and securely
Authored by: michaeli on Mar 29, '13 02:35:36AM

Ok, maybe I'm just not getting this here. Can someone explain this after reading MY situation?

I am trying to access a mac that is REMOTE and behind an Apple Airport eXtreme, 2000 miles away. I am on a mac behind a Time Capsule, basically an APX also (with a hard drive).

So, they are both on private LANs, separated by the internet. I want to be able to see the REMOTE mac in finder on the left hand side, if possible.

How do I "bridge the gap" using the internet? I am not dumb, I am just not sure how I create this tunnel on the remote machine when I am 2000 miles away from it. Is there a way that I can just keep an active connection between the two remote networks somehow? I can access it now using iChat screen sharing, but I would like to do it using Screen Sharing.app and, if possible, be able to transfer files using explorer like we were on the same LAN.

Is this possible? please tell me it is. Apple must have made this doable, right? how please help.

michael.i@me.com

Cheers, Michael


