
Security? | 31 comments
Security?
Authored by: osxpounder on Oct 21, '04 05:29:48PM

Until this release, I would wait to start the VNC server until I had used SSH to connect to the Mac, then start OSXVNC from the command line. When finished with VNC, I'd quit the server before logging out of the SSH connection.

What are your feelings about the security of leaving this ARD VNC server up when you're not using it? I'm no security expert, but the precautions I take seem reasonable. Trouble is, I use two monitors and would really like to see both over a VNC connection.

--
osxpounder
Security?
Authored by: osxpounder on Oct 21, '04 05:58:10PM

I tried editing com.apple.sharing.firewall.plist, which has a clearly labeled entry for the ports used by ARD. I tried changing the default port 5900 to a non-standard one, and saved the file. I reloaded the file to ensure that my change was saved. Nevertheless, VNC is still being served on port 5900, and not on my specified port. I confirmed this by connecting via a VNC client from another machine. It worked for their port #, but not mine. After trying, I looked again -- yep, the port I specified is still in the .plist file.

And, btw, I did have the firewall open on that port.

--
osxpounder
Security?
Authored by: osxpounder on Oct 24, '04 01:52:28AM

OK, I'm carrying on this conversation by myself, but someday, someone will care to know this: the AppleVNC server, found in:

/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/

... only takes an 8-character password. More characters are a waste; it only looks at the first 8.

Also, I can't find a way to get AppleVNCServer to tell me if it has any command line switches. /? and /help did nothing.

--
osxpounder
re: Security?
Authored by: nicksay on Oct 24, '04 04:51:23AM

In reply to editing the com.apple.sharing.firewall.plist file...

As far as I can tell, that is a file that is generated/updated by the Sharing Preference Pane when you make changes. Then, I think, the Pane calls the "firewalltool" program, located in "/System/Library/PrivateFrameworks/NetworkConfig.framework/Versions/A/Resources/". This tool, I think, flushes the ipfw rules, adds a default restrictive set of rules, then adds "allow" rules for each port listed in the com.apple.sharing.firewall.plist file.

I deduced this from the "NetworkExtensions" StartupItem, located in "/System/Library/StartupItems/NetworkExtensions/".

So, to summarize, changing the port in that plist file will only change the firewall entry, not the VPN server.

How to make it secure
Authored by: mace on Dec 25, '04 01:57:54PM

The secure way to do this is to forward VNC through SSH.

I don't know exactly how the VNC protocol works, but I'll bet that it transmits everything in the clear, including your login password. Any observer could catch things you type or things that the screen shows.

How do you do this? You run the VNC server continuously, but block VNC at the firewall. Then, to use VNC, you add the option -L 5900:remote.ip.address:5900 to the ssh command. You can also use ~C during an established SSH connection to create the tunnel. Then, you tell the client to connect to localhost instead of the remote computer's IP address.

This way, only someone who can log in via SSH can use the VNC server, and all of the traffic is encrypted.

Also, I think OSXVnc has an option to only accept connections that have been forwarded through SSH.

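As an added example, not from the post above or from OSXVnc/ARD, here is a small POSIX sh helper that builds the `ssh -L` forward the post describes and checks an `ipfw list` style listing for a deny rule on the VNC port, which is the "block VNC at the firewall" half of the setup. The host `user@mac.example` and the ipfw lines are constructed; the example assumes the remote side of the forward is `127.0.0.1` (resolved on the SSH server, where the firewalled VNC port is still reachable over loopback) rather than the post's `remote.ip.address`.

```shell
#!/bin/sh
# Added example: VNC-over-SSH tunnel helper. Not part of the original post.

# Build the -L argument: local_port:remote_host:remote_port.
# Defaults follow the post (VNC on 5900 at both ends); remote_host is
# 127.0.0.1 by assumption, as seen from the SSH server.
vnc_forward_arg() {
    local_port="${1:-5900}"; remote_host="${2:-127.0.0.1}"; remote_port="${3:-5900}"
    case "$local_port$remote_port" in *[!0-9]*) return 1 ;; esac
    [ "$local_port" -ge 1 ] && [ "$local_port" -le 65535 ] || return 1
    [ "$remote_port" -ge 1 ] && [ "$remote_port" -le 65535 ] || return 1
    printf '%s:%s:%s\n' "$local_port" "$remote_host" "$remote_port"
}

# Full ssh command: -N opens no shell, only the forward. The VNC client then
# connects to localhost:<local_port>, exactly as the post describes.
vnc_ssh_cmd() {
    user_host="$1"; shift
    fwd=$(vnc_forward_arg "$@") || return 1
    printf 'ssh -N -L %s %s\n' "$fwd" "$user_host"
}

# Read an `ipfw list` listing on stdin and succeed only if some "deny" rule
# names the given dst-port. Rule lines look like:
#   02010 deny tcp from any to any dst-port 5900 in
vnc_blocked_in_ipfw() {
    port="${1:-5900}"
    awk -v p="$port" '
        $2 == "deny" && $0 ~ (" dst-port " p "( |$)") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample listing (not from a real machine): SSH allowed in,
# VNC denied in, default allow at the end.
SAMPLE_IPFW='02000 allow tcp from any to any dst-port 22 in
02010 deny tcp from any to any dst-port 5900 in
65535 allow ip from any to any'

# Demonstration: print the tunnel command and report the firewall check.
vnc_ssh_cmd "user@mac.example"
if printf '%s\n' "$SAMPLE_IPFW" | vnc_blocked_in_ipfw 5900; then
    echo "VNC port 5900 is denied in the sample ipfw rules; tunnel only."
else
    echo "WARNING: no deny rule for port 5900 in the sample ipfw rules."
fi
```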