Wednesday, August 31, 2011

Using Screen Sharing (VNC) Over SSH on OSX

SkyHi @ Wednesday, August 31, 2011
Tunneling VNC over SSH has several benefits. For one, if you are using a non-Mac version of VNC, your traffic is probably going over the network unencrypted. By default, the Mac VNC client encrypts keystrokes, including the login.
Another benefit of using VNC over SSH is that your client Mac may be behind a firewall, so you cannot reach it directly. If there is some other host you can SSH to, perhaps the firewall itself, then you can use SSH port forwarding to “bounce” your VNC session off of that host and connect from there to your client Mac.


This procedure assumes that the remote Mac has SSH (“Remote Login” in Sharing Preferences) enabled, and that you can log in to it. Suppose that you want to connect to remote.host.com with VNC and your user account on that machine is remoteuser. Open Terminal, and issue the command:

$ ssh -L 5901:remote.host.com:5900 remoteuser@remote.host.com 
Log in at the prompt. Once you’ve logged in, your SSH tunnel is set up. Now simply connect to vnc://localhost:5901 (via Finder -> Go -> Connect to Server), and your VNC traffic will be automagically transported over a secure SSH tunnel to the remote host, and you should get a VNC login prompt.
If remote.host.com is behind a firewall that is preventing access via SSH, but you can access another host via SSH, and that host can access remote.host.com via SSH, then you can forward your traffic through the accessible host. Suppose that host is called dmz.host.com. Run:

$ ssh -L 5901:remote.host.com:5900 remoteuser@dmz.host.com 
Log in to dmz.host.com, and now when you connect to vnc://localhost:5901, your network traffic will go through an SSH tunnel to dmz.host.com, and will be forwarded from there to remote.host.com. Isn’t SSH wonderful?
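
An added example, not part of the original post: a hardened form of the two commands above, plus a check that the forwarded port 5901 is reachable only from this Mac. In the dmz.host.com command as written, the hop from dmz.host.com to remote.host.com:5900 is a plain TCP connection outside the SSH tunnel, so this version uses -J to end the SSH session on remote.host.com itself. It assumes OpenSSH 7.3 or later for -J; the function names and the netstat sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Host names and ports are the
# post's; the function names and the netstat samples are constructed here.

# Print an ssh command that forwards local port 5901 to Screen Sharing (5900)
# on the target Mac. $1 = user@target, $2 = optional user@jumphost.
vnc_tunnel_cmd() {
    target=$1
    jump=${2:-}
    # -N: no remote shell. The explicit 127.0.0.1 bind keeps a GatewayPorts
    # setting from exposing the listener; fail if the forward cannot bind.
    cmd="ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:5901:localhost:5900"
    if [ -n "$jump" ]; then
        # -J (OpenSSH 7.3+) ends the SSH session on the target itself, so
        # the jump-host-to-target leg is also inside SSH.
        cmd="$cmd -J $jump"
    fi
    printf '%s %s\n' "$cmd" "$target"
}

# Read macOS `netstat -an -p tcp` output on stdin. Succeeds only if port $1
# has a listener and every listener is on a loopback address.
listener_loopback_only() {
    awk -v port="$1" '
        $NF == "LISTEN" && $4 ~ ("\\." port "$") {
            seen = 1
            addr = $4
            sub("\\." port "$", "", addr)
            if (addr != "127.0.0.1" && addr != "::1") exposed = 1
        }
        END { exit !(seen && !exposed) }'
}

# Constructed samples in macOS netstat format.
SAFE='tcp4  0  0  127.0.0.1.5901  *.*  LISTEN
tcp6  0  0  ::1.5901  *.*  LISTEN'
EXPOSED='tcp4  0  0  *.5901  *.*  LISTEN'

vnc_tunnel_cmd remoteuser@remote.host.com
vnc_tunnel_cmd remoteuser@remote.host.com remoteuser@dmz.host.com
printf '%s\n' "$SAFE" | listener_loopback_only 5901 && echo "5901: loopback only"
printf '%s\n' "$EXPOSED" | listener_loopback_only 5901 || echo "5901: reachable from the network"
```

On a live system, pipe `netstat -an -p tcp` into `listener_loopback_only 5901` after the tunnel is up.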