Here’s a quick tutorial on how to secure the Screen Sharing application in Leopard by tunneling your connection through an encrypted SSH channel.
The new Screen Sharing application is essentially a VNC client and server with some nice additions (dual-screen view, for example). However, just turning on the service opens a couple of listening ports, and the VNC traffic on them is not protected by SSH, so it may expose your system to exploitation.
First, we’ll want to lock down your firewall. Leopard comes with two firewalls: ipfw (ipfirewall, the underlying BSD packet filter) and an application layer firewall (the one that pops up sometimes and asks if you want to allow an application to accept incoming connections). You can manage the application layer firewall through System Preferences > Security > Firewall, but in order to block specific ports we’ll need to set up rules through ipfw. To do this, you can either learn the shell syntax (which isn’t terribly complicated) or use a GUI app to drive it. I chose to use WaterRoof, an open-source GUI frontend for ipfw.
Once you have downloaded WaterRoof, run the application and click on Static Rules. Click the + icon to add a new rule, and use the following information:
Protocol: IP
Rule Action: Deny
Source: not me
Port or range: (leave blank)
Destination address, subnet, or network: me
Port or range: 5900
In, Out, or In/Out: Select the In radio button
This will block port 5900, the default VNC listening port that is opened when you start Screen Sharing. You’ll also want to block port 88 unless you are actually using Kerberos for authentication: 88 is the Kerberos KDC port, and Leopard runs a local KDC that listens there when Screen Sharing and a couple of other sharing services are enabled. Add a new rule with the same parameters as above, but use incoming port 88 instead of 5900. Note that the source is “not me”, so a connection that arrives through the SSH tunnel we set up later (which reaches the VNC server from 127.0.0.1, i.e. from “me”) is not affected by these rules.
You should now have two new rules in your table:
deny ip from not me to me dst-port 5900 in
deny ip from not me to me dst-port 88 in
Click Tools > Rules Configuration > Save to startup configuration. Then, click Tools > Startup Script > Install Startup Script. This makes the new rules persist across a restart (otherwise, ipfw rules added at runtime are lost and the system is back to its defaults on the next boot).
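The same two rules entered from Terminal instead of WaterRoof, plus a check that they are actually in effect (ipfw evaluates rules in ascending number order and the first match wins, so a deny that sits after an allow for the same port does nothing). This is an added example, not part of the original post or of WaterRoof. The rule numbers 02000 and 02010 are my choice; any numbers below 65535 that sort before an allow for these ports work. The checker is a deliberately simplified reading of `ipfw list` output: it understands rules naming a single dst-port and the bare catch-all “from any to any”, nothing else (no port ranges, interface or protocol qualifiers). Rules added this way do not survive a reboot; use the WaterRoof startup script for that.

```shell
#!/bin/sh
# Added example (not from the original post): the two ipfw rules from the
# article entered by hand, and a first-match check that they took effect.

VNC_PORT=5900
KDC_PORT=88

# Rule numbers 02000/02010 are an assumption; ipfw evaluates lowest number
# first, so they must sort before any allow rule for these ports.
install_rules() {
  sudo ipfw -q add 02000 deny ip from not me to me dst-port "$VNC_PORT" in
  sudo ipfw -q add 02010 deny ip from not me to me dst-port "$KDC_PORT" in
}

# Read `ipfw list` output on stdin and decide what happens to an inbound
# connection from another host to TCP port $1. The first rule that either
# names "dst-port $1" or is the bare catch-all "from any to any" decides.
# Exit status: 0 = denied, 1 = allowed, 2 = no rule matched at all.
# Simplification: port ranges/lists and qualifiers such as "via lo0" are
# not modelled, so this is a sanity check, not a re-implementation of ipfw.
port_is_blocked() {
  awk -v port="$1" '
    decided { next }
    {
      has_port = 0
      for (i = 3; i <= NF; i++)
        if ($i == "dst-port" && $(i + 1) == port) has_port = 1
      catch_all = ($0 ~ / from any to any$/)
      if (has_port || catch_all) {
        decided = 1
        status = ($2 == "deny") ? 0 : 1
      }
    }
    END { exit decided ? status : 2 }
  '
}

# Run the check against the live ruleset (needs sudo on Leopard).
check_live_rules() {
  rules=$(sudo ipfw list) || return 2
  for p in "$VNC_PORT" "$KDC_PORT"; do
    if printf '%s\n' "$rules" | port_is_blocked "$p"; then
      echo "port $p: blocked from other hosts"
    else
      echo "port $p: NOT blocked, check rule order" >&2
      return 1
    fi
  done
}

# Usage from Terminal:  install_rules && check_live_rules
```

Connections made through the SSH tunnel still work after this because sshd connects to the VNC server from 127.0.0.1, which ipfw’s “me” keyword matches, and the rules only deny traffic from “not me”.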
Open System Preferences > Sharing and enable the Screen Sharing and Remote Login services.
On your other Mac…
Now, from your client computer, open up Terminal and run the following (for reasoning, see the LifeHacker article Add More Functionality to Leopard’s Screen Sharing):
defaults write com.apple.ScreenSharing ShowBonjourBrowser_Debug 1
and (to enable quality control settings)…
defaults write com.apple.ScreenSharing \
  'NSToolbar Configuration ControlToolbar' -dict-add 'TB Item Identifiers' \
  '(Scale,Control,Share,Curtain,Capture,FullScreen,GetClipboard,SendClipboard,Quality)'
Finally…
Now, any time you want to securely connect to your Mac, all you have to do is type the following in Terminal:
ssh username@ip_address_or_hostname -L 5900:localhost:5900
The -L flag is the key to all this: it enables local port forwarding. Any connection made to the specified port on your client is carried inside the SSH connection, and sshd on the remote end then opens a connection to the given host and port (see the man page for more info). The format of the -L option is port:host:hostport, so the first 5900 is the port on your local client, the next field is the host to connect to, and the third is the port on that host. The confusing part at first is that host is resolved by the remote machine, not by the client you are connecting from. So localhost here means the remote computer itself: when the forwarded data arrives, sshd hands it to the VNC server on that same machine rather than passing it on to some other host.
Now, leave that terminal window open and open up /System/Library/CoreServices/Screen Sharing.app (you can drag it to your dock).
In the connect field, type localhost:0 (don’t forget the :0). The last part is important because it means to connect to display zero, which translates to port 5900 in VNC land (display N is port 5900+N). For some reason, Leopard will tell you that “You cannot share your own computer” if you type in just localhost (though you actually can, by enabling Screen Sharing and typing that same host; it just creates a pseudo-infinite loop of VNC windows).
Once you type in your username and password, you’re done! You can now control your computer remotely through Leopard’s Screen Sharing app over a tunneled SSH connection. Here’s an example of the Screen Sharing interface (notice the nice dual-monitor support):
Also, because Screen Sharing uses VNC as its base protocol, you can reach your Mac from any Linux, Mac, or Windows VNC client by port forwarding in the same way (on Windows, you’ll have to use an SSH client like PuTTY) and pointing any standard VNC client at localhost port 5900.
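A small launcher that wraps the ssh -L command and the Screen Sharing step above into one script. It is an added example, not from the original post. It assumes ssh and nc on the client (both ship with Leopard) and that Screen Sharing is registered as the handler for vnc:// URLs, which it is on Leopard; display numbers and local ports are otherwise computed exactly as described above. It goes a little beyond the post by giving each remote Mac its own display number, so tunnels to several machines can coexist on distinct local ports.

```shell
#!/bin/sh
# Added example (not from the original post): launcher for the ssh -L tunnel.
# Assumes ssh, nc and `open vnc://` on the client.

REMOTE_VNC_PORT=5900

# VNC display N listens on TCP port 5900+N; Screen Sharing's "host:N" means
# the same thing. Restrict N to 0-99 so it cannot be confused with a port.
vnc_port() {
  case "$1" in
    ''|*[!0-9]*) echo "display must be a non-negative integer" >&2; return 1 ;;
  esac
  [ "$1" -le 99 ] || { echo "display must be 0-99" >&2; return 1; }
  echo $((REMOTE_VNC_PORT + $1))
}

# Build the port:host:hostport argument for -L. The middle field is resolved
# by sshd on the remote Mac, so "localhost" is the remote machine itself; the
# tunnelled connection reaches its VNC server from 127.0.0.1, which is "me"
# to ipfw and therefore unaffected by the "not me" deny rules.
forward_spec() {
  local_port=$(vnc_port "$1") || return 1
  echo "${local_port}:localhost:${REMOTE_VNC_PORT}"
}

# Start the tunnel in the background, wait until the local port accepts
# connections, then hand off to Screen Sharing. Use a different display per
# remote Mac (e.g. office:0, home:1) so the local ports do not collide.
vnc_tunnel() {
  target=$1
  display=${2:-0}
  spec=$(forward_spec "$display") || return 1
  local_port=${spec%%:*}
  # -N: no remote command, -f: background after auth,
  # ExitOnForwardFailure: fail loudly if the local port is already taken.
  ssh -f -N -o ExitOnForwardFailure=yes -L "$spec" "$target" || return 1
  i=0
  while ! nc -z localhost "$local_port" >/dev/null 2>&1; do
    i=$((i + 1))
    [ "$i" -lt 30 ] || { echo "tunnel did not come up" >&2; return 1; }
    sleep 1
  done
  # Screen Sharing.app handles vnc:// URLs on Leopard; the port in the URL is
  # the local end of the tunnel, which is the same as typing localhost:N.
  open "vnc://localhost:${local_port}"
}

# Usage: ./vnc_tunnel.sh username@ip_address_or_hostname [display]
if [ "$#" -gt 0 ]; then
  vnc_tunnel "$@"
fi
```

The background ssh process keeps running after Screen Sharing quits; kill it when you are finished with the session, or the local port stays forwarded.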
Tags: Apple, leopard, mac, OS X, remote desktop, screen sharing, Security, ssh, vnc
Great article
I just would like to get a little more insight on getting dual screen to work on Windows. What would be the command for PuTTY and VNC? Can you kindly be a little more precise? Keep up the good work.
My scenario is such that my Leopard (10.5.2) machine is in another room and the only cables that go to the cabinet are the power cord and the LAN cord. I would like to know how I can VNC into Leopard from Windows and get dual screen functionality! Any idea? Thanks.
Hi Ruth, thanks for the comments. To use PuTTY for SSH tunneling on Windows you’ll need to go into the Connection > SSH > Tunnels section and add a new forwarded port. Use a source port of 5900, a destination of localhost:5900, and select Local in the radio buttons. As for seeing dual screens, I believe some standard Windows VNC clients have this functionality built in, but I’m not sure and don’t have a Windows box around to test this on. Give the Googles a shake and see what turns up.
I got this to work without changing sshd_config, which I didn’t really want to change because the GatewayPorts is off by default, for security reasons. That said, I don’t really understand that well what it does.
In any case, very helpful, thanks!
Another comment, and a question…
First, I happened to look in WaterRoof again and it looked like the rules hadn’t taken effect, but then I looked in the documentation and saw that you have to click the heart button to show the startup configuration.
Here’s my question:
For added security, I tried to create a VNC password that was different from my SSH password. I kept entering it in the screen sharing preferences but no matter what I tried it didn’t seem to take effect, and in order to log in remotely I had to use my SSH password for VNC login as well. Oddly, the same thing happened when I was running Tiger and using Vine Server as my SSH server. Any ideas? Thanks.
Excellent article, thanks.
Matt, could the blocking of port 88 have to do with that strange observation that I’ve seen as well? I’m ignorant on the subject.
[...] There’s a phenomenal article on this topic at Fotinakis.com. [...]
Is there a way to not have the screen wake up when using the remote mac? Not very secure if a remote user could just watch you do whatever you are doing, or take over the keyboard after you have logged in.
Shawn, if you click the lock icon on the toolbar it should display a lock on the remote end and a message of your choice. Although, this feature has been pretty unstable for me the in past and I’m not sure if they’ve made it better recently.
So wait, let me get this straight: you disable Kerberos, the screen sharing app’s encryption, and then set up an ssh tunnel? What’s the point? I mean, unless you’re blocking all connections other than the ssh connection, you’re not any more or less vulnerable after this. 5900 and 88 are perfectly fine as long as you’ve got everything encrypted. All you’re gaining here is speed, not more security.
The connection to the remote machine is working, but every time I hit the connect button the pop-up window tells me that the VNC server does not support encryption. Regardless of how I set up the Screen Sharing preferences I still get this window. I connect from Mac to Mac. Is it possible to block it somehow?
Best regards
Leonid
I can’t figure out what username and password to put in when screen sharing prompts me… any help?
@Justin - the username and password that work for me are the user login for an account on the host (remote) machine.
It appears that the VNC password setting is somehow non-active in this configuration for me — that is, no matter what the setting in System Prefs, it will never be honored.
many thanks for this description.
I am finding that an error occasionally occurs in the terminal window. Basically it returns, ad infinitum:
“accept: Too many open files”
Anyone know what causes this problem? Any ways to handle it?
Thanks
Is there a way to compress the data sent via Apple’s screen sharing app? I know VNC servers can compress the data, and I’m interested in anything that makes the interface snappier.
How do you deal with a situation where you have more than one remote machine to which you wish to connect? At this point it looks like localhost will always go to the same remote machine.
allenm: you can change the ssh command to
ssh username@ip_address_or_hostname -L 5901:localhost:5900
in which case you would connect using :1 instead of :0. If the command line scares you, or if you just have trouble remembering the syntax, SSH Tunnel Manager for the Mac will generate the SSH command for you. It’s what I use. Adding a -C to the command line will also compress the SSH tunnel.
xioni: it sounds like you’ve got too many files open. This is something that can be overridden in the terminal, but it can be somewhat dangerous. If you want to know more, try searching for ulimit.