VNC Over SSH From Mac To Windows

The premise for this tutorial was the need to assist my father (by way of a secure connection) with 'care and feeding' of his home computer... a Windows machine (running XP Home SP1)... from my own Mac (running OS X 10.4.11).
It is very specific in that regard, but I hope that others may derive some use from it by applying similar methods to their own needs. Much of it is written from memory, and may be incomplete or 'imperfect'. Again, it's hoped the procedures outlined may be of nominal use. Comments and corrections are welcome. (In time, I hope to post a web page which actually includes the screenshots I allude to in the text below.)

Note that certain steps listed here are optional, but (variously) can improve security or allow greater ease of use. For instance, the use of a non-standard SSH port on the Server (Windows) computer is not necessary, but may help obscure (from casual hackers) the actual port in use. (Complete documentation for using a non-standard port is not yet available.) Likewise, on the Viewer (Mac) computer, the use of SSH Agent is optional, but it obviates the need for the Terminal and simplifies generation of key pairs and creation of the SSH tunnel. (Also note that other VNC and SSH software is available for both Mac and Windows computers, but is not covered here.)

-----

For clarity and convenience, I will use these conventions in the following:

When I refer to the 'Viewer' computer, in all cases I am referring to the client Mac machine.
When I refer to the 'Server' computer, in all cases I am referring to the target Windows machine.

-----

In shorthand, the steps required are listed immediately below, and outlined in greater detail further below.

Viewer (Mac) setup:
1) Download, install and configure RealVNC viewer.
2) Download, install and configure SSH Agent.
3) Generate public/private key pair.
4) 'Find' and transfer public key to Server computer.

Server (Windows) setup:
1) Download, install and configure RealVNC server (as service).
2) Download and install CopSSH (as service) and activate user.
3) Place public key (from Viewer computer) in the user's .ssh folder on the Server computer.
4) Configure firewall and/or router of Server computer.
5) (Optional) Modify sshd_config file.
6) Restart Server computer.

Viewer (Mac) operation:
1) Create SSH tunnel.
2) Initiate VNC session.

-----

Viewer Computer Setup

1) Download and install the RealVNC 'Enterprise' standalone viewer for Mac, available here: http://www.realvnc.com/products/enterprise/macosx.html. Some screenshots of the viewer interface and options are shown below. The default options are reasonably likely to work.

2) Download and install the 'SSH Agent' utility, available here: http://www.phil.uu.nl/~xges/ssh/. Some screenshots of the SSH Agent interface and options are shown below. Values for typical connection entries are shown, but must be modified to suit your situation. Save the connection dialog as a file to preserve your settings.

3) Using SSH Agent, add and name a New Identity. This will generate a public/private key pair in separate files. When prompted "Enter passphrase (Cancel for no passphrase)", enter a strong passphrase (password) using upper and lower case and numerals. Make a record of the passphrase.

(Or) 3) Using the OS X Terminal, open a Terminal window and enter the following command:

    ssh-keygen -b 2048 -t rsa

This command generates a public/private key pair in separate files. When prompted "Enter file in which to save the key", press the enter or return key. When prompted "Enter passphrase (empty for no passphrase)", enter a strong passphrase (password) using upper and lower case and numerals. Press the enter or return key. Make a record of the passphrase.

4) The key pair created (using either method above) is placed in a hidden (invisible) folder named '.ssh' in the current user's home folder. The following AppleScript will open the hidden .ssh folder for access to its contents:

    -- Build the path to ~/.ssh and open it in the Finder
    set ssh_folder to (path to home folder as text) & ".ssh:" as alias
    tell application "Finder"
        activate
        open ssh_folder
    end tell

Make a copy of the file with the '.pub' suffix (or extension) in the .ssh folder and place it on the desktop.
Rename it 'authorized_keys' and zip it (or 'archive' it). The zipped public key should be transferred (by one means or another) to the Server (Windows) computer.

-----

Server Computer Setup

1) Download and install the free version of RealVNC for Windows, available here: http://www.realvnc.com/products/free/4.1/download.html. The options suggested by the installation wizard are likely to work, but be sure to install the VNC server in Service Mode. Initially, the only configuration change necessary is to enter and confirm a password in the 'Authentication' tab. Make a record of the password.

2) Download and install CopSSH, available here: http://www.itefix.no/i2/node/27. The options suggested by the installation wizard are likely to work. Click 'OK' in the following dialog when informed that a user must be activated. Click Start > Programs > CopSSH > 1. Activate A User. In the following dialog, select 'Administrator'. Click 'Activate User'. When prompted, enter the same passphrase used when generating the public/private key pair on the Viewer (Mac) computer. Click 'OK'.

3) Unzip the public key ('authorized_keys') you transferred from the Mac and place it in the '.ssh' folder of the 'Administrator' user's folder, which sits under 'home' in the 'copSSH' folder of 'Program Files' on the C: drive:

    C:\Program Files\copSSH\home\Administrator\.ssh\authorized_keys

4) Firewall/router configuration. (For XP Home SP1 with a router, or XP SP2 or SP3 with or without a router, you will have to find other documentation for firewall and router configuration if you need it.)

For XP Home SP1 (with no router), right-click on the Broadband or WAN connection in 'Network Connections' in Control Panel. Select Properties. (Some relevant screenshots of typical connection Properties are shown below.) Click on the 'Advanced' tab. In the dialog window that appears next, be sure that the firewall is enabled; enable it if it's not. Click on the 'Settings' tab.
Click the 'ICMP' tab in the dialog window that appears next. Put a checkmark in the box beside 'Allow incoming echo request'. Click on the 'Services' tab. In the dialog window that appears next, if there is no service shown for an SSH connection, create one by clicking 'Add'. In the dialog window that appears next, enter a descriptive name for the SSH service, enter the computer name or IP address, and enter 22 (or, optionally, a non-standard port number) in both the Internal and External Port entry boxes. Be sure the 'TCP' radio button is selected. Click 'OK' to exit each dialog window. If the connection was open, a dialog will appear saying that changes won't take effect until the next connection is made.

5) If a non-standard port number is used, the CopSSH sshd_config file must be modified. (Details coming soon.)

6) Restart the Server computer and be sure both the RealVNC server and CopSSH are running as services.

-----

Tunnel Creation & Viewer Operation (Mac)

1) Create the SSH tunnel. Open the SSH Agent connection file you saved in Viewer Setup Step 2 above. A window will appear with the settings you entered previously. Click 'Open'. If all your settings so far are correct, you should now have an SSH tunnel to the Server computer. Hide SSH Agent if you wish. Do not quit it, as this will end the SSH session.

(Or) 1) Using the OS X Terminal, open a Terminal window and enter the following command:

    ssh -v -L 5900:localhost:5900 [EMAIL PROTECTED]

(The -v provides additional detail in the Terminal window when attempting a connection and may be omitted if desired.) Hide Terminal if you wish. Do not quit it, as this will end the SSH session.

2) Initiate the VNC connection. Open the VNC Viewer. Enter 'localhost' and click 'Connect'. If all goes well, a small dialog should appear asking for your password. Enter the password for the VNC Server you entered on the Server computer (not the SSH passphrase).
In a moment, the desktop of the Server computer should appear, and mouse and keyboard inputs will be received by the Server machine. At this point, you have successfully created a more secure connection between Viewer and Server computers than VNC alone.

-----

Hope this has been helpful...

Peter Bunn

-----

Final Note

My effort was greatly aided by help from Lincoln A. Baxter (a member of this mailing list), to whom I offer many thanks.

VNC-List mailing list
VNC-List@realvnc.com
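As an added example (my own script, not code from the post, RealVNC or CopSSH), a POSIX sh helper for the Viewer (Mac) side of the steps above: it checks that the public key file is a single clean ssh-rsa line before it is zipped for Windows (a Windows editor or unzip tool can add CR line endings or extra lines), composes the tunnel command from the post with -f -N added and -p when a non-standard port is used, and waits for the local end of the tunnel before you open VNC Viewer. The user, host and port arguments are placeholders, and nc is assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the original post. Viewer-side (Mac) helper for the
# procedure above: checks the public key before it is sent to Windows, composes
# the tunnel command, and confirms the local end of the tunnel is listening.

# The file that becomes authorized_keys on the Server should be exactly one
# ssh-rsa line with no carriage returns; a Windows editor or unzip tool can add
# CR line endings or extra lines, so catch that before the key leaves the Mac.
check_pubkey() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    lines=$(awk 'END { print NR }' "$f")
    [ "$lines" -eq 1 ] || { echo "$f: expected 1 line, found $lines" >&2; return 1; }
    crs=$(tr -dc '\r' < "$f" | wc -c | tr -d ' ')
    [ "$crs" -eq 0 ] || { echo "$f: contains CR line endings" >&2; return 1; }
    grep -q '^ssh-rsa AAAA' "$f" || { echo "$f: not an ssh-rsa public key" >&2; return 1; }
}

# The post's command (ssh -L 5900:localhost:5900 user@host) with -f -N added so
# ssh backgrounds itself after the passphrase and opens no remote shell, and -p
# when sshd on the Server listens on a non-standard port (the 'Port' value in
# its sshd_config must match the port opened in the firewall).
tunnel_cmd() {
    user="$1"; host="$2"; port="${3:-22}"
    cmd="ssh -f -N -L 5900:localhost:5900"
    if [ "$port" -ne 22 ]; then cmd="$cmd -p $port"; fi
    echo "$cmd $user@$host"
}

# True once something accepts connections on the local tunnel end, 127.0.0.1:5900;
# this is the address VNC Viewer is pointed at ('localhost'), never the Server's.
tunnel_up() {
    nc -z 127.0.0.1 5900 >/dev/null 2>&1
}

# Usage: sh vnc_tunnel.sh connect <key.pub> <user> <host> [port]
if [ "${1:-}" = "connect" ]; then
    check_pubkey "$2" || exit 1
    eval "$(tunnel_cmd "$3" "$4" "${5:-22}")"   # prompts for the SSH passphrase
    for i in 1 2 3 4 5 6 7 8 9 10; do
        tunnel_up && break
        sleep 1
    done
    tunnel_up || { echo "tunnel did not come up on 127.0.0.1:5900" >&2; exit 1; }
    echo "Tunnel is up. Open VNC Viewer and connect to localhost."
fi
```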