Remotely Controlling another Mac

From Mac Guides

This article contains out of date information that doesn't reflect recent events or releases.


This article or section is based on a forum post written by beaster.



Introduction

There are a number of ways to control another computer remotely. This guide, while involved, walks you through setting up an easy-to-use and secure way of remotely controlling another Mac. The goal is to be able to remotely view and, if needed, control another Mac in order to teach a new Mac user how to do something or to fix their problem.

This method isn't the only way of doing it, but it meets the following criteria:

  • Secure - Doesn't pass anything in the clear over the internet.
  • Free - Timbuktu and Apple Remote Desktop (ARD) Server are great products, but not free.
  • Built-in - Using as many standard built-in tools as possible keeps things simple.
  • Simple - Point-and-click simplicity on the client's end.
  • Zero or at least minimal network changes on client's end - No need for client to configure his/her router.

[For the purposes of this guide, the client will be the computer being controlled, and the administrator is the computer controlling the client.]

Preparation

Things you will need:

A VNC server. This guide recommends Apple Remote Desktop Client, but other VNC servers could be used, e.g. OSXVNC.

A VNC client. This guide will use Chicken of the VNC, but other VNC clients could be used.

A Dynamic DNS name for the administrator computer. Unless the administrator computer already has a static IP address or DNS name, obtaining a Dynamic DNS name for the administrator computer will greatly simplify the process. This can be done free of charge at DynDNS among other places.

Setting up the Administrator

First, enable Remote Login (i.e. ssh server) on the administrator computer. (System Preferences > Sharing > Services)

Second, create a dummy, non-privileged account (called "dummy") to receive the tunnel. (System Preferences > Accounts > +)

Next install Chicken of the VNC on the administrator. COTVNC is lightweight, free, and works out of the box with no changes.

Also setup a Dynamic DNS (DDNS) name for the administrator using DynDNS (again, free). This will allow you to hard-code a DNS name instead of an IP address on the client since the administrator probably doesn't have a fixed public IP address.

Now, since the administrator computer is likely behind a NAT router and is running the Mac firewall, you will have to map the ssh port (port 22) on your router to your administrator computer, and you will have to open up the ssh port on the Mac Firewall. For increased security, this can all be turned off when the tunnel isn't in use (which is easy since it's on the administrator's end, not the client's).

Setting up the Client

Prior to Lion

The first thing to do on the client is upgrade to the latest ARD client software. This is available as a free download on the Apple site: Apple Remote Desktop Client. It's called the ARD client, but it's a VNC server under the hood.

Once ARD is installed, go into the Sharing preferences pane on the client and start the ARD service. Also go into the Access Privileges for ARD and enable "VNC viewers may control screen with Password". Just put any old password in - it doesn't matter and will be ignored since we're tunneling over ssh. Also put a check next to the client's user account and check "Observe" and "Control" (it is unclear whether this step is necessary).

Note that you do NOT need to open up the ARD ports on the client's software firewall since this will be tunneled over ssh. In fact, you don't even need to open up the ssh ports on the client since the client is sending the ssh request outbound (it's a reverse tunnel), not receiving ssh requests inbound. This way is VERY secure - the client exposes no listening ports to the internet at all.

Next, create a saved Terminal file on the client to launch the reverse tunnel. In Terminal choose File > Save As, then give the file a name. Click on "Execute this command" and enter the following:

   ssh dummy@mypowerbook.ddnsname.whatever -R 5900:127.0.0.1:5900

Then check "Execute command in shell" and click Save.

This creates a reverse (hence the -R) tunnel mapping the VNC client port (5900) on the administrator computer to the VNC server port (also 5900) on the client. It's a reverse tunnel meaning that although you establish the connection from the client to the administrator, the "flow" or the port mapping actually goes in the opposite direction - from the admin to the client.

Why all the trouble? This configuration does not require the client to open up any ports on their Mac's firewall or do any port re-mapping on their router to allow for inbound ssh connections. The tunnel originates from the client's computer but allows the administrator to connect back to the VNC server on the client's computer. Now all the client has to do is double-click on the saved terminal file when they want to establish the tunnel and allow the administrator to observe or control their computer.


With Lion

The first thing to do on the client is upgrade to the latest ARD client software. This is available as a free download on the Apple site: Apple Remote Desktop Client. It's called the ARD client, but it's a VNC server under the hood.

Once ARD is installed, do the following:

  1. If not already running, start System Preferences;
  2. Sharing;
  3. Check "Remote Management";
  4. A pull-down menu with the available controls appears; set the ones needed in your case;
  5. Click OK;
  6. By now, the dot next to "Remote Management" should have turned green and its status text should read "On";
  7. Click on "Computer settings";
  8. Check "VNC viewers may control screen with password:";
  9. Insert a password (maximum 8 characters);
  10. Click on "Ok";


Note that you do NOT need to open up the ARD ports on the client's software firewall since this will be tunneled over ssh. In fact, you don't even need to open up the ssh ports on the client since the client is sending the ssh request outbound (it's a reverse tunnel), not receiving ssh requests inbound. This way is VERY secure - the client exposes no listening ports to the internet at all.


Next, create a "New Command" in Terminal:

  1. If not already running, start Terminal;
  2. In the menu, click on "Shell";
  3. Select "New Command...";
  4. In the "Command:" field, type:
    • ssh dummy@the_address_of_the_administrator_computer -R 5900:127.0.0.1:5900
    • Note: on the administrator computer, under System Preferences > Sharing > Remote Login, check that the user dummy is allowed access.
  5. Check "Run command inside a shell";
  6. Click on the "Run" button.


This creates a reverse (hence the -R) tunnel mapping the VNC client port (5900) on the administrator computer to the VNC server port (also 5900) on the client. It's a reverse tunnel meaning that although you establish the connection from the client to the administrator, the "flow" or the port mapping actually goes in the opposite direction - from the admin to the client.


Why all the trouble? This configuration does not require the client to open up any ports on their Mac's firewall or do any port re-mapping on their router to allow for inbound ssh connections. The tunnel originates from the client's computer but allows the administrator to connect back to the VNC server on the client's computer.
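As an added example (not part of the original guide, and applicable to both the pre-Lion and Lion procedures above), the following script wraps the one-line ssh command in a client-side launcher with a few hardening options: it refuses to start when no VNC server is listening locally, binds the forwarded port to the administrator's loopback only, and exits if port 5900 is already taken on the administrator (which happens when a second client connects; without this, ssh stays up but the administrator keeps seeing the first client). The administrator's DDNS name "admin.example.invalid" and the account name "dummy" are placeholders set via environment variables.

```shell
#!/bin/sh
# Client-side launcher for the reverse VNC tunnel (added example). The
# administrator name and account are placeholders; override via environment.
ADMIN_HOST="${ADMIN_HOST:-admin.example.invalid}"
ADMIN_USER="${ADMIN_USER:-dummy}"
VNC_PORT="${VNC_PORT:-5900}"

# Print the ssh arguments one per line. Compared with the bare -R command
# in the guide this adds:
#   -N                        forward only, no remote shell for the dummy user
#   ExitOnForwardFailure=yes  if 5900 is already bound on the administrator
#                             (another client is connected), ssh exits instead
#                             of silently staying up with no tunnel of its own
#   ServerAlive*              a dead tunnel is torn down so it can be restarted
#   127.0.0.1 bind address    the forwarded port stays on the admin's loopback
tunnel_args() {
    printf '%s\n' -N \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -R "127.0.0.1:${VNC_PORT}:127.0.0.1:${VNC_PORT}" \
        "${ADMIN_USER}@${ADMIN_HOST}"
}

# Succeed only if a VNC server is listening locally; otherwise the tunnel
# would come up but the administrator would get "connection refused".
# lsof ships with macOS.
local_vnc_listening() {
    lsof -nP -iTCP:"$1" -sTCP:LISTEN >/dev/null 2>&1
}

start_tunnel() {
    if ! local_vnc_listening "$VNC_PORT"; then
        echo "nothing listening on port $VNC_PORT; enable Remote Management first" >&2
        return 1
    fi
    # tunnel_args emits one argument per line; word splitting is intended
    # here, as none of the arguments contain whitespace.
    exec ssh $(tunnel_args)
}

case "${1:-}" in
    start) start_tunnel ;;
    show)  tunnel_args ;;
    *)     echo "usage: $0 start|show" >&2 ;;
esac
```

Save it as e.g. ~/tunnel.sh and have the double-clickable Terminal file run "sh ~/tunnel.sh start"; "sh ~/tunnel.sh show" prints the exact ssh arguments without connecting.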

Increased Security With Public Key Authentication

Any need for exchanging or remembering the password for the dummy account can be eliminated by using public key authentication to establish the ssh tunnel. This step isn't really necessary if you don't mind the client having to remember and type in the dummy user's password, but that doesn't seem to meet the "simple" criterion above. Using password-based authentication also increases the possibility that someone could use the open ssh port as a means of a brute-force attack on the administrator computer.

Generate a DSA public-private key pair on the client under the client's user account (in Terminal, type "ssh-keygen -t dsa" and accept the defaults). The client's public key will be saved to the specified location (e.g. ~/.ssh/id_dsa.pub).

The client's public key should be copied to the ~/.ssh/authorized_keys2 file under the dummy account on the administrator computer. If this file already exists (i.e. the administrator is supporting more than one client computer) the public key should be appended to those already in ~dummy/.ssh/authorized_keys2. Note there's no real security risk in having the client send their public key to the administrator by email or IM - that's why it's called a "public" key. Once the client's public key has been installed, password-based ssh authentication can be disabled on the administrator computer, if so desired.
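As an added example (not part of the original guide), the helpers below tighten the administrator side of the key setup: each client key installed for the dummy account gets authorized_keys options that allow nothing but a reverse forward to the VNC port on loopback, an audit function lists any key that lacks those options, and a sshd_config Match block disables passwords, shells and other forwarding for the dummy account. It assumes a current OpenSSH (the permitlisten option needs 7.8 or later), and the sample key is a constructed ed25519 placeholder, since OpenSSH 7.0 and later refuse DSA keys by default.

```shell
#!/bin/sh
# Administrator-side helpers for the dummy account's authorized_keys file
# (added example; the sample key and paths are constructed placeholders).

# Options to prepend to every client key. "restrict" disables pty, X11,
# agent forwarding and all port forwarding; "port-forwarding" re-enables
# forwarding; "permitlisten" then limits -R to the VNC port on loopback.
KEY_OPTS='restrict,port-forwarding,permitlisten="127.0.0.1:5900"'

# Print the given public-key line with KEY_OPTS prepended; lines that
# already begin with options (not a key type) are passed through.
restrict_key_line() {
    case "$1" in
        ssh-*|ecdsa-*|sk-*) printf '%s %s\n' "$KEY_OPTS" "$1" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Print every key in the file that is not restricted this way.
# Exit status 1 if any such key exists, 0 if all keys are restricted.
audit_authorized_keys() {
    awk '/^#/ || /^[[:space:]]*$/ { next }
         !(/(^|,)restrict[, ]/ && /permitlisten=/) { print; bad = 1 }
         END { exit bad + 0 }' "$1"
}

# sshd_config fragment for the dummy account: keys only, remote forwards
# only, no shell or tty. Append to sshd_config, then run "sshd -t" first.
dummy_sshd_match() {
    cat <<'EOF'
Match User dummy
    PasswordAuthentication no
    AllowTcpForwarding remote
    GatewayPorts no
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
EOF
}

# Demonstration on a constructed authorized_keys file in a temp dir.
demo_dir=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYMATERIAL00000000000000000 client-a' \
    > "$demo_dir/authorized_keys"
audit_authorized_keys "$demo_dir/authorized_keys" || echo "unrestricted key(s) listed above"
restrict_key_line "$(cat "$demo_dir/authorized_keys")" > "$demo_dir/authorized_keys.fixed"
audit_authorized_keys "$demo_dir/authorized_keys.fixed" && echo "all keys restricted"
rm -r "$demo_dir"
```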

Connecting

All the client has to do is double-click on that Terminal file to start up the tunnel.

Once the tunnel is established, start COTVNC on the administrator computer, type in "localhost" under the Host: field, leave the display/port set to 0, leave the password field empty, and click Connect. The client's screen appears and the administrator can use their mouse and keyboard to control the client computer.

Note that the administrator does NOT need to be logged in as the dummy user. The whole point of the dummy user is to be the end point for the tunnel. Once the tunnel is up, the ports are mapped for all users logged on the administrator computer. Any user on the administrator computer can take advantage of the tunnel.

Also note that with this method you never need to know the IP address of the client. This simplifies the process so the client does not have to try to figure out the public IP address of their router every time they want to start the tunnel.

Links

Wikipedia article on VNC

Wikipedia article on SSH

Wikipedia article on DDNS

Apple - Remote Desktop (Server)