VNC Over SSH From Mac To Windows - A Tutorial
Peter Bunn
bunnz "at" mhtc.net
Sat Sep 13 20:37:01 2008
VNC Over SSH From Mac To Windows
The premise for this tutorial was the need to assist my father (by way of
a secure connection) with 'care and feeding' of his home computer... a
Windows machine (running XP Home SP1)... from my own Mac (running OS X
10.4.11).
It is very specific in that regard, but I hope that others may derive
some use from it... applying similar methods to their own needs. Much of
it is written from memory, and may be incomplete or 'imperfect'. Again,
it's hoped the procedures outlined may be of nominal use. Comments and
corrections are welcome.
(In time, I hope to post a web page which actually includes the
screenshots I allude to in the text below.)
Note that certain steps listed here are optional... but (variously) can
improve security or allow greater ease of use.
For instance, the use of a non-standard SSH port on the Server (Windows)
computer is not necessary, but may help obscure (from casual hackers) the
actual port in use. (Complete documentation for using a non-standard
port is not yet available.)
For instance, on the Viewer (Mac) computer, the use of SSH Agent is
optional... but obviates need for the Terminal and simplifies generation
of key pairs and creation of the SSH tunnel.
(Also note that other VNC and SSH software is available for both Mac and
Windows computers, but is not covered here.)
-----
For clarity and convenience, I will use these conventions in the
following:
When I refer to the 'Viewer' computer, in all cases I am referring to the
client Mac machine.
When I refer to the 'Server' computer, in all cases I am referring to the
target Windows machine.
-----
In shorthand, the steps required are listed immediately below... and
outlined in greater detail further below.
Viewer (Mac) setup:
1) Download, install and configure RealVNC viewer.
2) Download, install and configure SSH Agent.
3) Generate public/private key pair.
4) 'Find' and transfer public key to Server computer.
Server (Windows) setup:
1) Download, install and configure RealVNC server (as service).
2) Download and install CopSSH (as service) and activate user.
3) Place public key (from Viewer computer) in Server computer user .ssh
folder.
4) Configure firewall and/or router of Server computer.
5) (Optional) Modify sshd_config file.
6) Restart Server computer.
Viewer (Mac) operation:
1) Create SSH tunnel.
2) Initiate VNC session.
-----
Viewer Computer Setup
1) Download and install the RealVNC 'Enterprise' standalone viewer for
Mac, available here:
(http://www.realvnc.com/products/enterprise/macosx.html). Some
screenshots of the viewer interface and options are shown below. The
default options are reasonably likely to work.
2) Download and install the 'SSH Agent' utility available here:
(http://www.phil.uu.nl/~xges/ssh/). Some screenshots of the SSH Agent
interface and options are shown below. Values for typical connection
entries are shown, but must be modified to suit your situation. Save the
connection dialog as a file to preserve your settings.
3) Using SSH Agent... add and name a New Identity. This will generate a
public/private key pair in separate files. When prompted "Enter
passphrase (Cancel for no passphrase)", enter a strong passphrase
(password) using upper and lower case and numerals. Make a record of the
passphrase.
(Or)
3) Using the OSX Terminal... open a Terminal window. Enter the following
command:
ssh-keygen -b 2048 -t rsa
This command generates a public/private key pair in separate files. When
prompted "Enter file in which to save the key", press the enter or return
key. When prompted "Enter passphrase (empty for no passphrase)", enter a
strong passphrase (password) using upper and lower case and numerals.
Press the enter or return key. Make a record of the passphrase.
4) The key pair created (using either method above) is placed in a
hidden (invisible) folder named '.ssh' in the current user's home
folder. The following AppleScript will open the hidden .ssh folder for
access to its contents:
-- build an alias to ~/.ssh (the trailing colon marks it as a folder)
set ssh_folder to (path to home folder as text) & ".ssh:" as alias
tell application "Finder"
    activate
    open ssh_folder
end tell
Make a copy of the file with the '.pub' suffix (or extension) in the .ssh
folder and place it on the desktop. Rename it 'authorized_keys' and zip
it (or 'archive it'). The zipped public key should be transferred (by
one means or another) to the Server (Windows) computer.
-----
Server Computer Setup
1) Download and install the free version of RealVNC for Windows,
available here: (http://www.realvnc.com/products/free/4.1/download.html).
The options suggested by the installation wizard are likely to work, but
be sure to install the VNC server as Service Mode. Initially, the only
configuration change necessary is to enter and confirm a password in the
'Authentication' tab. Make a record of the password.
2) Download and install CopSSH, available here:
(http://www.itefix.no/i2/node/27). The options suggested by the
installation wizard are likely to work. Click 'OK' in the following
dialog when informed that a user must be activated.
Click Start > Programs > CopSSH > 1. Activate A User. In the following
dialog, select 'Administrator'. Click 'Activate User'. When prompted,
enter the same passphrase used when generating the public/private key
pair on the Viewer (Mac) computer. Click 'OK'.
3) Unzip the public key ('authorized_keys') you transferred from the Mac
and place it in the folder '.ssh' of the user's ('Administrator') folder
of the 'home' folder in the 'copSSH' folder of the 'Program Files' folder
of the 'C' drive.
C:\Program Files\copSSH\home\Administrator\.ssh\authorized_keys
4) Firewall/router configuration:
(For XP Home SP1 (with router) or XP SP2 or SP3 (with or without router)
you will have to find other documentation for firewall and router
configuration if you need it.)
For XP Home SP1 (with no router), right click on the Broadband or WAN
connection in 'Network Connections' in Control Panel. Select Properties.
(Some relevant screenshots of typical connection Properties are shown
below.)
Click on the 'Advanced' tab. In the dialog window that appears next, be
sure that the firewall is enabled... enable it if it's not.
Click on the 'Settings' tab.
Click the 'ICMP' tab in the dialog window that appears next. Put a
checkmark in the box beside 'Allow incoming echo request'.
Click on the 'Services' tab.
In the dialog window that appears next, if there is no service shown for
an SSH connection, create one by clicking 'Add'...
In the dialog window that appears next, enter a descriptive name for the
SSH service, enter the computer name or IP address, and enter 22 (or -
optionally - a non-standard port number) in both port Internal and
External Port entry boxes. Be sure the 'TCP' radio button is selected.
Click 'OK' to exit each dialog window. If the connection was open, a
dialog will appear saying that changes won't take effect until the next
connection is made.
--> 5) If a non-standard port number is used, the CopSSH sshd_config file
must be modified. (Details coming soon.)
6) Restart the Server computer and be sure both the RealVNC server and
CopSSH are running as services.
-----
Tunnel Creation & Viewer Operation (Mac)
1) Create the SSH tunnel. Open the SSH Agent connection file you saved
in Viewer Setup Step 2 above. A window will appear with the settings you
entered previously. Click 'Open'. If all your settings so far are
correct, you should now have an SSH tunnel to the Server computer. Hide
SSH Agent if you wish. Do not quit it, as this will end the SSH session.
(Or)
1) Using the OSX Terminal... open a Terminal window. Enter the following
command:
ssh -v -L 5900:localhost:5900 Administrator@target_IP_address
(The -v provides additional detail in the Terminal window when attempting
a connection and may be omitted if desired.)
Hide Terminal if you wish. Do not quit it, as this will end the SSH
session.
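As an added example (not part of the original post), the following
script does the Terminal variant of step 1 from a shell: it opens the
tunnel in the background, then confirms that what answers on the local
end of the tunnel is really the VNC server by reading the 12-byte RFB
version banner ("RFB 003.008" or similar) that every VNC server sends
first. The host, user and port values are placeholders to be edited.

```shell
#!/bin/sh
# Added example, not the original author's code. Assumed values below.
TARGET="target_IP_address"   # placeholder: the Server (Windows) computer
SSH_USER="Administrator"
SSH_PORT=22                  # change if you chose a non-standard sshd port
LOCAL_PORT=5900
REMOTE_PORT=5900

# A VNC server greets each client with a 12-byte version string such as
# "RFB 003.008\n". Return 0 (true) when the argument looks like one.
is_rfb_banner() {
    case "$1" in
        "RFB 00"[0-9]"."[0-9][0-9][0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read the first 12 bytes sent by whatever listens on a local TCP port.
# -w 3 gives up after 3 s of silence; stdin is /dev/null so nc sends nothing.
read_banner() {
    nc -w 3 127.0.0.1 "$1" </dev/null 2>/dev/null | head -c 12
}

# -N: run no remote command, -f: go to the background after authentication,
# -L bound to 127.0.0.1 so other hosts on your LAN cannot use the tunnel.
open_tunnel() {
    ssh -f -N -p "$SSH_PORT" \
        -L "127.0.0.1:${LOCAL_PORT}:localhost:${REMOTE_PORT}" \
        "${SSH_USER}@${TARGET}"
}

main() {
    open_tunnel || { echo "ssh tunnel failed" >&2; return 1; }
    banner=$(read_banner "$LOCAL_PORT")
    if is_rfb_banner "$banner"; then
        echo "VNC server answers through the tunnel: $banner"
        echo "Now point the VNC viewer at localhost:${LOCAL_PORT}"
    else
        echo "no RFB banner on 127.0.0.1:${LOCAL_PORT}; check that sshd and" \
             "the VNC service are running on the Server" >&2
        return 1
    fi
}
# Run with:  main
```

The banner check is worth keeping even when using SSH Agent instead of
the Terminal: a tunnel can come up cleanly while the VNC service on the
Server is stopped, and this tells the two failures apart.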
2) Initiate the VNC connection. Open the VNCViewer. Enter 'localhost'
and click 'Connect'. If all goes well, a small dialog should appear
asking for your password. Enter the password for the VNC Server you
entered on the Server computer (not the SSH passphrase). In a moment,
the desktop of the Server computer should appear, and mouse and keyboard
inputs will be received by the Server machine.
At this point, you have successfully created a more secure connection
between Viewer and Server computers than VNC alone.
-----
Hope this has been helpful...
Peter Bunn
-----
Final Note
My effort was greatly aided by help from Lincoln A. Baxter (a member of
this mailing list), to whom I offer many thanks.