When you’re at the office or on the road, it can be handy to have remote access to your home Mac—so you can retrieve a forgotten file, start a large download, or perform some other task. The same applies if you’re at home and need access to your work computer. OS X provides a number of ways to connect to a remote machine, including remote login, personal file sharing, and FTP.
But while those are all good tools, they don’t let you use that remote Mac’s graphical user interface. Fortunately, you can do that, too, using the Apple Remote Desktop server built into every copy of OS X since version 10.4.
We’ve covered the basics of using Remote Desktop before (see No Files Left Behind); this month, we’ll show you how to set up a fully secure remote connection, in which all the exchanges between the machines will be encrypted. Anyone who might be “listening in” (if you’re at a coffee shop, for instance) won’t be able to capture anything other than a stream of useless encrypted characters.
First, obviously, you need two computers—the remote Mac (for the purposes of this article, we’ll call it HomeMac) and the Mac you’ll be using to access it (we’ll call this one OfficeMac). We’ll assume that you’re using two Macs running OS X 10.4.8 or later (though the instructions should work on OS X versions as old as 10.4, or 10.3 if you’ve manually installed Remote Desktop).
Second, HomeMac needs to have an always-on Internet connection, preferably a fast one. In this case, upload speed is more important than download speed; to find out what yours is, go to www.speakeasy.net/speedtest. An upload speed of at least 1 Mbps is best.
If HomeMac is connected to the Internet through a router, you may have to configure that router to forward port 22 (used by SSH, which is at the heart of this whole process) and ports 3283 and 5900 (used by Remote Desktop) to the Mac you want to control. (We can’t provide instructions for each of the hundreds of different routers on the market today. You can usually find a port-forwarding section in your router’s Web-based administration interface; check your documentation.)
Third, you’ll need to know the public IP address of HomeMac. (This may not be the same IP address you see in the Network preference pane. If you connect to the Net through a router, that pane will tell you only your local IP address on your home network, not the IP address that’s visible to the outside world.) The easiest way to find your public IP address is to visit DynDNS’s Current IP Check page (checkip.dyndns.org). Alternatively, you could use a dynamic domain service to give HomeMac its own domain name (see Remotely Access Your Mac). However you do it, record the IP address or domain name somewhere on OfficeMac—a Stickies note is a good spot.
Finally, OfficeMac will need a copy of the open-source program Chicken of the VNC, or COTVNC (free), which you’ll use to display HomeMac’s screen.
Configuring the machines
Once you have everything you need, it’s time to prepare HomeMac for the remote connection.
In HomeMac’s Sharing preference pane, select the Remote Login option. This enables the SSH server, which allows for secure (encrypted) command-line access to HomeMac from another machine.
Next, still in the Sharing preference pane, select Apple Remote Desktop. If an Access Privileges screen doesn’t open when you do that, click on the Access Privileges button to open it. In the Access Privileges screen, select VNC Viewers May Control Screen With Password. Then enter a password and click on OK; you can ignore everything else in this window.
The final configuration step is optional: set HomeMac’s display resolution to 1,024 x 768—remote display of the GUI goes much faster if you use a low resolution.
HomeMac is now ready to be controlled by OfficeMac. Just be sure that HomeMac is on before you leave, or that you’ve used the Energy Saver preference pane to set daily wake and sleep times. That said, it’s a very good idea to test the rest of this tip out before you really need it—maybe by setting up HomeMac and then trying to access it from a nearby Internet café—just in case you need to make some adjustments.
Accessing your Mac remotely
Once you reach your destination, establish OfficeMac’s Internet connection. Now for the magic—open Terminal (/Applications/Utilities) and enter the following command:
ssh -L 5900:127.0.0.1:5900 username@126.96.36.199
Replace username with your short user name on HomeMac, and 126.96.36.199 with HomeMac’s public IP address or domain name.
This is what you’ve just done: The ssh command initiates a secure connection to a remote host. The -L switch binds port 5900 on the current machine (in network addressing, 127.0.0.1 means “this machine”) to port 5900 on that remote host. The last section of the command specifies who that remote host is: your user account on HomeMac. Why port 5900? Because that’s the one VNC uses. In other words, the command initiates a secure connection between OfficeMac and HomeMac, forwarding anything happening on port 5900 on OfficeMac to port 5900 on HomeMac.
The first time you connect using SSH in Terminal, you’ll see a warning about the authenticity of the host and be asked to confirm that you want to continue (see “Host Authenticity”). Don’t worry; this is completely normal. It’s just the system’s way of telling you that it doesn’t know anything about the host you’re connecting to. Type yes at the prompt, and you shouldn’t see that warning again.
Then you should see a password dialog box. Enter the login password for your user account on HomeMac, and press return. That should produce a welcome message from HomeMac.
You’ve established a secure connection between the two machines. Now it’s time to use it. Fire up COTVNC on OfficeMac and choose Connection: New Connection. In the dialog box that appears, enter localhost as the host (if that isn’t already there), and then enter the password you set in the Access Privileges window on HomeMac. Leave the rest of the settings as they are, and click on Connect.
If everything is set up correctly, you should soon (depending on HomeMac’s display resolution and the speed of your connection) see HomeMac’s screen displayed in a window on OfficeMac’s screen (see “Remote GUI Access”).
When you’ve done what you need to do on HomeMac, quit COTVNC. Switch back to Terminal and type exit to terminate the secure connection between HomeMac and OfficeMac.
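
The port forward used in this section, as an added example that is not part of the original article: a check, run on OfficeMac while the ssh session is open, that the local end of the tunnel on port 5900 listens on the loopback address only, which is the OpenSSH default unless -g or GatewayPorts is set. The helper name check_listener and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article. check_listener is a hypothetical helper.
#
# In "-L 5900:127.0.0.1:5900" the first 5900 is the listener on OfficeMac;
# "127.0.0.1:5900" is the destination as HomeMac's sshd resolves it, i.e.
# HomeMac's own VNC port. OpenSSH also accepts an explicit local bind address:
#   ssh -L 127.0.0.1:5900:127.0.0.1:5900 username@126.96.36.199

# Read `netstat -an` output on stdin and classify the listener on a port.
# Prints loopback-only (exit 0), exposed (exit 1) or no-listener (exit 2).
check_listener() {  # usage: netstat -an | check_listener [port]
    awk -v port="${1:-5900}" '
        $NF == "LISTEN" {
            addr = $4                          # local address column
            n = match(addr, /[.:][0-9]+$/)     # ".port" on OS X, ":port" on Linux
            if (!n || substr(addr, n + 1) != port) next
            found = 1
            host = substr(addr, 1, n - 1)
            if (host != "127.0.0.1" && host != "::1") exposed = 1
        }
        END {
            if (!found)       { print "no-listener";  exit 2 }
            else if (exposed) { print "exposed";      exit 1 }
            else              { print "loopback-only" }
        }'
}

# Constructed sample lines in OS X netstat layout (not captured output).
SAMPLE_TUNNEL='tcp4       0      0  127.0.0.1.5900         *.*                    LISTEN
tcp6       0      0  ::1.5900               *.*                    LISTEN'
SAMPLE_EXPOSED='tcp4       0      0  *.5900                 *.*                    LISTEN'

printf '%s\n' "$SAMPLE_TUNNEL"  | check_listener 5900          # loopback-only
printf '%s\n' "$SAMPLE_EXPOSED" | check_listener 5900 || true  # exposed
```

With the tunnel open, run `netstat -an | check_listener 5900` in a second Terminal window on OfficeMac; a result of `exposed` means port 5900 is reachable from other machines on the local network.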
Now you no longer have to worry about compromising your data when you make a remote connection. Thanks to tools built into OS X and some free VNC software, you can have full GUI control of your remote Mac over a secure encrypted connection. Just keep in mind that whatever you’re doing on the remote Mac will be visible on its screen if you’ve left it turned on.
Forget the passwords
You can also make a secure GUI connection between two Macs without entering a password. The trick is to use key-based authentication. To set this up, you create public and private keys on OfficeMac and then transfer the public key to a special file on HomeMac. Thereafter, whenever you initiate a connection, HomeMac will encrypt a random number using the stored public key and send it to OfficeMac. OfficeMac will then decrypt the number using its private key—the only key that can unscramble the number—and send the decoded number back to HomeMac. HomeMac will compare the two numbers and, if they match, let you connect. See our hint for more on how to do all that.
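
The "special file" step described above, as an added example that is not part of the original article or the hint it refers to: a helper, run on HomeMac, that installs OfficeMac's public key into ~/.ssh/authorized_keys with the permissions sshd expects. The name install_pubkey and the sample key line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article. install_pubkey is a hypothetical helper.
# On OfficeMac, create the key pair first:
#   ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa
# Copy only id_rsa.pub to HomeMac; the private key never leaves OfficeMac.
# A passphrase on the key plus ssh-agent keeps logins prompt-free without
# leaving the private key unprotected on disk.

install_pubkey() {  # usage: install_pubkey PUBKEY_FILE [HOME_DIR]
    pub=$1; home=${2:-$HOME}
    # Refuse a private key handed over by mistake.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub is a private key" >&2; return 1
    fi
    # Take the first line that has the "type base64 [comment]" shape.
    key=$(grep -E '^(ssh-|ecdsa-)[^ ]+ [A-Za-z0-9+/=]+' "$pub" | head -n 1)
    [ -n "$key" ] || { echo "no public key found in $pub" >&2; return 1; }

    # With StrictModes (the sshd default) keys are ignored if these paths
    # are writable by anyone other than the owner.
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    auth="$home/.ssh/authorized_keys"
    touch "$auth" && chmod 600 "$auth"

    # Append only if this exact key line is not already there (idempotent).
    grep -qxF "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# Demo in a scratch directory with a constructed (not real) key line.
demo=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EConstructedSampleOnly username@OfficeMac' > "$demo/id_rsa.pub"
install_pubkey "$demo/id_rsa.pub" "$demo/home"
install_pubkey "$demo/id_rsa.pub" "$demo/home"   # second run adds nothing
wc -l < "$demo/home/.ssh/authorized_keys"        # one line
rm -rf "$demo"
```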
[ Senior Editor Rob Griffiths runs the MacOSXHints.com Web site. ]
Host Authenticity: When you connect to another machine using SSH, you’ll see a series of warnings and questions. Don’t be concerned; just say yes.
Remote GUI Access: Here’s how things look when you connect remotely to another Mac’s GUI. In the background is the master Mac. The smaller window belongs to COTVNC, which is running Safari on the remote machine.