Apple Remote Desktop

On Mac OS 1.4, there is the option to turn on ‘Apple Remote Desktop’ under the
Sharing system preference. Does this allow me to connect and remote control my
Mac from another Mac? What do I use for the client – Apple Remote Desktop
Client? Does this use the same ARD security so the user information
(username/password) is encrypted? Is all the session information encrypted as well?

I guess I am basically asking if Apple provides, for free, a one user license
for ARD. I know Apple sells ARD licenses for 10 users or unlimited users, but
this seems like Apple is throwing us a freebie here. Am I right?

Answers

ARD is essentially an Apple-branded version of VNC (with a different hash
algo so that VNC clients don’t interwork). The ARD management
application also has some features for remote control and probing that make it
a slight value add, but if you are thinking of a small installation, maybe
VNC would be better for you.

But yes, in short, ARD lets you remote control your Mac, or observe
someone else’s session. There is some encryption, but I believe it is
limited to user/pass info and not the entire session. With VNC, common
practice is to tunnel it through an SSH session to achieve the
latter…

You’ll have to ask Tim/Skip about licensing.

Alan Wood
--
Good questions!

The ARD client is included with every copy of Mac OS X, but the Remote Desktop Application is NOT included; that is a separate purchase. Obviously, without the ARD application, having the client doesn’t buy you much, but in the ‘old days’ when the client was not included it was a nightmare to install the client on EVERY system you wanted to manage. So, this new method is more for convenience. The Remote Desktop application comes in two flavors, based on licensing. You can purchase a 10 user version which allows you to manage up to 10 remote computers at a time, or unlimited clients, which is the all-you-can-eat version.

Insofar as encryption of remote services, I’ll quote from the documentation:

‘Security and encryption
Apple Remote Desktop 3 uses 128-bit AES encryption to ensure that all remote communications are secure, even over the internet, with client computers running Mac OS X v10.3 or later. For screen control and file copy tasks, where encrypting large amounts of data may significantly degrade performance, administrators can choose encryption for improved security or leave encryption off for better performance.’

So, there ya go. There is a good technology overview of ARD @ <http://www.apple.com/remotedesktop/> and also you can find the admin guide there as well.

Tim Parker
Systems Engineer
Higher Education Division, Apple
--
You can also use “Chicken of VNC” as a client, instead of the ARD
manager, after enabling the VNC option in Access Privileges of ARD. Here is a
link to the download:

http://www.apple.com/downloads/macosx/networking_security/chickenofthevnc.html

Chicken of VNC does not offer encryption though.

Babak Samii
--
However, you can get encryption via ssh tunneling. For example, say you have VNC set up to work over 5901. To set up an encrypted network “tunnel” for processes using this port, the following command should work:

$ ssh -L 5901:localhost:5901 -N -f -l rocky sshserver.mydomain.com

For Macs though, the localhost hostname can be problematic in some cases. So this might be more robust:

$ ssh -L 5901:127.0.0.1:5901 -N -f -l userfoo sshserver.mydomain.com

The specific option descriptions can be found in the ssh man page, but basically this will forward all traffic occurring on port 5901 to the sshserver over an encrypted channel. The -N says no commands are to be executed (just simple port forwarding). The -f puts the operation into the background.

You can find the process id via:

$ ps aux | grep ssh

So you may kill it when done. There are no limits to how many ports you can forward. The only “gotcha” for this method is that it’s only as secure as user forgetfulness. For personal use, I recommend aliasing your vnc client command in your shell profile. For bash, if the client command is ‘vncbar’ this would look like:

.bash_profile:

alias vncbar='ssh -L 5901:127.0.0.1:5901 -N -f -l userfoo sshserver.mydomain.com; vncbar'

If in a multi-user environment, a more creative solution might be needed, such as writing a wrapper script and placing it in a high order path such as /usr/local/bin.

James Kyle
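
The wrapper script suggested above, as an added example that is not part of the original post: it opens the tunnel bound to loopback, runs the client, and closes the tunnel when the client exits, so no background ssh is left running by forgetfulness. The script name vnc-tunnel, the TUNNEL_* variables and the function names are assumptions; 'vncbar' is the placeholder client name from the post.

```shell
#!/bin/sh
# Added example: open the SSH tunnel, run the VNC client, always close the tunnel.
# Assumptions (not from the thread): script name 'vnc-tunnel', the TUNNEL_*
# variables and all function names; 'vncbar' is the post's placeholder client.
TUNNEL_USER="${TUNNEL_USER:-userfoo}"
TUNNEL_HOST="${TUNNEL_HOST:-sshserver.mydomain.com}"
TUNNEL_PORT="${TUNNEL_PORT:-5901}"
SSH_BIN="${SSH_BIN:-ssh}"
VNC_CLIENT="${VNC_CLIENT:-vncbar}"

# Accept only a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Forward spec bound to loopback on both ends, so other hosts on the
# local network cannot connect to the forwarded port.
forward_spec() {
    printf '127.0.0.1:%s:127.0.0.1:%s\n' "$1" "$1"
}

open_tunnel() {   # $1 = control socket path; fails if the forward cannot bind
    "$SSH_BIN" -f -N -M -S "$1" -o ExitOnForwardFailure=yes \
        -L "$(forward_spec "$TUNNEL_PORT")" -l "$TUNNEL_USER" "$TUNNEL_HOST"
}

close_tunnel() {  # $1 = control socket path; asks the background ssh to exit
    "$SSH_BIN" -S "$1" -O exit -l "$TUNNEL_USER" "$TUNNEL_HOST" 2>/dev/null
}

# Open the tunnel, run the client, then tear the tunnel down whatever the
# client's exit status was. Returns the client's exit status.
run_with_tunnel() {
    valid_port "$TUNNEL_PORT" || { echo "bad port: $TUNNEL_PORT" >&2; return 2; }
    dir=$(mktemp -d) || return 1          # private directory for the socket
    sock="$dir/ctl"
    if ! open_tunnel "$sock"; then rm -rf "$dir"; return 1; fi
    rc=0
    "$VNC_CLIENT" "$@" || rc=$?
    close_tunnel "$sock" || true
    rm -rf "$dir"
    return "$rc"
}

# Run only when installed under the wrapper name, e.g. /usr/local/bin/vnc-tunnel.
case "$0" in *vnc-tunnel) run_with_tunnel "$@" ;; esac
```

Point the VNC client at 127.0.0.1 on the forwarded port; the control socket (-M/-S) is what lets the wrapper stop the exact ssh process it started instead of grepping ps output.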

_Taken from http://lists.stat.ucla.edu/mailman/listinfo/osxforum_