# Apple Remote Desktop

On Mac OS 1.4, there is the option to turn on ‘Apple Remote Desktop’ under the
Sharing system preference. Does this allow me to connect and remote control my
Mac from another Mac? What do I use for the client – Apple Remote Desktop
Client? Does this use the same ARD security so the user information
(username/password) is encrypted? Is all the session information encrypted as well?

I guess I am basically asking if Apple provides, for free, a one user license
for ARD. I know Apple sells ARD licenses for 10 users or unlimited users, but
this seems like Apple is throwing us a freebie here. Am I right?

**Answers**

ARD is essentially an Apple-branded version of VNC (with a different hash
algo so that VNC clients don’t interwork). The ARD management
application also has some features for remote control and probing that make it
a slight value add, but if you are thinking of a small installation maybe
VNC would be better for you.

But yes, in short, ARD lets you remote control your Mac, or observe
someone else’s session. There is some encryption but I believe it is
limited to user/pass info and not the entire session. With VNC, common
practice is to tunnel it through an SSH session to achieve the
latter…

You’ll have to ask Tim/Skip about licensing.

Alan Wood  
--  
Good questions!

The ARD client is included with every copy of Mac OS X, but the Remote Desktop Application is NOT included, that is a separate purchase. Obviously, without the ARD application, having the client doesn’t buy you much, but in the ‘old days’ when the client was not included it was a nightmare to install the client on EVERY system you wanted to manage. So, this new method is more for convenience. The Remote Desktop application comes in two flavors, based on licensing. You can purchase a 10 user version which allows you to manage up to 10 remote computers at a time, or unlimited clients which is the all you can eat version.

Insofar as encryption of remote services, I’ll quote from the documentation:

‘Security and encryption  
Apple Remote Desktop 3 uses 128-bit AES encryption to ensure that all remote communications are secure, even over the internet, with client computers running Mac OS X v10.3 or later. For screen control and file copy tasks, where encrypting large amounts of data may significantly degrade performance, administrators can choose encryption for improved security or leave encryption off for better performance.’

So, there ya go. There is a good technology overview of ARD @ <http://www.apple.com/remotedesktop/> and also you can find the admin guide there as well.

Tim Parker   
Systems Engineer  
Higher Education Division, Apple   
--  
You can also use “Chicken of VNC” as a client, instead of the ARD
manager, after enabling the VNC option in Access Privileges of ARD. Here is a
link to the download:

[http://www.apple.com/downloads/macosx/networking\_security/chickenofthevnc.html](http://www.apple.com/downloads/macosx/networking_security/chickenofthevnc.html)

Chicken of VNC does not offer encryption though.

Babak Samii  
--  
However, you can get encryption via ssh tunneling. For example, say you have VNC set up to work over 5901. To set up an encrypted network “tunnel” for processes using this port, the following command should work:

$ ssh -L 5901:localhost:5901 -N -f -l rocky sshserver.mydomain.com

For macs though, the localhost hostname can be problematic in some cases. So this might be more robust:

$ ssh -L 5901:127.0.0.1:5901 -N -f -l userfoo sshserver.mydomain.com

The specific option descriptions can be found in the ssh man page, but basically this will forward all traffic occurring on port 5901 to the sshserver over an encrypted channel. The -N says no commands are to be executed (just simple port forwarding). The -f puts the operation into the background.

You can find the process id via:

$ ps aux | grep ssh

So you may kill it when done. There are no limits to how many ports you can forward. The only “gotcha” for this method is that it’s only as secure as user forgetfulness. For personal use, I recommend aliasing your vnc client command in your shell profile. For bash, if the client command is ‘vncbar’ this would look like:

.bash\_profile:

alias vncbar='ssh -L 5901:127.0.0.1:5901 -N -f -l userfoo sshserver.mydomain.com; vncbar'

If in a multi-user environment, a more creative solution might be needed, such as writing a wrapper script and placing it in a high order path such as /usr/local/bin.

James Kyle
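
The wrapper script suggested in the reply above, sketched as an added example that is not part of the original thread: it opens the tunnel, runs the client, and closes the tunnel when the client exits, so nothing depends on remembering to kill the ssh process. The script name `vnc-tunnel`, the `VNC_CLIENT` variable and the client's `host:port` argument form are assumptions; `vncbar` is the placeholder client name from the post.

```shell
#!/bin/sh
# vnc-tunnel (hypothetical name): run a VNC client through an SSH tunnel
# and tear the tunnel down afterwards.
# Usage: vnc-tunnel user sshserver [port]

VNC_CLIENT=${VNC_CLIENT:-vncbar}   # placeholder client name from the post

# Succeeds only for a decimal TCP port in 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Prints the -L forward spec. Binding the local end to 127.0.0.1 keeps
# other hosts on the network from connecting through the tunnel.
forward_spec() {
    printf '127.0.0.1:%s:127.0.0.1:%s' "$1" "$1"
}

# Close the master connection through its control socket, then remove it.
cleanup() {
    ssh -S "$sock" -O exit "$host" 2>/dev/null
    rm -rf "$dir"
}

main() {
    user=$1 host=$2 port=${3:-5901}
    valid_port "$port" || { echo "bad port: $port" >&2; return 2; }
    dir=$(mktemp -d) || return 1       # private directory for the socket
    sock=$dir/ctl
    trap cleanup EXIT                  # runs on normal exit and on 'exit' below
    trap 'exit 130' HUP INT TERM       # make signals go through the EXIT trap
    # -M/-S: control socket for a clean shutdown (no ps | grep needed).
    # ExitOnForwardFailure: fail now if the local port is already taken.
    ssh -f -N -M -S "$sock" -o ExitOnForwardFailure=yes \
        -L "$(forward_spec "$port")" -l "$user" "$host" || return 1
    "$VNC_CLIENT" "127.0.0.1:$port"    # argument form is an assumption
}

# Only act when called with arguments, so the file can also be sourced.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```
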

_Taken from [http://lists.stat.ucla.edu/mailman/listinfo/osxforum](http://lists.stat.ucla.edu/mailman/listinfo/osxforum)_