Conceptric
  1. A remote future for my Mac mini

    I’ve come up with a brilliant idea to reuse my old Mac mini. I’m going to convert it into a server on my local network for development and hosting our personal web projects.

    OK… not very original, but the key point is that I want to be able to use the wireless networking, stick it anywhere, and not have to worry about peripherals. A very mobile server.

    I already work with remote servers over public networks, and rarely use anything but the command line. For this project I wanted to be able to use the Mac desktop. This seemed the perfect excuse to play with VNC. Additionally, I frequently use SSH and PKI for encryption and authentication respectively, but not VNC.

    The Plan.

    It seemed to me that there were several parts to the problem, only one of which I’m familiar with.

    1. Configure a VNC Client on the local machine.
    2. Configure a VNC Server on the remote machine behind a firewall.
    3. Enable SSH communication through the firewall.
    4. Lock it all up using an SSH tunnel through the firewall so the Server and Client could talk.

    Now to work!

    The Client.

    I settled on Chicken of the VNC (COTVNC), an open source project providing a VNC Client for Mac OS-X. Great, that’s just what I want and it gets good reviews, but I guess most other clients out there would work too.

    Once installed, COTVNC takes almost no configuration; that all comes later in the SSH and Server.

    Connection set-up dialogue for Chicken of the VNC

    You might be able to see that I set up two connections; one for an unsecured connection, so that I could see if the security measures locked me out later; and this one for the secured connection, that’s why the host is the local machine.

    The Server.

    First I tried Apple Remote Desktop (ARD) and found it a little slow, but more importantly I couldn’t find a way to close the two ports in the firewall that the service automatically opened. While I’m diligently using SSH tunnelling to avoid compromising the security of my machine, these two ports are sitting there waiting for attack!

    Time to try a different approach. I chose to disable the ARD service, closing the firewall again, and installed a third-party VNC server. The one I selected was Vine Server from Redstone Software. The reason? Nothing better than that I’d read good things about it in blogs and on message boards, it’s available for Mac OS-X, and it’s free.

    What is in the box for Vine Server on Mac OS-X

    For Mac OS-X it downloads as a disk image containing the Server and a Viewer. I just wanted the Server as I’m using COTVNC, so a drag toward the Applications folder and a double click later I’m ready to configure things.

    Vine server can be run in two different modes; as a System Server that starts automatically whenever the Mac starts up; or as a Desktop Server that can be run like any other application. Since I want to run my Mac mini as a remote headless — no keyboard, mouse or monitor — server, I only configured the System Server.

    Settings dialogue for Vine System Server

    Not especially difficult, but the eagle-eyed out there might have spotted that I didn’t enable the “Require Remote Login” option; in fact I did the first time and bang went any connection. I reasoned that I’m using SSH tunnelling, so the Server won’t realise that the connection IS via SSH and block it.

    Set the System Server running, checking that it starts up again after a restart, and that’s the Server done.

    The Secure Protocol.

    Actually, this was pretty easy. Go to System Preferences > Sharing and enable the Remote Login service.

    Settings to enable the Remote Login service on Mac OS-X

    Make sure that the other services are disabled, unless you have a particular use for them; I’ll be enabling the Web Sharing service later. This should ensure that the firewall is closed on all ports except the one used for SSH — port 22.

    The Tunnel.

    The idea of the SSH tunnel was to forward any communications sent between port 5900 — the default VNC port — on the local machine and the remote machine, through an encrypted SSH connection.

    Now there are lots of utilities to help you manage your SSH world, but I tend to use SSH-Agent and the command line. I primarily use SSH-Agent to manage authentication, but it does have the ability to construct tunnels.

    Set-up dialogue for SSH tunnels in SSH-Agent

    If you’ve got PKI set up, you won’t even need to enter any passwords in order to establish the connection.

    The Result.

    Once your tunnel is connected, you can start up COTVNC, or equivalent, and log in!

    An image of the desktop on the remote machine

    Everything appears to work and I find Vine Server much more responsive than the Apple free offering.

    By the way, I tried logging in with the unsecured connection and was kicked out.
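
The tunnel from “The Tunnel” and the unsecured-connection check from “The Result”, done from the command line instead of the SSH-Agent dialogue. This is an added example, not part of the original post; the user and host arguments are placeholders you supply, and `nc` is assumed to be installed on the client.

```shell
#!/bin/sh
# Added example: tunnel VNC over SSH, then check 5900 is reachable only via the tunnel.
# USER and HOST are supplied by you on the command line (placeholders, not from the post).

VNC_PORT=5900   # default VNC port, as in the post

# Print the ssh command that forwards local 5900 to the remote's own loopback 5900.
# $1 = remote user, $2 = remote host
tunnel_cmd() {
    printf 'ssh -f -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
        "$VNC_PORT" "$VNC_PORT" "$1" "$2"
}

# Echo "open" or "closed" for TCP port $2 on host $1 (3 second timeout).
probe() {
    if nc -z -w 3 "$1" "$2" >/dev/null 2>&1; then echo open; else echo closed; fi
}

# Turn two probe results into a verdict; a non-zero status means something needs fixing.
# $1 = direct probe of HOST:5900, $2 = probe of 127.0.0.1:5900 (local end of the tunnel)
verdict() {
    case "$1/$2" in
        open/*)        echo "EXPOSED: VNC answers without SSH; close 5900 in the firewall"; return 2 ;;
        closed/open)   echo "OK: VNC is reachable only through the tunnel"; return 0 ;;
        closed/closed) echo "TUNNEL DOWN: nothing is listening on the local forward"; return 1 ;;
        *)             echo "UNKNOWN probe result: $1/$2"; return 3 ;;
    esac
}

# Runs only when invoked as: sh vnc-tunnel.sh USER HOST
if [ "$#" -eq 2 ]; then
    direct=$(probe "$2" "$VNC_PORT")        # the "unsecured connection" test
    cmd=$(tunnel_cmd "$1" "$2")
    echo "+ $cmd"
    $cmd || exit 1                          # word-splitting is intended here
    tunnelled=$(probe 127.0.0.1 "$VNC_PORT")
    verdict "$direct" "$tunnelled"
fi
```

Once it reports OK, point the VNC client at 127.0.0.1 port 5900, as in the secured COTVNC connection.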
