Secure macOS Remote Screen Sharing for Admins with Road Warriors

Wednesday, January 17 2018

You may come across the situation where you have to service a couple of MacBooks for remote workers or frequent travellers. There are commercial offers for remote screen sharing available but I wanted to achieve a good result with freely available tools.

Requirements

A Unix-based server connected to the internet running OpenSSH
A static IP address or dynamic DNS setup

Setup Server

useradd sshtunnel -m -d /home/sshtunnel -s /bin/true
mkdir /home/sshtunnel/.ssh

# /etc/ssh/sshd_config

Match User sshtunnel
	AllowTcpForwarding yes
	X11Forwarding no
	AllowAgentForwarding no
	ForceCommand /bin/true

# /home/sshtunnel/.ssh/authorized_keys

ssh-ed25519 AAAA...

chmod 500 /home/sshtunnel/
chmod 500 /home/sshtunnel/.ssh
chmod 400 /home/sshtunnel/.ssh/authorized_keys
service sshd restart

Setup Clients

Create a script named RemoteAccess.command:

#!/bin/bash

SERVER="server.example.com"
PORT="60000"

echo "==================================="
echo "=== START remote access mode... ==="
echo "==================================="

echo "Set up ARD permissions and start up..."
sudo bash -c "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -restart -agent -privs -all -allowAccessFor -allUsers | tee -a /var/log/sshtunnel.log"

echo "Create SSH tunnel to server... Ctrl-C closes the connection."
ssh -nNT -p 22 -C sshtunnel@$SERVER -R $PORT:localhost:5900

echo "Connection closed."

sleep 2

echo "Stop ARD and clean up permissions..."
sudo bash -c "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop -configure -access -off | tee -a /var/log/sshtunnel.log"

echo "Everything's shut down again."

sleep 5

chmod 500 RemoteAccess.command

For additional clients just add more SSH keys and increment the port number by one.

Using

Double-click RemoteAccess.command on the client machine and wait for it to connect properly.

On your administration machine, use software like SSH Tunnel Manager or manually create a SSH tunnel to the server:

ssh -nNT -p 22 -C sshtunnel@server.example.com -L 60000:localhost:60000

On your administration machine, open Screen Sharing.

open /System/Library/CoreServices/Applications/"Screen Sharing.app"

In Finder, connect to server vnc://localhost:60000.

Shutting Down

Ctrl-C on the client machine as well as the administration machine and let the terminal window of the client close by itself.

Conclusion

If your users won’t mind running a “text window” (Terminal.app) instead of a full native UI application when the need arises, this can make things easy and secure for all parties. Of course, because it opens up screen sharing ports for all local users, make sure the user passwords are strong. If you know the POSIX user names of all machines, you can restrict this further. Run /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart for all options available. Passwords are usually the biggest concern since users are all too often cavalier about security. I’ve actually had customers with passwords like “whatever”, “1234” and yes: “password”.

To upgrade security even more in one go, nothing beats a properly configured VPN which tunnels all connections including DNS queries through itself.