Child pages
  • How to VNC securely using SSH tunnel and macOS native Screen Sharing client
Skip to end of metadata
Go to start of metadata

In this example we are screen sharing a Red Hat Enterprise Linux 7 server from a macOS client.  VNC is inherently not a secure protocol.  VNC passwords often goes thru clear text or no password at all (think telnet and ftp).  SSH can be used to help secure your VNC connection from end to end.

Initial password setup

SSH to the server to set your VNC password, the view-only password is optional. NOTE this password should be treated as an insecure password and should not be re-used elsewhere.

$ vncpasswd
Would you like to enter a view-only password (y/n)? y

Starting the VNC service

Because the VNC server is terminated upon logout, you may need to start the service first with the following commands.  

  1. Identify the service file with your user name to load.  The file is in the format of vncserver-username@:#.service

    ls /etc/systemd/system
  2. Replace username with yours in the start command

    $ sudo systemctl start vncserver-username@:1.service 
  3. Verify the service has been started

    $ sudo systemctl status vncserver-username@:1.service
    ● vncserver-username@:1.service - Remote desktop service (VNC)
    Loaded: loaded (/etc/systemd/system/vncserver-username@:1.service; disabled; vendor preset: disabled)
    Active: active (running) since Thu 2021-06-03 18:59:30 PDT; 3s ago
    Process: 4205 ExecStartPre=/bin/sh -c /usr/bin/vncserver -kill %i > /dev/null 2>&1 || : (code=exited, status=0/SUCCESS)
    Main PID: 4209 (vncserver_wrapp)
    CGroup: /system.slice/system-vncserver\x2dusername.slice/vncserver-username@:1.service
    ├─4209 /bin/sh /usr/bin/vncserver_wrapper username -localhost :1
    └─4261 /bin/sh /usr/bin/vncserver_wrapper username -localhost :1

Bug reference


  1. From the server issue the following "lsof" command to determine which port the VNC server is set to use.  In most cases VNC uses port in the 5900 range.  The example below shows it using port 5903.
    $ sudo lsof -i -P | grep -i "listen"
    Xvnc 1793 igpp 9u IPv4 10810 0t0 TCP *:5903 (LISTEN)
    Xvnc 1793 igpp 10u IPv6 10811 0t0 TCP *:5903 (LISTEN)
  2. Creating the tunnel with the port number obtained above to the Linux server with another ssh session.  The -C flag is optional for compression.

    ssh -C -L 5903:localhost:5903
  3. Once the ssh tunnel is established you can launch Screen Sharing via the Terminal or from the Finder

    via Terminal

    $ open vnc://localhost:5903


    via Finder > Go > Connect to Server...

    enter vnc://localhost:5903

  4. When prompted provide your VNC password.  NOTE this password should be treated as an insecure password and should not be re-used elsewhere.
  • No labels