Orwell

This is a Mac OS X wrapper for VNC port forwarding through an SSH tunnel. The wrapper is a minimalistic app written in AppleScript that invokes the appropriate Unix shell commands. The Mac user double-clicks "Orwell.app" to establish a reverse tunnel to a pre-defined host, and then a remote admin can get access to the user's screen by connecting a VNC client to a port on said host. Since the tunnel connection is initiated from the Mac user's side, silly firewalls and NAT routers are bypassed as long as the outgoing SSH connection can be established.

The AppleScript code, in some parts almost nauseating in its COBOL-wannabe syntax, looks like this:

-- Read the single config line; "words of" does the splitting, which is why the
-- installation notes below forbid hyphens and digits in hostnames and usernames.
do shell script "cat ~/.orwellprefs"
set {hostname, sshport, remoteuser, vncport} to words of the result
-- -N: no remote command. %d is expanded by ssh itself to the user's home directory.
-- -R binds vncport on the target host and forwards it to local screen sharing (5900).
set sshopts to "-N -o IdentityFile=%d/.ssh/id_orwell -o ServerAliveInterval=120 -R " & vncport & ":127.0.0.1:5900"
-- Start ssh in the background and capture its process id.
do shell script "ssh " & sshopts & " -p " & sshport & " " & remoteuser & "@" & hostname ¬
	& " >/dev/null 2>&1 & echo $!"
set pid to the result
-- Note: a backgrounded ssh always yields a pid, so this check only catches a failure
-- to launch ssh, not a refused connection or a remote port that could not be bound.
if (pid > 0) then
	display alert "Remote screen session enabled." & return & ¬
		"Press Quit button to terminate." buttons "Quit"
	-- The alert blocks until Quit is pressed; then the tunnel is torn down.
	do shell script "kill " & pid
else
	display alert "An error occurred." & return & ¬
		"Could not start remote screen session." buttons "Quit"
end if

The corresponding Mac OS X app can be downloaded here.

After the initial install, no administration is required on the client side. Your friendly remote admin will take care of everything. Just double-click "Orwell.app" and smile blissfully...

Installation instructions

On the client machine (Macintosh), do the following:

  1. Create the client's SSH key for Orwell:
    ssh-keygen -N "" -C "Charlie Client" -t rsa -f ~/.ssh/id_orwell
  2. Create the configuration file ~/.orwellprefs with the following contents:
    <hostname> <sshport> <username> <vncport>
    Substitute as follows:

    Note: don't use hostnames or usernames that contain hyphens (-) or digits (0-9), since this will break the script's simple-minded configuration file parser. Underscore (_) can be used.

  3. Download the app from the download link above.
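The same tunnel start-up written as a plain shell script, added here as an example (it is not Orwell's own code): it reads the same ~/.orwellprefs line but splits on whitespace only, so hyphens and digits in hostnames and usernames are fine, it validates every field before it reaches the ssh command line, and it passes ExitOnForwardFailure so that ssh exits instead of lingering silently when the remote port cannot be bound. The function names and the ORWELL_PREFS override are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the Orwell app's code. Same ~/.orwellprefs format:
#   <hostname> <sshport> <username> <vncport>
# but parsed with 'read' (whitespace only) and validated field by field.

# parse_orwellprefs FILE -> prints the four fields one per line; returns 1 on bad input
parse_orwellprefs() {
    prefs="$1"
    [ -r "$prefs" ] || { echo "cannot read $prefs" >&2; return 1; }
    # 'read' splits only on IFS whitespace; a missing final newline is tolerated
    read -r hostname sshport remoteuser vncport extra < "$prefs" || :
    [ -z "$extra" ] || { echo "too many fields in $prefs" >&2; return 1; }
    case "$hostname" in                     # letters, digits, dots, hyphens only
        ''|*[!A-Za-z0-9.-]*) echo "bad hostname: $hostname" >&2; return 1 ;;
    esac
    case "$remoteuser" in                   # portable user name characters only
        ''|*[!A-Za-z0-9._-]*) echo "bad username: $remoteuser" >&2; return 1 ;;
    esac
    for p in "$sshport" "$vncport"; do      # numeric and inside the TCP port range
        case "$p" in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 1; }
    done
    printf '%s\n%s\n%s\n%s\n' "$hostname" "$sshport" "$remoteuser" "$vncport"
}

# orwell_ssh_cmd FILE -> prints the ssh command line the tunnel would run.
# %d is left for ssh to expand; ExitOnForwardFailure makes a failed -R bind fatal.
orwell_ssh_cmd() {
    fields=$(parse_orwellprefs "$1") || return 1
    set -- $fields                          # safe to split: every field was validated
    printf 'ssh -N -o IdentityFile=%%d/.ssh/id_orwell -o ServerAliveInterval=120 -o ExitOnForwardFailure=yes -R %s:127.0.0.1:5900 -p %s %s@%s\n' "$4" "$2" "$3" "$1"
}

# orwell_start FILE -> starts the tunnel in the background and prints its pid
orwell_start() {
    cmd=$(orwell_ssh_cmd "$1") || return 1
    $cmd >/dev/null 2>&1 &
    echo $!
}

# Only start a real tunnel when invoked as "orwell.sh run"; ORWELL_PREFS is an
# assumed override for the prefs path (defaults to ~/.orwellprefs like the app).
if [ "${1:-}" = run ]; then
    pid=$(orwell_start "${ORWELL_PREFS:-$HOME/.orwellprefs}") || exit 1
    echo "Remote screen session enabled (ssh pid $pid). Press Enter to quit."
    read -r _ignored; kill "$pid"
fi
```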

On the target host (the other end of the tunnel), do the following:

  1. Create a new user (e.g. vncuser) on the target host. Login shell should be /bin/false.
  2. Copy ~/.ssh/id_orwell.pub from the client machine and append its contents to ~/.ssh/authorized_keys in the home directory of the target host user.
  3. Optionally change the GatewayPorts setting to yes in /etc/ssh/sshd_config. This allows other machines on the network to access the forwarded VNC port. Don't forget to HUP sshd after modifying the config file.

Go back to the client machine and do:

  1. Install the target host's public SSH key in ~/.ssh/known_hosts. The easiest way to do this is by simply connecting with ssh to the host and then answering "yes" to the "Are you sure?" question. If you are paranoid you can then check the RSA fingerprint with ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub on the target host.
  2. Verify that it works by double-clicking Orwell.app on the client machine, and then connect a VNC viewer to e.g. vnchost.example.com:42. Note: The client must of course have "Remote Desktop" enabled in its sharing preferences.