 |
 |
Lock down VNC to one account?
|
|
|
|
|
Mac Elite
Join Date: Jun 2000
Location: Boston, MA
Status:
Offline
|
|
I am collaborating with some open source developers to get an app working on OS X. They have ssh access to my laptop to a non-admin account but they also need VNC. Is there a way to configure screen-sharing to only one particular account? I don't want to leave my laptop on and logged into to my admin account and for them to get in. Is there a way to have screen sharing/VNC set up that if will switch to the developer account when they try to log in?
Thanks.
|
|
Emergency Medicine & Urgent Care.
|
| |
|
|
|
|
|
|
|
Moderator  Join Date: Jan 2001
Location: Polwaristan
Status:
Offline
|
|
What version of OS X are you running?
|
|
|
| |
|
|
|
|
|
|
|
Mac Elite
Join Date: Jun 2000
Location: Boston, MA
Status:
Offline
|
|
|
|
|
Emergency Medicine & Urgent Care.
|
| |
|
|
|
|
|
|
|
Senior User
Join Date: Apr 2002
Status:
Offline
|
|
It's right in the screen sharing preference pane. You pick the accounts you want to have access and it defaults to everyone in the admin group.
|
|
|
| |
|
|
|
|
|
|
|
Mac Elite
Join Date: Jun 2000
Location: Boston, MA
Status:
Offline
|
|
Originally Posted by ChrisF 
It's right in the screen sharing preference pane. You pick the accounts you want to have access and it defaults to everyone in the admin group.
I see that but it doesn't do what I want. I want it to log out of the admin account and go directly to the login screen when a non-admin account tries to log in. This would be a security feature for the times that I forget to log out.
|
|
Emergency Medicine & Urgent Care.
|
| |
|
|
|
|
|
|
|
Senior User
Join Date: Apr 2002
Status:
Offline
|
|
Originally Posted by bstone
I see that but it doesn't do what I want. I want it to log out of the admin account and go directly to the login screen when a non-admin account tries to log in. This would be a security feature for the times that I forget to log out.
OS X just doesn't work that way. VNC and the local user accounts aren't related, as you've noticed.
|
|
|
| |
|
|
|
|
|
|
|
Mac Elite
Join Date: Jun 2000
Location: Boston, MA
Status:
Offline
|
|
Originally Posted by ChrisF
OS X just doesn't work that way. VNC and the local user accounts aren't related, as you've noticed.
OK. I guess I will have to be careful about setting my computer to lock the screen. Is there a way to lockdown VNC access to certain hours? Such as midnight until 5pm or so?
|
|
Emergency Medicine & Urgent Care.
|
| |
|
|
|
|
|
|
|
Mac Elite
Join Date: Jun 2000
Location: Boston, MA
Status:
Offline
|
|
Oh, it appears I can do the time restriction in the parental controls. Cool.
|
|
Emergency Medicine & Urgent Care.
|
| |
|
|
|
|
|
|
|
Grizzled Veteran
Join Date: Nov 2001
Location: Oregon
Status:
Offline
|
|
This is a bit of a tangent, but you shouldn't use an admin account for your daily work. I'd recommend you create an admin account specifically for admin purposes, then remove admin abilities on your daily work account. This article explains how: Stop Living In Your Admin Account
|
|
|
| |
|
|
|
|
|
|
|
Mac Elite
Join Date: Jun 2000
Location: Boston, MA
Status:
Offline
|
|
RD, if I was on windoze where being an admins lets you do anything without authenticating, osx isn't that way. But you do have a good point.
|
|
Emergency Medicine & Urgent Care.
|
| |
|
|
|
|
|
|
|
Grizzled Veteran
Join Date: Nov 2001
Location: Oregon
Status:
Offline
|
|
Some years ago Rob Pegoraro (Washington Post) summed up windoze "security," or lack thereof, well:
Windows XP on the Internet amounts to a car parked in a bad part of town, with the doors unlocked, the key in the ignition and a Post-It note on the dashboard saying, "Please don't steal this."
But windoze security isn't germane to my comments. The point is there is no need to use an admin account for daily use. Using a standard account is one more layer of security, with only minor inconvenience (from additional admin authentication dialogs), so why not follow best practices in this regard?
At any rate, checking "Require password after… screen saver begins," and using a fairly short idle period to invoke the screensaver should help your situation.
For what it’s worth, it is possible to invoke the fast user switching (FUS) dialog from the command line, which effectively locks the screen. You can set up your firewall to block VNC ports, forcing it to be tunneled through SSH. It should be possible to force the incoming SSH connection through a custom BASH script which forces the FUS dialog. An alternate approach is you might be able write a background AppleScript application to detect an incoming VNC connection, and when it sees one, forces the FUS dialog (e.g. through a DO SHELL SCRIPT command). The only part i'm not sure about is how easy it might be to detect the incoming VNC connection. I suspect a new process would be spawned, and if you know what that process looks like, that should be enough. However both of these approaches may be more trouble than it's worth. Your mileage may vary.
An AppleScript alternative to FUS is to call the Keychain menu extra (assuming you have it enabled) to lock the screen. The Applescript code to lock the screen would look something like this:
Code:
tell application "System Events" to tell menu bar of process "SystemUIServer" to tell (first menu bar item whose value of attributes contains "Keychain menu extra")
click
click menu item "Lock Screen" of menu 1 -- Use Keychain menu extra to lock screen
end tell
|
|
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
 
|
|
|
Forum Rules
|
|
|
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
|
HTML code is Off
|
|
|
|
|
|
|
|
|
|
|
|
Top