Mac Geekery

A complaint I’ve frequently encountered on some Mac OS X Server related forums and mailing lists is that there is no documentation on how to enable VNC access in the Terminal. A good number of former Windows-only businesses have purchased an Xserve G5 without a video card because they needed to use both PCI slots for other components or they naturally assumed that a computer would come with a video card. Some people familar with Mac OS X Server might read this and say, “Hey, just run the server administration tools on your Mac desktop or laptop. Er, you don’t have another Mac?”

So, what’s a diligent Windows or Linux administrator supposed to do? A little basic research would show that Apple claims you can control Mac OS X from VNC, but would find nearly zero documentation on how to enable VNC from the command line. I say “nearly zero” because there is one knowledge base article on how to copy the VNC preferences from another Mac.

It turns out, that you can enable VNC access and set the VNC password via the kickstart command. That’s the good news. The bad news is that the kickstart command does not accept a plain text password, but instead it must be encoded before giving it to kickstart.

When done correctly, encoding sensitive information like passwords is a good practice. However, when used for encoding XOR is extremely weak because it is trivially decoded. Its use for simple “encryption” came from the 70’s and 80’s when computing power was quite limited and XOR was usually implemented in a CPU’s instruction set. If you wish to learn more about XOR encoding and its limitations, I suggest doing a search for the phrases “xor encoding” or “xor encryption” on Google or Yahoo.

This script also useful if you wish to purchase a Mac mini and want to put in some place where you cannot easily place a display. Since I often use a number of different operating systems, VNC is how I choose to administer my headless Mac mini acting as a personal file, music, and web server at home.

Instead of running the kickstart command with the necessary parameters, the script prints the command and parameters to the terminal window. This allows the script to be run on another operating system type and the administrator to simply copy and paste the output into a SSH session to the Mac.

#!/usr/bin/perl
#
	

		
vncpasswd.pl
	
#

	

		
Encode a password to enable access using with Apple Remote
		
Desktop’s VNC service.
	
#

	

		
License: I’m placing this script into the Public Domain. Use as
		
you wish, however you wish. You can even claim it to be your
		
own if you need.
	
#

	

		
Usage: perl vncpasswd.pl [password]
#


	

		
set plain text password to the first argument on the command
		
line. Note: VNC on Mac OS X only uses the first 8 characters.

$plainTextPassword = $ARGV0 || die “You must specify the password on the command line!”;

$plainTextPassword =~ s/^(.{8}).*/$1/;
	

	

		
convert the password to an array

@passwordArray = unpack “C*”, $plainTextPassword;
	

	

		
XOR key

@vncXorKey = unpack “C*”, pack “H*”, “1734516E8BA8C5E2FF1C39567390ADCA”;
	

	

		
print the kickstart command…

print “sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setvnclegacy -vnclegacy yes -setvncpw -vncpw “;
	

	

		
print the password

foreach $byteValue (vncXorKey) {
	printf("%02X",$byteValue ^ (shift  passwordArray || 0));

}
	

	
print “\n”;

Just save the above script to vncpasswd.pl. Running the script on a UNIX-like platform should look like the following:

origami:~ unixgeek$ perl vncpasswd.pl testpass 
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setvnclegacy -vnclegacy yes -setvncpw -vncpw 6351221AFBC9B691FF1C39567390ADCA

Finally, a suggestion to the Mac OS X Development Team: use a service account for storing the VNC password. This would provide much stronger security for the VNC password and have a well documented method of setting passwords via the command line.