How to use Apple Screen Sharing (VNC) with 2FA

How to access your Maths office Mac from an "outside" (home or overseas) machine e.g. a Mac laptop, with SSH (with 2FA) and Screen Sharing (really VNC) on MacOSX: work as if you were sitting in front of your office Mac.

You need to (once only):

find out the name of your office Mac,
set up 2FA security on your Maths login account, and
set up Screen Sharing on your office Mac.

Each time you want to connect to your office Mac, you need to:

run ssh and log in to enna, and (while ssh is running)
run the Screen Sharing app and access the office Mac.

When done, close your Screen Sharing app, then you can log out of enna also.

Find name of your office Mac
Prepare for 2FA on your account
Set up Screen Sharing (VNC) service on the office Mac
Run SSH on the laptop
Connect with Screen Sharing app (VNC client)
Blurb, comments
Further reading, random references

Find name of your office Mac

Find out the network name of your office Mac: usually something like pXYZm.pc (with XYZ your room number).

Prepare for 2FA on your account

Prepare for 2FA as per the instructions in the SSH HowTo.
You need Web-OTP or TOTP or skeys; no need for X-windows or other features that SSH offers.
(No need to follow the "messy" recommendations in a nutshell.)

Set up Screen Sharing (VNC) service on the office Mac

The Screen Sharing (VNC) server is built-in to Macs, only needs to be turned on.
Also need to configure the firewall to allow, and ensure the Mac will not go to sleep.

In System Preferences:

Select Sharing.
Allow (select, tick) Screen Sharing.
Choose users who can access, simply set all users.
No need to change Computer Settings, leave both "anyone may ..." and the password setting un-selected.
In Security & Privacy, select Firewall.
(Do not turn firewall off completely, but...)
Click Firewall Options and un-select (un-tick) Block all incoming connections.
Leave the options "automatically allow built-in ..." and "... downloaded ..." selected.
You may leave "stealth mode" selected (or off).
See "Screen sharing" in the list, showing as allowed for incoming.
Select Energy Saver.
Select (tick) Prevent computer from sleeping when the display is off.
The setting "Wake for network access" seems useless.

Run SSH on the laptop

To test things out while in the School but as if from outside, connect your laptop to UniSydney wireless.

Ensure your laptop is not running a VNC server itself.

Run ssh: in a terminal window, type the command

ssh -C -L 5900:pNNNm.pc:5900 MATHSNAME@maths.usyd.edu.au

with the name of your office Mac, and your Maths (enna) login name.

Follow the prompts: type the words from your paper skey sheet for the line number shown, or the authenticator code, then your normal enna password. You will be logged in to enna.

The very first time you use ssh, you will be prompted about the as-yet unknown authenticity fingerprint: say yes.

Leave that enna window logged in, running; you may minimize/iconize its window. Keep that session running, do not allow to time out, do not allow your computer to go to sleep/hibernate e.g. as most laptops do with the lid closed.

Connect with Screen Sharing app (VNC client)

With ssh running, logged in to enna...

In Finder choose Go and Connect to Server, in the Server Address field type

vnc://localhost

and click Connect.
Some (Mac?) machines do not know about localhost, then use 127.0.0.1 instead of the name localhost.
Set the correct username and password, click Connect, and see it connect to your office Mac, just as if you were sitting in front of its screen.

You can also copy files between the office Mac and the laptop e.g. by simple drag-and-drop. You can minimize/iconize the Screen Sharing window, or make it un-maximized.

Alternatively you could start things from a terminal window (another terminal, not the enna one), typing the command
open vnc://localhost
Or, find the app in /System/Library/CoreServices and drag it to your Launchpad, start it and connect to machine named localhost.

When done, just close the Screen Sharing window.

After disconnecting your Screen Sharing (VNC) session, you may close the ssh window (log out the enna session): type exit at the enna prompt, or just close the terminal window.

Blurb, comments

The Mac OSX "Screen Sharing" is based on VNC, Virtual Network Computing.

The remote "laptop" machine could be Linux or Windows: Linux has SSH and you could install some VNC viewer (say xtightvncviewer), for Windows you could use putty and one of many free VNC viewers; but we will not describe how to use such other machines.

You could use VNC for office Windows PCs also, but for those you are better off with RDP that is "native" to Windows.