Apple Remote Desktop (Administrator’s Guide) User Manual
Page 75
Chapter 6
Setting Up the Network and Maintaining Security
75
 Quit the Remote Desktop application when you have finished using it. If you have
not stored the Remote Desktop password in your keychain, the application prompts
you to enter the administrator name and password when you open it again.
Physical Access Security
 If you have stored the Remote Desktop password in your keychain, make sure the
keychain is secured and the application isn’t running while you are away from the
Remote Desktop window.
 If you want to leave the Remote Desktop application open but need to be away from
the computer, use a password-protected screen saver and select a hot corner so you
can instantly activate the screen saver.
Remote Desktop Authentication and Data Transport Encryption
Authentication to Apple Remote Desktop clients uses an authentication method based
on a Diffie-Hellman Key agreement protocol that creates a shared 128-bit key. This
shared key is used to encrypt both the name and password using the Advanced
Encryption Standard (AES). The Diffie-Hellman key agreement protocol used in Remote
Desktop 3 is very similar to the one used in personal file sharing, with both of them
using a 512-bit prime for the shared key calculation.
With Remote Desktop 3, keystrokes and mouse events are encrypted when you control
Mac OS X client computers. Additionally, all tasks except Control and Observe screen
data, and files copied via Copy Items and Install Packages are encrypted for transit
(though you may choose to encrypt these as well by changing your application
preferences). This information is encrypted using the Advanced Encryption Standard
(AES) with the 128-bit shared key that was derived during authentication.
Encrypting Observe and Control Network Data
Although Remote Desktop sends authentication information, keystrokes, and
management commands encrypted by default, you may want additional security. You
can choose to encrypt all Observe and Control traffic, at a certain performance cost.
Encryption is done using an SSH tunnel between the participating computers. In order
to use encryption for Observe and Control tasks, the target computers must have SSH
enabled (“Remote Login” in the computer’s Sharing Preference pane). Additionally,
firewalls between the participating computers must be configured to pass traffic on
TCP port 22 (SSH well known port).
If the you are trying to control a VNC server which is not Remote Desktop, it will not
support Remote Desktop keystroke encryption. If you try to control that VNC server,
you will get a warning that the keystrokes aren’t encrypted which you will have to
acknowledge before you can control the VNC server. If you chose to encrypt all
network data, then you will not be able to control the VNC server because Remote
Desktop is not able to open the necessary SSH tunnel to the VNC server.