Update 2009/01/15: If you connect to a particular machine frequently, you could put a clickable icon into the Dock.

  1. Put these two lines into a plain text file (I'll call it myserver.command). The filename must end with .command to be launchable from the Finder.
  2. Make sure it has UNIX line breaks.
  3. Make it executable (chmod +x myserver.command).
  4. If you use it a lot, drag it into the Dock for quick access.

(sleep 4; open vnc://) & ssh -C -4 -L 5901: myserver

That will ssh to myserver, set up a tunnel for VNC, and point Screen Sharing at the tunnel. After you close the Screen Sharing connection and log out of the ssh session, the tunnel will be closed automatically.

Update 2008/2/3: Adam, thanks for the suggestion -- I'd forgotten about the vnc:// scheme. But who's Geoff?? I prefer aliases to functions because they're simpler, and like to leave an ssh shell open, both for my own use and as a reminder to close the tunnel when done. Here's a simpler alias -- note that you must still supply the hostname on the command line after the alias, e.g., "stss salt".

alias stss="(sleep 4; open vnc://) & \
ssh -C -4 -L 5901:"

Update 2007/12/14: I added a pbcopy command to put '' on the Clipboard (pasteboard), so now I can just Paste and then delete the trailing Return (pbcopy appends an undesired Return to the Clipboard), which makes the whole thing easier. New alias (note that this is really one line, but it doesn't wrap properly without help):

alias stss='echo | pbcopy; open \
/System/Library/CoreServices/Screen\ Sharing.app; \
ssh -C -4 -L 5901:'

I have a couple of licenses for Apple Remote Desktop at work, for managing our 8+1 Mac cluster ("the orchard") and for managing other Mac servers on campus. I find ARD very useful because, although Remote Desktop uses VNC as the underlying protocol, Apple's compatibility has been poor, so I had lots of trouble connecting from Chicken of the VNC and other clients. While I like ARD (particularly the automatic ssh tunneling in v3), I only use the remote control feature, never its other management capabilities.

With Mac OS X 10.5 Leopard, Apple has bundled /System/Library/CoreServices/Screen Sharing.app, which provides the VNC capabilities I use from ARD and skips the other features I don't care about. It's my favorite Leopard feature, accessible from the Finder Sidebar, iChat, Server Admin, and through Back to My Mac (which seems to have some problems with security).

The only thing I don't like about Screen Sharing is that Apple apparently built encryption into the VNC protocol in an incompatible way. Apple's encryption is of course incompatible with all the other clients & servers, since it's Apple proprietary (just like their proprietary compression encodings). It's confusing because the Preferences options look identical to the ones in ARD3, which actually uses an ssh tunnel to provide encryption. It's a firewall problem because there are lots of places where we a) allow ssh, b) block unencrypted VNC, and c) would allow encrypted VNC. ARD3's ssh tunneling is usable here, but Screen Sharing's port 5900 connection is blocked. Fortunately the workaround is simple -- build the ssh tunnel manually, as is normal for non-ARD3 VNC users. I have this alias:

alias stss='open /System/Library/CoreServices/Screen\ Sharing.app/; ssh -C -4 -L 5901:'

I use it with a hostname, as in: stss www

That makes an ssh connection to the specified host (www in this case), sets up a tunnel from 5901 on my admin workstation to 5900 on the server (since the admin workstation is likely to be running the Remote Management/Screen Sharing agent on 5900 already), and gives me a shell on www. As a convenience, it also launches Screen Sharing for me. In the Screen Sharing Connect window, I type, and connect to the local end of the tunnel on port 5901; it goes through ssh and I get secure remote control via the ssh port (so it works across any firewalls that allow ssh). It's actually doubly encrypted if I'm going across the Internet, since I always leave Screen Sharing's encryption on too -- if I forget to start the tunnel or connect to a machine that's not firewalled on port 5900, I want to be sure I'm not transmitting passwords in plaintext.
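
The tunnel described above, written out as a function (an added example, not the author's alias). It assumes the loopback address 127.0.0.1 as the forward target and the two ports named in the text; the helper names, the nc polling loop and the ExitOnForwardFailure option are choices made for this example.

```shell
#!/bin/sh
# Added example, not the author's alias. Assumed values: loopback as the
# forward target, ports 5901/5900 as described in the text.
LOCAL_PORT=5901    # local end of the tunnel (5900 may be in use locally)
REMOTE_PORT=5900   # Screen Sharing / VNC port on the server

# Forward spec with an explicit loopback bind address, so the tunnel is
# not reachable from other hosts even if GatewayPorts is enabled.
forward_spec() {
    printf '127.0.0.1:%s:127.0.0.1:%s' "$LOCAL_PORT" "$REMOTE_PORT"
}

# Accept only plain host or user@host; in particular nothing starting
# with "-", which ssh would parse as an option.
valid_host() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9@._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Poll until the local tunnel end accepts connections (replaces "sleep 4").
wait_for_tunnel() {
    tries=0
    while [ "$tries" -lt "${1:-30}" ]; do
        nc -z 127.0.0.1 "$LOCAL_PORT" >/dev/null 2>&1 && return 0
        tries=$((tries + 1))
        sleep 1
    done
    return 1
}

stss() {
    valid_host "$1" || { echo "usage: stss [user@]host" >&2; return 2; }
    # Open Screen Sharing only once the tunnel is really listening.
    (wait_for_tunnel && open "vnc://127.0.0.1:$LOCAL_PORT") &
    waiter=$!
    # ExitOnForwardFailure: fail rather than give a shell without a tunnel.
    ssh -C -4 -o ExitOnForwardFailure=yes -L "$(forward_spec)" -- "$1"
    rc=$?
    kill "$waiter" 2>/dev/null   # stop polling if ssh exited early
    return "$rc"
}

if [ "$#" -gt 0 ]; then stss "$@"; fi
```

Saved as a .command file and made executable, it is called the same way as the alias, for example with www as the argument; the ssh shell stays open and the tunnel closes when that shell is logged out.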