Security Notes

Glossary

Secure Mac remote access glossary

Short definitions, HearthGate context, search keywords, and more original phrases for VNC over SSH, localhost, authorized_keys, ML-KEM, VNC Lockdown, Mac mini servers, and studio remote access.

Open the guide hub

Core remote access

The basic language of screen sharing, SSH, tunnels, localhost, and VNC ports.

Network concepts

Reachability terms: LAN, WAN, DDNS, mesh VPNs, relays, and self-hosted paths.

SSH security

Key material, authentication, host identity, session policy, and SSH hardening basics.

SSH restrictions

The authorized_keys constraints that turn a broad key into a narrow remote access key.

HearthGate concepts

Product-specific words for the Mac-side gateway, exports, logs, hooks, and controls.

Post-quantum and crypto

Careful language for ML-KEM, hybrid SSH key exchange, and future-facing transport security.

Viewer and client terms

Common viewers and clients used in SSH-gated Mac remote screen workflows.

Platform and use-case terms

Mac mini, local AI, build server, and studio workflows that create real demand.

12 terms

Core remote access

The basic language of screen sharing, SSH, tunnels, localhost, and VNC ports.

P0

VNC

Definition: VNC is a remote screen protocol family used to view and control another computer desktop over a network.

HearthGate context: On macOS, VNC-shaped access is useful, but it should not be the first service exposed to the network.

Keywords

VNCVNC remote accesssecure VNC MacVNC screen sharingMac VNC securitymake VNC more secureVNC secure gateway

Phrases

the screen protocol is not the security boundaryremote screen access should have a gatekeep VNC useful but not exposedmaking VNC more secure starts with the gateway

Related

RFB protocol, Port 5900, VNC over SSH

P1

RFB protocol

Definition: RFB, or Remote Framebuffer, is the protocol family behind VNC-style remote desktop viewers.

HearthGate context: HearthGate keeps familiar RFB/VNC viewers in the workflow while controlling the Mac-side gateway.

Keywords

RFB protocolRFB VNCRemote FramebufferRFB viewer Macthird party VNC viewer

Phrases

viewer choice without gateway confusionRFB is the viewer language, not the access policyfamiliar viewers, stricter Mac gate

Related

VNC, RealVNC, TightVNC

P0

Apple Screen Sharing

Definition: Apple Screen Sharing is the native macOS screen control service used to view and operate a Mac remotely.

HearthGate context: HearthGate preserves Apple Screen Sharing and wraps the remote path in SSH, restricted keys, and optional VNC lockdown.

Keywords

Apple Screen SharingMac Screen Sharing securityApple Screen Sharing over SSHmacOS Screen Sharing remote access

Phrases

Apple gives you the screen service, HearthGate gives it a safer pathnative Mac screen sharing with a stricter doorwaykeep Screen Sharing, change the exposure

Related

macOS Remote Login, VNC over SSH, VNC Lockdown

P0

macOS Remote Login

Definition: macOS Remote Login is Apple terminology for enabling SSH access to a Mac.

HearthGate context: HearthGate manages the SSH side of remote access so users do not have to hand-edit every setting.

Keywords

macOS Remote LoginRemote Login MacMac SSH accessMac Remote Login security

Phrases

the SSH door Apple already shipsRemote Login with a managed remote access postureturn the Mac SSH switch into a controlled gateway

Related

SSH, Managed SSH hardening, SSH key pair

P0

SSH

Definition: SSH is an encrypted network protocol used for secure login, tunneling, and remote command transport.

HearthGate context: HearthGate uses SSH as the network-facing gate before the Mac screen service can be reached.

Keywords

SSHMac SSHsecure shell MacSSH remote accessSSH tunnel VNC

Phrases

SSH should be the road to the screenthe screen opens after key trustmake SSH the gate, not VNC

Related

SSH tunnel, Key-based authentication, VNC over SSH

P0

VNC over SSH

Definition: VNC over SSH means the VNC viewer reaches a local tunnel endpoint while SSH carries the traffic securely to the remote Mac.

HearthGate context: This is the central HearthGate pattern: the viewer remains familiar, but the Mac screen service sits behind SSH.

Keywords

VNC over SSHMac VNC over SSHsecure VNC over SSH MacApple Screen Sharing SSH tunnelsecure gateway or SSH for VNCSSH gateway for VNC

Phrases

screen sharing after key proofthe viewer talks local, SSH does the travelown the tunnel before sharing the screenuse SSH as the secure gateway for VNC

Related

SSH tunnel, Localhost, Port 5901

P0

SSH tunnel

Definition: An SSH tunnel forwards traffic through an encrypted SSH connection from one endpoint to another.

HearthGate context: HearthGate generates tunnel-ready material so common VNC viewers can connect without direct VNC exposure.

Keywords

SSH tunnelMac SSH tunnelSSH tunnel VNClocal SSH tunnel MacSSH port forwarding

Phrases

a private corridor to the Macforward the screen through the key pathtunnel first, screen second

Related

Local port forwarding, VNC over SSH, Router port forwarding

P0

Local port forwarding

Definition: Local port forwarding maps a port on the client device to a destination reachable from the SSH server side.

HearthGate context: A local VNC address such as localhost:5901 can forward through SSH to the Mac screen service.

Keywords

local port forwardingSSH local forwardinglocalhost 5901SSH -L VNCMac VNC tunnel port

Phrases

make a local port behave like the remote screenthe client sees localhost, the Mac sees its screen servicea local handle for a remote desktop path

Related

Port 5901, Localhost, SSH tunnel

P0

Localhost

Definition: Localhost is a name for the current machine, usually resolving to loopback addresses such as 127.0.0.1 or ::1.

HearthGate context: With VNC lockdown, localhost matters because the Mac is allowed to reach its own screen service through the tunnel exit.

Keywords

localhostlocalhost VNClocalhost 5900localhost 5901Mac localhost SSH tunnel

Phrases

the Mac talking to itself at the tunnel exitlocal does not mean weaklocalhost is the destination after SSH arrives

Related

Loopback address, VNC Lockdown, Port 5900

P0

Loopback address

Definition: A loopback address points back to the same machine, commonly 127.0.0.1 for IPv4 and ::1 for IPv6.

HearthGate context: HearthGate VNC Lockdown can allow the screen port only from loopback sources so network clients must arrive through SSH first.

Keywords

loopback address127.0.0.1::1Mac loopback VNCloopback SSH tunnel

Phrases

the machine calling itselfa screen service reachable only from inside the Macloopback as the final hop

Related

Localhost, pf firewall, SSH-gated localhost

P0

Port 5900

Definition: Port 5900 is the traditional default port used by VNC servers and VNC-like screen services.

HearthGate context: HearthGate treats port 5900 as something to protect behind SSH, not something to expose directly.

Keywords

port 5900VNC port 5900do not expose port 5900Mac VNC port 5900secure port 5900

Phrases

the screen port should not be the front door5900 belongs behind the gatea convenient port is not a safe boundary

Related

VNC, VNC Lockdown, Firewall-enforced VNC lockdown

P1

Port 5901

Definition: Port 5901 is commonly used as a local client-side tunnel port for VNC over SSH workflows.

HearthGate context: A viewer can connect to localhost:5901 while the tunnel carries traffic to the Mac screen service.

Keywords

port 5901localhost 5901VNC localhost 5901SSH tunnel port 5901

Phrases

the viewer port on your side of the tunnel5901 local, 5900 protecteda local handle for a protected Mac screen

Related

Local port forwarding, VNC over SSH, Port 5900

10 terms

Network concepts

Reachability terms: LAN, WAN, DDNS, mesh VPNs, relays, and self-hosted paths.

P0

LAN

Definition: A LAN is a local area network, such as the network inside a home, studio, office, or lab.

HearthGate context: LAN-only access can reduce exposure, but the LAN should not be treated as automatically safe.

Keywords

LANLAN remote access MacMac LAN accessLAN-only SSH keylocal network Mac remote access

Phrases

local is not the same as trustedthe studio network still needs boundariesLAN access deserves key scope

Related

WAN, LAN-only key, Per-key origin scope

P0

WAN

Definition: WAN usually refers to wider network access outside the local network, including internet-reachable paths.

HearthGate context: HearthGate can package internet endpoints while keeping the screen service behind SSH.

Keywords

WAN remote access Macinternet Mac remote accessMac remote access over internetWAN SSH Mac

Phrases

outside the building should still enter through SSHinternet reach does not require VNC exposureWAN access with a narrower Mac gate

Related

Public WAN IP, DDNS, Internet-only key

P1

Public WAN IP

Definition: A public WAN IP is an internet-reachable address assigned to a network by an internet provider.

HearthGate context: If you use a public WAN IP for HearthGate, it should point to the SSH endpoint, not directly to VNC.

Keywords

public WAN IP MacMac public IP SSHWAN IP remote accessSSH public IP Mac

Phrases

public address for SSH, not for the screen portthe internet endpoint belongs to the tunnelWAN IP is the route, not the policy

Related

Router port forwarding, WAN, DDNS

P1

DDNS

Definition: DDNS maps a changing public IP address to a stable hostname.

HearthGate context: A DDNS name can be used as the SSH host for remote HearthGate connections.

Keywords

DDNS Mac remote accessMac SSH DDNSdynamic DNS MacDDNS VNC over SSH

Phrases

a stable name for a moving home IPhostname convenience without exposing VNCDDNS should point to the SSH gate

Related

Public WAN IP, Router port forwarding, WAN

P0

Router port forwarding

Definition: Router port forwarding sends traffic from a public router port to a device inside the local network.

HearthGate context: If forwarding is used with HearthGate, forward only the SSH port to the Mac, not port 5900.

Keywords

router port forwarding Macforward SSH to MacMac remote access port forwardingdo not forward VNC 5900

Phrases

forward the key door, not the screen doorone public port should not be VNCrouter forwarding needs host hardening

Related

Public WAN IP, Port 5900, SSH

P1

NAT traversal

Definition: NAT traversal is a set of techniques for reaching devices behind routers that do not have direct public addresses.

HearthGate context: Mesh VPNs can solve reachability, while HearthGate controls what happens after the Mac is reached.

Keywords

NAT traversal Mac remote accessNAT remote desktop MacTailscale NAT traversalMac behind router access

Phrases

reachability is only the first layergetting to the Mac is not the same as governing the Macnetwork traversal still needs host policy

Related

Mesh VPN, Tailscale, Self-hosted remote access

P1

Mesh VPN

Definition: A mesh VPN creates private routes between enrolled devices so they can reach each other across networks.

HearthGate context: A mesh VPN can pair well with HearthGate: the mesh provides reachability, HearthGate hardens the Mac-side gateway.

Keywords

mesh VPN Mac remote accessMac mesh VPN VNCTailscale Mac remote accessprivate network Mac access

Phrases

the private road is not the gatemesh reach plus Mac-side controlVPN reachability with screen service discipline

Related

Tailscale, NAT traversal, Reachability is not policy

P1

Tailscale

Definition: Tailscale is a mesh VPN that helps devices reach each other over private WireGuard-based routes.

HearthGate context: HearthGate does not replace Tailscale; it can add Mac-side SSH/VNC policy after Tailscale makes the Mac reachable.

Keywords

Tailscale Mac remote accessTailscale VNC MacTailscale Screen Sharing MacHearthGate Tailscale

Phrases

Tailscale is the road, HearthGate is the gate at the Macprivate reachability plus host-side hardeningkeep the mesh, tighten the Mac

Related

Mesh VPN, Cloud relay, Self-hosted remote access

P0

Cloud relay

Definition: A cloud relay is a provider-operated path that forwards remote desktop traffic through the vendor network.

HearthGate context: HearthGate is built for users who prefer a self-hosted path without a relay in the screen connection.

Keywords

cloud relay remote desktopMac remote desktop without relayno cloud remote desktop Macself-hosted Mac remote access

Phrases

do not rent the path if you can own itremote access without surrendering the routea Mac path without a relay account

Related

Self-hosted remote access, Tailscale, VNC over SSH

P0

Self-hosted remote access

Definition: Self-hosted remote access means the user owns or controls the connection path instead of relying on a third-party remote desktop relay.

HearthGate context: HearthGate is a self-hosted Mac remote access gateway built around Apple Screen Sharing and OpenSSH.

Keywords

self-hosted remote accessself-hosted Mac remote accessMac remote access no cloudprivate Mac remote desktopsecure gateway for VNCAquamacs remote access alternative

Phrases

own the path to your Macremote access without handing over the keysthe Mac stays the center of trusta secure gateway for VNC without a cloud relay

Related

Cloud relay, VNC over SSH, Managed SSH hardening

12 terms

SSH security

Key material, authentication, host identity, session policy, and SSH hardening basics.

P0

SSH key pair

Definition: An SSH key pair contains a public key that can be installed on a server and a private key that must be kept secret by the user.

HearthGate context: HearthGate generates and packages keys so each remote screen path can be deliberate and revocable.

Keywords

SSH key pairMac SSH key pairSSH key for VNC tunnelgenerate SSH key Mac remote access

Phrases

the key is the permission objectone key should have one jobremote access starts with possession of the private key

Related

Public key, Private key, SSH key passphrase

P0

Public key

Definition: A public key is the shareable half of an SSH key pair that can be placed on a server to allow matching private-key authentication.

HearthGate context: HearthGate manages public keys in the Mac authorized_keys flow.

Keywords

SSH public keypublic key Mac SSHauthorized_keys public keyVNC SSH public key

Phrases

the half you can install on the Macpublic does not mean unrestrictedthe public half names the private proof

Related

Private key, authorized_keys, Key-based authentication

P0

Private key

Definition: A private key is the secret half of an SSH key pair and should be protected carefully.

HearthGate context: HearthGate can package private keys for connection bundles, so the transport channel must be trusted or encrypted.

Keywords

SSH private keyprivate key Mac SSHprotect SSH private keyVNC SSH private key

Phrases

the file that proves you are allowed intreat private keys like door keysconvenient bundles still need key discipline

Related

Public key, SSH key passphrase, Encrypted ZIP bundle

P0

SSH key passphrase

Definition: An SSH key passphrase encrypts a private key file so the file alone is not enough to use the key.

HearthGate context: HearthGate can generate or accept passphrases for key material used in remote access packages.

Keywords

SSH key passphraseprivate key passphraseMac SSH key passwordencrypted SSH key

Phrases

a second lock around the private keythe passphrase protects the key at restkey file plus passphrase is a stronger handoff

Related

Private key, Encrypted ZIP bundle, Key-based authentication

P0

authorized_keys

Definition: authorized_keys is the OpenSSH file that lists public keys allowed to authenticate for a user, optionally with restrictions.

HearthGate context: HearthGate uses generated authorized_keys constraints to limit what each remote access key can do.

Keywords

authorized_keysMac authorized_keysauthorized_keys permitopenauthorized_keys from restrictionrestricted SSH key Mac

Phrases

where the Mac learns which keys to trustauthorized does not have to mean unlimitedthe policy line behind each SSH key

Related

permitopen, from= restriction, Forced command

P1

Key fingerprint

Definition: A key fingerprint is a short representation of a key used to identify it without reading the full key.

HearthGate context: Fingerprints make it easier to recognize and revoke the right key in a remote access workflow.

Keywords

SSH key fingerprintMac SSH fingerprintidentify SSH keyrevoke SSH key fingerprint

Phrases

a human-sized name for a long keyfingerprints make revocation less blindrecognize the key before you remove it

Related

SSH key pair, authorized_keys, Instant disconnect on key revoke

P0

Key-based authentication

Definition: Key-based authentication lets SSH users authenticate with cryptographic keys instead of passwords.

HearthGate context: HearthGate relies on SSH key flows so remote screen access can be scoped, packaged, and revoked.

Keywords

key-based authenticationSSH key authentication Macdisable password SSH Macsecure SSH login Mac

Phrases

prove possession, not memory of a passwordkeys make remote access more revocablethe screen opens after key authentication

Related

Password authentication, SSH key pair, authorized_keys

P0

Password authentication

Definition: Password authentication lets SSH users log in with account passwords instead of key material.

HearthGate context: HearthGate can help disable password login when the remote access model should be key-only.

Keywords

SSH password authenticationdisable SSH password login MacMac SSH password loginSSH hardening password login

Phrases

password SSH is a wider doorkey-only access narrows the remote pathturn off the password when keys own the workflow

Related

Key-based authentication, Managed SSH hardening, Root login

P1

Root login

Definition: Root login is direct SSH login as the system superuser.

HearthGate context: HearthGate can manage root login posture as part of SSH hardening from the UI.

Keywords

SSH root logindisable root login MacMac SSH hardening rootPermitRootLogin Mac

Phrases

the broadest login should not be casualdo not make the superuser the remote entry habitroot belongs behind stronger controls

Related

Managed SSH hardening, Password authentication, macOS Remote Login

P1

Idle session timeout

Definition: Idle session timeout closes inactive sessions after a configured period.

HearthGate context: HearthGate can manage idle SSH timeout so forgotten remote paths do not linger unnecessarily.

Keywords

SSH idle timeout MacMac SSH session timeoutidle remote sessionSSH hardening timeout

Phrases

stale tunnels should not live foreverremote access needs a closing habittimeout is part of the gateway posture

Related

Managed SSH hardening, Heartbeat checks, Live session visibility

P1

SSH host key

Definition: An SSH host key identifies the server side of an SSH connection.

HearthGate context: Host keys help clients verify they are connecting to the expected Mac endpoint.

Keywords

SSH host keyMac SSH host keyhost key verificationSSH server identity

Phrases

the Mac proving it is the Macclient trust starts with server identityknow the host before trusting the tunnel

Related

known_hosts, SSH, Key fingerprint

P2

known_hosts

Definition: known_hosts is the client-side OpenSSH file that remembers server host keys.

HearthGate context: A stable known_hosts entry reduces confusion when reconnecting to a Mac through SSH.

Keywords

known_hostsMac SSH known_hostsSSH host verificationknown_hosts Mac remote access

Phrases

the client memory of server identitytrust prompts should not be ignored blindlyknown hosts make repeat connections safer

Related

SSH host key, Key fingerprint, SSH tunnel

20 terms

SSH restrictions

The authorized_keys constraints that turn a broad key into a narrow remote access key.

P0

Forced command

Definition: A forced command is an authorized_keys restriction that runs a specific command instead of giving a normal shell.

HearthGate context: HearthGate uses this style of thinking to keep screen access keys from becoming general shell keys.

Keywords

SSH forced commandauthorized_keys forced commandscreen-only SSH keyrestricted SSH key forced command

Phrases

a key with a script, not a shellthe key does one jobpermission should be shaped by purpose

Related

authorized_keys, Screen-only key, permitopen

P0

permitopen

Definition: permitopen is an OpenSSH authorized_keys restriction that limits which host and port a key may open through forwarding.

HearthGate context: HearthGate can generate constraints so a key may open the VNC tunnel without becoming a general forwarding key.

Keywords

permitopenauthorized_keys permitopenSSH permitopen VNCrestrict SSH tunnel port

Phrases

the key may open this tunnel and no otherpermission with a destinationpermit the screen path, deny the rest

Related

Forced command, Screen-only key, Port 5900

P0

from= restriction

Definition: The from= restriction in authorized_keys limits where a key is allowed to connect from.

HearthGate context: HearthGate uses origin scope so keys can be LAN-only, internet-only, or both.

Keywords

authorized_keys from restrictionSSH from restrictionLAN-only SSH keyinternet-only SSH key

Phrases

where the key may come from mattersorigin is part of access controla key for the LAN should not quietly work everywhere

Related

Per-key origin scope, LAN-only key, Internet-only key

P0

Per-key origin scope

Definition: Per-key origin scope means each key can be limited by where it is allowed to connect from.

HearthGate context: HearthGate can restrict a generated key to LAN-only access, internet access, or both.

Keywords

per-key origin scopeLAN-only key Macinternet-only key Macrestricted SSH key origin

Phrases

one key, one reach boundarygrant WAN access deliberatelydo not let every key work from everywhere

Related

from= restriction, LAN-only key, Internet-only key

P0

Per-key SSH limits

Definition: Per-key SSH limits are rules applied to one authorized SSH key instead of every user or every session globally.

HearthGate context: HearthGate 1.1 can limit each key by expiration date, allowed time window, concurrent sessions, lifetime use, and session duration.

Keywords

per-key SSH limitsauthorized_keys limitsMac SSH key limitsHearthGate Per-Key LimitsSSH key access policy

Phrases

make each key carry its own boundarythe key should know when to stop workingremote access with a built-in expiration date

Related

Per-key origin scope, SSH key expiration, Concurrent SSH session limit

P0

SSH key expiration

Definition: SSH key expiration means a key stops being accepted after a configured date or time.

HearthGate context: HearthGate can attach expiry behavior to a generated key so temporary access does not depend on someone remembering to revoke it later.

Keywords

SSH key expirationexpire SSH key Mactemporary SSH key accesscontractor SSH access expiry

Phrases

temporary access should end by itselfa contractor key with a calendarrevocation by design, not memory

Related

Per-key SSH limits, authorized_keys, Key auto-quarantine

P0

SSH time window access

Definition: SSH time window access restricts when a key may connect by weekday, start time, end time, and timezone.

HearthGate context: HearthGate can keep a key active only during approved hours, including windows that cross midnight.

Keywords

SSH time window accessSSH allowed hoursMac SSH scheduletime-based SSH key restrictionSSH access business hours

Phrases

a key for business hours, not every hourschedule the trust windowafter-hours access should be an explicit choice

Related

Per-key SSH limits, IANA timezone, SSH key expiration

P0

Concurrent SSH session limit

Definition: A concurrent SSH session limit caps how many sessions one key may keep open at the same time.

HearthGate context: HearthGate can reject a new session or disconnect the oldest one when a key reaches its concurrent session cap.

Keywords

SSH concurrent session limitlimit SSH sessions per keyMac SSH session capauthorized_keys concurrent sessionsdisconnect oldest SSH session

Phrases

one key should not sprawl across every devicecap the number of open tunnelsstop stale sessions from multiplying

Related

Per-key SSH limits, Active Sessions panel, Session duration cap

P0

Lifetime key use cap

Definition: A lifetime key use cap limits how many total successful sessions a key may start before it is quarantined or reset.

HearthGate context: HearthGate can count key use and auto-quarantine the key once the allowed number of starts is reached.

Keywords

SSH lifetime use limitlifetime SSH key capSSH key use countersingle-use SSH key Maclimited-use SSH key

Phrases

the key burns down after its job is donea ten-use key should stop after ten usesaccess with a built-in counter

Related

Per-key SSH limits, Key auto-quarantine, SSH key expiration

P0

Session duration cap

Definition: A session duration cap limits how long one SSH session may remain open.

HearthGate context: HearthGate can end a session that exceeds its configured duration cap, helping prevent forgotten tunnels from staying open.

Keywords

SSH session duration caplimit SSH session lengthMac SSH session timeoutclose long SSH session

Phrases

a tunnel should not sit open foreverremote access with a maximum runtimeclose forgotten sessions automatically

Related

Concurrent SSH session limit, Idle session timeout, Active Sessions panel

P1

Key auto-quarantine

Definition: Key auto-quarantine means a key is automatically blocked after it reaches a configured safety condition.

HearthGate context: HearthGate can auto-quarantine a key after its lifetime use cap is reached until you reset it from the UI.

Keywords

SSH key auto quarantinequarantine SSH keyauto disable SSH keylimited-use SSH key quarantineMac SSH key reset counter

Phrases

the key parks itself when the counter endsautomatic pause after trust is spentreset the key only when you mean it

Related

Lifetime key use cap, Per-key SSH limits, Active Sessions panel

P0

LAN-only key

Definition: A LAN-only key is intended to work only from the local network.

HearthGate context: HearthGate can create keys whose origin scope is local-network only.

Keywords

LAN-only keyLAN-only SSH keyMac local network SSH keyrestrict SSH to LAN

Phrases

a key for the room, not the internetlocal reach with explicit limitssame network does not mean unlimited access

Related

Per-key origin scope, LAN, from= restriction

P0

Internet-only key

Definition: An internet-only key is intended for external access while remaining separate from local-only keys.

HearthGate context: HearthGate can create keys whose origin scope is internet-focused when a WAN endpoint is needed.

Keywords

internet-only keyWAN SSH key Macexternal access SSH keyrestrict SSH key internet

Phrases

external reach should be an explicit granta travel key for the Macinternet access without opening the screen port

Related

Per-key origin scope, WAN, Router port forwarding

P0

Screen-only key

Definition: A screen-only key is a key intended to allow the remote screen path without broad shell, file transfer, or arbitrary forwarding privileges.

HearthGate context: HearthGate focuses on screen-only-by-default connection keys for VNC over SSH workflows.

Keywords

screen-only keyVNC-only SSH keyrestricted VNC keyMac screen sharing SSH key

Phrases

remote screen access without a general shellgive the viewer a tunnel, not the whole accountscreen permission should stay screen-shaped

Related

Forced command, permitopen, SCP/SFTP restriction

P1

Agent forwarding

Definition: SSH agent forwarding lets a remote host use the client SSH agent to authenticate onward connections.

HearthGate context: Screen access keys usually should not need agent forwarding. HearthGate 1.5 blocks agent socket forwarding at the SSH server level.

Keywords

SSH agent forwardingdisable agent forwardingdisable SSH agent forwardingMac SSH agent forwardingrestricted SSH key no agent forwardingblock SSH_AUTH_SOCK forwarding

Phrases

do not lend your keychain to the remote hostscreen sessions rarely need onward keysforwarding should be explicit, not incidentalclose the agent socket escape hatch

Related

Screen-only key, authorized_keys, Managed SSH hardening, Server-level SSH hardening

P1

Reverse SSH tunnel

Definition: A reverse SSH tunnel uses remote port forwarding so a port on the server side can forward traffic back through the SSH client.

HearthGate context: HearthGate 1.5 blocks reverse tunnels at the server level so remote access keys cannot quietly publish a backchannel.

Keywords

reverse SSH tunnelssh -Rremote port forwardingdisable ssh -Rblock reverse SSH tunnelMac reverse SSH tunnel

Phrases

no hidden backchannel from the Macclose reverse forwarding by defaultforwarding should be explicitdo not let a remote session become a listener

Related

SSH tunnel, Local port forwarding, GatewayPorts, Server-level SSH hardening

P1

GatewayPorts

Definition: GatewayPorts is an OpenSSH server setting that controls whether remotely forwarded ports can listen on addresses reachable by other machines.

HearthGate context: HearthGate 1.5 keeps external gateway ports blocked so an SSH session does not accidentally publish services beyond the Mac.

Keywords

GatewayPortsSSH GatewayPortsGatewayPorts noexternal gateway portsOpenSSH GatewayPorts Macdisable GatewayPorts Mac

Phrases

local forwarded ports should stay localdo not turn a tunnel into a listenerkeep the gateway from publishing surprise ports

Related

Reverse SSH tunnel, SSH tunnel, Server-level SSH hardening

P2

X11 forwarding

Definition: X11 forwarding is an SSH feature that carries X11 graphical application traffic through an SSH session.

HearthGate context: HearthGate 1.5 blocks X11 forwarding because secure Mac screen access does not need this extra forwarding surface.

Keywords

X11 forwardingdisable X11 forwardingno-X11-forwardingOpenSSH X11 forwardingMac SSH X11 forwarding

Phrases

screen sharing does not need X11no unused GUI forwarding surfaceclose the forwarding path you are not using

Related

Agent forwarding, Screen-only key, Server-level SSH hardening

P2

Layer-2 SSH tunneling

Definition: Layer-2 SSH tunneling refers to OpenSSH tunnel features that can carry lower-level network traffic instead of a single intended application path.

HearthGate context: HearthGate 1.5 blocks layer-2 tunneling at sshd level while leaving the VNC-over-SSH workflow unaffected.

Keywords

SSH layer 2 tunnelingOpenSSH TunnelTUN TAP SSHdisable SSH tunnelingTunnel nolayer 2 tunnel SSH

Phrases

remote screen access is not a virtual network cardtunnel the session, not the whole networkno hidden network interface over SSH

Related

SSH tunnel, VNC over SSH, Server-level SSH hardening

P1

SCP/SFTP restriction

Definition: SCP/SFTP restriction means preventing a key from being used for file transfer when file transfer is not part of the intended access.

HearthGate context: HearthGate screen keys can be described as access artifacts for VNC tunneling, not broad file-transfer grants.

Keywords

disable SCP SFTP keyrestrict SSH file transferscreen-only SSH no SFTPMac SSH key no SCP

Phrases

screen access should not imply file accessdo not turn a viewer key into a file-transfer keykeep the key matched to the job

Related

Screen-only key, Forced command, permitopen

22 terms

HearthGate concepts

Product-specific words for the Mac-side gateway, exports, logs, hooks, and controls.

P0

VNC Lockdown

Definition: VNC Lockdown is HearthGate terminology for keeping the Mac screen port reachable only through the protected local path.

HearthGate context: It is designed so the VNC address stays localhost while SSH controls who reaches the Mac.

Keywords

VNC LockdownMac VNC lockdownVNC port lockdownHearthGate VNC Lockdown

Phrases

the screen port stays behind the gatelocalhost by designlock the screen service to the Mac side of the tunnel

Related

Firewall-enforced VNC lockdown, pf firewall, SSH-gated localhost

P0

Firewall-enforced VNC lockdown

Definition: Firewall-enforced VNC lockdown uses firewall policy to prevent network access to the VNC port while still allowing loopback access.

HearthGate context: HearthGate can use macOS packet filtering to keep port 5900 closed to the network.

Keywords

firewall-enforced VNC lockdownpf VNC lockdown Macblock VNC port 5900 MacMac firewall VNC SSH

Phrases

network blocked, tunnel allowedthe firewall protects the screen portVNC works only after SSH arrives

Related

VNC Lockdown, pf firewall, Port 5900

P1

pf firewall

Definition: pf is the packet filter firewall technology available on macOS and BSD-derived systems.

HearthGate context: HearthGate can use pf-style firewall enforcement to keep the screen port reachable only from loopback.

Keywords

pf firewallmacOS pf firewallpf block VNCpacket filter Mac

Phrases

the packet filter at the edge of the screen servicesystem firewall rules for a local-only VNC pathpf as the bouncer for port 5900

Related

Firewall-enforced VNC lockdown, Loopback address, Port 5900

P0

SSH-gated localhost

Definition: SSH-gated localhost describes a workflow where the viewer targets localhost while SSH controls the remote path to the Mac.

HearthGate context: HearthGate uses this model so common viewers can connect locally while the Mac receives traffic through the SSH gate.

Keywords

SSH-gated localhostlocalhost VNC SSHMac SSH-gated VNCVNC localhost through SSH

Phrases

localhost is the destination after trustthe viewer sees local, the Mac sees controlled accessa local address with a remote proof

Related

Localhost, VNC over SSH, VNC Lockdown

P0

Connection package

Definition: A connection package is a bundle of settings and materials needed to connect to a Mac through a prepared remote access path.

HearthGate context: HearthGate can generate packages that include host details, key material, scripts, and human-readable instructions.

Keywords

connection packageMac connection packageHearthGate connection packageVNC SSH connection bundle

Phrases

the handoff file for a remote sessionless guessing, more repeatable connection materiala prepared path instead of a support note

Related

Encrypted ZIP bundle, Connection script, QR connection export

P1

Encrypted ZIP bundle

Definition: An encrypted ZIP bundle is a protected archive that can carry connection files such as scripts, keys, and instructions.

HearthGate context: HearthGate can export encrypted bundles for cross-platform connection handoff.

Keywords

encrypted ZIP bundleMac remote access bundleVNC SSH ZIP bundleencrypted connection package

Phrases

one protected handoff for a full connection pathbundle the key and the script without pretending it is harmlessa safer file for sensitive connection material

Related

Connection package, Private key, SSH key passphrase

P1

Connection script

Definition: A connection script is a ready-to-run script that opens the SSH tunnel or prepares the client side of a remote connection.

HearthGate context: HearthGate can generate scripts for several operating systems so users do not rebuild commands by hand.

Keywords

connection scriptVNC SSH scriptMac remote access scriptSSH tunnel script

Phrases

repeat the safe path without retyping itscript the tunnel, not the riskturn fragile commands into connection artifacts

Related

Local port forwarding, Connection package, Ready-to-run scripts

P2

QR connection export

Definition: A QR connection export encodes connection details into a scannable code.

HearthGate context: QR exports can be convenient, but they should be treated as trusted-channel artifacts.

Keywords

QR connection exportVNC QR codeMac remote access QRconnection QR code

Phrases

scan convenience still carries trustQR is a transport, not a security layerfast handoff for details you already trust

Related

Trusted-channel formats, Connection package, Private key

P1

Encrypted settings backup

Definition: An encrypted settings backup preserves selected application and access settings in a protected file.

HearthGate context: HearthGate can back up configuration without including every sensitive artifact by default.

Keywords

encrypted settings backupHearthGate backupMac remote access settings backupencrypted app backup

Phrases

restore the posture, not the chaossettings deserve protection tooa backup for the gateway configuration

Related

Export Options, Connection package, Uninstall and restore

P1

Connection log export

Definition: Connection log export saves connection history such as times, source IPs, users, methods, ports, and fingerprints.

HearthGate context: HearthGate can export connection logs for local review and troubleshooting.

Keywords

connection log exportMac remote access logsVNC SSH logsHearthGate connection logs

Phrases

remote access should leave a trailconnection history without a cloud control planelogs make revocation smarter

Related

Audit trail, Live session visibility, Encrypted ZIP bundle

P1

Audit trail

Definition: An audit trail is a record of security-relevant events and changes.

HearthGate context: HearthGate focuses on local connection visibility and exportable logs rather than a hosted audit service.

Keywords

audit trail Mac remote accessMac remote access auditVNC SSH audit loglocal audit logs Mac

Phrases

what changed, who connected, what remains visibleremote access with memoryaudit without surrendering the path

Related

Connection log export, Live session visibility, System Controls

P1

Live session visibility

Definition: Live session visibility means the app shows active or recent remote access state while sessions are happening.

HearthGate context: HearthGate can show active SSH tunnel and screen connection state for the Mac gateway.

Keywords

live session visibilityMac remote access sessionsactive SSH tunnel MacVNC session status

Phrases

see the tunnel while it existsremote access should not be invisiblesession state belongs on the Mac

Related

Connection log export, Audit trail, SecurityCheck

P0

Active Sessions panel

Definition: The Active Sessions panel is a live view of SSH sessions currently connected to the Mac.

HearthGate context: HearthGate can group active sessions by authorized key, show source IP and runtime, and let you disconnect individual sessions.

Keywords

active SSH sessions MacMac remote access active sessionsHearthGate Active SessionsSSH session visibility Macdisconnect SSH session Mac

Phrases

see who is holding the key right nowlive tunnels should be visible, not mysteriousdisconnect the session before revoking the key

Related

Live session visibility, Concurrent SSH session limit, Connection log export

P1

Clipboard guard

Definition: Clipboard guard is a control that can block or limit clipboard sharing during remote screen sessions.

HearthGate context: HearthGate can help keep clipboard flow from crossing a VNC session when tighter boundaries are needed.

Keywords

clipboard guardblock VNC clipboard Macremote session clipboard securityMac Screen Sharing clipboard block

Phrases

the clipboard is a data path tooscreen access should not always mean clipboard accessstop accidental copy-paste leakage

Related

VNC, Screen-only key, Managed SSH hardening

P1

System Controls

Definition: System Controls are HearthGate controls for inspecting and managing Mac services, processes, and logs during a remote support session.

HearthGate context: They let an authorized session restart services, inspect processes, and view logs without leaving the secure connection.

Keywords

System ControlsMac service controls remotelaunchd remote controlsMac process controls remote session

Phrases

remote support beyond moving the mouserestart the service from the same secure sessionsee the Mac underneath the screen

Related

Connection hooks, Audit trail, Live session visibility

P1

Connection hooks

Definition: Connection hooks are scripts or actions that run when a tunnel connects or disconnects.

HearthGate context: HearthGate hooks can run with safeguards such as delayed execution, timeouts, and loop protection.

Keywords

connection hooksSSH connect disconnect scriptsMac remote access hooksVNC tunnel automation

Phrases

automation at the moment access changesrun the cleanup when the tunnel closesremote access events can trigger safe scripts

Related

Connection script, System Controls, Managed SSH hardening

P0

Managed SSH hardening

Definition: Managed SSH hardening means configuring SSH security controls through a managed interface instead of hand-editing configuration files.

HearthGate context: HearthGate can manage port, bindings, timeout, password/root login controls, heartbeat checks, cleanup, and server-level forwarding restrictions from the UI.

Keywords

managed SSH hardeningMac SSH hardening UIdisable SSH password login Mac UISSH idle timeout Mac gatewayserver-level SSH hardeningOpenSSH server hardening Macblock SSH forwarding Mac

Phrases

hardening without terminal archaeologymake SSH safer from the app surfacea gateway posture, not a config scavenger hunta safer floor under every key

Related

Server-level SSH hardening, Security posture score, Periodic SSH rekey

P0

Server-level SSH hardening

Definition: Server-level SSH hardening means enforcing SSH security controls globally in the server configuration, below any individual key policy.

HearthGate context: HearthGate 1.5 blocks risky SSH features such as agent forwarding, reverse tunnels, X11 forwarding, layer-2 tunneling, and external gateway ports at the sshd level.

Keywords

server-level SSH hardeningsshd level hardeningglobal SSH hardeningOpenSSH server hardeningHearthGate 1.5 SSH hardening

Phrases

a safer floor under every keyglobal rules below per-key policyharden once, every key inherits itblock the escape hatches before they matter

Related

Managed SSH hardening, Agent forwarding, Reverse SSH tunnel, GatewayPorts

P0

Security posture score

Definition: A security posture score is a visible grade that summarizes how strongly a system or service is configured against a set of security controls.

HearthGate context: HearthGate 1.5 scores the Mac SSH configuration out of 100 across controls such as root login, password authentication, forwarding, modern key exchange, and idle timeouts.

Keywords

security posture scoreSSH posture scoringsshd configuration scoreSSH hardening scoreMac SSH security scoreremote access security score

Phrases

make hardening visiblea scorecard for the SSH gateturn config drift into a numberknow when the gateway is actually hardened

Related

Managed SSH hardening, Password authentication, Root login, Periodic SSH rekey

P1

Periodic SSH rekey

Definition: Periodic SSH rekey means negotiating fresh session encryption keys during a long-running SSH connection.

HearthGate context: HearthGate 1.5 configures OpenSSH to rekey after 1 GB of data or one hour, whichever comes first, so one transport key does not cover an entire long session.

Keywords

OpenSSH RekeyLimitSSH rekeyperiodic SSH key rotationSSH session key rotationrekey after 1 GBrekey after one hour

Phrases

long sessions should not keep one key foreverfresh session keys during remote accessrotate the transport without interrupting the userlimit the blast radius of a leaked session key

Related

Managed SSH hardening, Security posture score, Post-quantum-ready SSH

P1

Privileged helper validation

Definition: Privileged helper validation means checking that a privileged helper is being called by the expected signed application before it performs sensitive operations.

HearthGate context: HearthGate 1.5 validates the caller code signature, bundle identifier, and team identity before allowing privileged helper operations.

Keywords

privileged helper validationMac privileged helper hardeningMach service securitycode signature validation Macbundle identifier validationhardened privileged helper

Phrases

privileged operations need a trusted callerhelper access should be signed and scopedclose the local helper doorthe helper should know who is knocking

Related

Managed SSH hardening, Security posture score, Local admin lock

P1

Local admin lock

Definition: Local admin lock is an app-side protection that requires local authentication before sensitive settings can be changed.

HearthGate context: HearthGate can protect its own settings with Touch ID and auto-relock behavior so a local user cannot casually weaken the gateway.

Keywords

local admin lockTouch ID settings lockMac app admin lockprotect remote access settingsauto relock Mac security settings

Phrases

the gateway settings need a lock toolocal access should not mean local tamperingprotect the controls that protect the Mac

Related

Privileged helper validation, Managed SSH hardening, Security posture score

7 terms

Post-quantum and crypto

Careful language for ML-KEM, hybrid SSH key exchange, and future-facing transport security.

P0

Post-quantum-ready SSH

Definition: Post-quantum-ready SSH refers to SSH that can use post-quantum or hybrid key exchange when the installed SSH stack supports it.

HearthGate context: HearthGate can auto-enable OpenSSH hybrid ML-KEM key exchange when support is available.

Keywords

post-quantum-ready SSHpost quantum SSH MacOpenSSH ML-KEMquantum resistant SSH

Phrases

future-facing key exchange without weaker classical securityready when the SSH stack is readya safer handshake for recorded traffic risk

Related

ML-KEM, Hybrid key exchange, Harvest now, decrypt later

P0

ML-KEM

Definition: ML-KEM is the Module-Lattice-Based Key-Encapsulation Mechanism standardized by NIST for post-quantum cryptography.

HearthGate context: OpenSSH hybrid key exchange support can use ML-KEM as part of a post-quantum-ready SSH handshake.

Keywords

ML-KEMML-KEM SSHML-KEM OpenSSHpost quantum key encapsulation

Phrases

the post-quantum half of a modern SSH handshakelattice-based protection for future attackersML-KEM in the transport, not magic dust over the whole app

Related

ML-KEM-768, FIPS 203, Hybrid key exchange

P0

ML-KEM-768

Definition: ML-KEM-768 is a parameter set of ML-KEM commonly discussed for strong post-quantum key encapsulation.

HearthGate context: HearthGate wording should stay precise: ML-KEM-768 hybrid key exchange is used when the installed SSH stack supports it.

Keywords

ML-KEM-768ML-KEM-768 SSHOpenSSH ML-KEM-768FIPS 203 ML-KEM-768

Phrases

post-quantum key exchange when supportedML-KEM-768 plus a classical partnerfuture-facing SSH handshake material

Related

ML-KEM, Hybrid key exchange, X25519

P0

Hybrid key exchange

Definition: Hybrid key exchange combines a classical key exchange with a post-quantum mechanism.

HearthGate context: In OpenSSH, hybrid ML-KEM plus X25519 means the connection is not relying on only one cryptographic family.

Keywords

hybrid key exchangeSSH hybrid key exchangeML-KEM X25519post quantum hybrid SSH

Phrases

classical today plus post-quantum tomorrowdo not drop the gold standard while adding the futuretwo assumptions on the wire

Related

X25519, ML-KEM, Post-quantum-ready SSH

P1

FIPS 203

Definition: FIPS 203 is the NIST standard that specifies ML-KEM.

HearthGate context: HearthGate can reference FIPS 203 carefully when describing ML-KEM support without claiming separate product validation.

Keywords

FIPS 203NIST FIPS 203ML-KEM FIPS 203post quantum standard ML-KEM

Phrases

name the standard without overclaiming certificationFIPS 203 explains ML-KEM, not every app guaranteeprecise crypto language matters

Related

ML-KEM, ML-KEM-768, Post-quantum-ready SSH

P1

X25519

Definition: X25519 is a widely used elliptic-curve Diffie-Hellman key exchange mechanism.

HearthGate context: Hybrid SSH can pair X25519 with ML-KEM so classical protection remains part of the handshake.

Keywords

X25519X25519 SSHML-KEM X25519 hybridclassical key exchange SSH

Phrases

today trusted classical exchange beside tomorrow-facing ML-KEMthe classical half of a hybrid SSH handshakenothing weaker than the current standard on the wire

Related

Hybrid key exchange, ML-KEM-768, Post-quantum-ready SSH

P1

Harvest now, decrypt later

Definition: Harvest now, decrypt later is the risk that attackers record encrypted traffic today and try to decrypt it with stronger future computers.

HearthGate context: Post-quantum-ready SSH is designed to reduce this future risk when the SSH stack supports hybrid key exchange.

Keywords

harvest now decrypt laterpost quantum SSH riskfuture quantum attackerrecorded traffic quantum risk

Phrases

today traffic should not become tomorrow plaintextrecorded sessions deserve future-aware handshakesthe attacker may wait, so the handshake should evolve

Related

Post-quantum-ready SSH, ML-KEM, Hybrid key exchange

8 terms

Viewer and client terms

Common viewers and clients used in SSH-gated Mac remote screen workflows.

P1

RealVNC

Definition: RealVNC is a VNC viewer and remote access product family.

HearthGate context: HearthGate can support familiar VNC viewers while keeping the Mac-side access path behind SSH.

Keywords

RealVNC MacRealVNC over SSH MacRealVNC Apple Screen SharingRealVNC VNC over SSH

Phrases

keep the viewer, change the gateRealVNC can remain the client, SSH owns the pathfamiliar screen viewer with Mac-side lockdown

Related

VNC, RFB protocol, VNC over SSH

P1

TightVNC

Definition: TightVNC is a common VNC viewer often used on Windows.

HearthGate context: HearthGate help includes a TightVNC workflow for connecting to a Mac through a local SSH tunnel.

Keywords

TightVNC MacTightVNC over SSHTightVNC Apple Screen SharingTightVNC localhost 5901

Phrases

Windows viewer, Mac-side SSH gateTightVNC talks to localhost, the tunnel talks to the Macold-school viewer, stricter path

Related

Port 5901, VNC over SSH, Windows SSH + VNC stack

P1

TigerVNC

Definition: TigerVNC is an open-source VNC viewer and server project.

HearthGate context: HearthGate compatibility language can include TigerVNC as a familiar RFB/VNC viewer option.

Keywords

TigerVNC MacTigerVNC over SSHTigerVNC Apple Screen SharingTigerVNC localhost

Phrases

an open viewer with a controlled Mac endpointviewer choice for the SSH-gated pathTigerVNC without direct VNC exposure

Related

VNC, RFB protocol, RealVNC

P1

Remmina

Definition: Remmina is a remote desktop client commonly used on Linux and FreeBSD desktops.

HearthGate context: HearthGate help includes a Remmina on FreeBSD workflow using a HearthGate tunnel and local VNC target.

Keywords

Remmina Mac VNCRemmina VNC over SSHRemmina FreeBSD MacRemmina localhost VNC

Phrases

FreeBSD viewer, Mac-side gatewayRemmina reaches localhost while SSH reaches the Macdesktop client choice without changing the host policy

Related

FreeBSD, VNC over SSH, Localhost

P1

MobaXterm

Definition: MobaXterm is a Windows remote access and terminal toolkit with SSH and VNC capabilities.

HearthGate context: HearthGate help includes MobaXterm workflows with external tunnel and built-in SSH gateway methods.

Keywords

MobaXterm Mac VNCMobaXterm VNC over SSHMobaXterm Apple Screen SharingMobaXterm SSH gateway Mac

Phrases

Windows toolbox, Mac gateway disciplineMobaXterm can be the client, not the policyseparate the SSH host from the VNC target

Related

TightVNC, SSH tunnel, VNC over SSH

P1

PuTTY

Definition: PuTTY is a Windows SSH client often used to create tunnels and terminal sessions.

HearthGate context: PuTTY can be part of a Windows SSH plus VNC workflow for reaching a Mac screen through a tunnel.

Keywords

PuTTY Mac SSH tunnelPuTTY VNC over SSHPuTTY localhost 5901PuTTY Mac remote access

Phrases

classic tunnel tool for a modern Mac gatePuTTY opens the road, the VNC viewer opens the screenSSH first from Windows

Related

SSH tunnel, Local port forwarding, TightVNC

P1

Screens

Definition: Screens is a remote desktop client for Apple platforms including iOS and macOS.

HearthGate context: HearthGate help includes Screens on iOS steps with SSH tunnel settings and localhost VNC addressing.

Keywords

Screens iOS Mac SSHScreens VNC over SSHScreens Apple Screen Sharing localhostScreens HearthGate

Phrases

iPad viewer with a Mac-side SSH gateScreens can use localhost when the tunnel owns the routemobile screen access without direct VNC exposure

Related

Apple Screen Sharing, VNC over SSH, Localhost

P2

AVNC

Definition: AVNC is an Android VNC client.

HearthGate context: HearthGate can support Android-side viewer workflows when the connection path is packaged and tunnel-aware.

Keywords

AVNC Mac VNCAndroid VNC MacAVNC over SSH MacAndroid Mac Screen Sharing

Phrases

Android viewer, Mac-controlled gatewaymobile VNC without opening 5900the device changes, the Mac gate stays consistent

Related

VNC, RFB protocol, Connection package

8 terms

Platform and use-case terms

Mac mini, local AI, build server, and studio workflows that create real demand.

P0

Headless Mac mini

Definition: A headless Mac mini is a Mac mini used without a directly attached display, keyboard, or mouse.

HearthGate context: HearthGate is useful for headless Mac minis because screen access and SSH recovery need to be reliable and narrow.

Keywords

headless Mac miniheadless Mac mini remote accessheadless Mac mini VNC over SSHsecure Screen Sharing Mac mini

Phrases

the Mac you run without sitting in front of ita small box that still needs a safe screen pathheadless does not mean ungoverned

Related

Mac mini server, Mac mini VNC over SSH, Self-hosted remote access

P0

Mac mini server

Definition: A Mac mini server is a Mac mini used as an always-on machine for services, files, builds, automation, or local AI workloads.

HearthGate context: HearthGate helps keep the screen and SSH path controlled for Mac minis that behave like small servers.

Keywords

Mac mini serverMac mini server remote accessalways-on Mac miniMac mini SSH VNC

Phrases

the desktop Mac that became infrastructureserver habits for a Mac that still has a screensmall server, real access policy

Related

Headless Mac mini, Local AI Mac, Mac build server

P0

Local AI Mac

Definition: A local AI Mac is a Mac used to run local models, agent workflows, automation, or private AI tooling.

HearthGate context: HearthGate gives the human operator a secure Mac-side path before the agent stack becomes useful.

Keywords

local AI MacMac mini local AIsecure remote access for local LLM Maclocal AI workstation Mac remote access

Phrases

make the host safe before the agent gets cleverlocal AI still needs remote control disciplinethe AI box should not become the exposed box

Related

OpenClaw Mac mini, Ollama Mac mini, Mac mini server

P1

OpenClaw Mac mini

Definition: OpenClaw Mac mini describes using a Mac mini as a host for OpenClaw agent workflows.

HearthGate context: HearthGate pairs well with this pattern by protecting the Mac access layer before OpenClaw is configured.

Keywords

OpenClaw Mac minisecure OpenClaw setupOpenClaw remote accessOpenClaw gateway localhost

Phrases

secure the Mac before the agentOpenClaw runs the workflow, HearthGate guards the hostagent setup second, remote access first

Related

Local AI Mac, Ollama Mac mini, SSH tunnel

P1

Ollama Mac mini

Definition: Ollama Mac mini describes a Mac mini used to run local language models through Ollama.

HearthGate context: HearthGate helps keep that local model host reachable for administration without exposing the screen service directly.

Keywords

Ollama Mac miniOllama remote access Maclocal LLM Mac miniMac mini AI server remote access

Phrases

local models need a local recovery paththe model box still needs a human gateprivate AI host, controlled Mac access

Related

Local AI Mac, OpenClaw Mac mini, Headless Mac mini

P1

Mac build server

Definition: A Mac build server is a Mac used for builds, signing, tests, CI, or platform-specific development tasks.

HearthGate context: HearthGate gives developers SSH-based screen access for GUI prompts, simulators, and remote troubleshooting.

Keywords

Mac build serverremote access for Mac build serverMac mini CI remote accessiOS build Mac remote access

Phrases

the build box sometimes needs a screenCI still bumps into GUI realitydeveloper infrastructure with a controlled screen path

Related

iOS build Mac, Mac mini server, Managed SSH hardening

P1

iOS build Mac

Definition: An iOS build Mac is a Mac used for iOS builds, signing, simulator testing, or app release workflows.

HearthGate context: HearthGate can help developers reach the GUI side of the Mac without making VNC broadly reachable.

Keywords

iOS build Macremote access for iOS build MacMac mini iOS CIXcode build Mac remote access

Phrases

Xcode prompts deserve a safe remote pathsigning machines need narrower accessthe iOS build box should not expose its screen

Related

Mac build server, SSH tunnel, Live session visibility

P1

Studio Mac remote access

Definition: Studio Mac remote access refers to remote support or control of Macs used in creative, audio, video, design, or production studios.

HearthGate context: HearthGate is useful when studio Macs need support without a broad cloud remote desktop dependency.

Keywords

studio Mac remote accessMac remote access for creative studiosMac remote access for recording studiossecure remote access for post production Mac

Phrases

creative Macs need operational control, not casual exposuresupport the room-bound Mac without opening the screen portstudio workflow, self-hosted gateway

Related

Apple Screen Sharing, VNC over SSH, System Controls