Power User Features

Beyond VNC: use HearthGate as a full SSH gateway for SFTP, SCP, shell access, port forwarding, VS Code Remote-SSH, and rsync when a key is explicitly allowed to go beyond VNC-only mode.

Beyond VNC: HearthGate's quiet superpowers

Most people install HearthGate to get secure remote desktop on macOS without exposing port 5900 to the world. That is the headline. Under the hood, HearthGate is also a full SSH gateway, and an unrestricted key can opt into the wider OpenSSH toolset behind the same hardened gate.

The important part is intent. HearthGate starts from a safe VNC-only model, then lets you widen one specific key only when that person or workflow really needs SFTP, shell access, port forwarding, VS Code Remote-SSH, rsync, or another OpenSSH capability.

The default is safe

New keys are restricted to one job by default: opening the protected VNC tunnel. That keeps routine screen access narrow even when the SSH layer is doing the transport.

VNC tunnel only
No shell
No agent forwarding
No X11 forwarding
localhost:5900 only

The opt-in is conscious

When you need more, turn off the VNC-only restriction for that specific key from the Connection tab. A contractor can get SFTP, an admin can get terminal access, and your own development key can get tunnels. Other keys stay locked down.
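As an added illustration (not HearthGate's own code), the Python example below reads the option field of stock OpenSSH authorized_keys lines and lists what each key could do beyond a forward to localhost:5900, the VNC-only profile described above. How HearthGate stores or enforces its per-key policy is not stated on this page; the sample lines, placeholder key blobs, and function names are constructed for the example.

```python
import re

# Constructed sample lines; the key blobs are placeholders, not real keys.
SAMPLES = {
    "viewer": 'restrict,port-forwarding,permitopen="localhost:5900",command="/usr/bin/false" ssh-ed25519 AAAAPLACEHOLDER viewer',
    "dev": "ssh-ed25519 AAAAPLACEHOLDER dev",
}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?')
TOGGLES = {"pty": "pty", "agent-forwarding": "agent", "x11-forwarding": "x11", "port-forwarding": "fwd"}

def parse_options(line):
    """Split the leading options field; quoted values may hold commas and spaces."""
    line, pos, opts = line.strip(), 0, []
    if line.startswith(KEY_TYPES):
        return opts  # no options field: sshd defaults apply
    while True:
        m = OPTION.match(line, pos)
        if not m:
            raise ValueError(f"bad options field at offset {pos}")
        opts.append((m.group(1).lower(), m.group(2)))  # option names are case-insensitive
        pos = m.end()
        if line[pos:pos + 1] != ",":
            return opts
        pos += 1

def capabilities(line):
    """List what stock sshd would permit beyond a local forward to localhost:5900."""
    opts = parse_options(line)
    on = dict.fromkeys(TOGGLES.values(), True)  # sshd permits everything by default
    for name, _ in opts:  # flags are applied in the order written
        if name == "restrict":
            on = dict.fromkeys(on, False)
        elif name in TOGGLES:
            on[TOGGLES[name]] = True
        elif name.startswith("no-") and name[3:] in TOGGLES:
            on[TOGGLES[name[3:]]] = False
    found = [c for c in ("pty", "agent", "x11") if on[c]]
    if not any(name == "command" for name, _ in opts):
        found.append("shell")  # without a forced command the client picks what runs
    if on["fwd"]:  # permitopen limits -L targets only; -R is limited by permitlisten
        opens = [v for n, v in opts if n == "permitopen"] or ["any"]
        listens = [v for n, v in opts if n == "permitlisten"] or ["any"]
        found += [f"local-forward:{t}" for t in opens if t != "localhost:5900"]
        found += [f"remote-forward:{t}" for t in listens]
    return found

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(label, capabilities(line))
```

In stock OpenSSH, permitopen constrains only local (-L) forwards, so the constructed viewer line still reports an unrestricted remote forward until a permitlisten option or a server-side forwarding setting narrows it.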

Secure file transfer

Use SFTP or SCP with tools such as WinSCP, FileZilla, Cyberduck, or the command line. Move files with the same key authentication, rate limits, and audit trail that protect remote screen sessions.

sftp -P 22023 user@your-mac.local

Remote terminal

Open a shell when an admin or trusted teammate actually needs it. Run builds, tail logs, inspect processes, or manage launchd jobs without creating a separate remote-access path.

ssh -p 22023 user@your-mac.local

Port forwarding

Tunnel local development servers, PostgreSQL, MongoDB, Redis, MQTT brokers, dashboards, and other TCP services through the encrypted SSH path.

ssh -p 22023 -L 15432:localhost:5432 user@your-mac.local

VS Code Remote-SSH

Edit your Mac's source tree from Windows or Linux while the Mac does the compiling, indexing, and local environment work. This requires Microsoft's free Remote - SSH extension for VS Code. Add a single entry to your ~/.ssh/config, using any host alias you like, and VS Code connects through your existing HearthGate key with no separate authentication and no new ports.

Host my-mac
    HostName 192.168.1.10
    Port 22023
    User you
    IdentityFile ~/.ssh/hearthgate-key

Note: The key used for VS Code must have the VNC tunnel only restriction turned off in HearthGate: Connection tab > Operation restrictions > Allow full SSH. The default HearthGate key is restricted to VNC, so create a separate key for development, or turn the restriction off on one dedicated key.

rsync over SSH

Run differential, encrypted, scriptable backups between your Mac and another machine without mounting a separate file-sharing service.

rsync -avz -e "ssh -p 22023" ~/Documents/ user@mac:~/backup/

Advanced OpenSSH workflows

Reverse tunnels, command-mode execution, and other OpenSSH workflows can ride through HearthGate when that specific key is allowed to use them.

ssh -p 22023 -R 9000:localhost:3000 user@your-mac.local

Same gate, same controls

A widened key still passes through HearthGate's security model. VNC, SFTP, SCP, shell access, tunnels, and rsync all remain tied to the key's policy and session visibility.

Per-key time windows
Expiration dates
Concurrent session caps
Brute-force IP blocking
Mid-session enforcement
One-click Disconnect all
Connection logs
Key revoke and session cleanup

Rule of thumb: leave day-to-day viewer keys in VNC-only mode. Create an unrestricted key only for the user or workflow that needs broader OpenSSH behavior, then add expiration, schedules, session caps, and revocation policy around that key.