Sometimes it’s practical for the same person to set up multiple accounts on one machine for distinct purposes. While the Fast User Switching feature in OS X does make it easy to move between accounts quickly, some people may find it more practical to interact with the desktop of a different account while still logged into another one. If you’re this kind of person, you may find this post useful.
The method I’m using, which is based on information that I found in some forums, involves using Screen Sharing to connect to a different account on the same machine.
All of the necessary features are already built into OS X, but unfortunately they won’t work in this scenario by default. If one enables Screen Sharing and then attempts to use the Screen Sharing app to connect to the local host, the app will not connect and instead states that it cannot connect to the same computer. I’m not certain why this check is actually needed, but it turns out that the check enforcing it is not sophisticated.
It appears to check only for a connection to the local machine on port 5900, so changing the service to use a different port will work.
The way that I have done this is certainly not very sophisticated, and someone with deeper knowledge of Unix and OS X may be able to create a completely separate service, whereas I’m simply modifying the existing Screen Sharing service. In addition, the modification that I’ve made may well be wiped out by a system update or OS upgrade.
For the purposes of this post I’ll assume that our new port will be 5901 instead of 5900.
The change that is necessary does require editing a system file, but if you’re using OS X El Capitan, as I am, System Integrity Protection (SIP) in this version will prevent you from modifying the file. To work around this you will need to temporarily disable SIP.
If you’re using an older version of OS X these instructions may work, but you can skip the SIP disabling and re-enabling steps.
To disable SIP, first restart the system into Recovery Mode by holding Command + R at startup. Choose your language, and then on the next screen, instead of proceeding with the options shown, go to the menu bar and open Terminal from the Utilities menu.
In the terminal enter the following command:
csrutil disable
Next, restart the system normally. Once you’ve logged back in, find the following file and copy it to your desktop (you will need to authenticate to complete this action):
/System/Library/LaunchDaemons/com.apple.screensharing.plist
Open the file that you’ve copied and then find the following text:
<string>vnc-server</string>
and change it to the following (replace 5901 with the port that you would prefer to use):
<string>5901</string>
Next, copy the file that you edited back to the system location and overwrite the original file.
We’re not finished yet. The change has been applied, but the file that was copied over is now owned by the logged-in user. It needs to be owned by root (“system” in the Get Info Permissions window). While still logged in, open Terminal, which is located in /Applications/Utilities, and enter the following commands to change the ownership and permissions:
cd /System/Library/LaunchDaemons
sudo chown root ./com.apple.screensharing.plist
sudo chmod 644 ./com.apple.screensharing.plist
Once these changes have been applied, restart the system into Recovery Mode again, bring up Terminal and enter the following command to re-enable SIP:
csrutil enable
After executing the command, restart and log in normally. Then enable the “Screen Sharing” service via System Preferences -> Sharing.
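The edit-and-copy-back steps above are easy to get subtly wrong (editing a file that was already changed, or ending up with a plist launchd will not load). As an added example, not part of the original post, the following POSIX shell script performs the same substitution on a copy of the plist and refuses to proceed unless it finds exactly one vnc-server entry. The only real path it knows is the LaunchDaemons plist named in the post; the sample plist it builds for the dry run is a constructed stand-in, and its Sockets/Listener layout is an assumption about the real file.

```shell
#!/bin/sh
# Added example (not from the original post): automate the plist edit from
# the steps above and check it before anything is copied back. The only
# system-specific path is the launchd plist the post names; the sample
# plist built by make_sample_plist is a constructed stand-in for a dry run.
set -e

SYSTEM_PLIST=/System/Library/LaunchDaemons/com.apple.screensharing.plist

# Replace the named service "vnc-server" (port 5900) with a numeric port.
# Refuses to proceed unless the input contains exactly one such element,
# so an already-edited or unexpectedly laid-out file is not overwritten
# with something launchd may not load.
patch_screensharing_plist() {
    src=$1; port=$2; dst=$3
    count=$(grep -c '<string>vnc-server</string>' "$src" || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one vnc-server entry in $src, found $count" >&2
        return 1
    fi
    sed "s#<string>vnc-server</string>#<string>$port</string>#" "$src" > "$dst"
}

# The edited copy must mention the new port and no longer mention the
# service name.
verify_patched_plist() {
    f=$1; port=$2
    grep -q "<string>$port</string>" "$f" && ! grep -q 'vnc-server' "$f"
}

# Copy the edited file back and restore root ownership and 644 permissions
# (the chown/chmod step from the post). Only works with SIP disabled and is
# not exercised by the dry run below.
install_patched_plist() {
    sudo cp "$1" "$SYSTEM_PLIST"
    sudo chown root "$SYSTEM_PLIST"
    sudo chmod 644 "$SYSTEM_PLIST"
}

# Constructed minimal stand-in for the real plist. The real file has more
# keys; the Sockets/Listener layout here is an assumption.
make_sample_plist() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.screensharing</string>
    <key>Sockets</key>
    <dict>
        <key>Listener</key>
        <dict>
            <key>SockServiceName</key>
            <string>vnc-server</string>
        </dict>
    </dict>
</dict>
</plist>
EOF
}

# Dry run: patch the constructed sample to port 5901 and verify the result.
demo() {
    dir=$(mktemp -d)
    make_sample_plist "$dir/orig.plist"
    patch_screensharing_plist "$dir/orig.plist" 5901 "$dir/patched.plist"
    verify_patched_plist "$dir/patched.plist" 5901
    rm -rf "$dir"
}
```

Run `demo` to see the dry run; to apply for real, call `patch_screensharing_plist "$SYSTEM_PLIST" 5901 ~/Desktop/com.apple.screensharing.plist`, check it with `verify_patched_plist`, and only then `install_patched_plist` on the edited copy while SIP is disabled. The single-match check is what protects you if you later re-run the script after a system update has replaced, or not replaced, the file.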
You should now be able to connect to 127.0.0.1:5901, which will let you interact with another user’s desktop in OS X on the same machine. Note that when this is successful you should receive a prompt asking whether you want to request to take over the other session or simply log in as that user.
At this point it should work. However, if you don’t want anyone else on the network to be able to connect to this port, you’ll need to block access to it. Unfortunately the built-in OS X firewall will not let you block a service that is controlled under the Sharing preference pane. One solution is to install a third-party utility to impose this restriction.
Another solution that doesn’t require changing your default VNC port, or restarting to disable SIP and modifying multiple files, is to use port forwarding. This can be done either with pfctl (packet filter) or by setting up a local SSH tunnel and forwarding the ports.
Method 1 – pfctl:
echo "
rdr pass inet proto tcp from any to any port 5901 -> 127.0.0.1 port 5900
" | sudo pfctl -ef -
I’m not sure if this will persist across reboots. If not, you may need to modify some config files, which may or may not require disabling SIP. Alternately, you can create a LaunchAgent that runs the script at startup.
Method 2 – ssh (make sure “Remote Login” is enabled in sharing preferences first):
ssh -fN localhost -L 127.0.0.1:5901:localhost:5900
This will persist until you log out or restart, or until you manually kill the process. Like the pfctl method, this can be made easier by creating a LaunchAgent so it runs at boot. Or you can download the application “SSH Tunnel Manager”, which is a GUI tool for creating SSH tunnels. You can set it to connect the tunnel automatically when it starts and set it to open at login.
To clarify: LaunchAgents run at login, not at boot. You can make a LaunchDaemon to run at boot.
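The comments above describe keeping the ssh forward from Method 2 alive with a LaunchAgent, which runs at login. As an added example, written here and not the commenters’ code, this POSIX shell script writes such an agent and reads the forwarding spec back out so the file can be checked without loading it. The label com.example.vnc-tunnel and the output path are assumptions; the launchd keys used (Label, ProgramArguments, RunAtLoad, KeepAlive) are documented ones.

```shell
#!/bin/sh
# Added example (not from the original comments): generate a LaunchAgent
# that keeps the local ssh port forward 127.0.0.1:5901 -> localhost:5900
# running for the login session. Label and output path are assumptions.
set -e

# Write the agent plist. Deliberately no -f: launchd supervises the child
# directly, so ssh has to stay in the foreground. A forked, backgrounded ssh
# would look to launchd like a job that exited, and KeepAlive would respawn
# it in a loop. ExitOnForwardFailure makes ssh quit (and launchd retry)
# rather than run silently without the forward if 5901 is already taken.
# Binding -L to 127.0.0.1 keeps the forwarded port off other interfaces.
write_tunnel_agent() {
    out=$1; label=$2; local_port=$3; remote_port=$4
    cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$label</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/ssh</string>
        <string>-N</string>
        <string>-o</string>
        <string>ExitOnForwardFailure=yes</string>
        <string>-L</string>
        <string>127.0.0.1:$local_port:localhost:$remote_port</string>
        <string>localhost</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
EOF
}

# Pull the -L forwarding spec back out of a generated plist: the <string>
# element immediately following <string>-L</string>.
forward_spec_of() {
    awk '/<string>-L<\/string>/ { getline; print; exit }' "$1" \
        | sed 's/.*<string>\(.*\)<\/string>.*/\1/'
}

# Usage (constructed label and path):
#   write_tunnel_agent ~/Library/LaunchAgents/com.example.vnc-tunnel.plist \
#       com.example.vnc-tunnel 5901 5900
#   launchctl load ~/Library/LaunchAgents/com.example.vnc-tunnel.plist
```

Because it lives in ~/Library/LaunchAgents the tunnel exists only while that user is logged in, matching the clarification above; a LaunchDaemon in /Library/LaunchDaemons would be needed to have it up from boot, at which point the ssh key it uses would have to be readable by root rather than by the user.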