SSH / VNC Guide 18 May 2026

2026 Cloud Mac lease-end offboarding: SSH trust teardown, client known_hosts hygiene, and VNC handoff evidence before return

MacLogin Security Team 18 May 2026 ~17 min read

Security and platform teams returning a MacLogin cloud Mac must treat lease end as a bilateral trust problem: the mini stops accepting your keys, and every engineer laptop must forget host keys, JumpHost aliases, and cached Screen Sharing invitations. This 18 May 2026 runbook gives a wipe-vs-preserve matrix, executable SSH teardown steps, VNC residue checks, an evidence tarball recipe, and a nine-step execution path aligned with JSON-LD on this page. Pair it with admin vs service account parity, Fast User Switching roster discipline, and invitation-only Screen Sharing governance. Operational questions also belong beside MacLogin help; when you re-provision elsewhere, compare tiers on pricing.

Who owns lease termination when multiple vendors touch the same mini

FinOps usually owns the commercial renewal decision, but security must own cryptographic teardown because a missed authorized_keys line can outlive the invoice. Platform engineering should own LaunchAgents and CI tokens, while IT helpdesk owns Screen Sharing invitations that were granted to contractors. Document a single RACI row per region (Hong Kong, Tokyo, Seoul, Singapore, United States) so midnight decommission in one timezone does not strand a Tokyo teammate who still has an open VNC window.

When a pilot ends, the worst failures are silent: automation continues to poll TCP 22 using a hostname that now maps to another tenant, or a developer’s ~/.ssh/config block keeps reconnecting to recycled hardware. The procedures below force explicit human acknowledgements instead of assuming hypervisor wipes cover client trust.

  • Security lead signs the host key rotation or non-rotation decision.
  • Identity team revokes any short-lived certificates mapped to the lease ID.
  • App owners export databases or object stores before disk imaging.

Decision matrix: wipe, preserve, or archive with legal hold

Use the matrix as a design-review artifact; every row should end with an initials box in your change ticket. Numbers referenced here mirror common enterprise retention: 90-day log retention for sshd, 180-day artifact storage for SOC2 evidence, and 7-day overlap where both old and new leases exist during migration.

Artifact Default posture When to preserve Evidence to attach
User home directories on the mini Cryptographic wipe or provider recycle Legal hold—snapshot to encrypted object storage first Checksum manifest + custodian name
/var/log unified log slices Export bounded predicates Regulator requests 180-day replay window Saved search JSON + byte size
Client known_hosts rows Delete matching hostnames Shared bastion reuses alias—migrate to new stanza List of fingerprints removed
Screen Sharing invitations Revoke + verify GUI list empty Still supporting break-glass on adjacent lease HR ticket cross-link

SSH trust teardown: server-side keys, principals, and client hygiene

Start by freezing changes for 48 hours so your last unified log export correlates with a stable sshd configuration. Remove automation entries from ~/.ssh/authorized_keys before human keys if you need a final human login for FDA or FileVault workflows. If you deployed SSH user certificates, revoke the principal tied to the lease ID in your internal CA—do not only delete the public half on disk.

Client hygiene is where teams fail audits: distribute a CSV of canonical hostnames and IP addresses that must disappear from ~/.ssh/known_hosts on macOS, Windows, and Linux CI runners. Pair removal with a communication template that tells engineers why ssh -o StrictHostKeyChecking=accept-new is temporarily forbidden during recycle week.

Warning: If you rotate sshd host keys without broadcasting new fingerprints, the next legitimate connection attempt will look like an attack to every unattended script that pinned the old key.

VNC & Screen Sharing residue: invitations, observers, and GUI-only trust

Screen Sharing leaves social residue: saved computer names, Kerberos tickets in some enterprise binds, and cached credentials inside the Screen Sharing .app bundle on operator laptops. Walk the invitation-only checklist from the May 12 governance article, then verify the mini’s System Settings ➜ General ➜ Sharing list shows no unexpected observers. If contractors paired with Apple IDs for temporary access, revoke those pairings even when corporate SSO covers SSH.

For fleets that alternated SSH automation with GUI debugging, reconcile the roster from the Fast User Switching runbook so you do not delete an automation account while its GUI session is still mid-install.

Per-user Keychain items, Login Items, and LaunchAgents

Each human account that touched the mini may have stored Wi-Fi enterprise credentials, Git HTTPS tokens in Keychain, or developer certificates used for ad-hoc signing. Export a list of security find-generic-password -a samples (redacted) for audit, then delete only lease-scoped items. LaunchAgents installed under ~/Library/LaunchAgents must be unloaded with launchctl bootout before file deletion so launchd does not resurrect broken ProgramArguments paths.

System-wide daemons in /Library/LaunchDaemons require elevated change windows; snapshot plist hashes into your evidence tarball before removal so rollback is possible if finance extends the lease last-minute.

Evidence pack: what auditors expect in the tarball metadata

Your tarball should be boringly complete: sshd_config with comments, final sudoers drop-ins, diskutil apfs list output, system_profiler SPHardwareDataType serial snippet, and a CSV of removed SSH fingerprints. Include a README that states the lease ID, MacLogin region code, and whether host keys rotated. Hash the tarball with SHA-256 and upload the digest to your change system—this single habit satisfies most SOC2 evidence requests without exposing raw disk images.

File Purpose Minimum retention
sshd_unified.log.zst Accepted key events + disconnect reasons 90 days hot, 1 year cold
vnc_invite_screenshot.png Proof invitation list empty Until next audit sample
launchctl_print.txt Snapshot of loaded services 180 days
Numbers to cite in exit meetings: administrative SSH on TCP 22, Screen Sharing on TCP 5900 (when explicitly enabled), ARP cache TTL defaults near 60 seconds on many switches—use that window when validating last-hop disconnects during recycle.

Nine-step execution path from freeze to MacLogin recycle request

  1. Freeze configuration for 48 hours and announce the freeze in Slack/Teams channels tied to HK, JP, KR, SG, and US operators.
  2. Export unified log predicates for sshd, tccd, and screensharingd.
  3. Revoke automation principals from authorized_keys and sudoers fragments tied to the lease.
  4. Unload LaunchAgents/LaunchDaemons referencing project paths, then delete plist files with checksum proof.
  5. Capture application data exports or database dumps before wiping user homes.
  6. Ship a client package that scrubs known_hosts and stale ~/.ssh/config Host blocks.
  7. Verify Screen Sharing invitation lists and remove cached credentials on operator laptops.
  8. Attach SHA-256 of the evidence tarball to the recycle change ticket.
  9. Request MacLogin recycle only after security sign-off; keep a rollback window of at least 24 hours if finance reinstates the lease.

FAQ

Can we skip client known_hosts cleanup if we rotate host keys? No—rotation without client updates yields hard failures; skipping cleanup while not rotating yields silent trust in stale keys. Do both or document explicit risk acceptance.

What if contractors used personal Apple IDs for Screen Sharing? Treat those identities like shadow IT: revoke pairing, capture screenshots for HR, and ban the pattern in the next lease via policy addendum.

How does this relate to recycled hardware? The next tenant inherits whatever host keys and storage state remain after provider wipe levels—assume partial overlap and never reuse private keys across leases.

Do we need VNC if SSH already disabled? If FDA or Installer prompts never occurred, you may skip VNC—but record “N/A with reason” in the evidence tarball README.

Why Mac mini M4 is the right hardware shape for disciplined lease handoffs

Apple Silicon M4’s unified memory and deterministic sleep behaviour make it faster to capture consistent diskutil and system_profiler snapshots than on thermally noisy laptops under someone’s desk. MacLogin’s multi-region footprint means you can rehearse offboarding in a low-risk Singapore lab mini before touching United States production, then apply the same checklist to Hong Kong and Tokyo without rewriting scripts for x86 drift.

Renting keeps the endgame reversible for 7 days: if finance revives the lease, you can restore from the tarball-backed plist set without waiting for procurement to ship new bare metal. When you are ready for the next project, pair this runbook with VNC access guidance so GUI-heavy cleanup steps stay consistent across operators.

Plan the next lease with clean SSH and VNC boundaries

Reserve Apple Silicon in HK, JP, KR, SG, or US with room to rehearse offboarding, archive evidence, and re-open under a fresh trust domain.