Too Jewish with Rabbi Cohon

Miro Video Player

All 

Last 10 

«  
  »

Sun’s VirtualBox 3.1.x: Getting VRDP (remote desktop) to authenticate properly with Linux PAM

I rebuilt an Ubuntu 9.10 server this past week, ripping off VMware and replacing it with VirtualBox 3.1.2. Setting up VirtualBox as a headless server was very easy with VBoxTool. However, I ran into a problem that I was unable to connect using remote desktop (rdesktop) as any user but the user that started the virtual machine.

Jan 21 22:43:13 vm-holder unix_chkpwd[16040]: check pass; user unknown
Jan 21 22:43:13 vm-holder unix_chkpwd[16040]: password check failed for user (jason)
Jan 21 22:43:13 vm-holder VBoxHeadless: pam_unix(vrdpauth:auth): authentication failure; logname=virtualbox uid=1001 euid=1001 tty= ruser= rhost=  user=jason

This is, currently, an undocumented security feature of VirtualBox 3.1x to prevent just anyone from accessing the virtual machine console. For most folk, this might be a very good thing but if you have a team of sysadmins that should have access to the virtual machine consoles, you probably don’t want them to use the same login.

If that is the case, you can add the user(s) that should have access the virtual machine console to the shadow group on the host Linux machine. Be warned though that the user(s) that are added to the shadow group should not be able to log into the host machine else they will be able to read the shadow file where all the passwords to the box are stored. If the users need access to the host box, then they should have a login for host access (not part of the shadow group) and another for virtual machine console access.

Adding linux user jason_vrdp to the shadow group:

(root) # usermod -G shadow,virtualbox jason_vrdp

Prevent jason_vrdp from logging in to the host or anyone from sudo’ing to it:

(root) # usermod --shell /bin/false jason_vrdp

That’s it :)

January 22nd, 2010 | Tags: , , , , , , , , , , , | Category: How To, Linux, OS, virtualbox | 3 comments

3 comments to Sun’s VirtualBox 3.1.x: Getting VRDP (remote desktop) to authenticate properly with Linux PAM

  • Jason L Froebe
    January 22nd, 2010 at 10:48 am · Reply

    UPDATE! Only the user that starts the virtualmachines need to be part of shadow. Even better

  • Equals42
    January 22nd, 2010 at 7:06 pm · Reply

    Is virtualbox a service that is started by init.d or some such or are you referring to the user that spins up each guest? I’m just wondering why anyone should have to be added to shadow if system or root starts the process. Maybe I’ve just had too many margaritas.

    Chris R

  • Jason L Froebe
    January 23rd, 2010 at 7:56 am · Reply

    VirtualBox, itself, doesn’t have a rc.init service but VBoxTool has a rc.init script for it. You’re right, if the user that starts the virtual machines is root or equivalent, then they don’t need to be added to the shadow group because it already has access to it (uid 0). :)

    So, adding the user to the shadow group only applies if the user is not root and you’re using the normal PAM authentication modules. The nice thing about PAM is that you can have it authenticate against just about anything.

    jason

Leave a Reply

 

 

 

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>