Setting up VirtualBox external VRDP authentication

[NOTE: I originally posted this on the VirtualBox forum for those that were having issues with using external VRDP authentication and wanted to add it here as well...]

I finally found a workable solution that will work for everyone (at least for the PAM-challenged folks). It’s more secure than setting group suid bits on VirtualBox and you’re not hacking the user to be a member of the shadow group. I’m running on Ubuntu 7.10 so your setup may vary slightly…

[EDIT: Thanks to Finger for validating this through version 2.1.0]

You have two options depending on your comfort level (both tested and verified).

  1. Modify your existing /etc/pam.d/login file(s)
  2. Create a custom PAM service in /etc/pam.d

FIRST OPTION

The VirtualBox-provided VRDPAuth.so library defaults to using the /etc/pam.d/login service, so changes have to be made there. In Ubuntu, the existing /etc/pam.d/login file includes pointers (referenced by an @ in the file) to other /etc/pam.d files that actually do the work, namely common-account, so we need to modify /etc/pam.d/common-account.

My default /etc/pam.d/common-account looks like:

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account required        pam_unix.so

To fix, append “broken_shadow” to the account line, e.g.:

account required        pam_unix.so broken_shadow

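This fixes the issue with minimal changes to your system. The broken_shadow option tells pam_unix to ignore errors reading shadow information during the account check; because it is set in common-account, the change applies to ALL services that use common-account.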

SECOND OPTION

If you’re concerned about modifying a default PAM service, we can create our own. To resolve this issue using a custom PAM service:

  1. Create a new file named /etc/pam.d/vrdpauth (or whatever you want)
  2. Add the following to the file.
    auth       required     pam_unix.so
    account    required     pam_unix.so broken_shadow
  3. In order to use a custom service you must either set the VRDP_AUTH_PAM_SERVICE environment variable or recompile the library. So…
    jhowk@host:~$ export VRDP_AUTH_PAM_SERVICE=vrdpauth

That’s all that’s needed. Easy fixes. If anyone has any questions just let me know.
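
An added example (not from the original post): a POSIX shell sketch that lists which services option 1 changes and checks whether the service VRDP will use reaches a broken_shadow account line. PAM_DIR, the function names and the sample tree are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit which PAM services each option touches.
# PAM_DIR is an assumption of this sketch so it can run against a copy.
PAM_DIR="${PAM_DIR:-/etc/pam.d}"

# Service name the auth library will use; the post says it defaults to "login".
vrdp_service() { printf '%s\n' "${VRDP_AUTH_PAM_SERVICE:-login}"; }

# Services that pull in common-account via @include; option 1 changes all of them.
services_including_common_account() {
    grep -lE '^[[:space:]]*@include[[:space:]]+common-account([[:space:]]|$)' \
        "$PAM_DIR"/* 2>/dev/null | sed 's|.*/||' | sort
}

# True if file $1 has a non-comment pam_unix.so account line with broken_shadow.
has_broken_shadow() {
    awk '$1 == "account" && /pam_unix\.so/ {
             for (i = 3; i <= NF; i++) if ($i == "broken_shadow") found = 1 }
         END { exit !found }' "$PAM_DIR/$1"
}

# True if the service VRDP will use reaches a broken_shadow account line,
# either directly (option 2) or through common-account (option 1).
vrdp_account_tolerates_shadow() {
    svc=$(vrdp_service)
    [ -f "$PAM_DIR/$svc" ] || return 2
    has_broken_shadow "$svc" && return 0
    services_including_common_account | grep -qxF "$svc" &&
        has_broken_shadow common-account
}

# Constructed sample tree (not copied from a real host) for offline runs.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'account required        pam_unix.so\n' > "$d/common-account"
    printf '# login\n@include common-account\n' > "$d/login"
    printf '# sshd\n@include common-account\n' > "$d/sshd"
    printf 'auth       required     pam_unix.so\n' > "$d/vrdpauth"
    printf 'account    required     pam_unix.so broken_shadow\n' >> "$d/vrdpauth"
    printf '%s\n' "$d"
}

# Demo: run against the constructed tree instead of the live directory.
PAM_DIR=$(make_sample)
echo "option 1 would change: $(services_including_common_account | tr '\n' ' ')"
VRDP_AUTH_PAM_SERVICE=vrdpauth
vrdp_account_tolerates_shadow &&
    echo "option 2: vrdpauth is ready, common-account untouched"
```

To audit a real host, remove the demo lines at the end and call the functions with PAM_DIR left at its default.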

02. December 2008 by Jason

Comments (11)

  1. Second method confirmed in v2.1.0

  2. Hi,

    I chose the 2nd option. When I run :
    rdesktop localhost:3389

    on the Ubuntu host (which is running Win XP in VirtualBox), a window appears and then disappears after a couple of seconds. Any help is appreciated.

    Do I need to start/restart something in the second option? (I started /usr/bin/VirtualBox afresh)

    Thanks
    - Sri

  3. Adding to my earlier email … in VirtualBox settings I did select ‘external’ for authentication.

    So far the only way to get rdesktop to work is by choosing ‘null’ method.

    Any help is appreciated.

  4. Hello, I have chosen the method with custom pam method, but I have got a different problem. I need to run VBoxHeadless machine under account A (on Gentoo Linux), but to use credentials from account B (also present on Gentoo). Hosts are Win XP SP3 and I can connect (rdesktop or MS RDP client) only when supplying account A credentials. I need to supply account B credentials. In log, it says the following:

    00:18:17.224 VRDPAUTH: User: [account2]. Domain: []. Authentication type: [External]
    00:18:19.375 VRDPAUTH: external authentication module returned ‘access denied’
    00:18:19.375 VRDPAUTH: Access denied.

    Jason, could u test this scenario when u have time? Thanks

  5. Oh, sorry, just replace “Hosts are Win XP SP3” by “Guests are Win XP SP3”. In Czech language, English “guest” is said “host” :)

  6. Just to add that it works also under VirtualBox 3.0.12 and Ubuntu Karmic x64.
    Another Tip for option 2: Add VRDP_AUTH_PAM_SERVICE="vrdpauth" to /usr/bin/VBox to make the change permanent and start the virtual boxes through init or upstart scripts

  7. This worked until VBox 4.0 was released. External auth no longer works.

  8. @Hypatia
    It no longer works, because if you’ve upgraded your VirtualBox from an older version, then the preserved old settings will be pointing to the wrong authentication module that doesn’t exist anymore.

    From your VirtualBox Manager, go to File > Preferences > General. There you’ll find the VRDP Authentication Library pointing to something like VRDPAuth.so, which is no longer there in versions 4+. You need to change that to /usr/lib/virtualbox/VBoxAuth.so

    After doing that, if you follow the instructions laid out by Jason in his post above, then you will discover that the external authentication works (again)!
