Sun’s VirtualBox 3.1.x: Getting VRDP (remote desktop) to authenticate properly with Linux PAM

I rebuilt an Ubuntu 9.10 server this past week, ripping off VMware and replacing it with VirtualBox 3.1.2. Setting up VirtualBox as a headless server was very easy with VBoxTool. However, I ran into a problem: I was unable to connect using remote desktop (rdesktop) as any user other than the user that started the virtual machine.

Jan 21 22:43:13 vm-holder unix_chkpwd[16040]: check pass; user unknown
Jan 21 22:43:13 vm-holder unix_chkpwd[16040]: password check failed for user (jason)
Jan 21 22:43:13 vm-holder VBoxHeadless: pam_unix(vrdpauth:auth): authentication failure; logname=virtualbox uid=1001 euid=1001 tty= ruser= rhost=  user=jason

This is currently an undocumented security feature of VirtualBox 3.1.x that prevents just anyone from accessing the virtual machine console. For most people this might be a very good thing, but if you have a team of sysadmins who should all have access to the virtual machine consoles, you probably don’t want them sharing the same login.

If that is the case, you can add the user(s) that should have access to the virtual machine console to the shadow group on the host Linux machine. Be warned, though: users added to the shadow group should not be able to log into the host machine, or else they will be able to read the shadow file, where all the passwords for the box are stored. If the users need access to the host box, they should have one login for host access (not part of the shadow group) and another for virtual machine console access.

Add the Linux user jason_vrdp to the shadow group:

(root) # usermod -G shadow,virtualbox jason_vrdp

Prevent jason_vrdp from logging in to the host or anyone from sudo’ing to it:

(root) # usermod --shell /bin/false jason_vrdp

That’s it 🙂
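
A check for the warning above, as an added example that is not part of the original post: it lists members of the shadow group (through the member list or the primary GID) that still have a login shell. The function names, the set of shells treated as non-login, and the sample accounts other than jason_vrdp are assumptions.

```shell
#!/bin/sh
# Added example: report shadow-group members that can still log in to the host.
# Reads local files only; accounts served by LDAP/NIS are not covered.
# Usage: shadow_login_risk [group_file] [passwd_file]
shadow_login_risk() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}
    awk -F: '
        # Group file: remember the shadow GID and its supplementary members.
        FILENAME == ARGV[1] {
            if ($1 == "shadow") {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") member[m[i]] = 1
            }
            next
        }
        # Passwd file: membership comes from the member list or the primary GID.
        ($1 in member) || (gid != "" && $4 == gid) {
            shell = $7
            if (shell != "/bin/false" && shell != "/usr/sbin/nologin" && shell != "/sbin/nologin")
                print $1 ":" (shell == "" ? "(default shell)" : shell)
        }
    ' "$group_file" "$passwd_file"
}

# Constructed sample data (not from the original post) so the check runs offline.
demo_constructed() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'shadow:x:42:jason_vrdp,alice' \
        'virtualbox:x:1002:jason_vrdp' > "$d/group"
    printf '%s\n' \
        'jason_vrdp:x:1003:1003::/home/jason_vrdp:/bin/false' \
        'alice:x:1004:1004::/home/alice:/bin/bash' \
        'svc:x:1005:42::/home/svc:/usr/sbin/nologin' \
        'bob:x:1006:42::/home/bob:' > "$d/passwd"
    shadow_login_risk "$d/group" "$d/passwd"
    rm -rf "$d"
}
demo_constructed
```

Run `shadow_login_risk` with no arguments as root on the host to check the real /etc/group and /etc/passwd; any line it prints is an account that can read the shadow file and still has a usable shell.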

4 Replies to “Sun’s VirtualBox 3.1.x: Getting VRDP (remote desktop) to authenticate properly with Linux PAM”

  1. Is virtualbox a service that is started by init.d or some such or are you referring to the user that spins up each guest? I’m just wondering why anyone should have to be added to shadow if system or root starts the process. Maybe I’ve just had too many margaritas.

    Chris R

  2. VirtualBox, itself, doesn’t have an rc.init service but VBoxTool has an rc.init script for it. You’re right, if the user that starts the virtual machines is root or equivalent, then they don’t need to be added to the shadow group because it already has access to it (uid 0). 🙂

    So, adding the user to the shadow group only applies if the user is not root and you’re using the normal PAM authentication modules. The nice thing about PAM is that you can have it authenticate against just about anything.


  3. I am also running an Ubuntu server 9.10, trying to get multiple users with user accounts to be able to log in to the same VM. I can successfully log in with the user that started the VM. I tried your solution, but am running into the problem detailed here: , which is that VRDP just passes the login information right to PAM, which verifies the username and password against the uid, which of course fails for any user who is not the user who started the headless session. Any suggestions?
