I rebuilt an Ubuntu 9.10 server this past week, ripping off VMware and replacing it with VirtualBox 3.1.2. Setting up VirtualBox as a headless server was very easy with VBoxTool. However, I ran into a problem that I was unable to connect using remote desktop (rdesktop) as any user but the user that started the virtual machine.
Jan 21 22:43:13 vm-holder unix_chkpwd: check pass; user unknown Jan 21 22:43:13 vm-holder unix_chkpwd: password check failed for user (jason) Jan 21 22:43:13 vm-holder VBoxHeadless: pam_unix(vrdpauth:auth): authentication failure; logname=virtualbox uid=1001 euid=1001 tty= ruser= rhost= user=jason
This is, currently, an undocumented security feature of VirtualBox 3.1x to prevent just anyone from accessing the virtual machine console. For most folk, this might be a very good thing but if you have a team of sysadmins that should have access to the virtual machine consoles, you probably don’t want them to use the same login.
If that is the case, you can add the user(s) that should have access the virtual machine console to the shadow group on the host Linux machine. Be warned though that the user(s) that are added to the shadow group should not be able to log into the host machine else they will be able to read the shadow file where all the passwords to the box are stored. If the users need access to the host box, then they should have a login for host access (not part of the shadow group) and another for virtual machine console access.
Adding linux user jason_vrdp to the shadow group:
(root) # usermod -G shadow,virtualbox jason_vrdp
Prevent jason_vrdp from logging in to the host or anyone from sudo’ing to it:
(root) # usermod --shell /bin/false jason_vrdp
That’s it 🙂