VirtualBox

Opened 8 years ago

Last modified 7 years ago

#15653 reopened defect

VRDP not working after upgrading to 5.1

Reported by: Mik Foxi
Owned by:
Component: RDP
Version: VirtualBox 5.1.0
Keywords: vrdp
Cc: foxibiz@…
Guest type: other
Host type: Linux

Description

Host: Debian 8 (and Ubuntu 16.04). Updated from 5.0.26 to 5.1. Extension Pack updated. Firewall is not set, the ports are opened. Tested on the local (127.0.0.1) and remote connection.

Attachments (1)

log.txt (65.9 KB ) - added by Mik Foxi 8 years ago.


Change History (8)

by Mik Foxi, 8 years ago

Attachment: log.txt added

comment:1 by Frank Mehnert, 8 years ago

Should be fixed in the most recent 5.1 test builds.

comment:2 by Frank Mehnert, 8 years ago

Resolution: fixed
Status: new → closed

Fixed in 5.1.2.

comment:3 by Joshua Megerman, 7 years ago

Resolution: fixed
Status: closed → reopened

This appears to be happening again in 5.1.10 on CentOS7:

From VBox.log:
20:39:26.684024 AUTH: User: [josh]. Domain: []. Authentication type: [External]
20:39:26.684923 AUTH: Loading external authentication library 'VBoxAuth'
20:39:26.685134 AUTH: Using entry point 'AuthEntry'
20:39:29.704339 AUTH: external authentication module returned 'access denied'
20:39:29.704364 AUTH: Access denied.

From /var/log/secure:
Dec 16 10:40:35 sdf-6 unix_chkpwd[4437]: check pass; user unknown
Dec 16 10:40:35 sdf-6 unix_chkpwd[4438]: check pass; user unknown
Dec 16 10:40:35 sdf-6 unix_chkpwd[4438]: password check failed for user (josh)
Dec 16 10:40:35 sdf-6 VBoxHeadless: pam_unix(login:auth): authentication failure; logname= uid=995 euid=995 tty= ruser= rhost= user=josh

Password has been verified to work with SSH, I see no SELinux errors. /etc/default/virtualbox has VRDP_AUTH_PAM_SERVICE=vrdpauth in it to simplify PAM debugging, and the PAM config file is as follows:

auth required pam_unix.so debug audit
account required pam_unix.so debug broken_shadow audit

comment:4 by Joshua Megerman, 7 years ago

Update: strace indicates that the value from VRDP_AUTH_PAM_SERVICE is being ignored, so it might be something from the default login/system-auth settings in /etc/pam.d. Actually, it looks like the value isn't even being set - VBoxAutostart is called as 'su - $usr -c "$*"', meaning any sourced environment is going away. I'll try adding the values to the vbox user's env and see if it helps...

comment:5 by Joshua Megerman, 7 years ago

OK, now this is weird. The strace log for /usr/sbin/unix_chkpwd indicates that it can't read /etc/shadow:

open("/etc/shadow", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)

However, it's setuid root:

-rwsr-xr-x. 1 root root 36280 Nov 5 19:14 /usr/sbin/unix_chkpwd

but it doesn't seem to actually pick up root privs. This looks like it's not necessarily a VBox issue, but any help would be appreciated.

comment:6 by Joshua Megerman, 7 years ago

And that's the issue - if VBoxHeadless isn't running as root, PAM won't let it auth as anyone else with the pam_unix module. Does anyone know of a different PAM module to use?

This is something that should be documented more thoroughly to assist VirtualBox users with configuring their systems.

comment:7 by Joshua Megerman, 7 years ago

I've written a first pass at an extension and helper binary that will allow PAM to auth any user when VBox is running as a non-root user, but I want to refine it a little before I attach it - the current form is posted on the Forum for reference. It appears to be partly distro-specific - Debian uses the shadow group and runs unix_chkpwd setGID shadow (which works), whereas RH doesn't and requires actual root user privs to read /etc/shadow which is what causes this problem.
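
Added example, not part of the ticket or of VirtualBox: a triage script for the /var/log/secure excerpt in comment 3. It pulls out the PAM service that pam_unix actually logged, the caller's euid and the target user, and flags the conditions the thread went on to identify. The expected service name vrdpauth comes from comment 3; the finding labels are names made up for this example.

```python
import re

# Sample input: the /var/log/secure excerpt quoted in comment 3.
SAMPLE = """\
Dec 16 10:40:35 sdf-6 unix_chkpwd[4437]: check pass; user unknown
Dec 16 10:40:35 sdf-6 unix_chkpwd[4438]: check pass; user unknown
Dec 16 10:40:35 sdf-6 unix_chkpwd[4438]: password check failed for user (josh)
Dec 16 10:40:35 sdf-6 VBoxHeadless: pam_unix(login:auth): authentication failure; logname= uid=995 euid=995 tty= ruser= rhost= user=josh
"""

# pam_unix logs the PAM service and phase as "pam_unix(service:phase)".
PAM_FAIL = re.compile(
    r"(?P<proc>[\w.-]+)(?:\[\d+\])?: pam_unix\((?P<service>[^:)]+):(?P<phase>\w+)\): "
    r"authentication failure; (?P<fields>.*)$"
)
HELPER_FAIL = re.compile(
    r"unix_chkpwd\[\d+\]: password check failed for user \((?P<user>[^)]+)\)"
)

def triage(text, expected_service="vrdpauth"):
    """Return one record per pam_unix auth failure, with finding labels.

    The labels are names made up for this example, not PAM terms.
    """
    lines = text.splitlines()
    helper_users = {m["user"] for m in map(HELPER_FAIL.search, lines) if m}
    records = []
    for line in lines:
        m = PAM_FAIL.search(line)
        if not m:
            continue
        kv = dict(re.findall(r"(\w+)=(\S*)", m["fields"]))
        findings = []
        if m["service"] != expected_service:
            findings.append("service_mismatch")   # configured service not in effect
        if kv.get("euid") != "0":
            findings.append("non_root_caller")    # process asking PAM is unprivileged
        if kv.get("user") in helper_users:
            findings.append("helper_failed")      # unix_chkpwd also logged a failure
        records.append({"process": m["proc"], "service": m["service"],
                        "euid": kv.get("euid"), "user": kv.get("user"),
                        "findings": findings})
    return records

if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(rec)
```

On the sample, the record shows service login rather than vrdpauth and euid 995, matching what comments 4 and 6 later concluded.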
