VirtualBox

Ticket #15653 (reopened defect)

Opened 14 months ago

Last modified 9 months ago

VRDP not working after upgrading to 5.1

Reported by: Mik Foxi
Owned by:
Priority: major
Component: RDP
Version: VirtualBox 5.1.0
Keywords: vrdp
Cc: foxibiz@…
Guest type: other
Host type: Linux

Description

Host: Debian 8 (and Ubuntu 16.04). Updated from 5.0.26 to 5.1. Extension Pack updated. Firewall is not set, the ports are opened. Tested on the local (127.0.0.1) and remote connection.

Attachments

log.txt (65.9 KB) - added by Mik Foxi 14 months ago.

Change History

Changed 14 months ago by Mik Foxi

comment:1 Changed 14 months ago by frank

Should be fixed in the most recent 5.1 test builds.

comment:2 Changed 14 months ago by frank

  • Status changed from new to closed
  • Resolution set to fixed

Fixed in 5.1.2.

comment:3 Changed 9 months ago by Joshua Megerman

  • Status changed from closed to reopened
  • Resolution fixed deleted

This appears to be happening again in 5.1.10 on CentOS7:

From VBox.log:
20:39:26.684024 AUTH: User: [josh]. Domain: []. Authentication type: [External]
20:39:26.684923 AUTH: Loading external authentication library 'VBoxAuth'
20:39:26.685134 AUTH: Using entry point 'AuthEntry'
20:39:29.704339 AUTH: external authentication module returned 'access denied'
20:39:29.704364 AUTH: Access denied.

From /var/log/secure:
Dec 16 10:40:35 sdf-6 unix_chkpwd[4437]: check pass; user unknown
Dec 16 10:40:35 sdf-6 unix_chkpwd[4438]: check pass; user unknown
Dec 16 10:40:35 sdf-6 unix_chkpwd[4438]: password check failed for user (josh)
Dec 16 10:40:35 sdf-6 VBoxHeadless: pam_unix(login:auth): authentication failure; logname= uid=995 euid=995 tty= ruser= rhost= user=josh

Password has been verified to work with SSH, I see no SELinux errors. /etc/default/virtualbox has VRDP_AUTH_PAM_SERVICE=vrdpauth in it to simplify PAM debugging, and the PAM config file is as follows:

auth required pam_unix.so debug audit
account required pam_unix.so debug broken_shadow audit

comment:4 Changed 9 months ago by Joshua Megerman

Update: strace indicates that the value from VRDP_AUTH_PAM_SERVICE is being ignored, so it might be something from the default login/system-auth settings in /etc/pam.d. Actually, it looks like the value isn't even being set - VBoxAutostart is called as 'su - $usr -c "$*"', meaning any sourced environment is going away. I'll try adding the values to the vbox user's env and see if it helps...

comment:5 Changed 9 months ago by Joshua Megerman

OK, now this is weird. The strace log for /usr/sbin/unix_chkpwd indicates that it can't read /etc/shadow:

open("/etc/shadow", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)

However, it's setuid root:

-rwsr-xr-x. 1 root root 36280 Nov 5 19:14 /usr/sbin/unix_chkpwd

but it doesn't seem to actually pick up root privs. This looks like it's not necessarily a VBox issue, but any help would be appreciated.

comment:6 Changed 9 months ago by Joshua Megerman

And that's the issue - if VBoxHeadless isn't running as root, PAM won't let it auth as anyone else with the pam_unix module. Does anyone know of a different PAM module to use?

This is something that should be documented more thoroughly to assist VirtualBox users with configuring their systems.

comment:7 Changed 9 months ago by Joshua Megerman

I've written a first pass at an extension and helper binary that will allow PAM to auth any user when VBox is running as a non-root user, but I want to refine it a little before I attach it - the current form is posted on the Forum for reference. It appears to be partly distro-specific - Debian uses the shadow group and runs unix_chkpwd setGID shadow (which works), whereas RH doesn't and requires actual root user privs to read /etc/shadow, which is what causes this problem.
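
Added example (not part of the ticket and not VirtualBox code): a small triage script that reads a pam_unix failure line like the one in comment:3 and reports the two conditions identified in comment:4 and comment:6. The function names and the mapping of uid 995 to an account named "vbox" are assumptions made for the example.

```python
import re

# pam_unix failure record as written to /var/log/secure (format seen in comment:3).
PAM_FAIL = re.compile(
    r"^\w{3}\s+\d+\s[\d:]+\s\S+\s(?P<proc>[^:\[\s]+)(?:\[\d+\])?:\s"
    r"pam_unix\((?P<service>[^:)]+):auth\):\sauthentication failure;\s(?P<kv>.*)$"
)

def parse_failure(line):
    """Return the fields of a pam_unix auth-failure line, or None if it is not one."""
    m = PAM_FAIL.match(line.strip())
    if m is None:
        return None
    rec = {"proc": m["proc"], "service": m["service"]}
    # Trailing fields are key=value pairs; empty ones such as "tty=" become "".
    rec.update(re.findall(r"(\w+)=(\S*)", m["kv"]))
    return rec

def diagnose(line, uid_names, expected_service=None):
    """List which of the two conditions from the ticket a failure line shows."""
    rec = parse_failure(line)
    if rec is None:
        return []
    findings = []
    caller = uid_names.get(int(rec["uid"]), f"uid {rec['uid']}")
    # comment:6: a non-root process asking pam_unix to verify another account.
    if rec["euid"] != "0" and caller != rec["user"]:
        findings.append(f"{rec['proc']} runs as non-root '{caller}' but "
                        f"authenticates '{rec['user']}' through pam_unix")
    # comment:4: the configured PAM service name never reached the process.
    if expected_service and rec["service"] != expected_service:
        findings.append(f"PAM service in use is '{rec['service']}', "
                        f"not '{expected_service}'")
    return findings

# Log line from the ticket; the uid-to-name map is constructed for this example.
SAMPLE = ("Dec 16 10:40:35 sdf-6 VBoxHeadless: pam_unix(login:auth): "
          "authentication failure; logname= uid=995 euid=995 tty= ruser= rhost= user=josh")
UID_NAMES = {0: "root", 995: "vbox"}

if __name__ == "__main__":
    for finding in diagnose(SAMPLE, UID_NAMES, expected_service="vrdpauth"):
        print(finding)
```

On a live host the uid-to-name map can be built from the passwd database instead of being hard-coded.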
