Opened 7 years ago

Last modified 7 years ago

#15653 reopened defect

VRDP not working after upgrading to 5.1

Reported by: Mik Foxi
Owned by:
Component: RDP
Version: VirtualBox 5.1.0
Keywords: vrdp
Cc: foxibiz@…
Guest type: other
Host type: Linux


Host: Debian 8 (and Ubuntu 16.04). Updated from 5.0.26 to 5.1. Extension Pack updated. Firewall is not set, the ports are opened. Tested on the local ( and remote connection.

Attachments (1)

log.txt (65.9 KB ) - added by Mik Foxi 7 years ago.


Change History (8)

by Mik Foxi, 7 years ago

Attachment: log.txt added

comment:1 by Frank Mehnert, 7 years ago

Should be fixed in the most recent 5.1 test builds.

comment:2 by Frank Mehnert, 7 years ago

Resolution: fixed
Status: new → closed

Fixed in 5.1.2.

comment:3 by Joshua Megerman, 7 years ago

Resolution: fixed
Status: closed → reopened

This appears to be happening again in 5.1.10 on CentOS7:

From VBox.log:
20:39:26.684024 AUTH: User: [josh]. Domain: []. Authentication type: [External]
20:39:26.684923 AUTH: Loading external authentication library 'VBoxAuth'
20:39:26.685134 AUTH: Using entry point 'AuthEntry'
20:39:29.704339 AUTH: external authentication module returned 'access denied'
20:39:29.704364 AUTH: Access denied.

From /var/log/secure:
Dec 16 10:40:35 sdf-6 unix_chkpwd[4437]: check pass; user unknown
Dec 16 10:40:35 sdf-6 unix_chkpwd[4438]: check pass; user unknown
Dec 16 10:40:35 sdf-6 unix_chkpwd[4438]: password check failed for user (josh)
Dec 16 10:40:35 sdf-6 VBoxHeadless: pam_unix(login:auth): authentication failure; logname= uid=995 euid=995 tty= ruser= rhost= user=josh

Password has been verified to work with SSH, I see no SELinux errors. /etc/default/virtualbox has VRDP_AUTH_PAM_SERVICE=vrdpauth in it to simplify PAM debugging, and the PAM config file is as follows:

auth required debug audit
account required debug broken_shadow audit

comment:4 by Joshua Megerman, 7 years ago

Update: strace indicates that the value from VRDP_AUTH_PAM_SERVICE is being ignored, so it might be something from the default login/system-auth settings in /etc/pam.d. Actually, it looks like the value isn't even being set - VBoxAutostart is called as 'su - $usr -c "$*"', meaning any sourced environment is going away. I'll try adding the values to the vbox user's env and see if it helps...

comment:5 by Joshua Megerman, 7 years ago

OK, now this is weird. The strace log for /usr/sbin/unix_chkpwd indicates that it can't read /etc/shadow:

open("/etc/shadow", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)

However, it's setuid root:

-rwsr-xr-x. 1 root root 36280 Nov 5 19:14 /usr/sbin/unix_chkpwd

but it doesn't seem to actually pick up root privs. This looks like it's not necessarily a VBox issue, but any help would be appreciated.

comment:6 by Joshua Megerman, 7 years ago

And that's the issue - if VBoxHeadless isn't running as root, PAM won't let it auth as anyone else with the pam_unix module. Does anyone know of a different PAM module to use?

This is something that should be documented more thoroughly to assist VirtualBox users with configuring their systems.

comment:7 by Joshua Megerman, 7 years ago

I've written a first pass at an extension and helper binary that will allow PAM to auth any user when VBox is running as a non-root user, but I want to refine it a little before I attach it - the current form is posted on the Forum for reference. It appears to be partly distro-specific - Debian uses the shadow group and runs unix_chkpwd setGID shadow (which works), whereas RH doesn't and requires actual root user privs to read /etc/shadow, which is what causes this problem.
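
Added example, not part of the ticket and not VirtualBox or PAM code: a small model of the permission check behind the Debian/RH difference described in comments 5 to 7. It assumes that unix_chkpwd, when a non-root caller asks about a different user, drops to the caller's real uid with setuid(getuid()) before opening /etc/shadow; the file modes, uid 1000 and gid 42 are constructed sample values.

```python
import os
import stat
from collections import namedtuple

# mode/uid/gid as os.stat() reports them; from_path() reads a live system.
Node = namedtuple("Node", "mode uid gid")

def from_path(path):
    st = os.stat(path)
    return Node(st.st_mode, st.st_uid, st.st_gid)

def helper_can_read_shadow(caller_uid, caller_gids, target_uid, helper, shadow):
    """Predict whether unix_chkpwd, started by caller_uid to verify
    target_uid's password, ends up able to open /etc/shadow."""
    euid = helper.uid if helper.mode & stat.S_ISUID else caller_uid
    gids = set(caller_gids)
    if helper.mode & stat.S_ISGID:
        gids.add(helper.gid)
    # Assumed helper behaviour: a non-root caller asking about another user
    # makes the helper call setuid(getuid()). Set-GID membership survives that.
    if caller_uid != 0 and target_uid != caller_uid:
        euid = caller_uid
    if euid == 0:
        return True  # root bypasses file mode bits (SELinux is not modelled)
    if euid == shadow.uid:
        return bool(shadow.mode & stat.S_IRUSR)
    if shadow.gid in gids:
        return bool(shadow.mode & stat.S_IRGRP)
    return bool(shadow.mode & stat.S_IROTH)

# Constructed samples. uid 995 is the VBoxHeadless uid from /var/log/secure
# above; uid 1000 for josh and gid 42 for "shadow" are made-up values.
RH_HELPER = Node(0o104755, 0, 0)     # -rwsr-xr-x root root
RH_SHADOW = Node(0o100000, 0, 0)     # ---------- root root
DEB_HELPER = Node(0o102755, 0, 42)   # -rwxr-sr-x root shadow
DEB_SHADOW = Node(0o100640, 0, 42)   # -rw-r----- root shadow

def scenarios():
    rh, deb = (RH_HELPER, RH_SHADOW), (DEB_HELPER, DEB_SHADOW)
    return {
        "rh_vbox_auths_josh": helper_can_read_shadow(995, [995], 1000, *rh),
        "rh_vbox_auths_self": helper_can_read_shadow(995, [995], 995, *rh),
        "rh_root_auths_josh": helper_can_read_shadow(0, [0], 1000, *rh),
        "deb_vbox_auths_josh": helper_can_read_shadow(995, [995], 1000, *deb),
    }

if __name__ == "__main__":
    print(scenarios())
```

On a live host, pass from_path("/usr/sbin/unix_chkpwd") and from_path("/etc/shadow") in place of the sample nodes.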
