Ticket #15653 (reopened defect)

Opened 10 months ago

Last modified 5 months ago

VRDP not working after upgrading to 5.1

Component: RDP
Version: VirtualBox 5.1.0
Host: Debian 8 (and Ubuntu 16.04). Updated from 5.0.26 to 5.1. Extension Pack updated. Firewall is not set, the ports are opened. Tested on the local ( and remote connection.


Changed 10 months ago by Mik Foxi

comment:1 Changed 10 months ago by frank

Should be fixed in the most recent 5.1 test builds.

comment:2 Changed 10 months ago by frank

  • Status changed from new to closed
  • Resolution set to fixed

Fixed in 5.1.2.

comment:3 Changed 5 months ago by Joshua Megerman

  • Status changed from closed to reopened
  • Resolution fixed deleted

This appears to be happening again in 5.1.10 on CentOS7:

From VBox.log:
20:39:26.684024 AUTH: User: [josh]. Domain: []. Authentication type: [External]
20:39:26.684923 AUTH: Loading external authentication library 'VBoxAuth'
20:39:26.685134 AUTH: Using entry point 'AuthEntry'
20:39:29.704339 AUTH: external authentication module returned 'access denied'
20:39:29.704364 AUTH: Access denied.

From /var/log/secure:
Dec 16 10:40:35 sdf-6 unix_chkpwd[4437]: check pass; user unknown
Dec 16 10:40:35 sdf-6 unix_chkpwd[4438]: check pass; user unknown
Dec 16 10:40:35 sdf-6 unix_chkpwd[4438]: password check failed for user (josh)
Dec 16 10:40:35 sdf-6 VBoxHeadless: pam_unix(login:auth): authentication failure; logname= uid=995 euid=995 tty= ruser= rhost= user=josh

Password has been verified to work with SSH, I see no SELinux errors. /etc/default/virtualbox has VRDP_AUTH_PAM_SERVICE=vrdpauth in it to simplify PAM debugging, and the PAM config file is as follows:

auth required debug audit
account required debug broken_shadow audit

comment:4 Changed 5 months ago by Joshua Megerman

Update: strace indicates that the value from VRDP_AUTH_PAM_SERVICE is being ignored, so it might be something from the default login/system-auth settings in /etc/pam.d. Actually, it looks like the value isn't even being set - VBoxAutostart is called as 'su - $usr -c "$*"', meaning any sourced environment is going away. I'll try adding the values to the vbox user's env and see if it helps...

comment:5 Changed 5 months ago by Joshua Megerman

OK, now this is weird. The strace log for /usr/sbin/unix_chkpwd indicates that it can't read /etc/shadow:

open("/etc/shadow", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)

However, it's setuid root:

-rwsr-xr-x. 1 root root 36280 Nov 5 19:14 /usr/sbin/unix_chkpwd

but it doesn't seem to actually pick up root privs. This looks like it's not necessarily a VBox issue, but any help would be appreciated.

comment:6 Changed 5 months ago by Joshua Megerman

And that's the issue - if VBoxHeadless isn't running as root, PAM won't let it auth as anyone else with the pam_unix module. Does anyone know of a different PAM module to use?

This is something that should be documented more thoroughly to assist VirtualBox users with configuring their systems.

comment:7 Changed 5 months ago by Joshua Megerman

I've written a first pass at an extension and helper binary that will allow PAM to auth any user when VBox is running as a non-root user, but I want to refine it a little before I attach it - the current form is posted on the Forum for reference. It appears to be partly distro-specific - Debian uses the shadow group and runs unix_chkpwd setGID shadow (which works), whereas RH doesn't and requires actual root user privs to read /etc/shadow which is what causes this problem.
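
A triage helper for the /var/log/secure record quoted in comment:3, added here as an example (not code from the ticket or from VirtualBox): it flags a pam_unix failure where a non-root caller tried to authenticate a different account (comment:6) and a PAM service name other than the configured one (comment:4). The uid-to-name mapping, the account name "vbox" and the finding labels are assumptions made for the example.

```python
import re

# pam_unix auth-failure record, in the format quoted from /var/log/secure in comment:3.
PAM_FAIL = re.compile(
    r"(?P<proc>[\w.-]+)(?:\[\d+\])?: pam_unix\((?P<service>[^:)]+):auth\): "
    r"authentication failure; (?P<fields>.*)$"
)

def parse_pam_failure(line):
    """Return the record's fields as a dict, or None for any other line."""
    m = PAM_FAIL.search(line)
    if m is None:
        return None
    rec = {"proc": m.group("proc"), "service": m.group("service")}
    # key=value pairs; values may be empty ("tty=", "rhost=").
    rec.update(re.findall(r"(\w+)=(\S*)", m.group("fields")))
    return rec

def diagnose(line, name_of_uid, expected_service=None):
    """Return finding labels (names invented for this example) for one log line.

    name_of_uid maps a numeric uid to an account name; on a live host use
    lambda u: pwd.getpwuid(u).pw_name.
    """
    rec = parse_pam_failure(line)
    if rec is None or not rec.get("uid", "").isdigit():
        return []
    findings = []
    uid = int(rec["uid"])
    # comment:6: a non-root process asking pam_unix to check another account.
    if uid != 0 and name_of_uid(uid) != rec.get("user"):
        findings.append("non-root-cross-user")
    # comment:4: the configured PAM service name was not the one actually used.
    if expected_service and rec["service"] != expected_service:
        findings.append("service-mismatch")
    return findings

if __name__ == "__main__":
    accounts = {995: "vbox", 0: "root"}  # constructed mapping; "vbox" is assumed
    sample = [  # lines as quoted in comment:3
        "Dec 16 10:40:35 sdf-6 unix_chkpwd[4438]: password check failed for user (josh)",
        "Dec 16 10:40:35 sdf-6 VBoxHeadless: pam_unix(login:auth): authentication "
        "failure; logname= uid=995 euid=995 tty= ruser= rhost= user=josh",
    ]
    for entry in sample:
        print(diagnose(entry, accounts.get, "vrdpauth"), "<-", entry[:60])
```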

