RDP authentication

For each virtual machine that is remotely accessible via RDP, you can individually determine if and how client connections are authenticated. For this, use VBoxManage modifyvm command with the –vrdeauthtype option; see the section called “VBoxManage modifyvm” for a general introduction. Three methods of authentication are available:

  • The “null” method means that there is no authentication at all; any client can connect to the VRDP server and thus the virtual machine. This is, of course, very insecure and only to be recommended for private networks.
  • The “external” method provides external authentication through a special authentication library. VirtualBox ships with two such authentication libraries:
    1. The default authentication library, VBoxAuth, authenticates against user credentials of the hosts. Depending on the host platform, this means:
      • On Linux hosts, VBoxAuth.so authenticates users against the host’s PAM system.
      • On Windows hosts, VBoxAuth.dll authenticates users against the host’s WinLogon system.
      • On Mac OS X hosts, VBoxAuth.dylib authenticates users against the host’s directory service.[34]

In other words, the “external” method per default performs authentication with the user accounts that exist on the host system. Any user with valid authentication credentials is accepted, i.e. the username does not have to correspond to the user running the VM.

    1. An additional library called VBoxAuthSimple performs authentication against credentials configured in the “extradata” section of a virtual machine’s XML settings file. This is probably the simplest way to get authentication that does not depend on a running and supported guest (see below). The following steps are required:
  1. Enable VBoxAuthSimplewith the following command:

VBoxManage setproperty vrdeauthlibrary “VBoxAuthSimple”

  1. To enable the library for a particular VM, you must then switch authentication to external:

VBoxManage modifyvm <vm> –vrdeauthtype external

Replace <vm> with the VM name or UUID.

  1. You will then need to configure users and passwords by writing items into the machine’s extradata. Since the XML machine settings file, into whose “extradata” section the password needs to be written, is a plain text file, VirtualBox uses hashes to encrypt passwords. The following command must be used:

VBoxManage setextradata <vm> “VBoxAuthSimple/users/<user>” <hash>

Replace <vm> with the VM name or UUID, <user> with the user name who should be allowed to log in and <hash> with the encrypted password. As an example, to obtain the hash value for the password “secret”, you can use the following command:

VBoxManage internalcommands passwordhash “secret”

This will print

2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b

You can then use VBoxManage setextradata to store this value in the machine’s “extradata” section.

As example, combined together, to set the password for the user “john” and the machine “My VM” to “secret”, use this command:

VBoxManage setextradata “My VM” “VBoxAuthSimple/users/john”

2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b

 

Leave a Reply

Your email address will not be published. Required fields are marked *