VRDP and PAM authentication

Aero9000
Posts: 13
Joined: 19. Feb 2008, 15:49

Post by Aero9000 »

Hi there,

Perhaps someone can help me out here.

I run VirtualBox on Ubuntu 7.10 headless server and I use rdesktop to connect to VMs. As long as I just start the VMs and connect to them, there are no problems. But it also means that anyone who knows the IP-address and the ports on my server can connect to my VMs. So, in accordance with the manual I issued the "VBoxManage modifyvm" command with the "-vrdpauthtype external" option. But no matter what I tried, I just can't seem to log on to the VM.

So for now I have to resort to VPN tunneling which doesn't help GUI performance, to say the least...

Are there any additional steps I need to take in order to get this working? My configuration files in /etc/pam.d are just plain vanilla as Ubuntu installed them.

A detailed walk-through would be greatly appreciated! :)
Sasquatch
Volunteer
Posts: 17798
Joined: 17. Mar 2008, 13:41
Primary OS: Debian other
VBox Version: PUEL
Guest OSses: Windows XP, Windows 7, Linux
Location: /dev/random

Post by Sasquatch »

If they are using a bridged network, then why not enable RDP in the Guest itself and connect to there, disabling the VRDP of VB? Assuming you have Windows systems as guests. If they are Linux systems, then indeed, you need the built-in VRDP. Doesn't the manual or howto say something about it (I haven't read the whole manual, but it appears some info is missing about this part)?
valombre
Posts: 1
Joined: 22. Mar 2008, 16:13

Post by valombre »

I have exactly the same problem; the only difference is that I'm using NAT.
The question is how to solve the PAM or authentication issue on Ubuntu 7.10.
With VRDP authentication null it works, with external it does not... log =>

00:30:56.278 VRDP: New connection: 
00:30:56.439 VRDP: Channel: [cliprdr] [1004]. Accepted.
00:30:57.037 VRDP: Client seems to be rdesktop.
00:30:57.037 VRDP: Logon: kelimvir (192.168.10.151) build 2600. User: [sysadmin] Domain: [] Screen: 0
00:30:57.037 VRDPAUTH: User: [sysadmin]. Domain: []. Authentication type: [external]
00:30:57.037 VRDPAUTH: external authentication module returned 'access denied'
00:30:57.037 VRDPAUTH: Access denied.
00:30:57.037 VRDP: Connection closed: 
00:30:57.038 VRDP: Logoff: kelimvir (192.168.10.151) build 2600. User: [sysadmin] Domain: [] Reason 0x0001.
I'm using a user account sysadmin from the hosted Ubuntu 7.10 with its associated password.
From my station kelimvir (you see the IP address) from a local network to a hosted server on the Internet.

I know I can use other methods to secure the connection but I would like to use the native secure method from VB.
Is that a bug or just some parameters to add to pam.d or pam.conf?
Yes, I Read The F.. Manual :wink:
Giupersu
Posts: 5
Joined: 24. Mar 2008, 14:32

Post by Giupersu »

Same problem here. I'm very interested in the solution. I found the following info

http://thread.gmane.org/gmane.comp.emul ... neral/2053

But I don't know what I should do.
Aero9000
Posts: 13
Joined: 19. Feb 2008, 15:49

Post by Aero9000 »

From the VBox buglist (http://www.virtualbox.org/ticket/932):
the username/password which you use with auth external must be valid on the VRDP server system. The VRDPAuth module uses PAM to authenticate the user, 'login' PAM service name is used. The 'access denied' error is most likely a PAM misconfiguration. The VRDPAuth module can produce a debug output. To enable it do: export VRDP_AUTH_DEBUG_FILENAME=/full/path/to/logfile and run the VM with the env var. Then try to connect with the RDP client and take a look in the logfile.
First attempt:
u[vboxadmin], d[], p[11]
vrdpauth_pam_init: dlopen libpam.so failed
vrdpauth_pam_init failed 4

A quick search on my system told me "libpam.so" doesn't exist. I do however have a "libpam.so.0" and a "libpamc.so.0.81.6". So, in /lib, sudo ln -s libpam.so.0 libpam.so

Next attempt:
u[vboxadmin], d[], p[11]
init ok
Using PAM service: login
start ok
conv: num 1 u[vboxadmin] p[11]
conv: 0 returning password [11]
auth ok
pam_acct_mgmt failed 9. Authentication service cannot retrieve authentication info
vrdpauth_pam_close completed

Next attempt (using an unprivileged account):
u[vboxuser], d[], p[3]
init ok
Using PAM service: login
start ok
conv: num 1 u[vboxuser] p[3]
conv: 0 returning password [3]
pam_authenticate failed 7. Authentication failure
vrdpauth_pam_close completed

I am pretty certain I can type a 3-character password without typos. :)

Now I am at a loss. :?:
Giupersu
Posts: 5
Joined: 24. Mar 2008, 14:32

Post by Giupersu »

Thank you!

With

ln -sf /lib/libpam.so.0 /lib/libpam.so
works fine now.


Edit: if I use

rdesktop -u root -p - 192.168.1.3:3389

then server exits with a "segmentation fault" :shock:

No problem with rdesktop -u root -p PASSWORD 192.168.3:3389 :roll:
Aero9000
Posts: 13
Joined: 19. Feb 2008, 15:49

Post by Aero9000 »

Hi Giupersu,
Giupersu wrote: Edit: if I use

rdesktop -u root -p - 192.168.1.3:3389

then server exits with a "segmentation fault" :shock:

No problem with rdesktop -u root -p PASSWORD 192.168.3:3389 :roll:
Good that it worked for you! Can you now try with a "regular" user account? On an Ubuntu system "root" login is not possible and I am starting to believe the problems many of us appear to be having are somehow related to regular user accounts not having enough permissions.

Also, which server are you running?
Giupersu
Posts: 5
Joined: 24. Mar 2008, 14:32

Post by Giupersu »

Aero9000 wrote: Good that it worked for you! Can you now try with a "regular" user account? On a Ubuntu system "root" login is not possible and I am starting to believe the problems many of us appear to be having are somehow related to regular user accounts not having enough permissions.

Also, which server are you running?
I'm running Ubuntu 7.10 server edition with 1GB, Turion X2 1.60GHz, FreeBSD Guest OS. Again I get a "segmentation fault" using my account "giulio".
rdesktop -u giulio -p qwerty 192.168.1.3:3389 wrote: u[giulio], d[], p[6]
init ok
Using PAM service: login
start ok
conv: num 1 u[giulio] p[6]
auth ok
Could be virtual box needs more memory, about 2GB?
Edit
I'm not the only one having this "segmentation fault" problem: http://kerneltrap.org/mailarchive/openb ... /27/145142
Peter wrote: I get
either a segmentation fault if started using a non-priv user...
Giupersu
Posts: 5
Joined: 24. Mar 2008, 14:32

Post by Giupersu »

Now My Tests with

/etc/group

vboxusers:x:1001:giulio

chown -R root:vboxusers /srv/vbox
(where I installed my virtual machines)

and

root@mango:~# VBoxVRDP -startvm giupersu@myemail
are:

1) rdesktop -u root -p qwerty 192.168.1.3:3389
success

2) rdesktop -u root -p - 192.168.1.3:3389
success

3) rdesktop -u root -p A_WRONG_PASS 192.168.1.3:3389
Client: connection reset by peer
Server: segmentation fault :o

4) rdesktop -u giulio -p qwerty 192.168.1.3:3389
success

5) rdesktop -u giulio -p A_WRONG_PASS 192.168.1.3:3389
Client: connection reset by peer
Server: segmentation fault :o
Aero9000
Posts: 13
Joined: 19. Feb 2008, 15:49

Post by Aero9000 »

Giupersu,


Do you remember if you made any changes to any libraries (rights-wise)?

I, too, run Ubuntu server 7.10 (32-bit), but on my system "root" is disabled. I enabled "root" and ran the chown command as you wrote, but I still just cannot seem to log in.

Now my logfile reads,
u[root], d[], p[6]
init ok
Using PAM service: login
start ok
pam_authenticate failed 3. Error in service module
vrdpauth_pam_close completed
Then, in the Logs directory of the VM I find this:
00:00:05.953 VRDP: New connection:
00:00:05.995 VRDP: Channel: [cliprdr] [1004]. Accepted.
00:00:06.002 VRDP: Client seems to be rdesktop.
00:00:06.002 VRDP: Logon: pardus (192.168.12.101) build 2600. User: [root] Domain: [] Screen: 0
00:00:06.020 VRDPAUTH: User: [root]. Domain: []. Authentication type: [external]
00:00:06.021 VRDPAUTH: ConsoleVRDPServer::Authenticate: loading external authentication library 'VRDPAuth.so'
00:00:06.022 VRDPAUTH: Could not resolve import 'VRDPAuth2'. Error code: VERR_SYMBOL_NOT_FOUND
00:00:06.022 VRDPAUTH: Using entry point 'VRDPAuth'.
00:00:06.048 VRDPAUTH: external authentication module returned 'access denied'
00:00:06.048 VRDPAUTH: Access denied.
00:00:06.048 VRDP: Connection closed:
00:00:06.048 VRDP: Logoff: pardus (192.168.12.101) build 2600. User: [root] Domain: [] Reason 0x0001.
This is so frustrating! :x
Giupersu
Posts: 5
Joined: 24. Mar 2008, 14:32

Post by Giupersu »

I don't know PAM; nevertheless I added a comment to the following entries:

File: /etc/pam.d/login

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
#auth       requisite  pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
#auth       requisite  pam_nologin.so
Could be my fault, I'd like to know how to do a secure login service for the VRDP protocol :roll:
Any input would be very appreciated
Aero9000
Posts: 13
Joined: 19. Feb 2008, 15:49

Post by Aero9000 »

Giupersu wrote: Could be my fault, I'd like to know how to do a secure login service for the VRDP protocol :roll:
Any input would be very appreciated
The Vbox manual states that the VRDP implementation supports RDP4, 5.1 and 5.2, but also warns that 4 and 5.1 are considered insecure nowadays. Therefore only 5.2 should be used. However, it is the client (NOT the server) that sets the encryption protocol. Rdesktop defaults to 5.2, so you should be alright here.

My concern (which is why I started this thread) is that once a VM is running and logged on to, anyone who knows the IP-address and the port number of the server can connect to the VM without a credentials check. And let's face it, users don't lock their desktop.

So this is why I now have to resort to VPN. My users must set up a VPN-tunnel and can only then connect to the VM.

Changing /etc/pam.d/login didn't do the trick for me, unfortunately :cry:

One last thing. Did you do a fresh install of Ubuntu server 7.10 or did you upgrade from a previous version?
ZenGuy
Posts: 11
Joined: 27. Mar 2008, 05:36

Post by ZenGuy »

Aero9000, I feel your pain on this issue. I'm running a Feisty server and I'm seeing the exact same problem. (I should preface this by stating that I'm trying to come up to speed on PAM as I write this.)

I've done some poking around, but have not come up with any solutions. I even tried stripping down the PAM login config file to basically nothing, but the authentication still fails. It's not clear to me if any other PAM config files are being processed, or if VBox has a dependency on how PAM is configured.

One of the comments on the forum stated that this error was probably a result of a poorly configured PAM installation. It's possible, but unlikely, that the shipping version of the Ubuntu PAM config files should be broken. Possibly there is a switch that needs to be turned on in order to get PAM operational on an Ubuntu server?

Giupersu - Did you make any changes to any other PAM configuration files?
hankedr
Posts: 7
Joined: 29. Mar 2008, 20:04

Post by hankedr »

Aero9000 wrote: From the VBox buglist (http://www.virtualbox.org/ticket/932):
the username/password which you use with auth external must be valid on the VRDP server system. The VRDPAuth module uses PAM to authenticate the user, 'login' PAM service name is used. The 'access denied' error is most likely a PAM misconfiguration. The VRDPAuth module can produce a debug output. To enable it do: export VRDP_AUTH_DEBUG_FILENAME=/full/path/to/logfile and run the VM with the env var. Then try to connect with the RDP client and take a look in the logfile.
First attempt:
u[vboxadmin], d[], p[11]
vrdpauth_pam_init: dlopen libpam.so failed
vrdpauth_pam_init failed 4

A quick search on my system told me "libpam.so" doesn't exist. I do however have a "libpam.so.0" and a "libpamc.so.0.81.6". So, in /lib, sudo ln -s libpam.so.0 libpam.so

Next attempt:
u[vboxadmin], d[], p[11]
init ok
Using PAM service: login
start ok
conv: num 1 u[vboxadmin] p[11]
conv: 0 returning password [11]
auth ok
pam_acct_mgmt failed 9. Authentication service cannot retrieve authentication info
vrdpauth_pam_close completed

Next attempt (using an unprivileged account):
u[vboxuser], d[], p[3]
init ok
Using PAM service: login
start ok
conv: num 1 u[vboxuser] p[3]
conv: 0 returning password [3]
pam_authenticate failed 7. Authentication failure
vrdpauth_pam_close completed

I am pretty certain I can type a 3-character password without typos. :)

Now I am at a loss. :?:
In addition to the libpam link you note, the log mechanism shows that pam_acct_mgmt() fails and this is because it wants to read the shadow info. I don't know the proper solution, although I verified that granting read access to shadow will give success (on Debian lenny). In production, we will authenticate via NIS+.
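An added example (not posted by anyone in this thread and not VirtualBox code): a small parser for the VRDP_AUTH_DEBUG_FILENAME log format quoted above, which splits the file into login attempts and records the stage that failed, the PAM error code, and whether the module logged its close line. The sample text is constructed from the excerpts in the posts (abridged); the function and field names are hypothetical.

```python
import re

# Constructed sample: debug-log excerpts quoted in the thread, abridged and joined.
SAMPLE_LOG = """\
u[vboxadmin], d[], p[11]
vrdpauth_pam_init: dlopen libpam.so failed
vrdpauth_pam_init failed 4
u[vboxadmin], d[], p[11]
init ok
start ok
auth ok
pam_acct_mgmt failed 9. Authentication service cannot retrieve authentication info
vrdpauth_pam_close completed
u[vboxuser], d[], p[3]
init ok
start ok
conv: num 1 u[vboxuser] p[3]
pam_authenticate failed 7. Authentication failure
vrdpauth_pam_close completed
u[giulio], d[], p[6]
init ok
auth ok
"""

ATTEMPT = re.compile(r"^u\[(.*?)\], d\[.*?\], p\[\d+\]$")
PAM_FAIL = re.compile(r"^(pam_\w+) failed (\d+)\. .+$")
DLOPEN_FAIL = re.compile(r"^vrdpauth_pam_init: dlopen (\S+) failed$")

def triage(log_text):
    """Split the log into attempts; record the failing stage and PAM code."""
    attempts = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        start = ATTEMPT.match(line)
        if start:
            attempts.append({"user": start.group(1), "stage": None,
                             "code": None, "closed": False})
        elif attempts:
            cur = attempts[-1]
            if m := DLOPEN_FAIL.match(line):
                cur["stage"] = "dlopen " + m.group(1)
            elif m := PAM_FAIL.match(line):
                cur["stage"], cur["code"] = m.group(1), int(m.group(2))
            elif line == "vrdpauth_pam_close completed":
                cur["closed"] = True
    return attempts

if __name__ == "__main__":
    for attempt in triage(SAMPLE_LOG):
        print(attempt)
```

The p[N] field in this log is the length of the submitted password, so the debug file is best kept readable only by the account that runs the VM and removed once the problem is found.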
ZenGuy
Posts: 11
Joined: 27. Mar 2008, 05:36

Post by ZenGuy »

I can confirm that giving read access to the /etc/shadow file will fix this problem on Ubuntu server!

It appears to be doing a proper PAM authentication now.

Thanks for the info.

Do any security conscious folks want to comment on the trade-off between allowing global read access to "shadow" versus having an open RDP port without authentication? Which is less secure?
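On the trade-off raised in the last post, an added example (not from the thread or from VirtualBox): a check of which permission class actually gives the account that runs the VM read access to the shadow file, so that read access through the "other" bits (every local account can read every password hash) can be told apart from access through group ownership. It assumes classic Unix mode bits only (no ACLs); the root:shadow 0640 layout and the uid/gid numbers used to exercise it are assumptions about a Debian/Ubuntu host, and the function names are hypothetical.

```python
import os
import stat

def read_class(st_uid, st_gid, st_mode, uid, gids):
    """Return which permission class lets uid read the file, or None.

    Mirrors the classic Unix check: exactly one class is consulted
    (owner, then group, then other). ACLs and capabilities are ignored.
    """
    if uid == 0:
        return "root"
    if uid == st_uid:
        return "owner" if st_mode & stat.S_IRUSR else None
    if st_gid in gids:
        return "group" if st_mode & stat.S_IRGRP else None
    return "other" if st_mode & stat.S_IROTH else None

def audit_shadow(path, uid, gids):
    """Describe how the account (uid, gids) reaches the shadow file at path."""
    st = os.stat(path)
    return {
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "reader_class": read_class(st.st_uid, st.st_gid, st.st_mode, uid, gids),
        # Any "other" read bit exposes the password hashes to all local accounts.
        "world_readable": bool(st.st_mode & stat.S_IROTH),
    }

if __name__ == "__main__":
    # Assumes the script is run as the account that starts the VM.
    me, my_groups = os.getuid(), set(os.getgroups()) | {os.getgid()}
    print(audit_shadow("/etc/shadow", me, my_groups))
```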