VBoxManage unattended install --password=password Is Encrypted Password supported?

Gene77072
Posts: 10
Joined: 21. Aug 2015, 17:23

VBoxManage unattended install --password=password Is Encrypted Password supported?

Post by Gene77072 »

I cannot find any discussion or documentation on whether encrypted passwords are accepted for password specifications that can be commonly used in scripting for VBoxManage commands.

Specifically, I would like to script
VBoxManage unattended install --password=password
but would prefer not to have the password in clear text.

I would appreciate an answer to this particular use case; however, this issue spans any place in VirtualBox where passwords can be specified.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: VBoxManage unattended install --password=password Is Encrypted Password supported?

Post by scottgus1 »

All I've ever seen is that cleartext is the only option.

One can search the PDF of the Virtualbox manual, using the PDF viewer's search function. Use this link to get a particular Virtualbox version's manual:

https://download.virtualbox.org/virtualbox/Z.Y.X/UserManual.pdf

where Z.Y.X is the version number you want. So for 7.0.6:

https://download.virtualbox.org/virtualbox/7.0.6/UserManual.pdf

From such a search I get this, under section 9.21 in 7.0.6's PDF manual, "VBoxManage unattended install":
--password-file=<file>
Alternative to --password for providing the password. Special filename stdin can be used to read the password from standard input.
You can pass the password as cleartext, or tell the script to pause and wait for keyboard input through stdin.

No indication of accepting encrypted passwords is discussed that I could find. Stdin and typing the password manually is the most hidden method I see possible.
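
The --password-file=stdin option quoted above, as an added example that is not part of any post in this thread: prompt once, then feed the same password to several unattended installs on standard input, so it is neither stored in the script nor visible in a process argument list. The VM names, ISO paths, the "tester" login and the VBOXMANAGE variable are assumptions; as noted later in the thread, VirtualBox still passes the value through to the guest installer's template.

```sh
#!/bin/sh
# Added example, not from the thread. VM names, ISO paths and the "tester"
# login are placeholders; VBOXMANAGE can point at another binary.
VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"

# Ask once on the terminal with echo off; the value is never written to disk.
prompt_password() {
    trap 'stty echo < /dev/tty; exit 130' INT TERM
    printf 'Guest password: ' > /dev/tty
    stty -echo < /dev/tty
    IFS= read -r pw < /dev/tty
    stty echo < /dev/tty
    printf '\n' > /dev/tty
    printf '%s' "$pw"
}

# Start one unattended install with the password on stdin.
# $1 VM name, $2 installer ISO, $3 guest login, $4 password.
# printf is a builtin in bash and dash, so the value is in no argument list.
unattended_install() {
    printf '%s' "$4" | "$VBOXMANAGE" unattended install "$1" \
        --iso="$2" --user="$3" --password-file=stdin
}

# Run every "vm|iso" line of the list in $3 with login $1 and password $2.
# Returns the number of VMs whose install command failed.
install_all() {
    failed=0
    while IFS='|' read -r vm iso; do
        [ -n "$vm" ] || continue
        unattended_install "$vm" "$iso" "$1" "$2" || failed=$((failed + 1))
    done <<EOF
$3
EOF
    return "$failed"
}

# "sh script.sh run": prompt once, then install the whole list.
if [ "${1:-}" = "run" ]; then
    pw=$(prompt_password)
    install_all "tester" "$pw" "ubuntu-daily-1|/isos/ubuntu-daily-1.iso
ubuntu-daily-2|/isos/ubuntu-daily-2.iso"
    status=$?
    unset pw
    exit "$status"
fi
```
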
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: VBoxManage unattended install --password=password Is Encrypted Password supported?

Post by mpack »

I'm not sure what an encrypted password would do for you anyway, since if decrypting it is something VirtualBox can do with no other info then the hacker need only copy and paste the encrypted password into his own script.
Gene77072

Re: VBoxManage unattended install --password=password Is Encrypted Password supported?

Post by Gene77072 »

mpack wrote:I'm not sure what an encrypted password would do for you anyway, since if decrypting it is something VirtualBox can do with no other info then the hacker need only copy and paste the encrypted password into his own script.
Everyone responding, Thanks for your input!

Since 2020, the Ubuntu community has implemented support for accepting encrypted passwords in its Live-Server and other distributions' Automated Installation process for setting machine admins' passwords.

So long as the script author did not keep
"clear text password" = "encrypted password" within the scripting, any usage of the encrypted password by hackers only means they are setting passwords to a site specified value that is unknown short of being able to hack the encrypted string.

I refer anyone reading this post to a Ubuntu GNOME posting concerning their implementation.
https://www.golinuxcloud.com/customize- ... onfig_file

I regularly test the daily drops of the Ubuntu Distributions actively in development. Currently there are 8.
I would either have to manually enter a machine password 8 times or some variation less if I used a prompt once then pass the value using a script variable. I would still be required to enter the password for every instance of manually running the scripting which is tedious.
scottgus1

Re: VBoxManage unattended install --password=password Is Encrypted Password supported?

Post by scottgus1 »

To the best of our knowledge, passing an encrypted password through Virtualbox's unattended install process has not been programmed yet. Enhancement requests can be posted in the Bugtracker.
fth0
Volunteer
Posts: 5668
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: VBoxManage unattended install --password=password Is Encrypted Password supported?

Post by fth0 »

Gene77072 wrote:Specifically, i would like to script
VBoxManage unattended install --password=password
but would prefer not to have the password in clear text.
I haven't played with VirtualBox's unattended installation yet, but I think you can do what you want:

Take a look at the unattended installation script template for your guest OS (e.g. /usr/share/virtualbox/UnattendedTemplates/ubuntu_preseed.cfg), and you'll see that VirtualBox just uses the Linux-distribution-specific mechanisms for unattended installations, with the given password simply passed through. Modify the template to your liking, so that it uses an encrypted password.

I'm interested in reading what you'll find out. ;)
Gene77072

Re: VBoxManage unattended install --password=password Is Encrypted Password supported?

Post by Gene77072 »

fth0 wrote:
Gene77072 wrote:Specifically, i would like to script
VBoxManage unattended install --password=password
but would prefer not to have the password in clear text.
I haven't played with VirtualBox's unattended installation yet, but I think you can do what you want:

Take a look at the unattended installation script template for your guest OS (e.g. /usr/share/virtualbox/UnattendedTemplates/ubuntu_preseed.cfg), and you'll see that VirtualBox just uses the Linux-distribution-specific mechanisms for unattended installations, with the given password simply passed through. Modify the template to your liking, so that it uses an encrypted password.

I'm interested in reading what you'll find out. ;)
Thank you for pointing this out; however, I'm afraid this mechanism is now obsolete. In an earlier post I mentioned that since 2020, Ubuntu delivered a new Automated installation process with Live-Server. Actually this came out in 2018.04. Live-Server switched to Subiquity as the installation engine. Ubuntu referred to past versions of their server distribution as Legacy Server, which was based on Debian Installer. The seed file you referenced corresponds with that older technology. Ubuntu stopped development on Legacy Server.

I have entered an enhancement request through Bug Tracker to add support for encrypted passwords. I know this can be done with the Ubuntu-based Guests.
fth0

Re: VBoxManage unattended install --password=password Is Encrypted Password supported?

Post by fth0 »

I'm not sure if I really understand your initial request, because either me or you (or the both of us ;)) are missing vital information. Let's try and sort it out:

1. Ubuntu 22.04 LTS (Desktop) uses the DebianInstaller-based Ubiquity installer for automated installations. VirtualBox's unattended installation supports this via VBoxManage (6.1 + 7.0) and via the VirtualBox Manager (7.0).

2. Ubuntu Server 22.04 LTS uses the newer Subiquity installer for automated installations. I don't know (but could be wrong) if VirtualBox supports this at all.

3. Despite their similar names, Ubiquity and Subiquity do not have much in common, so I cannot really estimate the effort necessary to support Subiquity in VirtualBox. I'm not even sure if such support is necessary at all, because nowadays system admins use dedicated automation tools (e.g. Ansible, Chef, Puppet) for automated installations of VirtualBox VMs. But since I'm not a VirtualBox developer, that's not for me to decide anyway. ;)

Do you know if VirtualBox's unattended installation supports Subiquity at all?
Gene77072

Re: VBoxManage unattended install --password=password Is Encrypted Password supported?

Post by Gene77072 »

fth0 wrote:I'm not sure if I really understand your initial request, because either me or you (or the both of us ;)) are missing vital information. Let's try and sort it out:

1. Ubuntu 22.04 LTS (Desktop) uses the DebianInstaller-based Ubiquity installer for automated installations. VirtualBox's unattended installation supports this via VBoxManage (6.1 + 7.0) and via the VirtualBox Manager (7.0).

2. Ubuntu Server 22.04 LTS uses the newer Subiquity installer for automated installations. I don't know (but could be wrong) if VirtualBox supports this at all.

3. Despite their similar names, Ubiquity and Subiquity do not have much in common, so I cannot really estimate the effort necessary to support Subiquity in VirtualBox. I'm not even sure if such support is necessary at all, because nowadays system admins use dedicated automation tools (e.g. Ansible, Chef, Puppet) for automated installations of VirtualBox VMs. But since I'm not a VirtualBox developer, that's not for me to decide anyway. ;)

Do you know if VirtualBox's unattended installation supports Subiquity at all?
Responses to above issues raised:
I am an amateur user of these products and do not have a development background with any of these distributions.
Having said that these are my best understanding to the issues you raised.
1. The Live-Server/Subiquity Installer deployment in 2018 and the corresponding stabilization and retirement of any new versions of Legacy Server/Ubiquity Installer marks a direction that Canonical abandoned Debian Installer, at least with respect to Server products. I would tend to think this direction may be adopted by the distributions also, but only the distribution owners know for sure.
2. I tried installing the current Live Server 23.04 selecting the Unattended Install options. Although Virtualbox identifies that the ISO is eligible for Unattended installation and prompts for all of the required input, the user is left at the initial landing page for Live Server installation and must manually respond to the rest of the installation dialog. In summary, the answer was No.
3. I delved into trying Vagrant based off of a referral from a software developer friend's recommendation. The creation of these advanced automation tools in part has to cover for capabilities that infrastructure like Virtualbox and VMWare lack.

Getting back to my original request and observation, I identified in VirtualBox a scenario where a command can be issued to set a machine Administrator's UserId and Password in preparation for an unattended install of a supported OS.
The password currently is accepted in clear text and if stored in a script or external input file is vulnerable to hacking.
My suggestion is that Virtualbox should address the issue directly by devising some mechanism for the Virtualbox user to create an encrypted input string for the password component that can be identified and converted to the clear text string originally input by the string creator. As a side comment, this technique should also be applied to the userid as well to protect both potentially sensitive pieces of information.
I would hope that the encrypted string withstands rigorous attempts at decryption external techniques.
In summary, this issue is a Virtualbox issue that needs to be addressed by Virtualbox and should not rely on any underlying Guest OS Install infrastructure.
The Virtualbox GUI Screen addresses accepting the password in a masked-dotted field with the option to show the value for inputer verification.
My request addresses that security concern for the batch environment.

Thanks for your attention on this issue.
scottgus1

Re: VBoxManage unattended install --password=password Is Encrypted Password supported?

Post by scottgus1 »

I'm no encryption guru, but I think that in order to convert an encoded password to a cleartext password, an encryption scheme needs to be put in place, something that makes the installer be able to decrypt the hash/code/whatever to the cleartext password.

For example, Virtualbox encrypts disk files (and now whole VMs) via a pre-selected password and a DEK encryption key generated somehow. The DEK is stored in the .vbox file, and the password is stored in the user's head. To start the VM, the user provides the password which is processed against the DEK to provide the encryption key to on-the-fly work with the encrypted disk file.

Another encryption method is password hashing, where "p@s$w0rd" becomes "9df733661f50f5dcf8ae7125997f91768cb02d66" or some such. You enter "9df733661f50f5dcf8ae7125997f91768cb02d66", but how does that get back to "p@s$w0rd"? Hashing isn't reversible, I think, and the hash could go back to other passwords too.

So you're back to the shared and compared key and password method to enter an encrypted password string and have the installer decrypt the string to the desired clear-text password. Which means you still need to store a password in your head to authenticate the decryption of the string for the unattended install.

There may be other methods, but I'm not certain what those methods are. If you could show an encryption method to the devs, this may go further.
fth0

Re: VBoxManage unattended install --password=password Is Encrypted Password supported?

Post by fth0 »

Thanks for your detailed explanation! :)
Gene77072 wrote:I delved into trying Vagrant based off of a referral from software developer friend's recommendation. The creation of these advanced automation tools in part has to cover for capabilities that infrastructure like Virtualbox and VMWare lacks.
To give you an alternative POV, I like to use different tools for different tasks. For example, I use a TV and a separate SAT receiver, because each of those devices is good at its core task and not so good at the task of the other. For the same reason, I'd use VirtualBox as a hypervisor and Ansible as an automation tool.
fth0

Re: VBoxManage unattended install --password=password Is Encrypted Password supported?

Post by fth0 »

scottgus1 wrote:Another encryption method is password hashing, where "p@s$w0rd" becomes "9df733661f50f5dcf8ae7125997f91768cb02d66" or some such. You enter "9df733661f50f5dcf8ae7125997f91768cb02d66", but how does that get back to "p@s$w0rd"? Hashing isn't reversible, I think, and the hash could go back to other passwords too.

So you're back to the shared and compared key and password method to enter an encrypted password string and have the installer decrypt the string to the desired clear-text password. Which means you still need to store a password in your head to authenticate the decryption of the string for the unattended install.
You don't need to reverse the hashing, because you don't need the clear-text password during the installation: You can calculate the password hash on the host in advance, and during the installation, VirtualBox (or Ansible) simply could add the password hash to the /etc/passwd and/or the /etc/shadow file in the guest.
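
The precomputed-hash approach described in the post above, as an added example that is not part of any post or of VirtualBox: hash the password on the host, check a candidate by re-hashing it with the stored salt instead of reversing anything, and emit only the hash in an Ubuntu autoinstall identity block. Host and user names are placeholders, the autoinstall layout is Subiquity's format rather than something VBoxManage consumes, and an openssl whose passwd command supports -6 is assumed.

```sh
#!/bin/sh
# Added example, not from the thread. Host and user names are placeholders.

# True when $1 is a single-line SHA-512 crypt string: $6$<salt>$<86 chars>.
is_sha512_crypt() {
    [ "$(printf '%s\n' "$1" | wc -l)" -eq 1 ] || return 1
    printf '%s\n' "$1" |
        grep -Eq '^\$6\$[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$'
}

# Hash the password read from stdin; optional $1 is a salt to reuse.
# Assumes an openssl build whose "passwd" command supports -6.
hash_password() {
    if [ -n "${1:-}" ]; then
        openssl passwd -6 -salt "$1" -stdin
    else
        openssl passwd -6 -stdin
    fi
}

# What a login check does: re-hash the candidate (stdin) with the stored salt
# and compare. The stored hash is never turned back into the password.
verify_password() {
    is_sha512_crypt "$1" || return 2
    salt=$(printf '%s' "$1" | cut -d'$' -f3)
    [ "$(hash_password "$salt")" = "$1" ]
}

# Emit autoinstall user-data carrying only the hash; refuse anything else,
# so a cleartext password cannot end up in the file by mistake.
# $1 hostname, $2 username, $3 crypt hash.
render_user_data() {
    is_sha512_crypt "$3" || { echo "refusing: not a \$6\$ hash" >&2; return 1; }
    cat <<EOF
#cloud-config
autoinstall:
  version: 1
  identity:
    hostname: $1
    username: $2
    password: '$3'
EOF
}

# "sh script.sh run": read a password without echo, print the user-data.
if [ "${1:-}" = "run" ]; then
    printf 'Password to hash: ' >&2
    stty -echo; IFS= read -r pw; stty echo; echo >&2
    render_user_data "daily-vm" "tester" "$(printf '%s' "$pw" | hash_password)"
fi
```
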
Gene77072

Re: VBoxManage unattended install --password=password Is Encrypted Password supported?

Post by Gene77072 »

fth0 wrote:
scottgus1 wrote:Another encryption method is password hashing, where "p@s$w0rd" becomes "9df733661f50f5dcf8ae7125997f91768cb02d66" or some such. You enter "9df733661f50f5dcf8ae7125997f91768cb02d66", but how does that get back to "p@s$w0rd"? Hashing isn't reversible, I think, and the hash could go back to other passwords too.

So you're back to the shared and compared key and password method to enter an encrypted password string and have the installer decrypt the string to the desired clear-text password. Which means you still need to store a password in your head to authenticate the decryption of the string for the unattended install.
You don't need to reverse the hashing, because you don't need the clear-text password during the installation: You can calculate the password hash on the host in advance, and during the installation, VirtualBox (or Ansible) simply could add the password hash to the /etc/passwd and/or the /etc/shadow file in the guest.
Thank you for your response; however, it was not my intention to extract possible solutions on how to address this problem. Doing this may tie Development's hands as far as creating a scheme to address the issue.
Whatever scheme is created should be mindful that currently this user is working with the latest versions of Ubuntu, but VirtualBox needs to support all supported OSes and their supported OS levels.
The resulting scheme to address protecting clear text Admin Ids and Admin passwords should be OS independent and OS Release Level independent to be effective.