sudo chown root:shadow VBoxVRDP
sudo chmod 2755 VBoxVRDP
I can't find a better way to fix this at the moment, but would love to hear about one if it exists. Maybe pam_unix.so could be made SUID root, but would this open a bigger security hole than the above? Security experts, please comment!:D
I don't know the proper solution, although I verified that granting read access to shadow will give success
The file is world-readable (its contents are visible to all users), but only writable by root. This means that an attacker with access to the system at normal privilege level can obtain the hashed form of every user's password. These can then be used to mount a brute force attack offline, using the hashed passwords as a relatively fast way to test guessed passwords without alerting system security modules designed to detect an abnormal number of failed login attempts. Most users select passwords that are vulnerable to such password cracking techniques.
The "external" method provides external authentication through a special authentication library. VirtualBox comes with two default libraries for external authentication:
On Linux hosts, VRDPAuth.so authenticates users against the host's PAM system.
On Windows hosts, VRDPAuth.dll authenticates users against the host's WinLogon system.
The pam_acct_mgmt function is used to determine if the users account is valid. It checks for authentication token and account expiration and verifies access restrictions. It is typically called after the user has been authenticated.
# /etc/pam.d/common-account - authorization settings common to all services
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
account required pam_unix.so
auth required pam_unix.so
account required pam_unix.so broken_shadow
Users browsing this forum: dhkorman and 27 guests