June 1st, 2009


VirtualBox Remote Desktop (VRDP)

VirtualBox is a pretty cool virtualization program (free for private use) that I use to run a virtual Windows on my Linux box. One nice feature is that you can use the Remote Desktop Protocol to access virtual machines from another computer. It's just not totally easy to get that running with authentication enabled. The latter is important because I don't want anyone who somehow managed to hack into my wireless network to get free access to my virtual Windows.

So here's the solution:
  1. Create the file /etc/pam.d/vbox_vrdpauth with the following content:
    auth    required        pam_unix.so
    account required        pam_unix.so broken_shadow
  2. Add the following line to /etc/profile:
    export VRDP_AUTH_PAM_SERVICE=vbox_vrdpauth
  3. In your virtual machine setup, set the authentication method for VRDP to Extern.

The explanation:

VirtualBox uses PAM to authenticate users on the Linux host machine. PAM reads the file /etc/shadow to determine user information, and therein lies the problem: VirtualBox is started by a normal user, and users usually don't have read permission on /etc/shadow. Unless you want to give users read permission on that file, you have to tell PAM to ignore errors when reading from it. That's accomplished by the broken_shadow option in the PAM service file above.

To tell VirtualBox that it should authenticate using the newly created PAM service vbox_vrdpauth, we have to set the environment variable VRDP_AUTH_PAM_SERVICE. To do that automatically on login, we add the export line to /etc/profile.
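
To verify steps 1 and 2 and the /etc/shadow permissions discussed above, here is a small audit function. It is an added example, not part of the original post; the names check_vrdp_pam, note, mode and findings are made up for this sketch, and the default paths are the ones used in the steps.

```shell
#!/bin/sh
# Added example (not from the original post): audit the VRDP PAM setup.
# Usage: check_vrdp_pam [SERVICE_FILE] [PROFILE_FILE] [SHADOW_FILE]
# Defaults are the paths named in the post. Sets $findings to the number of
# problems found and returns 0 only when there are none.

note() { echo "FINDING: $*"; findings=$((findings + 1)); }
mode() { ls -ld "$1" 2>/dev/null | cut -c1-10; }   # e.g. -rw-r--r--

check_vrdp_pam() {
    svc=${1:-/etc/pam.d/vbox_vrdpauth}
    profile=${2:-/etc/profile}
    shadow=${3:-/etc/shadow}
    name=$(basename "$svc")      # PAM service name = file name
    findings=0
    sp='[[:space:]]'

    if [ ! -f "$svc" ]; then
        note "$svc is missing"
    else
        # Step 1: both pam_unix.so lines must be present and 'required'.
        grep -Eq "^$sp*auth$sp+required$sp+pam_unix\.so($sp|\$)" "$svc" ||
            note "no 'auth required pam_unix.so' line in $svc"
        grep -Eq "^$sp*account$sp+required$sp+pam_unix\.so$sp.*broken_shadow" "$svc" ||
            note "account line in $svc lacks broken_shadow"
        # Anyone who can edit this file controls who may log in over VRDP.
        case $(mode "$svc") in
            ?????w*|????????w*) note "$svc is writable by group or others" ;;
        esac
    fi

    # Step 2: the exported service name must match the PAM file name.
    grep -Eq "^$sp*export$sp+VRDP_AUTH_PAM_SERVICE=$name($sp|\$)" "$profile" 2>/dev/null ||
        note "$profile does not export VRDP_AUTH_PAM_SERVICE=$name"

    # broken_shadow exists so that /etc/shadow can stay closed to normal users.
    case $(mode "$shadow") in
        ???????r*) note "$shadow is world-readable" ;;
    esac

    [ "$findings" -eq 0 ]
}
```

Source the file and call check_vrdp_pam with no arguments to check the live paths, or pass copies of the three files to test a change before installing it.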