VirtualBox

source: vbox/trunk/doc/manual/en_US/dita/topics/vbox-auth.dita@ 105145

Last change on this file since 105145 was 99797, checked in by vboxsync, 21 months ago

Docs: bugref:10302. Merging changes from the docs team. Almost exclusively conkeyref related stuff.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id Revision
File size: 7.1 KB
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE topic PUBLIC "-//OASIS//DTD DITA Topic//EN" "topic.dtd">
<topic xml:lang="en-us" id="vbox-auth">
  <title>RDP Authentication</title>

  <body>
    <p>
      For each virtual machine that is remotely accessible using RDP, you can individually
      determine if and how client connections are authenticated. For this, use the
      <userinput>VBoxManage modifyvm</userinput> command with the
      <codeph>--vrde-auth-type</codeph> option. See <xref href="vboxmanage-modifyvm.dita">
      VBoxManage modifyvm</xref>. The following methods of authentication are available:
    </p>
    <ul>
      <li>
        <p>
          The <b outputclass="bold">null</b> method means that
          there is no authentication at all. Any client can connect to
          the VRDP server and thus the virtual machine. This is very
          insecure and is recommended only for private networks.
        </p>
      </li>
      <li>
        <p>
          The <b outputclass="bold">external</b> method
          provides external authentication through a special
          authentication library. <ph conkeyref="vbox-conkeyref-phrases/product-name"/> ships with two
          special authentication libraries:
        </p>
        <ol>
          <li>
            <p>
              The default authentication library,
              <userinput>VBoxAuth</userinput>, authenticates against user
              credentials of the host. Depending on the host
              platform, this means the following:
            </p>
            <ul>
              <li>
                <p>
                  On Linux hosts, <userinput>VBoxAuth.so</userinput>
                  authenticates users against the host's PAM system.
                </p>
              </li>
              <li>
                <p>
                  On Windows hosts, <userinput>VBoxAuth.dll</userinput>
                  authenticates users against the host's WinLogon
                  system.
                </p>
              </li>
              <li>
                <p>
                  On macOS hosts, <userinput>VBoxAuth.dylib</userinput>
                  authenticates users against the host's directory
                  service.
                </p>
              </li>
            </ul>
            <p>
              In other words, the external method by default performs
              authentication with the user accounts that exist on the
              host system. Any user with valid authentication
              credentials is accepted. For example, the username does
              not have to correspond to the user running the VM.
            </p>
          </li>
          <li>
            <p>
              An additional library called
              <userinput>VBoxAuthSimple</userinput> performs
              authentication against credentials configured in the
              <codeph>extradata</codeph> section of a virtual
              machine's XML settings file. This is probably the
              simplest way to get authentication that does not depend
              on a running and supported guest. The following steps
              are required:
            </p>
            <ol>
              <li>
                <p>
                  Enable <userinput>VBoxAuthSimple</userinput> with the
                  following command:
                </p>
                <pre xml:space="preserve">VBoxManage setproperty vrdeauthlibrary "VBoxAuthSimple"</pre>
              </li>
              <li>
                <p>
                  To enable the library for a particular VM, you must
                  switch authentication to external, as follows:
                </p>
                <pre xml:space="preserve">VBoxManage modifyvm <varname>VM-name</varname> --vrde-auth-type external</pre>
                <p>
                  Replace <varname>VM-name</varname> with the
                  VM name or UUID.
                </p>
              </li>
              <li>
                <p>
                  You then need to configure users and passwords by
                  writing items into the machine's extradata. Since
                  the XML machine settings file, into whose
                  <codeph>extradata</codeph> section the password
                  needs to be written, is a plain text file,
                  <ph conkeyref="vbox-conkeyref-phrases/product-name"/> stores a hash of each password
                  instead of the password itself. The
                  following command must be used:
                </p>
                <pre xml:space="preserve">VBoxManage setextradata <varname>VM-name</varname> "VBoxAuthSimple/users/<varname>user</varname>" <varname>hash</varname>
</pre>
                <p>
                  Replace <varname>VM-name</varname> with the
                  VM name or UUID, <varname>user</varname>
                  with the name of the user who should be allowed to log in,
                  and <varname>hash</varname> with the
                  hashed password. The following command example
                  obtains the hash value for the password
                  <codeph>secret</codeph>:
                </p>
                <pre xml:space="preserve">$ VBoxManage internalcommands passwordhash "secret"
2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b</pre>
                <p>
                  You then use <userinput>VBoxManage
                  setextradata</userinput> to store this value in the
                  machine's <codeph>extradata</codeph> section.
                </p>
                <p>
                  As a combined example, to set the password for the
                  user <codeph>john</codeph> and the machine
                  <codeph>My VM</codeph> to
                  <codeph>secret</codeph>, use this command:
                </p>
                <pre xml:space="preserve">VBoxManage setextradata "My VM" "VBoxAuthSimple/users/john" 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b</pre>
              </li>
            </ol>
          </li>
        </ol>
      </li>
      <li>
        <p>
          The <b outputclass="bold">guest</b> authentication
          method performs authentication with a special component that
          comes with the Guest Additions. As a result, authentication
          is not performed on the host, but with the guest user
          accounts.
        </p>
        <p>
          This method is currently still in testing and not yet
          supported.
        </p>
      </li>
    </ul>
    <p>
      In addition to the methods described above, you can replace the
      default external authentication module with any other module.
      For this, <ph conkeyref="vbox-conkeyref-phrases/product-name"/> provides a well-defined interface that
      enables you to write your own authentication module. This is
      described in detail in the <ph conkeyref="vbox-conkeyref-phrases/product-name"/> Software Development
      Kit (SDK) reference. See <xref href="VirtualBoxAPI.dita#VirtualBoxAPI"/>.
    </p>
  </body>

</topic>
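The VBoxAuthSimple steps in the topic above leave password hashes in the VM's plain-text settings file, so that file is worth auditing. The script below is an added example, not part of the VirtualBox manual or code base. It assumes the stored value is an unsalted SHA-256 hex digest (which the manual's sample output for `secret` is) and that each `ExtraDataItem` sits on one line with `name` before `value`; `sha256_hex`, `audit_vbox`, `demo` and the sample file are constructed for illustration.

```shell
# Assumption: the stored value is the unsalted SHA-256 hex digest of the
# password, which is what the manual's sample output for "secret" is.

sha256_hex() {  # hash stdin, print only the hex digest
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi |
        cut -d' ' -f1
}

# Digest of the manual's sample password; it should never protect a real VM.
DOC_HASH=$(printf '%s' 'secret' | sha256_hex)
# audit_vbox FILE: print one finding per line, return 1 if there is any.
audit_vbox() {
    file=$1; findings=0
    # Unsalted hashes are cheap to guess offline: only the owner may read them.
    mode=$(ls -ld "$file" | cut -c1-10)
    case $(printf '%s' "$mode" | cut -c5,8) in
        '--') ;;
        *) echo "PERMS $file is readable beyond its owner ($mode)"; findings=1 ;;
    esac
    # Assumes name= then value= on one ExtraDataItem line, no spaces in names.
    entries=$(sed -n 's|.*<ExtraDataItem name="VBoxAuthSimple/users/\([^"]*\)" value="\([^"]*\)".*|\1 \2|p' "$file")
    while read -r user hash; do
        [ -n "$user" ] || continue
        hash=$(printf '%s' "$hash" | tr 'A-F' 'a-f')
        if ! printf '%s' "$hash" | grep -Eq '^[0-9a-f]{64}$'; then
            echo "FORMAT user=$user value is not a 64-digit hex hash"; findings=1
        elif [ "$hash" = "$DOC_HASH" ]; then
            echo "WEAK user=$user uses the manual's sample password"; findings=1
        fi
    done <<EOF
$entries
EOF
    return $findings
}

demo() {  # constructed sample file, not a real VM's settings
    sample=$(mktemp)
    cat >"$sample" <<'EOF'
<ExtraData>
  <ExtraDataItem name="VBoxAuthSimple/users/john" value="2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b"/>
  <ExtraDataItem name="VBoxAuthSimple/users/mary" value="secret"/>
</ExtraData>
EOF
    chmod 644 "$sample"
    audit_vbox "$sample" || echo "findings reported for $sample"
    rm -f "$sample"
}
demo
```

The `mary` entry models a password stored in place of its hash, which the format check reports before any login attempt would fail against it.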