VirtualBox

source: vbox/trunk/doc/manual/en_US/dita/topics/vbox-auth.dita@ 98549

Last change on this file since 98549 was 98549, checked in by vboxsync, 2 years ago

Docs: bugref:10302. Uploading .dita user manual files we received from the doc team on 25th Jan.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE topic PUBLIC "-//OASIS//DTD DITA Topic//EN" "topic.dtd">
<topic xml:lang="en-us" id="vbox-auth">
  <title>RDP Authentication</title>

  <body>
    <p>
      For each virtual machine that is remotely accessible using RDP,
      you can individually determine if and how client connections are
      authenticated. For this, use the <userinput>VBoxManage
      modifyvm</userinput> command with the
      <codeph>--vrde-auth-type</codeph> option. See
      <xref href="man_VBoxManage-modifyvm.dita">VBoxManage modifyvm</xref>. The following methods of
      authentication are available:
    </p>
    <ul>
      <li>
        <p>
          The <b outputclass="bold">null</b> method means that
          there is no authentication at all. Any client can connect to
          the VRDP server and thus the virtual machine. This is very
          insecure and is recommended only for private networks.
        </p>
      </li>
      <li>
        <p>
          The <b outputclass="bold">external</b> method
          provides external authentication through a special
          authentication library. Oracle VM VirtualBox ships with two
          special authentication libraries:
        </p>
        <ol>
          <li>
            <p>
              The default authentication library,
              <userinput>VBoxAuth</userinput>, authenticates against user
              credentials of the host. Depending on the host
              platform, this means the following:
            </p>
            <ul>
              <li>
                <p>
                  On Linux hosts, <userinput>VBoxAuth.so</userinput>
                  authenticates users against the host's PAM system.
                </p>
              </li>
              <li>
                <p>
                  On Windows hosts, <userinput>VBoxAuth.dll</userinput>
                  authenticates users against the host's WinLogon
                  system.
                </p>
              </li>
              <li>
                <p>
                  On macOS hosts, <userinput>VBoxAuth.dylib</userinput>
                  authenticates users against the host's directory
                  service.
                </p>
              </li>
            </ul>
            <p>
              In other words, the external method by default performs
              authentication with the user accounts that exist on the
              host system. Any user with valid authentication
              credentials is accepted. For example, the username does
              not have to correspond to the user running the VM.
            </p>
          </li>
          <li>
            <p>
              An additional library called
              <userinput>VBoxAuthSimple</userinput> performs
              authentication against credentials configured in the
              <codeph>extradata</codeph> section of a virtual
              machine's XML settings file. This is probably the
              simplest way to get authentication that does not depend
              on a running and supported guest. The following steps
              are required:
            </p>
            <ol>
              <li>
                <p>
                  Enable <userinput>VBoxAuthSimple</userinput> with the
                  following command:
                </p>
                <pre xml:space="preserve">VBoxManage setproperty vrdeauthlibrary "VBoxAuthSimple"</pre>
              </li>
              <li>
                <p>
                  To enable the library for a particular VM, you must
                  switch authentication to external, as follows:
                </p>
                <pre xml:space="preserve">VBoxManage modifyvm <varname>VM-name</varname> --vrde-auth-type external</pre>
                <p>
                  Replace <varname>VM-name</varname> with the
                  VM name or UUID.
                </p>
              </li>
              <li>
                <p>
                  You then need to configure users and passwords by
                  writing items into the machine's extradata. Because
                  the XML machine settings file, into whose
                  <codeph>extradata</codeph> section the password
                  needs to be written, is a plain text file,
                  Oracle VM VirtualBox stores a hash of the password
                  rather than the password itself. The
                  following command must be used:
                </p>
                <pre xml:space="preserve">VBoxManage setextradata <varname>VM-name</varname> "VBoxAuthSimple/users/<varname>user</varname>" <varname>hash</varname>
                </pre>
                <p>
                  Replace <varname>VM-name</varname> with the
                  VM name or UUID, <varname>user</varname>
                  with the name of the user who should be allowed to log in
                  and <varname>hash</varname> with the
                  hash of the password. The following command example
                  obtains the hash value for the password
                  <codeph>secret</codeph>:
                </p>
                <pre xml:space="preserve">$ VBoxManage internalcommands passwordhash "secret"
2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b</pre>
                <p>
                  You then use <userinput>VBoxManage
                  setextradata</userinput> to store this value in the
                  machine's <codeph>extradata</codeph> section.
                </p>
                <p>
                  As a combined example, to set the password for the
                  user <codeph>john</codeph> and the machine
                  <codeph>My VM</codeph> to
                  <codeph>secret</codeph>, use this command:
                </p>
                <pre xml:space="preserve">VBoxManage setextradata "My VM" "VBoxAuthSimple/users/john" 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b</pre>
              </li>
            </ol>
          </li>
        </ol>
      </li>
      <li>
        <p>
          The <b outputclass="bold">guest</b> authentication
          method performs authentication with a special component that
          comes with the Guest Additions. As a result, authentication
          is not performed on the host, but with the guest user
          accounts.
        </p>
        <p>
          This method is currently still in testing and not yet
          supported.
        </p>
      </li>
    </ul>
    <p>
      In addition to the methods described above, you can replace the
      default external authentication module with any other module.
      For this, Oracle VM VirtualBox provides a well-defined interface that
      enables you to write your own authentication module. This is
      described in detail in the Oracle VM VirtualBox Software Development
      Kit (SDK) reference. See <xref href="VirtualBoxAPI.dita#VirtualBoxAPI"/>.
    </p>
  </body>

</topic>
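
An audit of the entries that the VBoxAuthSimple procedure in this topic writes, as an added shell example that is not part of the VirtualBox manual or its source. The sample hash in the topic is the plain SHA-256 digest of "secret", which `pw_hash` reproduces; the function names, the sample entries and the `Key: ..., Value: ...` line format for `VBoxManage getextradata "VM-name" enumerate` are assumptions of this example.

```shell
# Added example, not from the VirtualBox manual.
# SHA-256 hex digest of a string; equals the page's sample hash for "secret".
pw_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    fi
}

# Audit VBoxAuthSimple entries read from stdin. Assumed line format of
#   VBoxManage getextradata "VM-name" enumerate
# is "Key: VBoxAuthSimple/users/<user>, Value: <hash>".
# Prints "<user> OK", "<user> MALFORMED" (not 64 lowercase hex digits, e.g. a
# plaintext password) or "<user> WEAK" (hash of the user name or a listed guess).
audit_users() {
    while IFS= read -r au_line; do
        case "$au_line" in
            "Key: VBoxAuthSimple/users/"*", Value: "*) ;;
            *) continue ;;
        esac
        au_user=${au_line#"Key: VBoxAuthSimple/users/"}
        au_user=${au_user%%", Value: "*}
        au_value=${au_line#*", Value: "}
        au_status=OK
        if ! printf '%s\n' "$au_value" | grep -Eq '^[0-9a-f]{64}$'; then
            au_status=MALFORMED
        else
            for au_guess in "$au_user" secret password; do
                if [ "$(pw_hash "$au_guess")" = "$au_value" ]; then
                    au_status=WEAK
                fi
            done
        fi
        printf '%s %s\n' "$au_user" "$au_status"
    done
}

# Constructed sample input; the first hash is the page's own example value.
sample_enumerate() {
    cat <<'EOF'
Key: GUI/LastCloseAction, Value: PowerOff
Key: VBoxAuthSimple/users/john, Value: 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b
Key: VBoxAuthSimple/users/alice, Value: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Key: VBoxAuthSimple/users/bob, Value: hunter2
EOF
}

sample_enumerate | audit_users
```

Because the stored value is an unsalted digest, two users with the same password have identical entries, and anyone who can read the settings file can test password guesses against it offline. Keep the VM settings file readable only by the account that runs the VM.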