RDP Authentication

For each virtual machine that is remotely accessible using RDP, you can individually determine if and how client connections are authenticated. For this, use the VBoxManage modifyvm command with the --vrde-auth-type option. See . The following methods of authentication are available:

The null method means that there is no authentication at all. Any client can connect to the VRDP server and thus the virtual machine. This is very insecure and only to be recommended for private networks.
The external method provides external authentication through a special authentication library. ships with two special authentication libraries:
1. The default authentication library, VBoxAuth, authenticates against user credentials of the hosts. Depending on the host platform, this means the following:
  - On Linux and Oracle Solaris hosts, VBoxAuth.so authenticates users against the host's PAM system.
  - On Windows hosts, VBoxAuth.dll authenticates users against the host's WinLogon system.
  - On macOS hosts, VBoxAuth.dylib authenticates users against the host's directory service.
  In other words, the external method by default performs authentication with the user accounts that exist on the host system. Any user with valid authentication credentials is accepted. For example, the username does not have to correspond to the user running the VM.
2. An additional library called VBoxAuthSimple performs authentication against credentials configured in the extradata section of a virtual machine's XML settings file. This is probably the simplest way to get authentication that does not depend on a running and supported guest. The following steps are required:
  1. Enable VBoxAuthSimple with the following command:
```
VBoxManage setproperty vrdeauthlibrary "VBoxAuthSimple"
```
  2. To enable the library for a particular VM, you must switch authentication to external, as follows:
```
VBoxManage modifyvm VM-name --vrde-auth-type external
```
    Replace VM-name with the VM name or UUID.
  3. You then need to configure users and passwords by writing items into the machine's extradata. Since the XML machine settings file, into whose extradata section the password needs to be written, is a plain text file, uses hashes to encrypt passwords. The following command must be used:
```
VBoxManage setextradata VM-name "VBoxAuthSimple/users/user" hash
                                    
```
    Replace VM-name with the VM name or UUID, user with the user name who should be allowed to log in and hash with the encrypted password. The following command example obtains the hash value for the password secret:
```
$ VBoxManage internalcommands passwordhash "secret"
2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b
```
    You then use VBoxManage setextradata to store this value in the machine's extradata section.
    
    As a combined example, to set the password for the user john and the machine My VM to secret, use this command:
```
VBoxManage setextradata "My VM" "VBoxAuthSimple/users/john"
    2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b
```
The guest authentication method performs authentication with a special component that comes with the Guest Additions. As a result, authentication is not performed on the host, but with the guest user accounts.

This method is currently still in testing and not yet supported.

In addition to the methods described above, you can replace the default external authentication module with any other module. For this, provides a well-defined interface that enables you to write your own authentication module. This is described in detail in the Software Development Kit (SDK) reference. See .