Oracle VM VirtualBox User Manual
9 Advanced topics
are present, a logon will be attempted. After retrieving the credentials, the logon modules will
erase them so that the above command will have to be repeated for subsequent logons.
For security reasons, credentials are not stored in any persistent manner and will be lost when
the VM is reset. Also, the credentials are “write-only”, i.e. there is no way to retrieve the
credentials from the host side. Credentials can be reset from the host side by setting empty
values.
Depending on the particular variant of the Windows guest, the following restrictions apply:
1. For Windows XP guests, the logon subsystem needs to be configured to use the classic
logon dialog as the VirtualBox GINA module does not support the XP-style welcome dialog.
2. For Windows Vista and Windows 7 guests, the logon subsystem does not support the
so-called Secure Attention Sequence (CTRL+ALT+DEL). As a result, the guest’s group policy
settings need to be changed to not use the Secure Attention Sequence. Also, the user name
given is only compared to the true user name, not the user-friendly name. This means
that when you rename a user, you still have to supply the original user name (internally,
Windows never renames user accounts).
3. Auto-logon handling of the built-in Windows Remote Desktop Service (formerly known as
Terminal Services) is disabled by default. To enable it, create the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions\AutoLogon
with a DWORD value of 1.
The following command forces VirtualBox to keep the credentials after they were read by the
guest and on VM reset:
VBoxManage setextradata "Windows XP" VBoxInternal/Devices/VMMDev/0/Config/KeepCredentials 1
Note that this is a potential security risk as a malicious application running on the guest could
request this information using the proper interface.
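The KeepCredentials setting above is the kind of thing a host administrator wants to be able to find again later. The following script is an added example and not part of the manual: it reads the text that "VBoxManage getextradata <vm> enumerate" prints (lines of the form "Key: ..., Value: ..."), reports whether the VMMDev has been told to keep credentials, and prints the command that sets the value back to 0. The extradata listing embedded in the script is constructed so that the check runs without VirtualBox installed; on a real host you would feed it the output of that VBoxManage command instead.

```shell
#!/bin/sh
# Added example (not from the VirtualBox manual): audit one VM's extradata for the
# KeepCredentials setting. Input is the text printed by
#   VBoxManage getextradata "<vm>" enumerate
# i.e. lines such as
#   Key: VBoxInternal/Devices/VMMDev/0/Config/KeepCredentials, Value: 1

KEEPCRED_KEY='VBoxInternal/Devices/VMMDev/0/Config/KeepCredentials'

# Constructed sample listing for a VM named "Windows XP" (not captured from a real host).
SAMPLE_EXTRADATA='Key: GUI/LastNormalWindowPosition, Value: 0,0,800,600
Key: VBoxInternal/Devices/VMMDev/0/Config/KeepCredentials, Value: 1
Key: GUI/SuppressMessages, Value: remindAboutAutoCapture'

# keepcred_value EXTRADATA_TEXT
# Prints the value recorded for the KeepCredentials key, or nothing if the key is unset.
keepcred_value() {
    # "|" is used as the sed delimiter because the key contains slashes.
    printf '%s\n' "$1" | sed -n "s|^Key: $KEEPCRED_KEY, Value: ||p"
}

# keepcred_enabled EXTRADATA_TEXT
# True (exit 0) when the VMMDev is configured to keep the credentials after the guest
# has read them, which the manual flags as a potential security risk; false otherwise.
keepcred_enabled() {
    v=$(keepcred_value "$1")
    [ "$v" = "1" ]
}

# audit_vm_extradata VMNAME EXTRADATA_TEXT
# Human-readable report, including the VBoxManage command that switches the setting off.
audit_vm_extradata() {
    if keepcred_enabled "$2"; then
        printf 'WARN: VM "%s" keeps auto-logon credentials in the VMMDev (KeepCredentials=1).\n' "$1"
        printf '      Disable with: VBoxManage setextradata "%s" %s 0\n' "$1" "$KEEPCRED_KEY"
    else
        printf 'OK: VM "%s" does not keep credentials after the guest reads them.\n' "$1"
    fi
}

audit_vm_extradata "Windows XP" "$SAMPLE_EXTRADATA"
```

To audit every VM on a host, loop over the names from "VBoxManage list vms" and pass each VM's "enumerate" output to audit_vm_extradata.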
9.2.2 Automated Linux/Unix guest logons
Starting with version 3.2, VirtualBox provides a custom PAM module (Pluggable Authentication
Module) which can be used to perform automated guest logons on platforms which support this
framework. Virtually all modern Linux/Unix distributions rely on PAM.
The pam_vbox.so module itself does not do an actual verification of the credentials passed to
the guest OS; instead it relies on other modules such as pam_unix.so or pam_unix2.so further
down in the PAM stack to do the actual validation using the credentials retrieved by pam_vbox.so.
Therefore pam_vbox.so has to be at the top of the authentication PAM service list.
Note: pam_vbox.so only supports the auth primitive. Other primitives such as
account, session or password are not supported.
The pam_vbox.so module is shipped as part of the Guest Additions but it is not installed
or activated on the guest OS by default. In order to install it, it has to be copied from
/opt/VBoxGuestAdditions-<version>/lib/VBoxGuestAdditions/ to the security modules
directory, usually /lib/security/ on 32-bit Linux guests or /lib64/security/ on 64-bit
ones. Please refer to your guest OS documentation for the correct PAM module directory.
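The two constraints stated above (pam_vbox.so must be the first module of the auth stack, and it implements only the auth primitive) are easy to get wrong when editing a service file by hand. The script below is an added example and not part of the manual or of the Guest Additions: it lints the text of a PAM service file such as /etc/pam.d/gdm against both rules. The two service files embedded in it are constructed; the Debian-style "@include" directive is treated as something that may contribute auth modules, and the "requisite" control flag on the pam_vbox.so line in the good sample is an assumption of this example, not a setting the manual prescribes.

```shell
#!/bin/sh
# Added example (not from the VirtualBox manual): lint a PAM service file for
#   1. pam_vbox.so being the first entry that can contribute auth modules, and
#   2. pam_vbox.so appearing only with the "auth" type.
# Input is the text of a file such as /etc/pam.d/gdm; constructed samples are used here.

# Constructed /etc/pam.d/gdm-style content with pam_vbox.so correctly placed on top of auth.
GOOD_PAM='#%PAM-1.0
auth      requisite pam_vbox.so
auth      requisite pam_nologin.so
auth      required  pam_env.so readenv=1
@include common-auth
account   required  pam_unix.so
session   required  pam_unix.so'

# Constructed misconfiguration: pam_vbox.so sits below pam_unix.so, so the credentials it
# retrieves arrive after the verifying module has already run, and it is also listed under
# "account", a primitive the module does not implement.
BAD_PAM='#%PAM-1.0
auth      required  pam_unix.so
auth      requisite pam_vbox.so
account   required  pam_vbox.so
account   required  pam_unix.so'

# pam_lines TEXT: strip comments and blank lines, collapse runs of whitespace to one space.
pam_lines() {
    printf '%s\n' "$1" \
        | sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/ $//' \
        | grep -v '^$'
}

# pam_vbox_on_top TEXT: true when the first entry that can contribute auth modules
# (an "auth" line or an @include directive) is pam_vbox.so.
pam_vbox_on_top() {
    first=$(pam_lines "$1" | awk '$1 == "auth" || $1 == "@include" { print; exit }')
    case "$first" in
        "auth "*pam_vbox.so*) return 0 ;;
        *) return 1 ;;
    esac
}

# pam_vbox_misused TEXT: prints every line that uses pam_vbox.so with a type other than auth.
pam_vbox_misused() {
    pam_lines "$1" | awk '$1 != "auth" && $0 ~ /pam_vbox\.so/ { print }'
}

# lint_pam_service NAME TEXT: prints findings; exit 0 only when both checks pass.
lint_pam_service() {
    rc=0
    if pam_vbox_on_top "$2"; then
        printf 'OK:   %s: pam_vbox.so is the first auth module\n' "$1"
    else
        printf 'FAIL: %s: pam_vbox.so is not the first auth module\n' "$1"
        rc=1
    fi
    bad=$(pam_vbox_misused "$2")
    if [ -n "$bad" ]; then
        printf 'FAIL: %s: pam_vbox.so used outside the auth primitive:\n%s\n' "$1" "$bad"
        rc=1
    fi
    return $rc
}

lint_pam_service gdm-good "$GOOD_PAM"
lint_pam_service gdm-bad "$BAD_PAM" || :
```

On a guest, run lint_pam_service with the contents of the service file you edited (for example "$(cat /etc/pam.d/gdm)") before relying on the automated logon, since a misplaced line fails quietly rather than loudly.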
For example, to use pam_vbox.so with an Ubuntu Linux guest OS and GDM (the GNOME
Desktop Manager) to log on users automatically with the credentials passed by the host, the
guest OS has to be configured as follows:
1. The pam_vbox.so module has to be copied to the security modules directory, in this case
/lib/security.
142