7 Alternative front-ends; remote virtual machines
– On Linux hosts, VRDPAuth.so authenticates users against the host’s PAM system.
– On Windows hosts, VRDPAuth.dll authenticates users against the host’s WinLogon system.
In other words, the “external” method by default performs authentication with the user accounts that exist on the host system. Any user with valid authentication credentials is accepted, i.e. the username does not have to correspond to the user running the VM.
However, you can replace the default “external” authentication module with any other module. For this, VirtualBox provides a well-defined interface that allows you to write your own authentication module; see chapter 9.3, Custom external VRDP authentication, page 129 for details.
• Finally, the “guest” authentication method performs authentication with a special component that comes with the Guest Additions; as a result, authentication is not performed with the host users, but with the guest user accounts. This method is currently still in testing and not yet supported.
7.4.5 RDP encryption
RDP features data stream encryption, which is based on the RC4 symmetric cipher (with keys up to 128 bit). The RC4 keys are replaced at regular intervals (every 4096 packets).
RDP provides three different authentication methods:
1. Historically, RDP4 authentication was used, with which the RDP client does not
perform any checks in order to verify the identity of the server it connects to.
Since user credentials can be obtained using a man in the middle (MITM) attack,
RDP4 authentication is insecure and should generally not be used.
2. RDP5.1 authentication employs a server certificate for which the client possesses the public key. This way it is guaranteed that the server possesses the corresponding private key. However, as this hard-coded private key became public some years ago, RDP5.1 authentication is also insecure and cannot be recommended.
3. RDP5.2 authentication is based on TLS 1.0 with customer-supplied certificates.
The server supplies a certificate to the client which must be signed by a certificate
authority (CA) that the client trusts (for the Microsoft RDP Client 5.2, the CA
has to be added to the Windows Trusted Root Certificate Authorities database).
VirtualBox allows you to supply your own CA and server certificate and uses
OpenSSL for encryption.
While VirtualBox supports all of the above, only RDP5.2 authentication should be used in environments where security is a concern. The client that connects to the server determines which type of encryption is used; with rdesktop, the Linux RDP viewer, use the -4 or -5 options to select it.
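The trust rule behind RDP5.2 authentication, reproduced with OpenSSL as an added example (not code from the VirtualBox manual): a server certificate is only accepted when it chains to a CA the client has been configured to trust, so a certificate issued by any other CA, however valid on its own, is rejected. All CA and host names below are constructed; the script assumes an `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example, not from the VirtualBox manual. Builds a customer CA, a VRDP
# server certificate signed by it, and an "impostor" certificate signed by an
# unrelated CA, then checks which one a client trusting only the customer CA accepts.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA key and certificate (req -x509 marks it CA:TRUE).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_server CA HOST: server key + CSR, signed by CA as an end-entity certificate.
make_server() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$WORK/$2.ext"
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# client_accepts TRUSTED_CA SERVER: exit 0 only if SERVER's cert chains to TRUSTED_CA,
# i.e. what an RDP5.2 client with that CA in its trust store would do.
client_accepts() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# Constructed scenario: the customer's CA signs the real VRDP host; a rogue CA
# signs a host with the same kind of certificate but no trust relationship.
make_ca site-ca
make_ca rogue-ca
make_server site-ca vrdp-host
make_server rogue-ca impostor
```

Running `client_accepts site-ca vrdp-host` succeeds while `client_accepts site-ca impostor` fails, which is exactly why the CA must be installed on the client (the Trusted Root Certificate Authorities store for the Microsoft client) and not merely exist on the server.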