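├── autostart.cfg
├── ports.sh
├── LICENSE
├── backup-settings.sh
├── config-linux-vm.sh
├── backup.sh
├── backup-single.sh
├── provision.sh
├── README.md
└── secure-vbox-rdp.sh

/autostart.cfg:
--------------------------------------------------------------------------------
# Let any user start VMs.
#
# provision.sh copies this file to /etc/vbox. "allow" means every local
# account on the host may register VMs with the VirtualBox autostart service.
default_policy = allow
--------------------------------------------------------------------------------
/ports.sh:
--------------------------------------------------------------------------------
#!/bin/bash

#
# Show the exposed network / NAT port forwarding configuration
# for all registered VMs (running or not): the enabled NIC lines
# and the VRDE (remote desktop) line of "vboxmanage showvminfo".
#
# Read-only: nothing is modified.
#

set -u

# "vboxmanage list vms" prints one line per VM of the form "Name" {uuid};
# the second double-quote-delimited field is the VM name.
MACHINES=$(vboxmanage list vms | cut -f 2 -d \")

echo "Networking setup looks like:"
echo ""

while IFS= read -r machine; do
  # An empty VM list still yields one empty line from the here-string; skip it.
  [ -n "${machine}" ] || continue

  echo "vboxmanage showvminfo \"${machine}\""

  # Query the VM once and filter the result instead of running showvminfo twice.
  info=$(vboxmanage showvminfo "${machine}")
  grep "^NIC" <<< "${info}" | grep -v "disabled"
  grep "^VRDE:" <<< "${info}"

  echo ""
done <<< "${MACHINES}"
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2014 Max

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--------------------------------------------------------------------------------
/backup-settings.sh:
--------------------------------------------------------------------------------
#!/bin/bash

#
# Called by the backup.sh script to perform the actual backup
# operation. Customize to your heart's content.
#
# This checked-in copy is a template: the credentials below are empty.
# Fill them in on the backup host only, keep that copy out of version
# control, and make it readable by the backup user alone (chmod 600) --
# it holds the duplicity passphrase and the SFTP password.
#
# The file is sourced, not executed:
#
#   source backup-settings.sh set     # export PATH, SFTP_TARGET, PASSPHRASE, FTP_PASSWORD, MAILTO
#   source backup-settings.sh unset   # drop the secrets from the environment again
#
# Passing in the option "--dry-run" as the first parameter to
# backupOperation() will cause duplicity to run in dry-run mode.
# Passing "full" as the second parameter forces a full backup.
#
function backupOperation () {
  local PARAM_DRY_RUN="${1:-}"
  local PARAM_BACKUP_TYPE="${2:-}"

  # ${PARAM_DRY_RUN:+"${PARAM_DRY_RUN}"} adds the option only when set, so an
  # empty value does not become an empty argument.
  #
  # The dry-run flag is passed to the prune step too: a dry run must not delete
  # remote backup chains.
  duplicity remove-all-but-n-full 2 ${PARAM_DRY_RUN:+"${PARAM_DRY_RUN}"} --force "sftp://user@host/VirtualBox VMs"

  # Tilde is not expanded inside double quotes, so the source path is spelled
  # with ${HOME}.
  if [ "${PARAM_BACKUP_TYPE}" = "full" ]; then
    duplicity full ${PARAM_DRY_RUN:+"${PARAM_DRY_RUN}"} "${HOME}/VirtualBox VMs" "sftp://user@host/VirtualBox VMs"
  else
    duplicity --full-if-older-than 1W ${PARAM_DRY_RUN:+"${PARAM_DRY_RUN}"} "${HOME}/VirtualBox VMs" "sftp://user@host/VirtualBox VMs"
  fi
}

# Quoted with a default so a bare "source backup-settings.sh" (no argument)
# takes the unset branch instead of failing the test.
if [ "${1:-}" = "set" ]; then
  echo "Exporting extra path."

  export PATH="${HOME}/devtools/homebrew/bin:/usr/local/bin:${HOME}/Library/Python/2.7/bin:${PATH}"

  echo "Exporting sftp target."
  export SFTP_TARGET="user@host"

  # The values themselves are deliberately never echoed.
  echo "Exporting passwords."

  export PASSPHRASE=""
  export FTP_PASSWORD=""

  echo "Exporting reporting address."

  export MAILTO="report@host"
else
  echo "Unsetting passwords."

  unset FTP_PASSWORD
  unset PASSPHRASE

  echo "Unsetting reporting address."

  unset MAILTO
fi
--------------------------------------------------------------------------------
/config-linux-vm.sh:
--------------------------------------------------------------------------------
#!/bin/bash

#
# Apply a baseline configuration to a Linux VirtualBox VM and enable its
# remote desktop (VRDE) server with no authentication, bound to 127.0.0.1
# only, so that it is reachable solely through an SSH tunnel.
#
# Usage: config-linux-vm.sh -v <virtual machine> -P <vrde port>
#

set -u

VM_NAME=""
# Stays 0 when -P is not given; the final check then falls through to usage.
VRDE_PORT=0

while getopts ":v:P:" opt; do
  case "${opt}" in
    v)
      echo "Modifying VM: ${OPTARG}"
      VM_NAME="${OPTARG}"
      ;;
    P)
      echo "Setting VRDE port."
      VRDE_PORT="${OPTARG}"
      ;;
    *)
      # Unknown option or missing argument: leave the defaults, usage follows.
      ;;
  esac
done

#######################################
# Baseline settings for a headless Linux guest: 384 MB RAM, ACPI/IO-APIC on,
# UTC hardware clock, PS/2 input, no audio, no USB, a single NAT NIC, DVD first
# in the boot order.
# Globals: VM_NAME (read)
#######################################
basicConfig () {
  VBoxManage modifyvm "${VM_NAME}" --memory 384 --acpi on --ioapic on --rtcuseutc on --accelerate2dvideo on
  VBoxManage modifyvm "${VM_NAME}" --bioslogofadein off --bioslogofadeout off --bioslogodisplaytime 250
  VBoxManage modifyvm "${VM_NAME}" --keyboard ps2 --mouse ps2
  VBoxManage modifyvm "${VM_NAME}" --audio none
  VBoxManage modifyvm "${VM_NAME}" --usb off
  VBoxManage modifyvm "${VM_NAME}" --nic1 nat
  VBoxManage modifyvm "${VM_NAME}" --boot1 dvd
}

# If the RDP server is going to have no authentication
# then the rule is to only allow it to serve via localhost:port
#
# You can then use SSH tunnelling to connect safely.
#
# Globals: VM_NAME, VRDE_PORT (read)
nullAuth () {
  VBoxManage modifyvm "${VM_NAME}" --vrde on
  VBoxManage modifyvm "${VM_NAME}" --vrdeauthtype "null"
  # Loopback only: never expose an unauthenticated VRDE server on a real interface.
  VBoxManage modifyvm "${VM_NAME}" --vrdeaddress "127.0.0.1"
  VBoxManage modifyvm "${VM_NAME}" --vrdeport "${VRDE_PORT}"
  VBoxManage modifyvm "${VM_NAME}" --vrdemulticon "on"

  echo "You can now connect to the VM at localhost:${VRDE_PORT}."
}

usage () {
  echo "Usage: "
  echo ""
  echo "$0 -v [virtual machine] -P [vrde port]"
  echo ""
  echo "  Resets authentication to null, sets listening interface to"
  echo "  localhost, sets port to specified value. Useful for ssh-tunneling."
  echo ""
}

# The port must be a non-zero number; a non-numeric -P value would otherwise
# make the -ne test itself fail with an error.
if [ -n "${VM_NAME}" ] && [[ "${VRDE_PORT}" =~ ^[0-9]+$ ]] && [ "${VRDE_PORT}" -ne 0 ]; then
  basicConfig
  nullAuth
else
  usage
fi
--------------------------------------------------------------------------------
/backup.sh:
--------------------------------------------------------------------------------
#!/bin/bash

#
# Usage:
#
#   backup.sh [-d] [-f]
#
#   -d   Dry run
#   -f   Force full backup
#
# Saves the state of every running VM, runs backupOperation() from
# backup-settings.sh, starts the VMs again headless and mails the log.
#

# Read in passwords and other settings from separate, non-checked-in file.
#
# It needs to provide the following environment variables:
#
#   PASSPHRASE
#   FTP_PASSWORD
#   MAILTO
#
# And a function called backupOperation() which gets called to do the
# actual backup process.
#
# The settings file is located relative to this script rather than by bare
# name: "source name" searches PATH before the working directory, so a bare
# name could resolve to a different file depending on the caller's environment.
SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
source "${SCRIPT_DIR}/backup-settings.sh" set

DRY_RUN=0

PARAM_DRY_RUN=""
PARAM_BACKUP_TYPE="" # By default, Duplicity will try to do incremental backups, if a full backup already exists.

# Taken once, before anything is stopped: the same list is used to wake the
# machines up again afterwards. "vboxmanage list runningvms" prints one
# "Name" {uuid} line per VM; keep the quoted name.
MACHINES=$(vboxmanage list runningvms | cut -f 2 -d \")

# The option string lists -f as well; otherwise getopts never delivers it to
# the case arm below and "Force full backup" silently does nothing.
while getopts ":df" opt; do
  case "${opt}" in
    d)
      echo "Dry run."
      DRY_RUN=1
      PARAM_DRY_RUN="--dry-run"
      ;;
    f)
      echo "Full backup."
      PARAM_BACKUP_TYPE="full"
      ;;
    *)
      # Unknown option: ignored.
      ;;
  esac
done

# See: http://www.pclinuxos.com/forum/index.php?topic=103651.0

#######################################
# Poll every 5 seconds until "vboxmanage list runningvms" is empty, in case
# machines are still listed as running after savestate returns. Iterative so a
# long shutdown cannot recurse without bound.
#######################################
function wait_for_closing_machines() {
  echo "Wait for machines to be stopped."

  local running
  # wc -l pads its count with spaces on OS X; strip them before comparing.
  running=$(vboxmanage list runningvms | wc -l | tr -d ' ')

  while [ "${running}" -ne 0 ]; do
    echo "Waiting for VM shutdown to complete."
    sleep 5

    running=$(vboxmanage list runningvms | wc -l | tr -d ' ')
  done
}


echo "Sleep the virtual machines."

while IFS= read -r machine; do
  # No running VMs leaves MACHINES empty, which still yields one empty line.
  [ -n "${machine}" ] || continue

  echo "vboxmanage controlvm \"${machine}\" savestate"

  if [ "${DRY_RUN}" -eq 0 ]; then
    vboxmanage controlvm "${machine}" savestate
  fi
done <<< "${MACHINES}"

if [ "${DRY_RUN}" -eq 0 ]; then
  wait_for_closing_machines
fi


echo "Run backup."

# Raise the open-file limit for the backup run (presumably duplicity needs
# more than the default -- confirm if it is ever lowered).
ulimit -n 2048

# Deliberately no abort on failure: whatever duplicity returns, the machines
# saved above must be started again below.
backupOperation "${PARAM_DRY_RUN}" "${PARAM_BACKUP_TYPE}"

echo "Wake the virtual machines."

while IFS= read -r machine; do
  [ -n "${machine}" ] || continue

  echo "vboxmanage startvm \"${machine}\" --type headless"

  if [ "${DRY_RUN}" -eq 0 ]; then
    vboxmanage startvm "${machine}" --type headless
  fi
done <<< "${MACHINES}"


echo "Mail backup logs."

# backup.mail and backup.log are read relative to the working directory, where
# the caller (e.g. the crontab redirect) writes this run's output.
if [ -n "${MAILTO:-}" ]; then
  cat backup.mail backup.log | msmtp -a default "${MAILTO}"
else
  echo "MAILTO is not set; not mailing the log." >&2
fi


source "${SCRIPT_DIR}/backup-settings.sh" unset

--------------------------------------------------------------------------------
/backup-single.sh:
--------------------------------------------------------------------------------
#!/bin/bash

#
# Usage:
#
#   backup-single.sh [-d] [-n name] [-R] [-N]
#
#   -d   Dry run
#   -n   Name of VM to backup
#   -R   Reset the VM after backup
#   -N   Do not start VM after backup
#

# Read in passwords and other settings from separate, non-checked-in file.
#
# It needs to provide the following environment variables:
#
#   SFTP_TARGET
#   PASSPHRASE
#   FTP_PASSWORD
#   MAILTO
#
# Located relative to this script: "source name" searches PATH before the
# working directory, so a bare name could resolve to a different file.
SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
source "${SCRIPT_DIR}/backup-settings.sh" set

# Without a target the backup URL below would be "sftp:///VMs/<name>"; refuse
# before any VM is touched.
if [ -z "${SFTP_TARGET:-}" ]; then
  echo "SFTP_TARGET is not set by backup-settings.sh; refusing to continue." >&2
  exit 1
fi

DRY_RUN=""
VMNAME=""
START_VM=1
RESET_VM=0

# See: http://www.pclinuxos.com/forum/index.php?topic=103651.0

while getopts ":dn:RN" opt; do
  case "${opt}" in
    d)
      echo "Dry run."
      DRY_RUN="--dry-run"
      ;;
    n)
      VMNAME="${OPTARG}"
      echo "Backing up single VM: ${VMNAME}"
      ;;
    N)
      echo "Don't start the VM again after backup."
      START_VM=0
      ;;
    R)
      echo "Reset the VM after starting it again."
      RESET_VM=1
      ;;
    *)
      # Unknown option or missing argument: ignored.
      ;;
  esac
done

#######################################
# Print 1 if the named VM is currently running, else 0.
# Matches the whole quoted name field exactly; a plain substring grep would
# also count other VMs whose names merely contain the given one.
# Arguments: $1 - VM name
#######################################
count_running() {
  vboxmanage list runningvms | cut -f 2 -d \" | grep -c -x -F -- "$1"
}

if [ -z "${VMNAME}" ]; then
  echo "No virtual machine name specified."
else
  RUNNING=$(count_running "${VMNAME}")

  if [ "${RUNNING}" -eq 1 ]; then
    echo "Sleep the virtual machine: ${VMNAME}"

    echo "vboxmanage controlvm \"${VMNAME}\" savestate"
    vboxmanage controlvm "${VMNAME}" savestate
  fi

  # The VM folder may live in a subfolder of "VirtualBox VMs", hence find.
  # Only the first match is used, so a second folder with the same name cannot
  # turn SOURCE_FOLDER into a multi-line value that duplicity would treat as a
  # single (non-existent) path.
  SOURCE_FOLDER=$(find "${HOME}/VirtualBox VMs" -name "${VMNAME}" -type d | head -n 1)
  TARGET_FOLDER="sftp://${SFTP_TARGET}/VMs/${VMNAME}"

  if [ -n "${SOURCE_FOLDER}" ]; then
    echo "Run backup: \"${SOURCE_FOLDER}\" \"${TARGET_FOLDER}\""

    ulimit -n 2048

    # ${DRY_RUN:+"${DRY_RUN}"} adds --dry-run only when set; an empty value
    # contributes no argument.
    duplicity remove-all-but-n-full 2 ${DRY_RUN:+"${DRY_RUN}"} --force "${TARGET_FOLDER}"
    duplicity --full-if-older-than 1W ${DRY_RUN:+"${DRY_RUN}"} "${SOURCE_FOLDER}" "${TARGET_FOLDER}"
  else
    echo "No folder named \"${VMNAME}\" found under \"${HOME}/VirtualBox VMs\"; nothing backed up." >&2
  fi

  RUNNING=$(count_running "${VMNAME}")

  if [ "${RUNNING}" -eq 0 ] && [ "${START_VM}" -eq 1 ]; then
    echo "Wake the virtual machine: ${VMNAME}"

    echo "vboxmanage startvm \"${VMNAME}\" --type headless"
    vboxmanage startvm "${VMNAME}" --type headless
  fi

  if [ "${START_VM}" -eq 1 ] && [ "${RESET_VM}" -eq 1 ]; then
    echo "Reset the restarted VM."
    # Give the guest time to come up from the saved state before power-cycling it.
    sleep 30

    vboxmanage controlvm "${VMNAME}" reset
  fi

  echo "Mail backup logs."

  # Read relative to the working directory, where the caller redirects this
  # run's output (see the crontab example in the README).
  if [ -n "${MAILTO:-}" ]; then
    cat backup.mail backup.log | msmtp -a default "${MAILTO}"
  else
    echo "MAILTO is not set; not mailing the log." >&2
  fi
fi

source "${SCRIPT_DIR}/backup-settings.sh" unset

--------------------------------------------------------------------------------
/provision.sh:
--------------------------------------------------------------------------------
#!/bin/bash

#
# Provision an OS X host as a VirtualBox VM host: unload desktop services
# that make no sense on a server, then -- if VirtualBox is installed -- set
# up its autostart launch daemon (without starting it).
#
# Most steps run under sudo and modify /System and /Library.
#

# Utility functions

# Launch Daemons

# Disable Apple Push Notification Service daemon
# https://apple.stackexchange.com/questions/92214/how-to-disable-apple-push-notification-service-apsd-on-os-x-10-8
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist

# Disable CalendarAgent
launchctl unload -w /System/Library/LaunchAgents/com.apple.CalendarAgent.plist

# Disable NetBIOS daemon (netbiosd)
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.netbiosd.plist

# Disable Location Services (locationd)
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.locationd.plist

# Disable Notification Center
# https://apple.stackexchange.com/questions/106149/how-do-i-permanently-disable-notification-center-in-mavericks
sudo launchctl unload -w /System/Library/LaunchAgents/com.apple.notificationcenterui.plist

# Disable QuickLook
# https://superuser.com/questions/617658/quicklooksatellite-mac-os-high-cpu-use
sudo launchctl unload -w /System/Library/LaunchAgents/com.apple.quicklook.*

# Disable Spotlight
# http://osxdaily.com/2011/12/10/disable-or-enable-spotlight-in-mac-os-x-lion/
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist

# Disabling Maverick's Unicast ARP Cache Validation Script (thanks, MMV!)
#
# NOTE(review): the two commands below fetch a script over plain HTTP from a
# URL shortener and execute it unseen, with no integrity check. Whatever the
# shortener resolves to at run time is executed as this user. Prefer saving a
# reviewed copy of each script in this repository and running the local copy.
bash <(curl -Ls http://git.io/6YzLCw)

# Disable Bonjour Script (thanks MMV!)
bash <(curl -Ls http://git.io/q9j5Zw)

# Launch Agents

DISABLE_DIR=/System/Library/LaunchAgentsDisabled
# -p so a re-run of this script does not fail on the existing folder.
sudo mkdir -p "${DISABLE_DIR}"

# Disable Game Center daemon (gamed)
sudo mv /System/Library/LaunchAgents/com.apple.gamed.plist "${DISABLE_DIR}"

# Disable Airplay Mirroring
# http://www.ehcho.com/guide/disable-airplay-mirroring/
sudo mv /System/Library/LaunchAgents/com.apple.AirPlayUIAgent.plist "${DISABLE_DIR}"

# Install Applications

# Check for existence, download, and run installer(8) on these apps.

# If VirtualBox's vboxautostart.plist file is available, copy it to
# the /Library/LaunchDaemons folder and enable it.
#
# Set up the /etc/vbox/autostart.cfg file to just allow all users
# on the OS X host to start virtual machines. (No security here.)
#
# Don't start the autostart just yet though.

VBOX_AUTOSTART_SOURCE=/Applications/VirtualBox.app/Contents/MacOS/org.virtualbox.vboxautostart.plist
VBOX_AUTOSTART_TARGET=/Library/LaunchDaemons/org.virtualbox.vboxautostart.plist

VBOX_AUTOSTARTDB_FOLDER=/Users/vboxautostartdb

if [ -f "${VBOX_AUTOSTART_SOURCE}" ]; then
  echo "Setting up VirtualBox Autostart."

  echo "Create /etc/vbox folder."
  sudo mkdir -p /etc/vbox

  # autostart.cfg is taken from the working directory, i.e. this repository's copy.
  echo "Copy autostart.cfg to /etc/vbox."
  sudo cp autostart.cfg /etc/vbox

  # Appears this is unnecessary on OS X.
  #
  # echo "Create /Users/vboxautostartdb folder."
  # sudo mkdir -p "${VBOX_AUTOSTARTDB_FOLDER}"
  # sudo chown -Rv root:staff "${VBOX_AUTOSTARTDB_FOLDER}"
  # sudo chmod 1770 "${VBOX_AUTOSTARTDB_FOLDER}"

  echo "Copy ${VBOX_AUTOSTART_SOURCE} to ${VBOX_AUTOSTART_TARGET}."
  sudo cp "${VBOX_AUTOSTART_SOURCE}" "${VBOX_AUTOSTART_TARGET}"
  # "defaults write" rewrites the plist as binary; convert it back to XML
  # before fixing its permissions.
  sudo defaults write "${VBOX_AUTOSTART_TARGET}" Disabled -bool false
  sudo plutil -convert xml1 "${VBOX_AUTOSTART_TARGET}"
  sudo chmod 755 "${VBOX_AUTOSTART_TARGET}"

  # Appears this is unnecessary on OS X, and you'll get an error if you try.
  #
  # echo "To enable autostarts for a particular user, make sure to run"
  # echo "VBoxManage setproperty autostartdbpath ${VBOX_AUTOSTARTDB_FOLDER}"
  # echo "as that user."
  echo
  echo "To manually start the service, all the autostartable VMs, use the following command:"
  echo "launchctl load /Library/LaunchDaemons/org.virtualbox.vboxautostart.plist"
fi
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
provision-osx
=============

A batch file to provision OS X as a virtual machine host.

The goal is to disable as many services as possible, while leaving the system usable and stable. There are a lot of services that only make sense in the desktop use-case, but don't make as much sense in a server use-case.

Current numbers show memory usage without anyone logged in around "PhysMem: 1150M used (606M wired), 7040M unused." But I think this number could go even lower.


secure-vbox-rdp
===============

A script to set up VirtualBox using TLS cryptography to secure the link.

Adds a user and a password to the specified Virtual Machine.

To log in using Microsoft Remote Desktop Connection, you have to make sure you specify the username and password before attempting to connect, and save these credentials.


backup and backup-settings
==========================

A pair of scripts to back up VirtualBox virtual machines, by saving the current machine state (i.e. stopping the machines), then using Duplicity to send the current disk images and saved state to a backup system.

backup-single
=============

An improved script to back up individual VirtualBox machines. It saves the current machine state, uses Duplicity to send the disk images to a backup system, then optionally restarts the VirtualBox machines.

Set it up by editing the `backup-settings.sh` file, making sure to set `SFTP_TARGET`, `PASSPHRASE`, `FTP_PASSWORD`, and `MAILTO`.

To use the script regularly, you just add something like the following to your `crontab` file:

    MAILTO=user@host

    # Start and Power Cycle this VM after backing it up.
    @weekly $HOME/backup-single.sh -n "Some Machine" -R &> $HOME/backup.log

    # Baseline VM (this doesn't change much), back it up, but do not Start it.
    30 22 * * * $HOME/backup-single.sh -n "Ubuntu 12.04.3" -N &> $HOME/backup.log

    # Derived VMs (these change constantly), once it's backed up, Start it again.
    0 0 * * * $HOME/backup-single.sh -n "Precise Machine" &> $HOME/backup.log

Once `backup-single.sh` completes, it mails the log file to the `MAILTO` address. The log output looks something like:

    Exporting extra path.
    Exporting sftp target.
    Exporting passwords.
    Exporting reporting address.
    Backing up single VM: Some Machine
    Reset the VM after starting it again.
    Sleep the virtual machine: Some Machine
    vboxmanage controlvm "Some Machine" savestate
    0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
    Run backup: "/Users/user/VirtualBox VMs/Others/Some Machine" "sftp://user@host/VMs/Some Machine"
    Local and Remote metadata are synchronized, no sync needed.
    Last full backup date: Tue Feb 25 07:12:29 2014
    No old backup sets found, nothing deleted.
    Local and Remote metadata are synchronized, no sync needed.
    Last full backup date: Tue Feb 25 07:12:29 2014
    --------------[ Backup Statistics ]--------------
    StartTime 1393334744.89 (Tue Feb 25 07:25:44 2014)
    EndTime 1393334790.12 (Tue Feb 25 07:26:30 2014)
    ElapsedTime 45.23 (45.23 seconds)
    SourceFiles 11
    SourceFileSize 2531726484 (2.36 GB)
    NewFiles 4
    NewFileSize 101843900 (97.1 MB)
    DeletedFiles 1
    ChangedFiles 7
    ChangedFileSize 2429882584 (2.26 GB)
    ChangedDeltaSize 0 (0 bytes)
    DeltaEntries 12
    RawDeltaSize 107086570 (102 MB)
    TotalDestinationSizeChange 74829172 (71.4 MB)
    Errors 0
    -------------------------------------------------

    Wake the virtual machine: Some Machine
    vboxmanage startvm "Some Machine" --type headless
    Waiting for VM "Some Machine" to power on...
    VM "Some Machine" has been successfully started.
    Reset the restarted VM.
    Mail backup logs.
--------------------------------------------------------------------------------
/secure-vbox-rdp.sh:
--------------------------------------------------------------------------------
#!/bin/bash

#
# Configure the VRDE (remote desktop) server of a VirtualBox VM: either a
# TLS-protected, password-authenticated endpoint, or an unauthenticated one
# bound to localhost for use through an SSH tunnel. See usage() below.
#

set -u

# Initialised explicitly so an inherited environment variable of the same
# name (USERNAME, PASSWORD) cannot silently satisfy the checks at the bottom.
VM_NAME=""
USERNAME=""
PASSWORD=""

# By default, don't use a different certificate for each VM.
PER_MACHINE_CERTS=0

# Overwrite certificates
OVERWRITE_CERTS=0

# Clear certificates from virtual machine.
CLEAR_CERTS=0

# Use null authentication, but specify the localhost port where
# you can connect to the VM.
#
# Use this with SSH tunnels, of the form:
#
#   ssh -fCNq -L some-local-port:localhost:VRDE_PORT vmhost.domain.com
#
NULL_AUTH=0

# The port at which the VRDE server listens.
VRDE_PORT=0

while getopts ":v:u:p:sifCNP:" opt; do
  case "${opt}" in
    v)
      echo "Modifying VM: ${OPTARG}"
      VM_NAME="${OPTARG}"
      ;;
    u)
      echo "Setting username: ${OPTARG}"
      USERNAME="${OPTARG}"
      ;;
    p)
      # The value is deliberately not echoed, so it does not end up in logs.
      # Anything passed as an argument is still visible to other local users
      # via ps and is kept in the shell history; -s prompts for it instead.
      echo "Setting password."
      PASSWORD="${OPTARG}"
      ;;
    s)
      # Prompt without echo: the password never appears in argv or history.
      read -r -s -p "Password: " PASSWORD
      echo
      ;;
    i)
      echo "Using individual certificates."
      PER_MACHINE_CERTS=1
      ;;
    f)
      echo "Overwriting certificates."
      OVERWRITE_CERTS=1
      ;;
    C)
      echo "Clearing certificates for machine."
      CLEAR_CERTS=1
      ;;
    N)
      echo "Setting --vrdeauthtype to 'null'."
      NULL_AUTH=1
      ;;
    P)
      echo "Setting VRDE port."
      VRDE_PORT="${OPTARG}"
      ;;
    *)
      # Unknown option or missing argument: leave the defaults, usage follows.
      ;;
  esac
done

#######################################
# Register a username/password for the VM's VRDE server with VirtualBox's
# VBoxAuthSimple library: the auth library is set host-wide, the VM switched
# to external authentication, and the hash printed by
# "VBoxManage internalcommands passwordhash" stored in the VM's extradata.
# Globals:   VM_NAME (read)
# Arguments: $1 - username, $2 - password
#######################################
createUser () {
  local username=$1
  local password=$2
  local hash

  VBoxManage setproperty vrdeauthlibrary "VBoxAuthSimple"
  VBoxManage modifyvm "${VM_NAME}" --vrdeauthtype external
  # passwordhash prints "Password hash: <hex>"; keep only the hex part.
  # The plaintext still crosses a process boundary as an argument here,
  # which the VBoxManage interface does not avoid.
  hash=$(VBoxManage internalcommands passwordhash "${password}" | sed "s_Password hash: __g")
  VBoxManage setextradata "${VM_NAME}" "VBoxAuthSimple/users/${username}" "${hash}"
}

#######################################
# Switch the VM's VRDE server to TLS and bind it to a CA certificate, server
# certificate and server private key under VM_PATH (per-machine folder with
# -i, otherwise shared by the whole host). The files are generated with
# openssl unless all three already exist and -f was not given; existing files
# are reused, but the VM is still pointed at them.
# Globals: VM_NAME, PER_MACHINE_CERTS, OVERWRITE_CERTS, HOME (read); VM_PATH (written)
#######################################
createCertificate () {
  if [ "${PER_MACHINE_CERTS}" -eq 1 ]; then
    VM_PATH="${HOME}/VirtualBox VMs/${VM_NAME}"
  else
    VM_PATH="${HOME}/VirtualBox VMs"
  fi

  local generate=1
  if [ "${OVERWRITE_CERTS}" -eq 0 ]; then
    if [ -f "${VM_PATH}/ca_cert.pem" ] && [ -f "${VM_PATH}/server_cert.pem" ] && [ -f "${VM_PATH}/server_key_private.pem" ]; then
      echo "Don't overwrite certificates."
      generate=0
    fi
  fi

  VBoxManage modifyvm "${VM_NAME}" --vrdeproperty "Security/Method=TLS"

  if [ "${generate}" -eq 1 ]; then
    # Self-signed CA (openssl prompts for the subject and a CA key passphrase),
    # then a server key of an explicit size -- genrsa's default differs
    # between openssl versions -- and a server certificate signed by that CA.
    openssl req -new -x509 -days 730 -extensions v3_ca -keyout "${VM_PATH}/ca_key_private.pem" -out "${VM_PATH}/ca_cert.pem"
    openssl genrsa -out "${VM_PATH}/server_key_private.pem" 2048
    openssl req -new -key "${VM_PATH}/server_key_private.pem" -out "${VM_PATH}/server_req.pem"
    openssl x509 -req -days 730 -in "${VM_PATH}/server_req.pem" -CA "${VM_PATH}/ca_cert.pem" -CAkey "${VM_PATH}/ca_key_private.pem" -set_serial 01 -out "${VM_PATH}/server_cert.pem"

    # Only this user's VirtualBox process needs to read the private keys.
    chmod 600 "${VM_PATH}/ca_key_private.pem" "${VM_PATH}/server_key_private.pem"
  fi

  VBoxManage modifyvm "${VM_NAME}" --vrdeproperty "Security/CACertificate=${VM_PATH}/ca_cert.pem"
  VBoxManage modifyvm "${VM_NAME}" --vrdeproperty "Security/ServerCertificate=${VM_PATH}/server_cert.pem"
  VBoxManage modifyvm "${VM_NAME}" --vrdeproperty "Security/ServerPrivateKey=${VM_PATH}/server_key_private.pem"
}

#######################################
# Delete the per-machine .pem files and return the VM's VRDE server to
# "Negotiate" with no certificate or key bound. Only the per-machine folder
# is cleaned; host-wide certificates under "VirtualBox VMs" may be shared by
# other VMs and are left alone.
# Globals: VM_NAME, HOME (read); VM_PATH (written)
#######################################
clearCertificates() {
  VM_PATH="${HOME}/VirtualBox VMs/${VM_NAME}"

  # The glob has to sit outside the quotes, otherwise rm looks for one file
  # literally named "*.pem". When nothing matches the pattern is left as is,
  # hence the existence check per candidate.
  local pem
  for pem in "${VM_PATH}"/*.pem; do
    [ -e "${pem}" ] && rm -f -- "${pem}"
  done

  VBoxManage modifyvm "${VM_NAME}" --vrdeproperty "Security/Method=Negotiate"

  VBoxManage modifyvm "${VM_NAME}" --vrdeproperty "Security/CACertificate="
  VBoxManage modifyvm "${VM_NAME}" --vrdeproperty "Security/ServerCertificate="
  VBoxManage modifyvm "${VM_NAME}" --vrdeproperty "Security/ServerPrivateKey="
}

# If the RDP server is going to have no authentication
# then the rule is to only allow it to serve via localhost:port
#
# You can then use SSH tunnelling to connect safely.
#
# Globals: VM_NAME, VRDE_PORT (read)
nullAuth() {
  VBoxManage modifyvm "${VM_NAME}" --vrdeauthtype "null"
  # Loopback only: never expose an unauthenticated VRDE server on a real interface.
  VBoxManage modifyvm "${VM_NAME}" --vrdeaddress "127.0.0.1"
  VBoxManage modifyvm "${VM_NAME}" --vrdeport "${VRDE_PORT}"
  VBoxManage modifyvm "${VM_NAME}" --vrdemulticon "on"

  echo "You can now connect to the VM at localhost:${VRDE_PORT}."
}

usage () {
  echo "Usage: "
  echo ""
  echo "$0 -v [virtual machine] -u [username] -p [password] (optional -i)"
  echo "$0 -v [virtual machine] -u [username] -s (optional -i)"
  echo ""
  echo "  Creates a TLS-secured user/password on the virtual machine,"
  echo "  using a single certificate for the entire virtual machine host."
  echo "  -s prompts for the password instead of taking it from the command line."
  echo ""
  echo "$0 -v [virtual machine] -C"
  echo ""
  echo "  Clears certificates from a single virtual machine."
  echo ""
  echo "$0 -v [virtual machine] -N -P [vrde port]"
  echo ""
  echo "  Resets authentication to null, sets listening interface to"
  echo "  localhost, sets port to specified value. Useful for ssh-tunneling."
  echo ""
}

if [ -n "${VM_NAME}" ] && [ -n "${USERNAME}" ] && [ -n "${PASSWORD}" ]; then
  createUser "${USERNAME}" "${PASSWORD}"
  createCertificate
elif [ -n "${VM_NAME}" ] && [ "${CLEAR_CERTS}" -eq 1 ]; then
  clearCertificates
# The port must be a non-zero number; a non-numeric -P value would otherwise
# make the -ne test itself fail with an error.
elif [ -n "${VM_NAME}" ] && [ "${NULL_AUTH}" -eq 1 ] && [[ "${VRDE_PORT}" =~ ^[0-9]+$ ]] && [ "${VRDE_PORT}" -ne 0 ]; then
  nullAuth
else
  usage
fi
--------------------------------------------------------------------------------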