I’ve run into an issue today.
I’m running Whonix 15.0.0.8.7 on an Ubuntu Server 18.04 host over KVM (libvirt 4.0.0).
Following the KVM Guide[1] I was able to get everything up and running(*), including logging into both Gateway and Workstation VMs via console with the command virsh console
.
After running whonixsetup
and apt upgrade
I wasn’t able to log in anymore as a regular user in both VMs, getting a “Permission denied” after entering the correct password. The only way to get access again was by rebooting the VM in recovery mode, logging in as root.
After some help from Patrick on the Whonix Telegram Group the issue could be traced to the recent addition of Console Lockdown[2]. Adding the terminal ttyS0
, which you get connected to using virsh console
, to the list of allowed consoles for the console
group in /etc/security/access-security-misc.conf
[3] resolved the issue.
(*): Had to change a line in the Workstation XML; <codec type='output'/>
to <codec type='micro'/>
, since output
is only supported since libvirt 4.4.0[4]
[1]: whonix /wiki/KVM
[2]: whonix /wiki/Dev/Strong_Linux_User_Account_Isolation#Console_Lockdown
[3]: github /Whonix/security-misc/blob/master/etc/security/access-security-misc.conf
[4]: libvirt /formatdomain.html#elementsSound