Solaris Trusted Extensions Administrator's Procedures

Procedure: Enable Remote Login From an Unlabeled System

Before You Begin

This procedure is not secure.

You have relaxed PAM policy to allow remote role assumption, as described in Enable Remote Login by a Role in Trusted Extensions.

  1. On the trusted system, apply the appropriate security template to the unlabeled system.


    Caution –

    With the default settings, another unlabeled system could log in and administer the remote system. Therefore, you must change the 0.0.0.0 network default from ADMIN_LOW to a different label. For the procedure, see How to Limit the Hosts That Can Be Contacted on the Trusted Network.


  2. In the trusted editor, open the /etc/pam.conf file.


    # /usr/dt/bin/trusted_edit /etc/pam.conf
    
  3. Find the smcconsole entries.

  4. Add allow_unlabeled to the tsol_account module.

    Use the Tab key between fields.


    smcconsole   account required  pam_tsol_account.so.1 allow_unlabeled
    

    After your edits, this section appears similar to the following:


    # Solaris Management Console definition for Account management
    #
    smcconsole  account  requisite      pam_roles.so.1    allow_remote
    smcconsole  account  required       pam_unix_account.so.1
    smcconsole  account  required       pam_tsol_account.so.1 allow_unlabeled
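
To audit a system for the relaxations this procedure introduces, the following added shell example (not part of the Solaris documentation) scans pam.conf-format text for account entries that carry `allow_remote` on `pam_roles.so.1` or `allow_unlabeled` on `pam_tsol_account.so.1`. The function names and the sample input are constructed for illustration, and the check assumes one entry per line with whitespace-separated fields.

```shell
#!/bin/sh
# Added audit example; not code from the Solaris documentation.

# audit_pam_relaxations [FILE]
# Reads pam.conf-format text from FILE (or stdin) and prints
# "<line>: <service> <module> <option>" for each account entry that
# relaxes the policy discussed in this procedure.
audit_pam_relaxations() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }      # skip comments and incomplete lines
        $2 != "account"      { next }      # only account-management entries
        {
            module = $4
            sub(/^.*\//, "", module)       # tolerate a full module path
            for (i = 5; i <= NF; i++) {
                if ($i ~ /^#/) break       # stop at a trailing comment
                if ((module == "pam_roles.so.1" && $i == "allow_remote") ||
                    (module == "pam_tsol_account.so.1" && $i == "allow_unlabeled"))
                    printf "%d: %s %s %s\n", FNR, $1, module, $i
            }
        }
    ' "$@"
}

# Constructed sample: the smcconsole section shown above, plus a
# commented-out entry and an unrelated service with no relaxation.
sample_pam_conf() {
    cat <<'EOF'
# Solaris Management Console definition for Account management
#
smcconsole  account  requisite      pam_roles.so.1    allow_remote
smcconsole  account  required       pam_unix_account.so.1
smcconsole  account  required       pam_tsol_account.so.1 allow_unlabeled
#other      account  required       pam_tsol_account.so.1 allow_unlabeled
other       account  required       pam_tsol_account.so.1
EOF
}

# Report the relaxed entries found in the sample.
sample_pam_conf | audit_pam_relaxations
```

On a real system, pass the file path instead: `audit_pam_relaxations /etc/pam.conf`. Any service other than the one you intended to relax appearing in the output deserves review.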