Follow this procedure only if you must administer a headless system by using the rlogin or ssh command.
Configuration errors can be debugged remotely.
If you are using local files to administer the remote system, you have completed Enable Remote Login by root User in Trusted Extensions. Then, as the root user, perform this task on both systems.
On both systems, identify the other system as a labeled system.
The desktop system and the headless system must identify each other as using the identical security template. For the procedure, see How to Assign a Security Template to a Host or a Group of Hosts.
To assign a temporary label, see Example 6–1.
On both systems, create identical users and roles.
The names and IDs must be identical, and the role must be assigned to the user on both systems. To create users and roles, see Creating Roles and Users in Trusted Extensions.
To contact a remote Solaris Management Console, do the following on both systems:
Add the other system's host name and IP address to the /etc/hosts file.
# /usr/dt/bin/trusted_edit /etc/hosts |
127.0.0.1 localhost 192.168.66.66 local-system-name loghost 192.168.66.12 remote-system-name |
To allow remote role assumption, modify the pam.conf file to relax PAM policy.
Copy the /etc/pam.conf file to /etc/pam.conf.orig.
# cp /etc/pam.conf /etc/pam.conf.orig |
In the trusted editor, open the pam.conf file.
# /usr/dt/bin/trusted_edit /etc/pam.conf |
Copy the default entries under Account management.
In each copied entry, change other to smcconsole.
To the copied pam_roles.so.1 entry, add allow_remote.
Use the Tab key between fields. This section now appears similar to the following:
# Solaris Management Console definition for Account management # smcconsole account requisite pam_roles.so.1 allow_remote smcconsole account required pam_unix_account.so.1 smcconsole account required pam_tsol_account.so.1 # Default definition for Account management # Used when service name is not explicitly mentioned for account management # other account requisite pam_roles.so.1 other account required pam_unix_account.so.1 other account required pam_tsol_account.so.1 |
Save the file and exit the editor.
(Optional) Copy the file to /etc/pam.conf.site.
# cp /etc/pam.conf /etc/pam.conf.site |
If you upgrade the system to a later release, you must then evaluate if you should copy the changes from /etc/pam.conf.site into the pam.conf file.
In this example, the administrator wants to start configuring a remote Trusted Extensions system before the host type definitions are set up. To do so, the administrator uses the tnctl command on the remote system to temporarily define the host type of the desktop system:
remote-TX# tnctl -h desktop-TX:cipso |
Later, the administrator wants to reach the remote Trusted Extensions system from a desktop system that is not configured with Trusted Extensions. In this case, the administrator uses the tnctl command on the remote system to temporarily define the host type of the desktop system as an unlabeled system that runs at the ADMIN_LOW label:
remote-TX# tnctl -h desktop-TX:admin_low |