Solaris Trusted Extensions Installation and Configuration for Solaris 10 11/06 and Solaris 10 8/07 Releases |
6. Configuring a Headless System With Trusted Extensions (Tasks)
Headless System Configuration in Trusted Extensions (Task Map)
Enable Remote Login in Trusted Extensions
Use the rlogin Command to Log In to a Headless System in Trusted Extensions
Use the ssh Command to Log In to a Headless System in Trusted Extensions
On headless systems, the console is connected by means of a serial line to a terminal emulator window; the line is typically accessed by using the tip command. Depending on what type of second system is available, you can use one of the following methods to configure a headless system. The methods are listed from most preferred to least preferred in Task 3 of the task map.
Enable Remote Login in Trusted Extensions
Follow this procedure only if you must administer a headless system by using the rlogin or ssh command. This procedure is not secure: it permits root, or the root role, to log in over the network.
Configuration errors can be debugged remotely.
Consult your security policy to determine which methods of remote login are permissible at your site. The desktop system and the headless system must identify each other as using the identical security template.
Enable remote login by root. In the /etc/default/login file, comment out the CONSOLE entry:
#CONSOLE=/dev/console
Then, in the /etc/ssh/sshd_config file, permit root login over ssh. By default, the ssh service is enabled on a Solaris system.
PermitRootLogin yes
If root is a role, this modification is required for remote logins by the root role.
Enable remote assumption of roles. In the /etc/pam.conf file, add the allow_remote option to the pam_roles.so.1 entry of the "other account" stack. Use the Tab key between fields.
# vi /etc/pam.conf
other   account requisite       pam_roles.so.1          allow_remote
After your edits, this section looks similar to the following:
other   account requisite       pam_roles.so.1          allow_remote
other   account required        pam_unix_account.so.1
other   account required        pam_tsol_account.so.1
If the desktop system is an unlabeled system, add the allow_unlabeled option to the pam_tsol_account.so.1 entry so that logins from unlabeled hosts are accepted. Use the Tab key between fields.
# vi /etc/pam.conf
other   account required        pam_tsol_account.so.1   allow_unlabeled
After your edits, this section looks similar to the following:
other   account requisite       pam_roles.so.1          allow_remote
other   account required        pam_unix_account.so.1
other   account required        pam_tsol_account.so.1   allow_unlabeled
Assign an administrative label range to each user who will log in to the headless system remotely. The username on the desktop must be the same as the username on the headless system.
# usermod -R root -K min_label=ADMIN_LOW -K clearance=ADMIN_LOW username
On the headless system, define the desktop system with the security template that matches the desktop system's host type. To create this temporary definition, use the tnctl command. If the desktop system is a labeled system, assign it the cipso template:
# tnctl -h desktop-IP-address:cipso
If the desktop system is an unlabeled system, assign it the admin_low template:
# tnctl -h desktop-IP-address:admin_low
The tnctl command changes only the kernel's copy of the host table, so this definition does not survive a reboot. For more information, see the tnctl(1M) man page.
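As an added example that is not part of the Solaris documentation, the following POSIX shell script performs the file edits of this procedure on copies of /etc/default/login, /etc/ssh/sshd_config and /etc/pam.conf, and then checks that every required setting is present. The function names, the sample file contents and the temporary dry-run directory are constructed for illustration; the settings themselves (the commented CONSOLE entry, PermitRootLogin yes, allow_remote on pam_roles.so.1 and allow_unlabeled on pam_tsol_account.so.1) are the ones this procedure specifies.

```shell
#!/bin/sh
# Added example (not from the Solaris documentation): apply the three
# remote-login edits of this procedure to COPIES of /etc/default/login,
# /etc/ssh/sshd_config and /etc/pam.conf, then verify them. Paths are
# parameters so the functions can be tried on copies before the live files.
# Plain POSIX sh plus sed/awk/grep; no "sed -i", which Solaris 10 lacks.

# enable_root_remote_login LOGINFILE
#   Comment out CONSOLE=/dev/console so root is not restricted to the console.
enable_root_remote_login() {
    f=$1
    if grep '^CONSOLE=' "$f" >/dev/null 2>&1; then
        sed 's/^CONSOLE=/#CONSOLE=/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    fi
}

# set_permit_root_login SSHDCONFIG
#   Replace an active PermitRootLogin directive, or append one.
set_permit_root_login() {
    f=$1
    if grep '^PermitRootLogin' "$f" >/dev/null 2>&1; then
        sed 's/^PermitRootLogin.*/PermitRootLogin yes/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf 'PermitRootLogin yes\n' >> "$f"
    fi
}

# add_pam_flag PAMCONF MODULE FLAG
#   Append FLAG to the "other account" entry for MODULE unless it is already
#   there, so the function can be re-run safely. pam.conf fields: service,
#   type, control flag, module path, then module options.
add_pam_flag() {
    f=$1; mod=$2; flag=$3
    awk -v mod="$mod" -v flag="$flag" '
        $1 == "other" && $2 == "account" && $4 == mod {
            seen = 0
            for (i = 5; i <= NF; i++) if ($i == flag) seen = 1
            if (!seen) $0 = $0 "\t" flag
        }
        { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# verify_remote_login LOGINFILE SSHDCONFIG PAMCONF
#   Exit status 0 only when every setting this procedure requires is present.
verify_remote_login() {
    ! grep '^CONSOLE=' "$1" >/dev/null 2>&1 &&
    grep '^PermitRootLogin[[:space:]][[:space:]]*yes' "$2" >/dev/null 2>&1 &&
    awk '$1 == "other" && $2 == "account" && $4 == "pam_roles.so.1" {
             for (i = 5; i <= NF; i++) if ($i == "allow_remote") r = 1 }
         $1 == "other" && $2 == "account" && $4 == "pam_tsol_account.so.1" {
             for (i = 5; i <= NF; i++) if ($i == "allow_unlabeled") u = 1 }
         END { exit !(r && u) }' "$3"
}

# make_sample_configs DIR
#   Constructed, shortened stand-ins for the three files as they look before
#   the procedure (not real system files), written into DIR for a dry run.
make_sample_configs() {
    d=$1
    printf 'CONSOLE=/dev/console\nPASSREQ=YES\n' > "$d/login"
    printf 'Port 22\nPermitRootLogin no\n' > "$d/sshd_config"
    printf 'other\taccount\trequisite\tpam_roles.so.1\n' > "$d/pam.conf"
    printf 'other\taccount\trequired\tpam_unix_account.so.1\n' >> "$d/pam.conf"
    printf 'other\taccount\trequired\tpam_tsol_account.so.1\n' >> "$d/pam.conf"
}

# Dry run on the constructed copies. To apply for real, pass the /etc paths
# as root, and reverse the edits once the headless system is configured.
dir=$(mktemp -d)
make_sample_configs "$dir"
verify_remote_login "$dir/login" "$dir/sshd_config" "$dir/pam.conf" \
    && echo "before: remote login already enabled" \
    || echo "before: remote login not enabled"
enable_root_remote_login "$dir/login"
set_permit_root_login "$dir/sshd_config"
add_pam_flag "$dir/pam.conf" pam_roles.so.1 allow_remote
add_pam_flag "$dir/pam.conf" pam_tsol_account.so.1 allow_unlabeled
verify_remote_login "$dir/login" "$dir/sshd_config" "$dir/pam.conf" \
    && echo "after: remote login enabled" \
    || echo "after: a required setting is still missing"
cat "$dir/pam.conf"
rm -rf "$dir"
```

Run as is for a dry run on temporary copies. To apply the edits to a headless system, call the functions as root with the real /etc paths and then run verify_remote_login with the same paths. Because every one of these edits weakens the system, keep a copy of each original file and restore them when configuration is complete.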
Use the rlogin Command to Log In to a Headless System in Trusted Extensions
This procedure enables you to use the command line and Trusted Extensions GUIs to administer a headless system by assuming a role.
The headless system must have enough memory to use the Solaris Management Console. The requirements are the same as for the Solaris OS. For details, see System Requirements and Recommendations in Solaris 10 11/06 Installation Guide: Basic Installations.
If the administrator's desktop system is configured with Trusted Extensions, the headless system is identified as a CIPSO system on the desktop system. For details, see How to Assign a Security Template to a Host or a Group of Hosts in Solaris Trusted Extensions Administrator’s Procedures.
You have completed Enable Remote Login in Trusted Extensions.
You are a user who is enabled to log in to the headless system.
On the desktop system, allow the headless system to connect to the desktop's X server, and note the display number:
desktop $ xhost + headless-host
desktop $ echo $DISPLAY
:n.n
The xhost entry grants every process on the headless system access to your display. Remove it with xhost - headless-host when you are finished.
Log in to the headless system from the desktop system:
desktop $ rlogin headless
Password: Type the headless user's password
If you are logged in to the headless system as an unprivileged user, assume a role with administrative privileges in the same terminal window. For example, assume the root role:
headless $ su - root
Password: Type the root password
You are now in the global zone.
Set the DISPLAY variable to the desktop display that you noted. In a C shell:
headless # setenv DISPLAY desktop:n.n
In a Bourne or Korn shell:
headless # export DISPLAY=desktop:n.n
You can now administer the headless system by using Trusted Extensions GUIs.
To use the Solaris Management Console:
headless # /usr/sbin/smc &
The Solaris Management Console displays on the desktop system. From the list of toolboxes, choose the Scope=Files, Policy=TSOL toolbox for the headless system.
To create and configure labeled zones:
headless # /usr/sbin/txzonemgr
To use Trusted CDE actions, start an Application Manager session on the headless system that displays on the desktop:
headless # /usr/dt/bin/dtappsession desktop
Password: Type the remote password
Use the ssh Command to Log In to a Headless System in Trusted Extensions
This procedure enables you to use the command line to administer a headless system as superuser. To use Trusted Extensions GUIs, complete the steps for remote display in Use the rlogin Command to Log In to a Headless System in Trusted Extensions.
The headless system must have enough memory to use the Solaris Management Console. The requirements are the same as for the Solaris OS. For details, see System Requirements and Recommendations in Solaris 10 11/06 Installation Guide: Basic Installations.
If the administrator's desktop system is configured with Trusted Extensions, the headless system is identified as a CIPSO system on the desktop system. For details, see How to Assign a Security Template to a Host or a Group of Hosts in Solaris Trusted Extensions Administrator’s Procedures.
You have completed Enable Remote Login in Trusted Extensions.
You are a user who is enabled to log in to the headless system.
desktop $ ssh -l username-on-headless headless
Password: Type the headless user's password
headless $
The terminal window now displays actions on the headless system.
If you are logged in to the headless system as an unprivileged user, switch user to root in the same terminal window:
headless $ su - root
Password: Type the root password
You can now administer the headless system by using the command line.
To administer the system by using the administrative GUIs, enable the headless system to display its processes on the desktop. For details, see Use the rlogin Command to Log In to a Headless System in Trusted Extensions.
Example 6-1 Setting Up Remote Administration of a Headless System
In this example, the administrator sets up a labeled headless system from a labeled desktop system. As in the Solaris OS, the administrator enables X server access to the desktop system and sets the DISPLAY variable on the headless system.
TXdesk1 $ xhost + TXnohead4
TXdesk1 $ whoami
config1
TXdesk1 $ uname -n ; echo $DISPLAY
TXdesk1
:1.0
TXdesk1 $ ssh -l install1 TXnohead4
Password: Ins1PwD1
TXnohead4 $
In the global zone, the administrator sets the DISPLAY variable.
TXnohead4 $ su -
Password: abcd1EFG
TXnohead4 # setenv DISPLAY TXdesk1:1.0
In a Bourne or Korn shell, the equivalent command is export DISPLAY=TXdesk1:1.0.
Then, the administrator starts the Solaris Management Console.
TXnohead4 # /usr/sbin/smc &
Finally, the administrator selects the This Computer (TXnohead4: Scope=Files, Policy=TSOL) toolbox.
Follow this procedure only if you do not have a desktop system with which to configure the headless system. This procedure is not secure.
You must be superuser in single-user mode on the headless system. For a modicum of security, two people should be present while the system is being configured.
For details, see the serial login procedure in Managing Devices in Trusted Extensions (Task Map) in Solaris Trusted Extensions Administrator’s Procedures.