Solaris Trusted Extensions Installation and Configuration for Solaris 10 11/06 and Solaris 10 8/07 Releases

Procedure: Enable Remote Login in Trusted Extensions

Follow this procedure only if you must administer a headless system by using the rlogin or ssh command. This procedure is not secure: it allows the root account, or a role, to log in over the network instead of only at the console, so use it only where your security policy permits and remove the changes when they are no longer needed.

Configuration errors can be debugged remotely.

Before You Begin

Consult your security policy to determine which methods of remote login are permissible at your site. The desktop system and the headless system must each identify the other as using the same security template; step 3 covers the headless system's view of the desktop.

  1. Log in to the root account through the console device.

  2. Choose to activate one or more of the following methods of remote login:

    • Enable remote login by the root user.

      1. Comment out the CONSOLE= line in the /etc/default/login file, so that root is no longer restricted to logging in on the console device.


        #CONSOLE=/dev/console
      2. Permit root user login for the ssh service.

        Modify the /etc/ssh/sshd_config file. By default, ssh is enabled on a Solaris system. The sshd daemon reads this file only when it starts, so restart the ssh service after you edit it.


        PermitRootLogin yes
        
    • Permit roles to log in by using the rlogin service.

      If root is a role, this modification is required for remote logins by the root role.

      1. In a text editor, open the pam.conf file.


        # vi /etc/pam.conf
        
      2. Find the line that begins with other account requisite, toward the end of the file.

      3. Add allow_remote to the roles module.

        Use the Tab key between fields.


        other account requisite      pam_roles.so.1        allow_remote
        

        After your edits, this section looks similar to the following:


        other account requisite      pam_roles.so.1        allow_remote
        other account required       pam_unix_account.so.1
        other account required       pam_tsol_account.so.1
    • Allow remote login to the global zone from an unlabeled host.

      1. In a text editor, open the pam.conf file.


        # vi /etc/pam.conf
        
      2. Find the line that begins with other account requisite, toward the end of the file.

      3. Add allow_unlabeled to the tsol_account module.

        Use the Tab key between fields.


        other account required       pam_tsol_account.so.1 allow_unlabeled
        

        After your edits, this section looks similar to the following:


        other account requisite      pam_roles.so.1        allow_remote
        other account required       pam_unix_account.so.1
        other account required       pam_tsol_account.so.1 allow_unlabeled
    • Enable specific users to log in to the global zone.

      Assign to these users an administrative label range. The -R option assigns the root role to the user; the -K keys set the user's minimum label and clearance both to ADMIN_LOW, which is the label of the global zone, so the user can log in there and nowhere else. The username on the desktop must be the same as the username on the headless system.


      # usermod -R root -K min_label=ADMIN_LOW -K clearance=ADMIN_LOW username
      
  3. On the headless system, define the host type of your desktop.

    The host type of the desktop system and the host type of the headless system must match. To create this temporary definition, use the tnctl command. A tnctl entry lives only in the kernel and does not survive a reboot; to make it permanent, add the host to the /etc/security/tsol/tnrhdb file. For more information, see the tnctl(1M) man page.

    • For a labeled desktop system, define the host type as cipso.


      # tnctl -h desktop-IP-address:cipso
    • For an unlabeled desktop system, define the host type as an unlabeled system that is running at ADMIN_LOW.


      # tnctl -h desktop-IP-address:admin_low
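The whole procedure as one script, as an added example that is not from the Solaris documentation. It applies the /etc/default/login, sshd_config and pam.conf edits with sed and awk filters, writing each file back through a temporary copy because Solaris sed has no -i option, and then restarts ssh and runs tnctl. The ROOT and AWK variables, the function names, and the placeholder desktop address 192.0.2.10 are this example's own conventions; set ROOT to a scratch directory to rehearse the edits on copies of the files, in which case the svcadm and tnctl steps are skipped.

```shell
#!/bin/sh
# Added example, not from the Solaris documentation: applies the edits of the
# procedure above with a POSIX shell and sed/awk filters, writing each file
# back through a temporary copy because Solaris sed has no -i option.
# ROOT, AWK and the function names are this example's own conventions.
# Run as root on the headless system; set ROOT to a scratch directory to
# rehearse against copies of the three files first.

ROOT="${ROOT:-}"                 # empty means the live system
AWK="${AWK:-awk}"                # on Solaris 10 use AWK=/usr/bin/nawk (supports -v)

# rewrite FILE CMD [ARG...]: keep FILE.orig, replace FILE with CMD's output.
rewrite() {
    file="$1"; shift
    cp -p "$file" "$file.orig" || return 1
    "$@" < "$file.orig" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Step 2, root login: comment out CONSOLE= so root is not tied to the console.
comment_console_line() {         # comment_console_line /etc/default/login
    rewrite "$1" sed 's/^CONSOLE=/#CONSOLE=/'
}

# Step 2, root login: leave exactly one "PermitRootLogin yes", replacing any
# active or commented-out PermitRootLogin line, or appending one if absent.
permit_root_ssh() {              # permit_root_ssh /etc/ssh/sshd_config
    rewrite "$1" "$AWK" '
        $1 ~ /^#?PermitRootLogin$/ { if (!seen) print "PermitRootLogin yes"; seen = 1; next }
        { print }
        END { if (!seen) print "PermitRootLogin yes" }'
}

# Step 2, roles and unlabeled hosts: add OPTION to the "other account" entry
# for MODULE in pam.conf. Fields are service type control module [options],
# separated by tabs or spaces; the edit is skipped when OPTION is already
# present, so running the function twice does not duplicate it.
add_pam_option() {               # add_pam_option /etc/pam.conf MODULE OPTION
    rewrite "$1" "$AWK" -v mod="$2" -v opt="$3" '
        $1 == "other" && $2 == "account" && $4 == mod {
            have = 0
            for (i = 5; i <= NF; i++) if ($i == opt) have = 1
            if (!have) $0 = $0 "\t" opt
        }
        { print }'
}

# All edits, then (only on the live system) the ssh restart that makes sshd
# reread its file and the step 3 tnctl definition of the desktop host.
apply_remote_login() {           # apply_remote_login DESKTOP_IP cipso|admin_low
    comment_console_line "$ROOT/etc/default/login"
    permit_root_ssh "$ROOT/etc/ssh/sshd_config"
    add_pam_option "$ROOT/etc/pam.conf" pam_roles.so.1 allow_remote
    add_pam_option "$ROOT/etc/pam.conf" pam_tsol_account.so.1 allow_unlabeled
    if [ -z "$ROOT" ]; then
        svcadm restart svc:/network/ssh:default
        tnctl -h "$1:$2"
    fi
}

# Example invocation for a labeled desktop at a placeholder address
# (commented out so the file can be sourced for its functions alone):
# apply_remote_login 192.0.2.10 cipso
```

The script enables every method at once; delete the calls you do not need. The usermod step for individual users is left out because it takes a per-user username, and the .orig copies let you reverse the edits when remote administration is finished.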