This procedure is not secure.
You have relaxed PAM policy to allow remote role assumption, as described in Enable Remote Login by a Role in Trusted Extensions.
On the trusted system, apply the appropriate security template to the unlabeled system.
With the default settings, another unlabeled system could log in and administer the remote system. Therefore, you must change the 0.0.0.0 network default from ADMIN_LOW to a different label. For the procedure, see How to Limit the Hosts That Can Be Contacted on the Trusted Network in Oracle Solaris Trusted Extensions Administrator’s Procedures.
In the trusted editor, open the /etc/pam.conf file.
# /usr/dt/bin/trusted_edit /etc/pam.conf
Find the smcconsole entries.
Add allow_unlabeled to the tsol_account module.
Use the Tab key between fields.
smcconsole account required pam_tsol_account.so.1 allow_unlabeled
After your edits, this section appears similar to the following:
# Solaris Management Console definition for Account management
#
smcconsole account requisite pam_roles.so.1 allow_remote
smcconsole account required pam_unix_account.so.1
smcconsole account required pam_tsol_account.so.1 allow_unlabeled
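Because this procedure weakens the default policy, it helps to be able to list exactly which PAM entries carry the relaxed options. The following audit check is an added example, not part of the original procedure; the function names and the sample file are constructed for illustration, and it assumes the standard pam.conf field order (service, module type, control flag, module path, options).

```shell
#!/bin/sh
# Added audit example (not from the original procedure).
# Reports pam.conf entries that relax Trusted Extensions remote-access policy.
# Assumed field order: service  module_type  control_flag  module_path  [options]

audit_pam_relaxations() {
    # $1: path to a pam.conf-format file
    awk '
        $1 ~ /^#/ || NF < 4 { next }       # skip comments, blank and short lines
        {
            n = split($4, parts, "/")      # module may be given as a full path
            module = parts[n]
            for (i = 5; i <= NF; i++) {
                if (module ~ /^pam_tsol_account\.so/ && $i == "allow_unlabeled")
                    printf "%s:%d: %s %s allows unlabeled hosts\n", FILENAME, NR, $1, $2
                if (module ~ /^pam_roles\.so/ && $i == "allow_remote")
                    printf "%s:%d: %s %s allows remote role assumption\n", FILENAME, NR, $1, $2
            }
        }
    ' "$1"
}

count_pam_relaxations() {
    # Number of relaxed entries found in the file named by $1
    audit_pam_relaxations "$1" | wc -l | tr -d ' '
}

write_sample() {
    # Constructed sample: the smcconsole section as edited in this procedure,
    # plus one unrelaxed entry for contrast.
    cat > "$1" <<'EOF'
# Solaris Management Console definition for Account management
#
smcconsole	account	requisite	pam_roles.so.1	allow_remote
smcconsole	account	required	pam_unix_account.so.1
smcconsole	account	required	pam_tsol_account.so.1	allow_unlabeled
other	account	required	pam_tsol_account.so.1
EOF
}

# Demo run against the constructed sample
sample=${TMPDIR:-/tmp}/pam.conf.sample.$$
write_sample "$sample"
audit_pam_relaxations "$sample"
rm -f "$sample"
```

To audit a live system, call audit_pam_relaxations /etc/pam.conf and compare the reported entries against the services you intended to relax.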