Oracle Solaris Trusted Extensions Configuration Guide

ProcedureEnable Remote Login by a Role in Trusted Extensions

Follow this procedure only if you must administer a headless system by using the rlogin or ssh command.

Configuration errors can be debugged remotely.

Before You Begin

If you are using local files to administer the remote system, you have completed Enable Remote Login by root User in Trusted Extensions. Then, as the root user, perform this task on both systems.

  1. On both systems, identify the other system as a labeled system.

    The desktop system and the headless system must identify each other as using the identical security template. For the procedure, see How to Assign a Security Template to a Host or a Group of Hosts in Oracle Solaris Trusted Extensions Administrator’s Procedures.

    To assign a temporary label, see Example 6–1.

  2. On both systems, create identical users and roles.

    The names and IDs must be identical, and the role must be assigned to the user on both systems. To create users and roles, see Creating Roles and Users in Trusted Extensions.

  3. To contact a remote Solaris Management Console, do the following on both systems:

    1. Add the other system's host name and IP address to the /etc/hosts file.

      # /usr/dt/bin/trusted_edit /etc/hosts
    	localhost	local-system-name	loghost	remote-system-name
    2. To allow remote role assumption, modify the pam.conf file to relax PAM policy.

      1. Copy the /etc/pam.conf file to /etc/pam.conf.orig.

        # cp /etc/pam.conf /etc/pam.conf.orig
      2. In the trusted editor, open the pam.conf file.

        # /usr/dt/bin/trusted_edit /etc/pam.conf
      3. Copy the default entries under Account management.

      4. In each copied entry, change other to smcconsole.

      5. To the copied entry, add allow_remote.

        Use the Tab key between fields. This section now appears similar to the following:

        # Solaris Management Console definition for Account management
        smcconsole   account requisite   allow_remote
        smcconsole   account required
        smcconsole   account required
        # Default definition for Account management
        # Used when service name is not explicitly mentioned for account management
        other   account requisite
        other   account required
        other   account required
      6. Save the file and exit the editor.

      7. (Optional) Copy the file to /etc/

        # cp /etc/pam.conf /etc/

        If you upgrade the system to a later release, you must then evaluate if you should copy the changes from /etc/ into the pam.conf file.

Example 6–1 Creating a Temporary Definition of a Trusted Extensions Host Type

In this example, the administrator wants to start configuring a remote Trusted Extensions system before the host type definitions are set up. To do so, the administrator uses the tnctl command on the remote system to temporarily define the host type of the desktop system:

remote-TX# tnctl -h desktop-TX:cipso

Later, the administrator wants to reach the remote Trusted Extensions system from a desktop system that is not configured with Trusted Extensions. In this case, the administrator uses the tnctl command on the remote system to temporarily define the host type of the desktop system as an unlabeled system that runs at the ADMIN_LOW label:

remote-TX# tnctl -h desktop-TX:admin_low