Oracle Solaris Trusted Extensions Configuration Guide

Procedure: Enable Remote Login by a Role in Trusted Extensions

Follow this procedure only if you must administer a headless system by using the rlogin or ssh command.

Configuration errors can be debugged remotely.

Before You Begin

If you are using local files to administer the remote system, you have completed Enable Remote Login by root User in Trusted Extensions. Then, as the root user, perform this task on both systems.

  1. On both systems, identify the other system as a labeled system.

    The desktop system and the headless system must identify each other as using the identical security template. For the procedure, see How to Assign a Security Template to a Host or a Group of Hosts in Oracle Solaris Trusted Extensions Administrator’s Procedures.

    To assign a temporary label, see Example 6–1.

  2. On both systems, create identical users and roles.

    The names and IDs must be identical, and the role must be assigned to the user on both systems. To create users and roles, see Creating Roles and Users in Trusted Extensions.

  3. To contact a remote Solaris Management Console, do the following on both systems:

    1. Add the other system's host name and IP address to the /etc/hosts file.

      # /usr/dt/bin/trusted_edit /etc/hosts

      127.0.0.1	localhost
      192.168.66.66	local-system-name	loghost
      192.168.66.12	remote-system-name

    2. To allow remote role assumption, modify the pam.conf file to relax PAM policy.

      1. Copy the /etc/pam.conf file to /etc/pam.conf.orig.

        # cp /etc/pam.conf /etc/pam.conf.orig

      2. In the trusted editor, open the pam.conf file.

        # /usr/dt/bin/trusted_edit /etc/pam.conf

      3. Copy the default entries under Account management.

      4. In each copied entry, change other to smcconsole.

      5. To the copied pam_roles.so.1 entry, add allow_remote.

        Use the Tab key between fields. This section now appears similar to the following:

        # Solaris Management Console definition for Account management
        #
        smcconsole   account requisite   pam_roles.so.1   allow_remote
        smcconsole   account required    pam_unix_account.so.1
        smcconsole   account required    pam_tsol_account.so.1

        # Default definition for Account management
        # Used when service name is not explicitly mentioned for account management
        #
        other   account requisite    pam_roles.so.1
        other   account required     pam_unix_account.so.1
        other   account required     pam_tsol_account.so.1

      6. Save the file and exit the editor.

      7. (Optional) Copy the file to /etc/pam.conf.site.

        # cp /etc/pam.conf /etc/pam.conf.site

        If you later upgrade the system to a newer release, you must then evaluate whether to copy the changes saved in /etc/pam.conf.site into the new pam.conf file.
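As an added example that is not part of the Oracle guide, the following POSIX shell functions derive the smcconsole stanza of steps 3 to 5 from the default other account entries in a pam.conf copy, and check whether a pam.conf already permits remote role assumption. The function names and the sample pam.conf contents are constructed for illustration; the functions only read the file you pass them.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: build the smcconsole
# "Account management" stanza from the default "other" account entries of
# a pam.conf copy (steps 3 to 5 above) and check whether a pam.conf already
# carries the relaxed policy. Nothing here writes to /etc/pam.conf.

# Print smcconsole account entries derived from the "other account" lines
# in the pam.conf named by $1; pam_roles.so.1 additionally gets allow_remote.
gen_smcconsole_account() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        $1 == "other" && $2 == "account" {     # fields: service type control module [options]
            line = "smcconsole\t" $2 "\t" $3 "\t" $4
            for (i = 5; i <= NF; i++) line = line "\t" $i
            if ($4 == "pam_roles.so.1") line = line "\tallow_remote"
            print line
        }' "$1"
}

# Exit 0 if the pam.conf named by $1 has a smcconsole account entry for
# pam_roles.so.1 that carries allow_remote (remote role assumption is
# permitted), exit 1 otherwise.
has_remote_role_policy() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "smcconsole" && $2 == "account" && $4 == "pam_roles.so.1" {
            for (i = 5; i <= NF; i++) if ($i == "allow_remote") found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Constructed sample of the default stanza (not a real system's /etc/pam.conf).
sample=$(mktemp)
printf '%s\n' \
    '# Default definition for Account management' \
    'other   account requisite    pam_roles.so.1' \
    'other   account required     pam_unix_account.so.1' \
    'other   account required     pam_tsol_account.so.1' > "$sample"

has_remote_role_policy "$sample" || echo "$sample: remote role assumption not yet allowed"
gen_smcconsole_account "$sample"   # the three lines to paste under "Account management"
rm -f "$sample"
```

The generated lines are tab separated, as step 5 requires; paste them above the default stanza in the trusted editor rather than letting a script write /etc/pam.conf.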
Example 6–1 Creating a Temporary Definition of a Trusted Extensions Host Type

In this example, the administrator wants to start configuring a remote Trusted Extensions system before the host type definitions are set up. To do so, the administrator uses the tnctl command on the remote system to temporarily define the host type of the desktop system:

remote-TX# tnctl -h desktop-TX:cipso

Later, the administrator wants to reach the remote Trusted Extensions system from a desktop system that is not configured with Trusted Extensions. In this case, the administrator uses the tnctl command on the remote system to temporarily define the host type of the desktop system as an unlabeled system that runs at the ADMIN_LOW label:

remote-TX# tnctl -h desktop-TX:admin_low