Configuring and administering Solaris Trusted Extensions software on headless systems such as the NetraTM series require different procedures than the same tasks on systems that have monitors. Trusted Extensions software divides administrative responsibilities into roles, which cannot be assumed remotely. The software also provides an administrative GUI. The GUI does not display on a serial line.
The configuration methods that headless systems require do not satisfy the criteria for an evaluated configuration. For more information, see Understanding Your Site's Security Policy.
On headless systems, a console is connected by means of a serial line to a terminal emulator window. The line is typically secured by the tip command. Depending on what type of second system is available, you can use one of the following methods to configure a headless system. The methods are listed from most preferred to least preferred in Task 3 in the following table.
Tasks |
Description |
For Instructions |
---|---|---|
1. Identify the headless system as a cipso system. |
If the desktop system where you are going to configure the headless system is configured with Trusted Extensions, make the headless system of host type cipso. |
If you have not already made the headless system part of the trusted network, assign to the system the appropriate security template. See How to Assign a Security Template to a Host or a Group of Hosts in Solaris Trusted Extensions Administrator’s Procedures. |
2. Enable remote login. |
As superuser, enable remote login to the headless system. | |
3. Choose a configuration and administration method to set up the headless system. The choice is based on available hardware and software on a second system that communicates with the headless system. The choices are listed in descending order of ease and security. |
Use the rlogin command to administer the remote system in a role. |
To assume a role to administer the remote system, go to Use the rlogin Command to Log In to a Headless System in Trusted Extensions. |
Use the ssh command to administer the remote system as superuser. |
To administer the remote system as superuser, go to Use the ssh Command to Log In to a Headless System in Trusted Extensions. |
|
If you have no windowing system, you can use serial login. This procedure is insecure. |
To use serial login to configure and administer the headless system, go to Set Up Administration by Serial Login in Trusted Extensions. |
|
4. Configure Trusted Extensions on the headless system. |
Having logged in, continue configuration as you would on a system with a monitor. |
See Chapter 4, Configuring Trusted Extensions (Tasks), and use the methods that are possible given your chosen login method. |
Follow this procedure only if you must administer a headless system by using the rlogin or ssh command. This procedure is not secure.
Configuration errors can be debugged remotely.
Consult your security policy to determine which methods of remote login are permissible at your site. The desktop system and the headless system must identify each other as using the identical security template.
Log in to the root account through the console device.
Choose to activate one or more of the following methods of remote login:
Enable remote login by the root user.
Permit roles to log in by using the rlogin service.
If root is a role, this modification is required for remote logins by the root role.
In a text editor, open the pam.conf file.
# vi /etc/pam.conf |
Find other account requisite toward the end of the file.
Add allow_remote to the roles module.
Use the Tab key between fields.
other account requisite pam_roles.so.1 allow_remote |
After your edits, this section looks similar to the following:
other account requisite pam_roles.so.1 allow_remote other account required pam_unix_account.so.1 other account required pam_tsol_account.so.1 |
Allow remote login to the global zone from an unlabeled host.
In a text editor, open the pam.conf file.
# vi /etc/pam.conf |
Find other account requisite toward the end of the file.
Add allow_unlabeled to the tsol_account module.
Use the Tab key between fields.
other account required pam_tsol_account.so.1 allow_unlabeled |
After your edits, this section looks similar to the following:
other account requisite pam_roles.so.1 allow_remote other account required pam_unix_account.so.1 other account required pam_tsol_account.so.1 allow_unlabeled |
Enable specific users to log in to the global zone.
Assign to these users an administrative label range. The username on the desktop must be the same as the username on the headless system.
# usermod -R root -K min_label=ADMIN_LOW -K clearance=ADMIN_LOW username |
On the headless system, define the host type of your desktop.
The host type of the desktop system and the host type of the headless system must match. To create this temporary definition, use the tnctl command. For more information, see the tnctl(1M) man page.
This procedure enables you to use the command line and Trusted Extensions GUIs to administer a headless system by assuming a role.
The headless system must have enough memory to use the Solaris Management Console. The requirements are the same as for the Solaris OS. For details, see System Requirements and Recommendations in Solaris Express Installation Guide: Basic Installations.
If the administrator's desktop system is configured with Trusted Extensions, the headless system is identified as a CIPSO system on the desktop system. For details, see How to Assign a Security Template to a Host or a Group of Hosts in Solaris Trusted Extensions Administrator’s Procedures.
You have completed Enable Remote Login in Trusted Extensions.
You are a user who is enabled to log in to the headless system.
On the desktop system, enable processes from the headless system to display.
On the Trusted Extensions desktop system, open a Trusted Path workspace.
From this terminal window, remotely log in to the headless system.
desktop # rlogin headless Password: Type the headless user's password |
Assume a role.
If you are logged in to the headless system as an unprivileged user, assume a role with administrative privileges. Use the same terminal window. For example, assume the root role.
headless $ su - root Password: Type the root password |
You are now in the global zone.
Enable processes on the headless system to display on the desktop system.
headless $ setenv DISPLAY desktop:n.n headless $ export DISPLAY=n:n |
You can now administer the headless system by using Trusted Extensions GUIs.
Administer the headless system.
Start the Solaris Management Console.
headless $ /usr/sbin/smc & |
The Solaris Management Console displays on the desktop system. From the list of toolboxes, choose the Scope=Files, Policy=TSOL for the headless system.
Start the txzonemgr.
headless $ /usr/sbin/txzonemgr |
Access Trusted CDE actions.
headless # /usr/dt/bin/dtappsession desktop Password: Type the remote password |
This procedure enables you to use the command line to administer a headless system as superuser. To use Trusted Extensions GUIs, complete the steps for remote display in Use the rlogin Command to Log In to a Headless System in Trusted Extensions.
The headless system must have enough memory to use the Solaris Management Console. The requirements are the same as for the Solaris OS. For details, see System Requirements and Recommendations in Solaris Express Installation Guide: Basic Installations.
If the administrator's desktop system is configured with Trusted Extensions, the headless system is identified as a CIPSO system on the desktop system. For details, see How to Assign a Security Template to a Host or a Group of Hosts in Solaris Trusted Extensions Administrator’s Procedures.
You have completed Enable Remote Login in Trusted Extensions.
You are a user who is enabled to log in to the headless system.
On the Trusted Extensions desktop system, open a Trusted Path workspace.
From this terminal window, remotely log in to the headless system.
desktop $ ssh -l username-on-headless headless Password: Type the headless user's password headless $ |
The terminal window now displays actions on the headless system.
Become superuser.
If you are not in the global zone on the headless system, switch user to root in the same terminal window:
headless $ su - root Password: Type the root password |
You can now administer the headless system by using the command line.
To administer the system by using the administrative GUIs, enable the headless system to display its processes on the desktop. For details, see Use the rlogin Command to Log In to a Headless System in Trusted Extensions.
In this example, the administrator sets up a labeled headless system from a labeled desktop system. As in the Solaris OS, the administrator enables X server access to the desktop system and sets the DISPLAY variable on the headless system.
TXdesk1 $ xhost + TXnohead4 TXdesk1 $ whoami config1 TXdesk1 $ uname -n ; echo $DISPLAY TXdesk1 :1.0 |
TXdesk1 $ ssh -l install1 TXnohead4 Password: Ins1PwD1 TXnohead4 $ |
In the global zone, the administrator sets the DISPLAY variable.
TXnohead4 # su - Password: abcd1EFG TXnohead4 # setenv DISPLAY TXdesk1:1.0 TXnohead4 # export DISPLAY=TXdesk1:1.0 |
Then, the administrator starts the Solaris Management Console.
TXnohead4 # /usr/sbin/smc & |
Finally, the administrator selects the This Computer (TXnohead:Scope=Files, Policy=TSOL) toolbox.
Follow this procedure only if you do not have a desktop system with which to configure the headless system. This procedure is not secure.
You must be superuser in single-user mode on the headless system. For a modicum of security, two people should be present while the system is being configured.
Allocate the serial port.
For details, see the serial login procedure in Managing Devices in Trusted Extensions (Task Map) in Solaris Trusted Extensions Administrator’s Procedures.
Administer the system as superuser.