Go to main content

Oracle® Solaris 11.4 Compliance Guide

Exit Print View

Updated: August 2021
 
 

How to Configure an LDAP User to Administer Remote Compliance

Before You Begin

You must have the rights to assign the Compliance Assessor rights profile. The root role or an administrator with the Compliance Assessor rights profile can assign the profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Assign the Compliance Assessor rights profile to the administrator who is creating and sending the assessments.

    Because this user should be running with only the Compliance Assessor rights profile, this command replaces the user's rights profiles with the Compliance Assessor profile.

    # usermod -K profiles="Compliance Assessor" -S ldap username
  2. Configure Secure Shell to authenticate username non-interactively.
    1. As username, create an RSA key pair for Secure Shell authentication.
      username@host1 $ ssh-keygen -t rsa -P ""
      Generating public/private rsa key pair.
      Enter file in which to save the key (/home/username/.ssh/id_rsa):
      Your identification has been saved in $HOME/.ssh/id_rsa
      Your public key has been saved in $HOME/.ssh/id_rsa.pub
      The key fingerprint is:
      SHA256:BLNj0v9...izsQ username@host1
      The key's randomart image is:
      +---[RSA 2048]----+
      |      o       .=B|
      ...

      The –P "" option indicates no passphrase for the private key. RAD authentication cannot be interactive, so do not use a passphrase.

  3. On all hosts where the user will run remote commands, add the user's key to the ssh-agent daemon.
    username@host $ eval `ssh-agent`
    Agent pid nnnn
    username@host $ ssh-add
    Identity added: /home/username/.ssh/id_rsa (/home/username/.ssh/id_rsa)
    username@host $ ssh-add -l
    2048 SHA256:MZck..... /home/username/.ssh/id_rsa (RSA)
  4. Log in to the remote system by using the ssh command.

    The first time you log in to a system, type yes when prompted to establish the authenticity of the host.

    The authenticity of host 'hostname (192.0.2.38)' can't be established.
    AB98765 key fingerprint is SHA256:tAXFy......................
    Are you sure you want to continue connecting (yes/no)? yes

    After each remote system is known, you should not be prompted for a password.

  5. Log out and log in again to verify that you are not prompted for a password.

    If you continue to be prompted, see the following Troubleshooting section.


    Tip  - Add the IP address, the hostname, and the FQDN to the /etc/ssh/ssh_known_hosts entry for each remote system.
    192.0.2.38,myx86,myx86.example.org ssh-rsa AAAAB3NzaC1yc2...

Troubleshooting

If the user continues to be prompted for a password, debug the client-server connection.

As root, debug the Secure Shell server. Run a command similar to the following:

SSHserver# /usr/lib/ssh/sshd -p 2222 -d

In a different terminal window and using the same port, connect as the user from the client and search for the ultimate cause of the failure.

SSHclient$ ssh -p 2222 SSHserver

Messages similar to the following can indicate the ultimate cause of the failure:

Authentication refused: bad ownership or modes for directory /home/username

In this instance, the user has a writable group directory above the directory where the private key is stored. Change the directory permissions to 755.