Oracle® Solaris 11.4 Compliance Guide

Updated: August 2021

How to Configure a Local User to Administer Remote Compliance

Before You Begin

You must have the rights to create a user, assign a password, and assign the Compliance Assessor rights profile. The root role has all of these rights. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. As the administrator on the local system and all remote systems, assign the Compliance Assessor rights profile to the user who is creating and sending the assessments.

    For example, create the cpltester user on the local host.

    Local # useradd -c "Assessment Admin" -u 1111 -m -s /usr/bin/pfbash \
    -K profiles="Compliance Assessor" -S files cpltester
    Local # passwd cpltester
    New Password:
    Re-enter new Password:
    passwd: password successfully changed for cpltester

    Repeat the useradd and passwd commands exactly on the remote systems. For more information about user account options, see the useradd(8) man page.


    Note - The cpltester accounts are identical on every system except for their private keys. Each local user that is going to run or store remote assessments must generate a unique private key and send its public key to the identically named user on each remote system.
  2. As the administrator, add the remote systems to each system's /etc/hosts file.

    For example, in the /etc/hosts file on 192.0.2.111 add entries for 192.0.2.122 and all other hosts.

    ## /etc/hosts on 192.0.2.111 x86
    ::1 myx86 localhost
    127.0.0.1 myx86 localhost loghost
    192.0.2.122 mysparc
    192.0.2.113 host3
    192.0.2.114 host4
    ...

    In the file on 192.0.2.122, add entries for 192.0.2.111 and all other hosts.

    ## /etc/hosts on 192.0.2.122 sparc
    ::1 mysparc localhost
    127.0.0.1 mysparc localhost loghost
    192.0.2.111 myx86
    ...
  3. As the cpltester user, configure Secure Shell to authenticate cpltester non-interactively.

    These instructions are similar to the instructions for remotely administering ZFS in How to Remotely Administer ZFS With Secure Shell in Managing Secure Shell Access in Oracle Solaris 11.4.

    1. On each host, create a key pair for Secure Shell authentication.
      cpltester $ ssh-keygen -t rsa -P ""
      Generating public/private rsa key pair.
      Your identification has been saved in $HOME/.ssh/id_rsa
      Your public key has been saved in $HOME/.ssh/id_rsa.pub
      The key fingerprint is:
      SHA256:BLNj0v9...izsQ cpltester@Local
      The key's randomart image is:
      +---[RSA 2048]----+
      |      o       .=B|
      ...

      The -P "" option creates the private key without a passphrase. RAD authentication cannot be interactive, so do not use a passphrase. Because nothing but file permissions then protects the private key, keep $HOME/.ssh/id_rsa readable only by cpltester (ssh-keygen creates it with mode 600) and never copy it to another system; only the public key is distributed.

    2. Copy the contents of the local $HOME/.ssh/id_rsa.pub to every remote system where you plan to run or store an assessment.

      On each remote system, the originating system's public key is stored in that user's $HOME/.ssh/authorized_keys file.

      1. Create your .ssh directory on every system.
        Hostn $ cd; mkdir -m 700 .ssh
      2. Append the contents of id_rsa.pub to the authorized_keys file on every system.

        Type your password when prompted. You can use the cat >> or the scp command.

        The following command uses the cat >> command:

        Local $ cd; cat .ssh/id_rsa.pub | ssh Remote-IP-address \
        'cat >> /export/home/cpltester/.ssh/authorized_keys && echo "Key copied"'

        The following command uses the scp command. Use it only when the remote authorized_keys file does not yet exist, because scp replaces the whole file and discards any keys already in it:

        Local $ cd; scp /export/home/cpltester/.ssh/id_rsa.pub \
        cpltester@Remote-IP-address:/export/home/cpltester/.ssh/authorized_keys
  4. Verify that the remote system does not prompt the user for a password.

    As the user, ssh to each remote system. You should not be prompted for a password.


    Tip  - Connect to each remote host by its IP address, its hostname, and its FQDN so that all three names are recorded in the user's $HOME/.ssh/known_hosts file (or in the system-wide /etc/ssh/ssh_known_hosts file). With the default StrictHostKeyChecking setting, a name that is not yet recorded triggers an interactive host-key confirmation, which a non-interactive assessment cannot answer.

    As the user, ssh to each remote system using the IP address, the hostname, and the FQDN. All ssh connections should authenticate without a password.
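The following script carries steps 2 through 4 of the procedure above out from the local host in one pass. It is an added example, not code from the Oracle Solaris Compliance Guide: it assumes the cpltester account already exists on every system (step 1, done as root), that the step 3a key pair is at $HOME/.ssh/id_rsa, and it uses a constructed host list (HOSTS) with the guide's 192.0.2.x addresses and assumed example.com FQDNs. Unlike the scp form, it appends the public key only if it is not already present, sets the 700/600 modes sshd expects, and then proves the login is non-interactive with ssh -o BatchMode=yes, which fails instead of prompting.

```shell
#!/bin/sh
# Added example, not part of the Oracle Solaris Compliance Guide. Run on the
# local host as cpltester after step 1 has created the account on every
# system (as root) and step 3a has generated $HOME/.ssh/id_rsa.
# Usage: sh setup-compliance-ssh.sh <short-name-of-this-host>

USER_NAME=cpltester                 # account created in step 1
PUBKEY="$HOME/.ssh/id_rsa.pub"      # public half of the step 3a key pair

# Constructed host list: "ip short-name fqdn" per line. The 192.0.2.x
# addresses follow the guide; the example.com FQDNs are an assumption.
HOSTS='192.0.2.111 myx86 myx86.example.com
192.0.2.122 mysparc mysparc.example.com
192.0.2.113 host3 host3.example.com
192.0.2.114 host4 host4.example.com'

# Emit the /etc/hosts lines for every host except the one named in $1, for
# root to append in step 2. The FQDN is included so the FQDN form of the
# login check below resolves even without DNS.
hosts_entries() {
    printf '%s\n' "$HOSTS" | while read -r ip name fqdn; do
        [ -n "$ip" ] && [ "$name" != "$1" ] || continue
        printf '%s %s %s\n' "$ip" "$fqdn" "$name"
    done
}

# POSIX sh executed on the remote host, with the public key arriving on
# stdin so the key material never needs shell quoting. grep -qxF makes a
# re-run a no-op (scp, by contrast, overwrites an existing authorized_keys),
# and umask 077 plus the chmods give sshd the 700/600 modes StrictModes wants.
REMOTE_INSTALL='umask 077
key=$(cat)
mkdir -p "$HOME/.ssh"; chmod 700 "$HOME/.ssh"
f="$HOME/.ssh/authorized_keys"
touch "$f"
grep -qxF -- "$key" "$f" || printf "%s\n" "$key" >> "$f"
chmod 600 "$f"'

# Step 3b: send this host's public key to the remote host named in $1.
# This is the one connection that still asks for the cpltester password.
install_key() {
    ssh "$USER_NAME@$1" "$REMOTE_INSTALL" < "$PUBKEY"
}

# Step 4: BatchMode=yes makes ssh fail instead of prompting, so a missing
# key or an unrecorded host key is reported rather than left waiting for
# input, which is exactly how a RAD session would hang. -n keeps ssh from
# reading the caller's stdin.
verify_login() {
    if ssh -n -o BatchMode=yes -o ConnectTimeout=10 "$USER_NAME@$1" true 2>/dev/null; then
        printf 'OK   %s\n' "$1"
    else
        printf 'FAIL %s\n' "$1" >&2
        return 1
    fi
}

# Install the key on every other host, then check each one by IP, short
# name and FQDN so that all three are recorded in known_hosts (step 4 Tip).
# Returns the number of failed checks.
main() {
    me=$1
    fails=0
    while read -r ip name fqdn; do
        [ -n "$ip" ] && [ "$name" != "$me" ] || continue
        install_key "$ip" || { fails=$((fails + 1)); continue; }
        for target in "$ip" "$name" "$fqdn"; do
            # First connection under each name: confirm the fingerprint when
            # prompted; ssh then records the host key under that name.
            ssh -n "$USER_NAME@$target" true
            verify_login "$target" || fails=$((fails + 1))
        done
    done <<EOF
$HOSTS
EOF
    return "$fails"
}

if [ $# -gt 0 ]; then
    hosts_entries "$1"      # print what root must add to /etc/hosts
    main "$1"
fi
```

Run it as cpltester on 192.0.2.111 with `sh setup-compliance-ssh.sh myx86`, then repeat on every other host that will run or store assessments, since the Note in step 1 requires each of those hosts to distribute its own public key. The install step asks for the cpltester password once per host and the first connection under each name asks you to confirm the host-key fingerprint; the BatchMode check that follows is the proof that neither prompt will reappear when the compliance command connects over RAD.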