
Trusted Extensions Configuration and Administration


Updated: November 2020

Enable Remote Administration of a Remote Trusted Extensions System

In this procedure, you enable host-based authentication on an Oracle Solaris remote system before adding the Trusted Extensions feature to it. The remote system is the Secure Shell server.

Before You Begin

The remote system is installed with Oracle Solaris and you can access that system. You must be in the root role.

  1. On both systems, enable host-based authentication.

    For the procedure, see How to Set Up Host-Based Authentication for Secure Shell in Managing Secure Shell Access in Oracle Solaris 11.4.


    Note - Do not use the cat command. Copy and paste the public key over a Secure Shell connection. If your Secure Shell client is not an Oracle Solaris system, follow your platform's instructions for configuring a Secure Shell client with host-based authentication.

    After completing this step, you have a user account on both systems that can assume the root role. The accounts are assigned the same UID, GID, and role assignment. You also have generated public/private key pairs and have shared public keys.

  2. On the Secure Shell server, relax the ssh policy to enable root to log in remotely.
    # pfedit /etc/ssh/sshd_config
    ## Permit remote login by root
    PermitRootLogin yes

    A later step limits the root login to a particular system and user.

    Note - Because the administrator is going to assume the root role, you do not need to relax the login policy that prevents remote root login.

  3. On the Secure Shell server, restart the ssh service.
    # svcadm restart ssh
  4. On the Secure Shell server, in root's home directory, specify the host and user for host-based authentication.
    # cd
    # pfedit .shosts
    client-host username

    The .shosts file enables username on the client-host system to assume the root role on the server, provided that the public/private key pair has been shared.

  5. On the Secure Shell server, relax the two PAM policies.
    1. Copy /etc/pam.d/other to /etc/pam.d/other.orig.
      # cp /etc/pam.d/other /etc/pam.d/other.orig
    2. Modify the pam_roles entry to allow remote login by roles.
      # pfedit /etc/pam.d/other
      ...
      # Default definition for Account management
      # Used when service name is not explicitly mentioned for account management
      # ...
      #account requisite    pam_roles.so.1
      # Enable remote role assumption
      account requisite    pam_roles.so.1   allow_remote
      ...

      This policy enables username on the client-host system to assume a role on the server.

    3. Modify the pam_tsol_account entry to allow unlabeled hosts to contact the Trusted Extensions remote system.
      # pfedit /etc/pam.d/other
      # Default definition for Account management
      # Used when service name is not explicitly mentioned for account management
      # ...
      #account requisite    pam_roles.so.1
      # Enable remote role assumption
      account requisite    pam_roles.so.1   allow_remote
      #
      account required     pam_unix_account.so.1
      #account required     pam_tsol_account.so.1
      # Enable unlabeled access to TX system
      account required     pam_tsol_account.so.1  allow_unlabeled
  6. Test the configuration.
    1. Open a new terminal on the remote system.
    2. On client-host, in a window owned by username, assume the root role on the remote system.
      % ssh -l root remote-system
  7. After the configuration is proven to work, enable Trusted Extensions on the remote system and reboot.
    # svcadm enable -s labeld
    # /usr/sbin/reboot
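The steps above relax three separate controls on the Secure Shell server (PermitRootLogin, the pam_roles allow_remote option and the pam_tsol_account allow_unlabeled option) and scope the remote root login through a single .shosts entry. The following script is an added example and not part of the Oracle documentation: it audits those four settings so that an administrator can confirm the state before the test in step 6, and can later detect a relaxation that was left in place after Trusted Extensions was enabled. It reads the files under a root directory argument (the sample tree it constructs mirrors the edits in steps 2, 4 and 5; /root as root's home directory is an assumption), so it can be run against copied files rather than the live system.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): audit the relaxations
# this procedure makes on the Secure Shell server. All paths are relative to
# a root directory argument so the checks can run on a copied or constructed
# file tree; the live locations are /etc/ssh/sshd_config, /etc/pam.d/other
# and /root/.shosts (assumption: root's home is /root).

# sshd_permit_root_login FILE: print the effective PermitRootLogin value.
# sshd honours the first uncommented occurrence of a keyword.
sshd_permit_root_login() {
    v=$(awk '$1 == "PermitRootLogin" { print $2; exit }' "$1")
    echo "${v:-absent}"
}

# pam_account_has_option FILE MODULE OPTION: succeed when an uncommented
# "account" entry for MODULE carries OPTION (a leading "#" on the line makes
# the first field "#account", so commented entries are ignored).
pam_account_has_option() {
    awk -v mod="$2" -v opt="$3" '
        $1 == "account" && $3 == mod {
            for (i = 4; i <= NF; i++) if ($i == opt) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# shosts_entry_count FILE: number of host/user pairs granted by a .shosts file
# (blank lines and comments ignored; a missing file grants nothing).
shosts_entry_count() {
    [ -f "$1" ] || { echo 0; return; }
    awk '$1 !~ /^#/ && NF >= 2 { n++ } END { print n + 0 }' "$1"
}

# audit_remote_admin ROOTDIR: one line per check; returns 0 when all three
# relaxations from the procedure are present and .shosts names exactly one
# client-host/user pair, 1 otherwise.
audit_remote_admin() {
    root=$1
    rc=0
    prl=$(sshd_permit_root_login "$root/etc/ssh/sshd_config")
    if [ "$prl" = "yes" ]; then
        echo "sshd_config: PermitRootLogin yes (relaxed for this procedure; revert when no longer needed)"
    else
        echo "sshd_config: PermitRootLogin is '$prl'; root cannot log in remotely"
        rc=1
    fi
    if pam_account_has_option "$root/etc/pam.d/other" pam_roles.so.1 allow_remote; then
        echo "pam.d/other: pam_roles allow_remote present (remote role assumption enabled)"
    else
        echo "pam.d/other: pam_roles lacks allow_remote; remote role assumption is blocked"
        rc=1
    fi
    if pam_account_has_option "$root/etc/pam.d/other" pam_tsol_account.so.1 allow_unlabeled; then
        echo "pam.d/other: pam_tsol_account allow_unlabeled present (unlabeled hosts may connect)"
    else
        echo "pam.d/other: pam_tsol_account lacks allow_unlabeled; unlabeled hosts are refused"
        rc=1
    fi
    n=$(shosts_entry_count "$root/root/.shosts")
    if [ "$n" -eq 1 ]; then
        echo ".shosts: exactly one client-host/user pair is trusted"
    else
        echo ".shosts: $n entries; the procedure expects exactly one"
        rc=1
    fi
    return $rc
}

# make_sample_tree DIR: write a constructed copy of the three files as the
# procedure leaves them (sample content, not taken from a real system).
make_sample_tree() {
    mkdir -p "$1/etc/ssh" "$1/etc/pam.d" "$1/root"
    printf '## Permit remote login by root\nPermitRootLogin yes\n' > "$1/etc/ssh/sshd_config"
    cat > "$1/etc/pam.d/other" <<'EOF'
# Default definition for Account management
#account requisite    pam_roles.so.1
# Enable remote role assumption
account requisite    pam_roles.so.1   allow_remote
account required     pam_unix_account.so.1
#account required     pam_tsol_account.so.1
# Enable unlabeled access to TX system
account required     pam_tsol_account.so.1  allow_unlabeled
EOF
    printf 'client-host username\n' > "$1/root/.shosts"
}

# Stand-alone run: audit the constructed tree and clean up.
sample=$(mktemp -d)
make_sample_tree "$sample"
audit_remote_admin "$sample"
rm -rf "$sample"
```

To audit the live server instead of a sample tree, run audit_remote_admin / as the root role; each check reports whether the relaxation is present, so the same script serves both to confirm the setup before step 6 and to list what to revert once the remote administration work is finished.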
Example 1 Assigning the CIPSO Host Type for Remote Administration

In this example, the administrator is using a Trusted Extensions system to configure a remote Trusted Extensions host. To do so, the administrator uses the tncfg command on each system to define the host type of the peer system.

remote-system # tncfg -t cipso add host=192.168.1.12 Client-host
client-host # tncfg -t cipso add host=192.168.1.22 Remote system

To enable an administrator to configure the remote Trusted Extensions host from an unlabeled system, the administrator leaves the allow_unlabeled option in the remote host's pam.d/other file.