In this procedure, you enable host-based authentication on an Oracle Solaris remote system before adding the Trusted Extensions feature to it. The remote system is the Secure Shell server.
Before You Begin
The remote system is installed with Oracle Solaris and you can access that system. You must be in the root role.
After completing this step, you have a user account on both systems that can assume the root role. The accounts are assigned the same UID, GID, and role assignment. You also have generated public/private key pairs and have shared public keys.
# pfedit /etc/ssh/sshd_config ## Permit remote login by root PermitRootLogin yes
A later step limits the root login to a particular system and user.
# svcadm restart ssh
# cd # pfedit .shosts client-host username
The .shosts file enables username on the client-host system to assume the root role on the server, when a public/private key is shared.
# cp /etc/pam.d/other /etc/pam.d/other.orig
# pfedit /etc/pam.d/other ... # Default definition for Account management # Used when service name is not explicitly mentioned for account management # ... #account requisite pam_roles.so.1 # Enable remote role assumption account requisite pam_roles.so.1 allow_remote ...
This policy enables username on the client-host system to assume a role on the server.
# pfedit /etc/pam.d/other # Default definition for Account management # Used when service name is not explicitly mentioned for account management # ... #account requisite pam_roles.so.1 # Enable remote role assumption account requisite pam_roles.so.1 allow_remote # account required pam_unix_account.so.1 #account required pam_tsol_account.so.1 # Enable unlabeled access to TX system account required pam_tsol_account.so.1 allow_unlabeled
% ssh -l root remote-system
# svcadm enable -s labeld # /usr/sbin/reboot
In this example, the administrator is using a Trusted Extensions system to configure a remote Trusted Extensions host. To do so, the administrator uses the tncfg command on each system to define the host type of the peer system.
remote-system # tncfg -t cipso add host=192.168.1.12 Client-host
client-host # tncfg -t cipso add host=192.168.1.22 Remote system
To enable an administrator to configure the remote Trusted Extensions host from an unlabeled system, the administrator leaves the allow_unlabeled option in the remote host's pam.d/other file.