
Managing Authentication in Oracle® Solaris 11.4


Updated: November 2020

How to Restrict Access to the Trusted Path Domain

The Trusted Path Domain (TPD) provides secure access to immutable zones and can be used to administer them. In this task, you restrict console access to the TPD to administrators and netgroups that you specify.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Modify the /etc/pam.d/tpdlogin file.

    Uncomment the pam_list entry:

    # cd /etc/pam.d
    # pfedit tpdlogin
    ## To restrict which users and netgroups are allowed to log in to the 
    ## trusted path, uncomment the line below and add those users and
    ## netgroups to the /etc/security/tpdusers configuration file.
    ##
    account required       pam_list.so.1 allow=/etc/security/tpdusers
  2. Create and protect the /etc/security/tpdusers file.
    # cd /etc/security
    # touch tpdusers ; chmod 644 tpdusers
  3. Add the login ID of immutable zone administrators to the /etc/security/tpdusers file.
    • For example, add the jdoe account.
      # pfedit tpdusers
      ## permitted console logins
      jdoe
    • For example, add netgroups.

      Netgroups are groups that are centrally defined, such as in LDAP, and have user members. Members of a listed netgroup will be able to log in to this particular system on the console.

      ## permitted console logins
      jdoe
      @zoneadmins

      For more information, see the netgroup(5) and pam_list(7) man pages.

      The named administrators can now reach the console of an immutable zone by using the STOP-A non-maskable interrupt (NMI) from a Sun keyboard on a SPARC system, or the F1-A NMI on an x86 system.
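The following POSIX shell functions are an added example, not part of the Oracle Solaris documentation, for auditing the result of the procedure above: they confirm that the pam_list line in a tpdlogin PAM file is active, that the tpdusers allow-list exists with mode 644, and that every entry in it is either a user name or an @netgroup (the two forms shown in this task; the entry check is a simplification, not the full pam_list(7) grammar). File paths are passed as arguments so the checks can be run against copies or a test directory; the function names and the entry regex are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation): audit the TPD
# login restriction. Paths are arguments so the checks run against any copy.

# tpd_pam_restricted FILE: succeed if FILE contains an active (uncommented)
# "account required pam_list.so.1 allow=/etc/security/tpdusers" line.
tpd_pam_restricted() {
    grep -Eq '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_list\.so\.1[[:space:]]+allow=/etc/security/tpdusers' "$1"
}

# tpd_allowlist_mode_ok FILE: succeed if FILE is a regular file with mode 644.
# The permission string from ls -l is used because it is portable across
# Solaris and Linux (stat option syntax is not).
tpd_allowlist_mode_ok() {
    [ -f "$1" ] || return 1
    perm=$(ls -l "$1" | cut -c1-10)
    [ "$perm" = "-rw-r--r--" ]
}

# tpd_allowlist_entries FILE: print the effective entries, one per line,
# with comments, blank lines and surrounding whitespace removed.
tpd_allowlist_entries() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$'
}

# tpd_allowlist_valid FILE: succeed if every entry is a user name or an
# @netgroup token (assumed simplification of the pam_list syntax).
# Offending entries are reported on stderr.
tpd_allowlist_valid() {
    bad=$(tpd_allowlist_entries "$1" | grep -Ev '^@?[A-Za-z_][A-Za-z0-9_.-]*$' || :)
    if [ -n "$bad" ]; then
        printf 'invalid tpdusers entry: %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# tpd_check PAMFILE ALLOWFILE: run all checks; the return value is the
# number of failed checks, so 0 means the restriction is in place.
tpd_check() {
    rc=0
    tpd_pam_restricted "$1"    || { echo "pam_list line is not active in $1"; rc=$((rc+1)); }
    tpd_allowlist_mode_ok "$2" || { echo "$2 is missing or not mode 644";    rc=$((rc+1)); }
    tpd_allowlist_valid "$2"   || rc=$((rc+1))
    return $rc
}

# On a live system (needs read access to /etc/pam.d and /etc/security):
#   tpd_check /etc/pam.d/tpdlogin /etc/security/tpdusers
```

A zero return from tpd_check means the console path to immutable zones is limited to the listed users and netgroups; a nonzero count points at which part of the procedure was not completed.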