Go to main content

Managing Authentication in Oracle® Solaris 11.4

Exit Print View

Updated: August 2019
 
 

How to Restrict Access to the Trusted Path Domain

The Trusted Path Domain (TPD) provides secure access to immutable zones and can be used to administer them. In this task, you restrict console access to the TPD to administrators and netgroups that you specify.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Modify the /etc/pam.d/tpdlogin file.

    Uncomment the pam_list entry:

    # cd /etc/pam.d
    # pfedit tpdlogin
    ## To restrict which users and netgroups are allowed to log in to the 
    ## trusted path, uncomment the line below and add those users and
    ## netgroups to the /etc/security/tpdusers configuration file.
    ##
    account required       pam_list.so.1 allow=/etc/security/tpdusers
  2. Create and protect the /etc/security/tpdusers file.
    # cd /etc/security
    # touch tpdusers ; chmod 644 tpdusers
  3. Add the login ID of immutable zone administrators to the /etc/security/tpdusers file.
    • For example, add the jdoe account.
      # pfedit tpdusers
      ## permitted console logins
      jdoe
    • For example, add netgroups.

      Netgroups are groups that are centrally defined, such as in LDAP, and have user members. Members of a listed netgroup will be able to log in to this particular system on the console.

      ## permitted console logins
      jdoe
      @zoneadmins

      For more information, see the netgroup(5) and pam_list(7) man pages.

      The named administrators can now use the STOP-A non-maskable interrupt (NMI) from a Sun keyboard on a SPARC system, or the F1-A NMI for x86 access to the console of an immutable zone.