
Oracle® VM Server for SPARC 3.6 Administration Guide


Updated: September 2019
 
 

Controlling Access to a Domain Console by Using Rights

By default, any user can access all domain consoles. To control access to a domain console, configure the vntsd daemon to perform authorization checking. This authorization checking applies to accessing a console with either the ldmconsole or telnet command.

The vntsd daemon provides a Service Management Facility (SMF) property named vntsd/authorization. This property can be configured to enable authorization checking of users and roles for a domain console or a console group. To enable authorization checking, use the svccfg command to set the value of this property to true. While this option is enabled, vntsd listens for and accepts connections only on localhost. If the listen_addr property specifies an alternative IP address when vntsd/authorization is enabled, vntsd ignores the alternative IP address and continues to listen only on localhost.


Caution - Do not configure the vntsd service to use a host other than localhost. If you specify a host other than localhost, connections to guest domain consoles are no longer restricted to the control domain. If you use the telnet command to remotely connect to a guest domain, the login credentials are passed as clear text over the network.


By default, an authorization to access all guest consoles is present in the local authorization description database.

solaris.vntsd.consoles:::Access All LDoms Guest Consoles::

Use the usermod command to assign the required authorizations to users or roles in local files. This command permits only the user or role who has the required authorizations to access a given domain console or console group. To assign authorizations to users or roles in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
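
The settings described above (vntsd/authorization, listen_addr, and the solaris.vntsd.consoles authorization) can be checked with a short audit script. This is an added example, not part of the Oracle guide: the function names, verdict strings and sample user_attr entries are constructed for illustration, and only authorizations granted directly through auths= are resolved, not those inherited from rights profiles.

```shell
#!/bin/sh
# Added example, not from the Oracle guide. On a control domain the settings
# are changed with the commands the page names:
#   svccfg -s vntsd setprop vntsd/authorization = true
#   svcadm refresh vntsd && svcadm restart vntsd
#   usermod -A solaris.vntsd.consoles USER        # USER is a placeholder
# and read back with:
#   svcprop -p vntsd/authorization vntsd ; svcprop -p vntsd/listen_addr vntsd

# vntsd_exposure AUTHORIZATION LISTEN_ADDR -> verdict string on stdout
vntsd_exposure() {
    case "$1:$2" in
        true:localhost) echo restricted ;;       # authz checked, localhost only
        true:*)         echo restricted-stale-listen_addr ;;  # ignored now, live again if authz is disabled
        *:localhost)    echo open-local ;;       # no authz: any user reaches every console
        *)              echo open-network ;;     # no authz and telnet credentials cross the network in clear text
    esac
}

# console_holders: reads user_attr-format lines on stdin and prints each name
# whose auths= list covers solaris.vntsd.consoles (exact or wildcard form).
console_holders() {
    awk -F: '!/^#/ && NF >= 5 {
        n = split($5, kv, ";")
        for (i = 1; i <= n; i++) {
            if (kv[i] !~ /^auths=/) continue
            m = split(substr(kv[i], 7), a, ",")
            for (j = 1; j <= m; j++)
                if (a[j] == "solaris.vntsd.consoles" ||
                    a[j] == "solaris.vntsd.*" || a[j] == "solaris.*") {
                    print $1
                    break
                }
        }
    }'
}

# Constructed sample input; the account names are made up.
SAMPLE_USER_ATTR='# constructed sample in user_attr format
alice::::type=normal;auths=solaris.vntsd.consoles
bob::::type=normal;profiles=Basic Solaris User
opsrole::::type=role;auths=solaris.device.cdrw,solaris.vntsd.*'

echo "authorization=false listen_addr=192.0.2.10 -> $(vntsd_exposure false 192.0.2.10)"
echo "accounts with direct console authorization:"
printf '%s\n' "$SAMPLE_USER_ATTR" | console_holders
```

On a live system, pipe /etc/user_attr into console_holders and compare the result with the output of the auths command for each account, which also includes authorizations inherited from rights profiles.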