Controlling Access to a Domain Console by Using Rights
By default, any user can access all domain consoles. To control access to a domain console, configure the vntsd daemon to perform authorization checking. This authorization checking applies to accessing a console with either the ldmconsole or telnet command.
The vntsd daemon provides a Service Management Facility (SMF) property named vntsd/authorization. This property can be configured to enable authorization checking of users and roles for a domain console or a console group. To enable authorization checking, use the svccfg command to set the value of this property to true. While this option is enabled, vntsd listens and accepts connections only on localhost. If the listen_addr property specifies an alternative IP address when vntsd/authorization is enabled, vntsd ignores the alternative IP address and continues to listen only on localhost.
Caution:
Do not configure the vntsd service to use a host other than localhost.
If you specify a host other than localhost, connections to guest domain consoles are no longer restricted to the control domain. If you use the telnet command to remotely connect to a guest domain, the login credentials are passed as clear text over the network.
By default, an authorization to access all guest consoles is present in the local authorization description database.
solaris.vntsd.consoles:::Access All LDoms Guest Consoles::
Use the usermod command to assign the required authorizations to users or roles in local files. This command permits only the user or role who has the required authorizations to access a given domain console or console group. To assign authorizations to users or roles in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
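The following audit sketch is an added example, not part of the original documentation. It checks the vntsd/authorization and listen_addr settings described above and lists which local users or roles hold a console authorization. It assumes the property listing has the "property type value" layout of svcprop output and that assignments are in user_attr format; the function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example, not Oracle's code: audit console access from captured text.
# On a control domain the inputs would be `svcprop -p vntsd vntsd` output and
# /etc/user_attr (assumed sources); the samples at the bottom are constructed.

# Read "property type value" lines and report the console exposure.
check_vntsd() {
    awk '
        $1 == "vntsd/authorization" { auth = $3 }
        $1 == "vntsd/listen_addr"   { addr = $3 }
        END {
            if (auth == "true") {
                # listen_addr is ignored once authorization is enabled
                print "OK: authorization on, vntsd listens on localhost only"
            } else if (addr != "" && addr != "localhost") {
                print "FAIL: authorization off, consoles reachable on " addr
            } else {
                print "WARN: authorization off, any user can open any console"
            }
        }'
}

# Read user_attr lines (name:qualifier:res1:res2:attr) and print each user or
# role whose auths= list holds an authorization under solaris.vntsd.
console_holders() {
    awk -F: '
        /^#/ || NF < 5 { next }
        {
            n = split($5, attrs, ";")
            for (i = 1; i <= n; i++) {
                if (attrs[i] !~ /^auths=/) continue
                m = split(substr(attrs[i], 7), auths, ",")
                for (j = 1; j <= m; j++) {
                    if (index(auths[j], "solaris.vntsd.") == 1)
                        print $1 " " auths[j]
                }
            }
        }'
}

# Constructed samples: authorization still off, listen_addr moved off localhost.
printf '%s\n' 'vntsd/authorization boolean false' \
              'vntsd/listen_addr astring 192.0.2.10' | check_vntsd
printf '%s\n' 'sam::::roles=all_cons' \
              'all_cons::::type=role;auths=solaris.vntsd.consoles' \
              'pat::::auths=solaris.mail.mailq' | console_holders
```

A wildcard grant such as solaris.* is not matched by this prefix check, so review those entries separately.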
You can control the access to all domain consoles or to a single domain console.
- To control the access to all domain consoles, see How to Control Access to All Domain Consoles by Using Roles and How to Control Access to All Domain Consoles by Using Rights Profiles.
- To control access to a single domain console, see How to Control Access to a Single Console by Using Roles and How to Control Access to a Single Console by Using Rights Profiles.