Solaris Trusted Extensions Installation and Configuration

Headless System Configuration in Trusted Extensions (Task Map)

On headless systems, a console is connected by means of a serial line to a terminal emulator window. The line is typically secured by the tip command. Depending on what type of second system is available, you can use one of the following methods to configure a headless system. The methods are listed from most preferred to least preferred in Task 3 in the following table.

  1. Identify the headless system as a cipso system.

    Description: If the desktop system where you are going to configure the headless system is configured with Trusted Extensions, make the headless system of host type cipso.

    For Instructions: If you have not already made the headless system part of the trusted network, assign to the system the appropriate security template. See How to Assign a Security Template to a Host or a Group of Hosts in Solaris Trusted Extensions Administrator’s Procedures.

  2. Enable remote login.

    Description: As superuser, enable remote login to the headless system.

    For Instructions: Enable Remote Login in Trusted Extensions

  3. Choose a configuration and administration method to set up the headless system.

    Description: The choice is based on available hardware and software on a second system that communicates with the headless system. The choices are listed in descending order of ease and security.

    For Instructions:
    • Use the rlogin command to administer the remote system in a role. To assume a role to administer the remote system, go to Use the rlogin Command to Log In to a Headless System in Trusted Extensions.
    • Use the ssh command to administer the remote system as superuser. To administer the remote system as superuser, go to Use the ssh Command to Log In to a Headless System in Trusted Extensions.
    • If you have no windowing system, you can use serial login. This procedure is insecure. To use serial login to configure and administer the headless system, go to Set Up Administration by Serial Login in Trusted Extensions.

  4. Configure Trusted Extensions on the headless system.

    Description: Having logged in, continue configuration as you would on a system with a monitor.

    For Instructions: See Chapter 4, Configuring Trusted Extensions (Tasks), and use the methods that are possible given your chosen login method.

Enable Remote Login in Trusted Extensions

Follow this procedure only if you must administer a headless system by using the rlogin or ssh command. This procedure is not secure.

Configuration errors can be debugged remotely.

Before You Begin

Consult your security policy to determine which methods of remote login are permissible at your site. The desktop system and the headless system must identify each other as using the identical security template.

  1. Log in to the root account through the console device.
  2. Choose to activate one or more of the following methods of remote login:
    • Enable remote login by the root user.
      1. Comment out the CONSOLE= line in the /etc/default/login file.
        #CONSOLE=/dev/console
      2. Permit root user login for the ssh service.

        Modify the /etc/ssh/sshd_config file. By default, ssh is enabled on a Solaris system.

        PermitRootLogin yes
    • Permit roles to log in by using the rlogin service.

      If root is a role, this modification is required for remote logins by the root role.

      1. In a text editor, open the pam.conf file.
        # vi /etc/pam.conf
      2. Find other account requisite toward the end of the file.
      3. Add allow_remote to the roles module.

        Use the Tab key between fields.

        other account requisite      pam_roles.so.1        allow_remote

        After your edits, this section looks similar to the following:

        other account requisite      pam_roles.so.1        allow_remote
        other account required       pam_unix_account.so.1
        other account required       pam_tsol_account.so.1
    • Allow remote login to the global zone from an unlabeled host.
      1. In a text editor, open the pam.conf file.
        # vi /etc/pam.conf
      2. Find other account requisite toward the end of the file.
      3. Add allow_unlabeled to the tsol_account module.

        Use the Tab key between fields.

        other account required       pam_tsol_account.so.1 allow_unlabeled

        After your edits, this section looks similar to the following:

        other account requisite      pam_roles.so.1        allow_remote
        other account required       pam_unix_account.so.1
        other account required       pam_tsol_account.so.1 allow_unlabeled
    • Enable specific users to log in to the global zone.

      Assign to these users an administrative label range. The username on the desktop must be the same as the username on the headless system.

      # usermod -R root -K min_label=ADMIN_LOW -K clearance=ADMIN_LOW username
  3. On the headless system, define the host type of your desktop.

    The host type of the desktop system and the host type of the headless system must match. To create this temporary definition, use the tnctl command. For more information, see the tnctl(1M) man page.

    • For a labeled desktop system, define the host type as cipso.
      # tnctl -h desktop-IP-address:cipso
    • For an unlabeled desktop system, define the host type as an unlabeled system that is running at ADMIN_LOW.
      # tnctl -h desktop-IP-address:admin_low
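A defender-side check, added here and not part of the Oracle guide: given copies of /etc/default/login, /etc/ssh/sshd_config and /etc/pam.conf, it reports which of the step 2 relaxations are currently active, so they can be reverted once configuration is finished. The function names audit_remote_login and make_sample_files and the sample files are my own constructions.

```shell
#!/bin/sh
# Added audit helper, not part of the Trusted Extensions guide. It reports which of
# the remote-login relaxations from step 2 above are active in the given files so
# they can be reverted once the headless system is configured.
# Usage: audit_remote_login /etc/default/login /etc/ssh/sshd_config /etc/pam.conf
# Prints one line per active relaxation; prints nothing when all are off.
audit_remote_login() {
    login="$1" sshd="$2" pam="$3"
    # An uncommented CONSOLE= line confines root logins to the console device.
    if ! grep -q '^CONSOLE=' "$login"; then
        echo "login: CONSOLE= commented out, root may log in remotely"
    fi
    # PermitRootLogin yes lets root log in directly over ssh.
    if grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$sshd"; then
        echo "sshd_config: PermitRootLogin yes"
    fi
    # allow_remote on pam_roles.so.1 lets roles log in through rlogin.
    if grep -Eq '^other[[:space:]]+account[[:space:]]+requisite[[:space:]]+pam_roles\.so\.1[[:space:]]+allow_remote' "$pam"; then
        echo "pam.conf: pam_roles.so.1 allow_remote"
    fi
    # allow_unlabeled on pam_tsol_account.so.1 admits unlabeled hosts to the global zone.
    if grep -Eq '^other[[:space:]]+account[[:space:]]+required[[:space:]]+pam_tsol_account\.so\.1[[:space:]]+allow_unlabeled' "$pam"; then
        echo "pam.conf: pam_tsol_account.so.1 allow_unlabeled"
    fi
    return 0
}
# Constructed sample files (not captured from a real system). "relaxed" reproduces
# the edited state shown in the procedure; anything else gives the unedited state.
make_sample_files() {
    d=$(mktemp -d)
    if [ "$1" = relaxed ]; then
        printf '#CONSOLE=/dev/console\n' > "$d/login"
        printf 'PermitRootLogin yes\n' > "$d/sshd_config"
        printf 'other\taccount requisite\tpam_roles.so.1\tallow_remote\n' > "$d/pam.conf"
        printf 'other\taccount required\tpam_unix_account.so.1\n' >> "$d/pam.conf"
        printf 'other\taccount required\tpam_tsol_account.so.1\tallow_unlabeled\n' >> "$d/pam.conf"
    else
        printf 'CONSOLE=/dev/console\n' > "$d/login"
        printf 'PermitRootLogin no\n' > "$d/sshd_config"
        printf 'other\taccount requisite\tpam_roles.so.1\n' > "$d/pam.conf"
        printf 'other\taccount required\tpam_unix_account.so.1\n' >> "$d/pam.conf"
        printf 'other\taccount required\tpam_tsol_account.so.1\n' >> "$d/pam.conf"
    fi
    echo "$d"
}
# Stand-alone run against the constructed "relaxed" state.
dir=$(make_sample_files relaxed)
audit_remote_login "$dir/login" "$dir/sshd_config" "$dir/pam.conf"
rm -rf "$dir"
```

Point the function at the real files on the headless system to list every relaxation still in effect.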

Use the rlogin Command to Log In to a Headless System in Trusted Extensions

This procedure enables you to use the command line and Trusted Extensions GUIs to administer a headless system by assuming a role.

Before You Begin

The headless system must have enough memory to use the Solaris Management Console. The requirements are the same as for the Solaris OS. For details, see System Requirements and Recommendations in Solaris Express Installation Guide: Basic Installations.

If the administrator's desktop system is configured with Trusted Extensions, the headless system is identified as a CIPSO system on the desktop system. For details, see How to Assign a Security Template to a Host or a Group of Hosts in Solaris Trusted Extensions Administrator’s Procedures.

You have completed Enable Remote Login in Trusted Extensions.

You are a user who is enabled to log in to the headless system.

  1. On the desktop system, enable processes from the headless system to display.
    1. Enable the headless system to access the X server.
      desktop $ xhost + headless-host
    2. Determine the value of the desktop's DISPLAY variable.
      desktop $ echo $DISPLAY
      :n.n
  2. On the Trusted Extensions desktop system, open a Trusted Path workspace.
    • If your user account has direct access to the global zone, create a Trusted Path workspace, then open a terminal window.
    • If your user account does not have direct access to the global zone, assume a role, then open a terminal window.
  3. From this terminal window, remotely log in to the headless system.
    desktop # rlogin headless
    Password: Type the headless user's password
  4. Assume a role.

    If you are logged in to the headless system as an unprivileged user, assume a role with administrative privileges. Use the same terminal window. For example, assume the root role.

    headless $ su - root
    Password: Type the root password

    You are now in the global zone.

  5. Enable processes on the headless system to display on the desktop system.

    Use the setenv form in a C shell, or the export form in a Bourne or Korn shell.

    headless $ setenv DISPLAY desktop:n.n
    headless $ export DISPLAY=desktop:n.n

    You can now administer the headless system by using Trusted Extensions GUIs.

  6. Administer the headless system.
    • Start the Solaris Management Console.
      headless $ /usr/sbin/smc &

      The Solaris Management Console displays on the desktop system. From the list of toolboxes, choose the Scope=Files, Policy=TSOL for the headless system.

    • Start the txzonemgr.
      headless $ /usr/sbin/txzonemgr
    • Access Trusted CDE actions.
      headless # /usr/dt/bin/dtappsession desktop
      Password: Type the remote password

Use the ssh Command to Log In to a Headless System in Trusted Extensions

This procedure enables you to use the command line to administer a headless system as superuser. To use Trusted Extensions GUIs, complete the steps for remote display in Use the rlogin Command to Log In to a Headless System in Trusted Extensions.

Before You Begin

The headless system must have enough memory to use the Solaris Management Console. The requirements are the same as for the Solaris OS. For details, see System Requirements and Recommendations in Solaris Express Installation Guide: Basic Installations.

If the administrator's desktop system is configured with Trusted Extensions, the headless system is identified as a CIPSO system on the desktop system. For details, see How to Assign a Security Template to a Host or a Group of Hosts in Solaris Trusted Extensions Administrator’s Procedures.

You have completed Enable Remote Login in Trusted Extensions.

You are a user who is enabled to log in to the headless system.

  1. On the Trusted Extensions desktop system, open a Trusted Path workspace.
    • If your user account has direct access to the global zone, create a Trusted Path workspace, then open a terminal window.
    • If your user account does not have direct access to the global zone, assume a role, then open a terminal window.
  2. From this terminal window, remotely log in to the headless system.
    desktop $ ssh -l username-on-headless headless
    Password: Type the headless user's password
    headless $

    The terminal window now displays actions on the headless system.

  3. Become superuser.

    If you are not in the global zone on the headless system, switch user to root in the same terminal window:

    headless $ su - root
    Password: Type the root password

    You can now administer the headless system by using the command line.

    To administer the system by using the administrative GUIs, enable the headless system to display its processes on the desktop. For details, see Use the rlogin Command to Log In to a Headless System in Trusted Extensions.

Example 6-1 Setting Up Remote Administration of a Headless System

In this example, the administrator sets up a labeled headless system from a labeled desktop system. As in the Solaris OS, the administrator enables X server access to the desktop system and sets the DISPLAY variable on the headless system.

TXdesk1 $ xhost + TXnohead4
TXdesk1 $ whoami
config1
TXdesk1 $ uname -n ; echo $DISPLAY
TXdesk1
:1.0
TXdesk1 $ ssh -l install1 TXnohead4
Password: Ins1PwD1
TXnohead4 $

In the global zone, the administrator sets the DISPLAY variable.

TXnohead4 $ su -
Password: abcd1EFG
TXnohead4 # setenv DISPLAY TXdesk1:1.0
TXnohead4 # export DISPLAY=TXdesk1:1.0

Then, the administrator starts the Solaris Management Console.

TXnohead4 # /usr/sbin/smc &

Finally, the administrator selects the This Computer (TXnohead:Scope=Files, Policy=TSOL) toolbox.

Set Up Administration by Serial Login in Trusted Extensions

Follow this procedure only if you do not have a desktop system with which to configure the headless system. This procedure is not secure.

Before You Begin

You must be superuser in single-user mode on the headless system. For a modicum of security, two people should be present while the system is being configured.

  1. Allocate the serial port.

    For details, see the serial login procedure in Managing Devices in Trusted Extensions (Task Map) in Solaris Trusted Extensions Administrator’s Procedures.

  2. Administer the system as superuser.