Remote, Secure Zone Console Login

I have heard from a number of customers that folks would like remote login to zone consoles. In particular, they would rather not give out logins to the global zone in order to allow zone logins. (Really: I don't spend all of my time on the zones console...).

Fortunately, we can handle this in a nice way already. (Disclaimer: Please note that as stated by the script, the following techniques have not been subject to a rigorous security audit. I believe this technique to be sound, but neither I nor Sun warrant it to be so.)

To start, we'll add a user account to /etc/passwd for each zone we want to set up this way:

# cat >> /etc/passwd
z1:x:999999:999999:xanadu-z1:/tmp:/opt/extras/zoneshell
\^D

# pwconv
# passwd z1
New Password: xxxyyy
Re-enter new Password: xxxyyy
passwd: password successfully changed for z1

In this case, the zone name is xanadu-z1 and we've picked a nice large UID and group ID. You could use whatever you like (but not a UID in use for something else! and never 0); you'll want a separate UID for each zone. In this case, /opt/extras/zoneshell is set as the z1 user's shell. We picked 'z1' as the account name because UNIX systems are typically limited to 8 letter account names (LOGNAME_MAX); since xanadu-z1 is 9 characters long (and zone names may be up to 64 characters long), we need to pick a convention to shorten things.

The zoneshell script is here; the script itself is very simple: it looks up the entry in /etc/passwd and executes zlogin -C for the zone named in the GECOS field.

Finally, we need to give the z1 account the ability to run zlogin; we do that by modifying the RBAC attributes for the z1 user.

# cat >> /etc/user_attr
z1::::profiles=Zone Management
\^D

So, here's what it looks like:

$ ssh -l z1 xanadu
Password:xxxyyyy
Last login: Tue Jan 25 13:54:01 2005 from xxx
warning: using experimental, unsupported 'zoneshell'
[Connected to zone 'xanadu-z1' console]

I'd appreciate any feedback on whether this is helpful, or not!

To reiterate: this code is experimental, and has not been audited for its security characteristics. Use of this script is AT YOUR OWN RISK. Please use this as an example, from which you could derive your own implementation.

Comments:

Post a Comment:
Comments are closed for this entry.
About

Kernel Gardening.

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today