Ling-Bo Alan Tang wrote:
>>> Does it make any sense to run Trusted Extensions on server machines who
>>> may not have X system, like data server?
>> It most certainly does. Especially if the 'data server' is sharing user
>> home directories or project data directories out over NFS.  This is
>> because NFS is label aware when using Trusted Extensions.
>>
> 
> In this case, how to manage local non-global zones if there is no X system?
> I suppose I missed something because I think only global zone can be
> accessed via "command line login".

Most system management on a TX system is actually done from the global 
zone anyway.

If for some reason you need to actually log in to a label zone from the 
global zone, you can do so from the global zone using zlogin - just like 
the non-TX use of zones. The times you need to do this should be 
small from the OS viewpoint, though it may be necessary from the application view.

You can also log in over the network at a given label from one TX host to 
another or from an unlabeled host to a TX host.  In the TX to TX case 
the label you run ssh at on the client will be the label you 
authenticate and get a shell prompt for at the other side.  In the 
unlabeled client case the label of that client network/IP as taken from 
the tnrhdb will be used.  For example:

10.1.0.0 PUBLIC network
        Windows XP machine called windy
10.2.0.0 INTERNAL network
        Red Hat Linux machine called hatty
10.2.0.1 TX machine sunrise
10.1.0.1 TX machine sunrise
10.3.0.1 TX machine sunrise
10.3.0.0 network of TX machines including moondance

In this case the same TX machine 'sunrise' is on both the PUBLIC and 
INTERNAL network and on the network of label aware TX machines.

If I use the putty.exe SSH client on the Windows XP machine called windy 
I get logged in to the PUBLIC zone and can only do stuff at PUBLIC.

If I use ssh from the Linux machine hatty I get logged in at INTERNAL.

If I use ssh from moondance to sunrise the label on sunrise will match 
the label on moondance I ran the ssh client at.


Also, unlike in some previous Trusted Solaris releases, I believe all 
administration tasks that are specific to TX (i.e. all labeling related 
things) can be done from the CLI.

-- 
Darren J Moffat
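
The label selection described in this message, modelled as an added example (not part of the original post and not Trusted Extensions code). The /24 prefix lengths, the client addresses and the function name are assumptions, and the table is a simplified stand-in for the tnrhdb, not its file format.

```python
import ipaddress

# Constructed model of the example networks in the message above.
# NOT the tnrhdb file format; the /24 prefix lengths are an assumption.
UNLABELED = "unlabeled"  # client sends no label; the network's label applies
LABELED = "labeled"      # TX peer; the label the client runs ssh at carries over

NETWORKS = [
    (ipaddress.ip_network("10.1.0.0/24"), UNLABELED, "PUBLIC"),
    (ipaddress.ip_network("10.2.0.0/24"), UNLABELED, "INTERNAL"),
    (ipaddress.ip_network("10.3.0.0/24"), LABELED, None),
]

# Constructed client addresses; the message names the hosts but not their IPs.
WINDY, HATTY, MOONDANCE = "10.1.0.20", "10.2.0.20", "10.3.0.20"


def login_label(client_ip, client_label=None):
    """Return the label a remote login from client_ip would run at (hypothetical helper)."""
    addr = ipaddress.ip_address(client_ip)
    matches = [entry for entry in NETWORKS if addr in entry[0]]
    if not matches:
        # Assumption of this model: a client with no matching entry gets no label.
        raise LookupError(f"no network entry covers {client_ip}")
    # The most specific (longest prefix) entry wins.
    _, kind, network_label = max(matches, key=lambda e: e[0].prefixlen)
    if kind == UNLABELED:
        # The label comes from the network entry; anything the client
        # claims about its own label is ignored.
        return network_label
    if client_label is None:
        raise ValueError("labeled peer did not supply a label")
    return client_label


if __name__ == "__main__":
    print("windy     ->", login_label(WINDY))
    print("hatty     ->", login_label(HATTY))
    print("moondance ->", login_label(MOONDANCE, "INTERNAL"))
```
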
