Robert Bailey wrote:
> I'd be curious to see if you are able to configure ssh access into the
> TX host from a non-TX system. If this is part of your testing would
> you mind posting your success/fail?
I haven't been able to ssh between identically configured TX hosts with
the cipso protocol.
James Carlson wrote:
>Darren Reed writes:
>
>>>Honestly, if I were a third party driver writer, I would likely not
>>>use least privilege. The main problem is that the interfaces are not
>>>present on S9 and older systems, and thus represent a complication
>>>with little benefit to me or my custo
Yates, Spencer A. wrote:
> According to the instructions, after installing SRSS a few lines need to
> be added to the /etc/pam.conf file.
>
> The utnsclogin entries to be added are as follows:
> utnsclogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
> utnsclogin auth required pam_
If it already exists, then just leave it there. You will need it and
pam_authtok_get.so.1.
Here is the utnsclogin auth section of pam.conf for a SunRay server.
--Glenn
# added to utnsclogin by SunRay Server Software -- utnsclogin
utnsclogin auth requisite /opt/SUNWut/lib/sunray_get_user
Depends on where you want enforcement to happen. I was thinking of
prohibiting simple binds to LDAP that aren't over SSL.
On Jul 20, 2006, at 11:16 AM, Gary Winiger wrote:
>> There is example code published that shows how to check passwords in a
>> pre-auth plugin.
>
> Or you can front en
> There is example code published that shows how to check passwords in a
> pre-auth plugin.
Or you can front end it in the PAM stack with pam_authtok_check(5).
Gary..
Thanks Robert and thanks Glenn, that solved the problem. I didn't even
know that was an option I had to consider.
-- Mike
> -Original Message-
> From: Glenn Faden [mailto:glenn.faden at sun.com]
> Sent: Thursday, July 20, 2006 9:42 AM
> To: Robert Bailey
> Cc: Lewis, Michael D (N-Jackp
There is example code published that shows how to check passwords in a
pre-auth plugin.
Based on personal experience I recommend that you not use it, but
instead implement the *new* functionality and "return 0" to let the
server check the password itself. This fixed a bug in my plugin
(whi
The Trusted Extensions packages in build 42a were compressed and
contained an incorrect i.manifest file. Getting around this problem
requires the workaround described in
http://www.opensolaris.org/os/community/security/projects/tx/InstallIssues.
The packages in build 43 are not compressed and u
Well, I should give a little background first.
We have a Sparc platform that we are migrating to an Intel platform. I
have installed b42A on the Sparc with TX and saw that it all works
without any problem. I get the multi-level CDE complete with labels in
the Sparc version.
On the Intel version,
Glenn Faden wrote:
> I think that you should try Robert Bailey's suggestion. Although the
> Xorg server (the default on x86 systems) is supposed to support Trusted
> Extensions, there were some packaging problems in producing build 42a.
> So you should try using the Xsun server instead. This iss
I think that you should try Robert Bailey's suggestion. Although the
Xorg server (the default on x86 systems) is supposed to support Trusted
Extensions, there were some packaging problems in producing build 42a.
So you should try using the Xsun server instead. This issue will be
fixed in the ne
Darren Reed writes:
> >The underlying point is that LP provides a robust mechanism for
> >implementing those sorts of features. It does _not_ mean that
> >everything in the system has actually been reduced to the least
> >privilege necessary.
> >
> >That's a lengthy process, and if you want to con
Make sure you have Sun's X11 configured for use, not the opensource
version.
# kdmconfig
# select sun
That should do it.
On Jul 20, 2006, at 1:11 AM, Glenn Faden wrote:
> Are you getting the graphical login screen? The default session
> under Options should be Trusted CDE. Are you able to s