I have heard from a number of customers that folks would like remote login to zone consoles. In particular, they would rather not give out logins to the global zone in order to allow zone logins. (Really: I don’t spend all of my time on the zones console…).
Fortunately, we can handle this in a nice way already. (Disclaimer: please note that, as stated by the script, the following techniques have not been subject to a rigorous security audit. I believe this technique to be sound, but neither I nor Sun warrant it to be so.)
To start, we’ll add a user account to /etc/passwd for each zone we want to set up this way:
# passwd z1
New Password: xxxyyy
Re-enter new Password: xxxyyy
passwd: password successfully changed for z1
In this case, the zone name is xanadu-z1 and we’ve picked a nice large UID and group ID. You could use whatever you like (but not a UID already in use for something else, and never 0); you’ll want a separate UID for each zone. In this case, /opt/extras/zoneshell is set as the z1 user’s shell. We picked ‘z1’ as the account name because UNIX systems are typically limited to 8-character account names (LOGNAME_MAX); since xanadu-z1 is 9 characters long (and zone names may be up to 64 characters long), we need to pick a convention to shorten things.
Finally, we need to give the z1 account the ability to run zlogin; we do that by modifying the RBAC attributes for the z1 user.
So, here’s what it looks like:
Last login: Tue Jan 25 13:54:01 2005 from xxx
warning: using experimental, unsupported 'zoneshell'
[Connected to zone 'xanadu-z1' console]
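The zoneshell script itself is not reproduced on this page, so here is an added example of such a login shell (my own illustration, not the original /opt/extras/zoneshell). It assumes the naming convention above (account N owns zone xanadu-N), that zlogin is in /usr/sbin, and that the account’s RBAC profile lets pfexec run zlogin with the privilege it needs; the point is that the shell ignores whatever arguments login or sshd hand it and can only ever attach to its one zone’s console.

```sh
#!/bin/sh
# Added example of a per-zone console login shell (not the page's script).
# Assumptions: zone name = ZONE_PREFIX + account name; the account's RBAC
# profile allows pfexec to run /usr/sbin/zlogin with elevated privilege.
PATH=/usr/bin:/usr/sbin; export PATH
ZONE_PREFIX=${ZONE_PREFIX:-xanadu-}

# Map a login name to its zone name. Reject anything that is not a short,
# plain account name so the zone name can never carry shell metacharacters.
# Prints the zone name on success; returns 1 on rejection.
zone_for_user() {
    name=$1
    case "$name" in
        ''|root|*[!a-z0-9]*) return 1 ;;   # empty, root, or odd characters
    esac
    [ "${#name}" -le 8 ] || return 1        # LOGNAME_MAX-style limit
    zone="${ZONE_PREFIX}${name}"
    [ "${#zone}" -le 64 ] || return 1       # zone names are at most 64 chars
    printf '%s\n' "$zone"
}

# The command line the shell will exec for a given account name.
# Arguments passed by login/sshd (e.g. "-c somecommand") are never used:
# this account gets the console of its zone and nothing else.
console_cmd() {
    zone=$(zone_for_user "$1") || return 1
    printf '%s\n' "pfexec zlogin -C $zone"
}

# Entry point when installed as a login shell.
run_zoneshell() {
    user=${LOGNAME:-$(id -un)}
    zone=$(zone_for_user "$user") || {
        echo "zoneshell: no zone mapped for account '$user'" >&2
        exit 1
    }
    echo "warning: using experimental, unsupported 'zoneshell'" >&2
    exec pfexec zlogin -C "$zone"
}

# Only attach to the console when invoked as the zoneshell login shell
# ("-zoneshell" is how login names it); sourcing the file only defines
# the functions so they can be checked without a zone present.
case "$0" in
    *zoneshell) run_zoneshell ;;
esac
```

Set an account’s shell to this file (as the page does for z1) and it lands directly on the zone console; a login name that does not map to a zone is refused before zlogin is ever run.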
I’d appreciate any feedback on whether this is helpful, or not!
To reiterate: this code is experimental, and has not been audited for its security characteristics. Use of this script is AT YOUR OWN RISK. Please use this as an example, from which you could derive your own implementation.