1) There is no appropriate option on the "Select Software" page for a server system without X. The Entire, Developer and End User groups give you far too much (do you really want StarOffice on your server?); the Core and Reduced Networking groups give you too little (you don't get SSH, but you do get, er, telnet).
2) No firewall: IP Filter is installed, but it ships with no ruleset and the ipfilter service is disabled
3) Passwords are hashed with the traditional DES-based crypt(3), including the root password set during the install. That algorithm only looks at the first 8 characters, so anything longer is silently truncated
4) Root's home directory is /, so root's dotfiles and shell history land in the top-level directory
My way around this is to select "Manual" when the installer asks whether the system should reboot automatically at the end, then exit to a shell when prompted. The new system's root partition is mounted on /a, so some of the changes can be made from the miniroot before the first boot:
# mkdir /a/root
# chmod 700 /a/root
Now use vi to edit /a/etc/passwd so that root's home directory is /root and its shell is /usr/bin/bash (assuming you selected bash to be installed earlier in the installation). Then edit /a/etc/security/policy.conf so that CRYPT_ALGORITHMS_ALLOW is commented out (which allows every algorithm), CRYPT_ALGORITHMS_DEPRECATE=__unix__ is uncommented (__unix__ is the name policy.conf gives the traditional crypt(3) algorithm; deprecating it means any password still hashed with it is rehashed the next time it is changed), and CRYPT_DEFAULT=md5 (SunMD5).
Now type init 6 to reboot. The root password you typed into the installer is still stored as a DES hash, so once you have logged back in as root, reset it with passwd; the new hash uses SunMD5, and you can now use more than 8 characters. To confirm, check that root's entry in /etc/shadow now starts with $md5$ rather than a bare 13-character DES hash.
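The same edits, scripted so they can be rehearsed on a scratch copy before being run against the real install mounted on /a. This is an added example and not code from the original post; it assumes the Solaris 10 layout of /etc/passwd and /etc/security/policy.conf, uses only the tools present in the miniroot (sh, awk, sed, grep, cat), and the sample files it builds are constructed, not copied from a real system.

```shell
#!/bin/sh
# Added example, not code from the original post: the edits the post makes by
# hand in the miniroot shell, scripted so they can be rehearsed on a scratch
# copy before being run against the real install (harden_root /a). Uses only
# sh, awk, sed, grep and cat, all present in the miniroot.
set -u

# harden_root ROOTDIR: create ROOTDIR/root, point root's passwd entry at it with
# bash as the login shell, and switch policy.conf from DES crypt to SunMD5.
harden_root() {
    root="$1"
    passwd="$root/etc/passwd"
    policy="$root/etc/security/policy.conf"

    mkdir -p "$root/root" && chmod 700 "$root/root" || return 1

    # Rewrite only the root entry: field 6 is the home directory, field 7 the
    # shell. Writing back through cat keeps the file's mode and owner.
    awk -F: 'BEGIN { OFS = ":" }
             $1 == "root" { $6 = "/root"; $7 = "/usr/bin/bash" }
             { print }' "$passwd" > "$passwd.tmp" || return 1
    cat "$passwd.tmp" > "$passwd" && rm -f "$passwd.tmp" || return 1

    # Comment out CRYPT_ALGORITHMS_ALLOW (so every algorithm is allowed),
    # deprecate the traditional crypt(3) algorithm, which policy.conf names
    # __unix__, and make SunMD5 ("md5") the default for new passwords.
    sed -e 's/^CRYPT_ALGORITHMS_ALLOW=/#&/' \
        -e 's/^#*CRYPT_ALGORITHMS_DEPRECATE=.*/CRYPT_ALGORITHMS_DEPRECATE=__unix__/' \
        -e 's/^#*CRYPT_DEFAULT=.*/CRYPT_DEFAULT=md5/' \
        "$policy" > "$policy.tmp" || return 1
    cat "$policy.tmp" > "$policy" && rm -f "$policy.tmp" || return 1
    # If either setting was absent rather than commented out, append it.
    grep '^CRYPT_ALGORITHMS_DEPRECATE=' "$policy" > /dev/null ||
        echo 'CRYPT_ALGORITHMS_DEPRECATE=__unix__' >> "$policy"
    grep '^CRYPT_DEFAULT=' "$policy" > /dev/null ||
        echo 'CRYPT_DEFAULT=md5' >> "$policy"
}

# root_entry ROOTDIR: print root's home directory and shell, e.g. "/root:/usr/bin/bash".
root_entry() {
    awk -F: '$1 == "root" { print $6 ":" $7 }' "$1/etc/passwd"
}

# crypt_setting ROOTDIR NAME: print the value of the uncommented NAME= line in policy.conf.
crypt_setting() {
    sed -n "s/^$2=//p" "$1/etc/security/policy.conf"
}

# make_sample_root DIR: build a constructed stand-in for /a with the two files
# above, laid out as Solaris 10 ships them (sample content, not copied from a real box).
make_sample_root() {
    dir="$1"
    mkdir -p "$dir/etc/security" || return 1
    cat > "$dir/etc/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
EOF
    cat > "$dir/etc/security/policy.conf" <<'EOF'
# constructed fragment of /etc/security/policy.conf
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=__unix__
EOF
}

# Rehearsal on a scratch directory; on the real install run: harden_root /a
scratch="${TMPDIR:-/tmp}/hardenroot.$$"
make_sample_root "$scratch" && harden_root "$scratch" &&
    echo "root entry: $(root_entry "$scratch")" &&
    echo "CRYPT_DEFAULT: $(crypt_setting "$scratch" CRYPT_DEFAULT)"
rm -rf "$scratch"
```

The rehearsal run should print root entry: /root:/usr/bin/bash and CRYPT_DEFAULT: md5. Note that the script only changes how future passwords are hashed; the root hash written by the installer stays DES until passwd is run after the reboot.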
To enable a basic firewall, add the following to /etc/ipf/ipf.conf (replace bge0 with the name of your network interface and 192.168.20.1 with its IP address; the two "default block" rules deliberately have no "quick", so the later "quick" pass rules for ICMP, outbound TCP/UDP and inbound SSH override them):
## Block malformed packets
block in log quick all with short
block in log quick all with ipopts
## Anything on loopback is fine
pass in quick on lo0 all
pass out quick on lo0 all
## Default block
block in on bge0 all
block out on bge0 all
## Allow pings out
pass out quick on bge0 proto icmp all keep state
## Allow any UDP/TCP packets out
pass out quick on bge0 proto tcp/udp from any to any keep state
## SSH in
pass in log quick on bge0 proto tcp from any to 192.168.20.1/32 port = 22 keep state
Now type svcadm enable ipfilter to enable the filter, then confirm with svcs ipfilter that the service is online and with ipfstat -io that the kernel has loaded the rules. Get the interface name right: IP Filter passes anything no rule matches, so a ruleset written for an interface that does not exist silently filters nothing.
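A small wrapper that writes this ruleset for a given interface and address, checks it, and loads it. This is an added example and not code from the original post; the interface e1000g0 and address 10.0.0.5 are placeholders, and the one deliberate change from the post's rules is "flags S" on the SSH rule, so state is only created for a fresh SYN rather than for any stray TCP segment.

```shell
#!/usr/bin/bash
# Added example, not code from the original post: generate the post's ipf.conf
# for a given interface and address, syntax-check it, and load it. The interface
# e1000g0 and the address 10.0.0.5 used below are placeholders.
set -u

# write_ipf_conf IFACE ADDR FILE: emit the ruleset, refusing anything that is not
# shaped like a dotted-quad address so a typo cannot become a rule that matches nothing.
write_ipf_conf() {
    ifc="$1"; addr="$2"; out="$3"
    case "$addr" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;
        *) echo "write_ipf_conf: '$addr' is not a dotted-quad address" >&2; return 1 ;;
    esac
    cat > "$out" <<EOF
## Block malformed packets
block in log quick all with short
block in log quick all with ipopts
## Anything on loopback is fine
pass in quick on lo0 all
pass out quick on lo0 all
## Default block on $ifc (no "quick", so the pass rules below override it)
block in on $ifc all
block out on $ifc all
## Allow pings out
pass out quick on $ifc proto icmp all keep state
## Allow any UDP/TCP packets out
pass out quick on $ifc proto tcp/udp from any to any keep state
## SSH in: "flags S" creates state only on a new SYN, not on a stray ACK or RST
pass in log quick on $ifc proto tcp from any to $addr/32 port = 22 flags S keep state
EOF
}

# rule_count FILE: number of real rules written (comments excluded).
rule_count() {
    grep -c -E '^(pass|block) ' "$1"
}

# check_ipf_conf FILE: on Solaris, parse the rules without touching the kernel
# (ipf -n); elsewhere, at least verify every non-comment line is a pass/block rule.
check_ipf_conf() {
    if command -v ipf > /dev/null 2>&1; then
        ipf -n -f "$1"
    else
        ! grep -v -E '^(#|pass |block )|^$' "$1" > /dev/null
    fi
}

# load_ipf_conf FILE: install the checked ruleset, enable and restart the
# service so the new rules are loaded, then show what the kernel actually has.
load_ipf_conf() {
    check_ipf_conf "$1" || return 1
    cp "$1" /etc/ipf/ipf.conf &&
    svcadm enable ipfilter &&
    svcadm restart ipfilter &&
    ipfstat -io
}

# Generate and check a ruleset; run load_ipf_conf "$tmp" on the real box.
tmp="${TMPDIR:-/tmp}/ipf.conf.$$"
write_ipf_conf e1000g0 10.0.0.5 "$tmp" && check_ipf_conf "$tmp" &&
    echo "$(rule_count "$tmp") rules written to $tmp"
```

Run it once with the real interface name and address, read the generated file, and only then call load_ipf_conf on it. The address check is deliberately loose (it only looks at the shape of the value); ipf -n -f is the real syntax check, and ipfstat -io afterwards is the proof the rules are in the kernel.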
I have a recipe for a server install which gives you all you need to run a production system without X, but as it is somewhat lengthy I think I'll leave that for another post.