| ba6710a3 |
[](https://travis-ci.org/cjdev/dual-control)
|
| 0564dca5 |
# Dual Control
|
| 0d8b9a17 |
Dual Control is a PAM module that requires a user to input a generated token from another user before being
granted resource access. The module also requires that the user input the reason for his or her access request
and, via `syslog`, captures all this information for future reference.
|
| 0564dca5 |
|
| 0d8b9a17 |
At **CJ Engineering**, we will be implementing Dual Control on our production boxes to ensure that a single
engineer cannot use sudo to gain application-roles access without meeting the above-stated requirements.
Dual Control is an open source project licensed under the [GNU General Public
License](https://github.com/cjdev/dual-control/blob/master/LICENSE). As it stands, Dual Control is written
only for machines running Linux. However, we graciously welcome contributions, particularly those related to
portability to other operating systems.
|
| 0564dca5 |
|
| e5d24894 |
## Status
|
| 0d8b9a17 |
This is in active development. The current version uses a permanent token and so is not meant for production
use. The final version will use a time-based OTP.
|
| e5d24894 |
## Install
|
| 0d8b9a17 |
|
| e5d24894 |
- Obtain and install the RPM
|
| 066165d3 |
- build yourself using the code in https://github.com/cjdev/dual-control-rpm, or
|
| e5d24894 |
- get it from a developer
|
| df59a93f |
- Edit the `/etc/pam.d/sudo` (this is for CentOS 7, others may be different)
|
| e5d24894 |
- replace the existing auth lines with
|
| 0d8b9a17 |
|
| e5d24894 |
```
|
| df59a93f |
#%PAM-1.0
|
| 066165d3 |
# auth include system-auth
|
| e5d24894 |
auth required pam_env.so
|
| 6c7377a2 |
auth required pam_unix.so
auth sufficient pam_dual_control.so
|
| e5d24894 |
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
|
| 066165d3 |
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
|
| e5d24894 |
```
## Add a dual control token
|
| 0d8b9a17 |
From the authorizer's account home, run `setup_user_account.sh`. This generates a secret key for TOTP
authentication and, if you have qrencode installed, generates a QR code to scan. Scan or enter this key in
your authenticator app and then verify that the token in your app matches the one on the screen (answer Y to
the prompt to get a more recent token).
|
| e5d24894 |
## Use
|
| 0d8b9a17 |
- log in with a test user that has `sudo` ability (not the vagrant account it is too powerful)
|
| e5d24894 |
- type `sudo bash`
- enter your password
- enter dual control token, authorizer's username + ':' + authorizer's token
|
| 1cbeff24 |
## Build and test
|
| 0d8b9a17 |
|
| 1cbeff24 |
- ./configure
- make
- make test
|