Browse code
Update Readme instructions
brandonbyskov authored on 25/05/2017 20:18:28Showing 1 changed files
| ... | ... |
@@ -1,38 +1,46 @@ |
| 1 | 1 |
[](https://travis-ci.org/cjdev/dual-control) |
| 2 | 2 |
|
| 3 | 3 |
# Dual Control |
| 4 |
-Dual Control is a PAM module that requires a user to input a generated token from another user before being granted resource access. The module also requires that the user input the reason for his or her access request and, via `syslog`, captures all this information for future reference. |
|
| 4 |
+Dual Control is a PAM module that requires a user to input a generated token |
|
| 5 |
+from another user before being granted resource access. The module also requires |
|
| 6 |
+that the user input the reason for his or her access request and, via `syslog`, |
|
| 7 |
+captures all this information for future reference. |
|
| 5 | 8 |
|
| 6 |
-At **CJ Engineering**, we will be implementing Dual Control on our production boxes to ensure that a single engineer cannot use sudo to gain application-role access without meeting the above-stated requirements. |
|
| 9 |
+At **CJ Engineering**, we will be implementing Dual Control on our production |
|
| 10 |
+boxes to ensure that a single engineer cannot use sudo to gain application-roles |
|
| 11 |
+access without meeting the above-stated requirements. |
|
| 7 | 12 |
|
| 8 |
-Dual Control is an open source project licensed under the [GNU General Public License](https://github.com/cjdev/dual-control/blob/master/LICENSE). As it stands, Dual Control is written only for machines running Linux. However, we graciously welcome contributions, particularly those related to portability to other operating systems. |
|
| 13 |
+Dual Control is an open source project licensed under the |
|
| 14 |
+[GNU General Public License](https://github.com/cjdev/dual-control/blob/master/LICENSE). |
|
| 15 |
+As it stands, Dual Control is written only for machines running Linux. However, |
|
| 16 |
+we graciously welcome contributions, particularly those related to portability |
|
| 17 |
+to other operating systems. |
|
| 9 | 18 |
|
| 10 | 19 |
## Status |
| 11 |
-This is in active development. The current version uses a permanent token and so is not meant for production use. The final version will |
|
| 12 |
-use a time-based OTP. |
|
| 20 |
+This is in active development. The current version uses a permanent token and |
|
| 21 |
+so is not meant for production use. The final version will use a time-based OTP. |
|
| 13 | 22 |
|
| 14 | 23 |
## Install |
| 15 | 24 |
- Obtain and install the RPM |
| 16 |
- - build yourself using the code in /cjdev/dual-control-rpm |
|
| 25 |
+ - build yourself using the code in https://github.com/cjdev/dual-control-rpm, or |
|
| 17 | 26 |
- get it from a developer |
| 18 | 27 |
- Edit the `/etc/pam.d/sudo` (this is for CentOS 7, others may be different) |
| 19 | 28 |
- replace the existing auth lines with |
| 20 | 29 |
``` |
| 21 | 30 |
#%PAM-1.0 |
| 22 |
-# auth include system-auth |
|
| 31 |
+# auth include system-auth |
|
| 23 | 32 |
auth required pam_env.so |
| 24 | 33 |
auth required pam_unix.so |
| 25 | 34 |
auth sufficient pam_dual_control.so |
| 26 | 35 |
auth requisite pam_succeed_if.so uid >= 1000 quiet_success |
| 27 | 36 |
auth required pam_deny.so |
| 28 |
-account include system-auth |
|
| 29 |
-password include system-auth |
|
| 30 |
-session optional pam_keyinit.so revoke |
|
| 31 |
-session required pam_limits.so |
|
| 37 |
+account include system-auth |
|
| 38 |
+password include system-auth |
|
| 39 |
+session optional pam_keyinit.so revoke |
|
| 40 |
+session required pam_limits.so |
|
| 32 | 41 |
``` |
| 33 | 42 |
|
| 34 | 43 |
## Add a dual control token |
| 35 |
- |
|
| 36 | 44 |
From the authorizer's account home, run `dual_control`. The resulting token can |
| 37 | 45 |
be used to authorize another user. |
| 38 | 46 |
|