From 6b94959153faaad0eb0e930b01e7e06406e10d00 Mon Sep 17 00:00:00 2001 From: Robert Sesek Date: Thu, 20 Jun 2024 06:48:44 -0400 Subject: [PATCH] More README --- README.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/README.md b/README.md index 6ec4fd5..747e58c 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,34 @@ # InterAuth +InterAuth is a potentially bad idea that should not be used in production. + +Now that you've been warned: InterAuth is a password authentication bypass +mechansim containing three components: + +1. A [PAM](https://pubs.opengroup.org/onlinepubs/8329799/chap4.htm#tagcjh_05_02) module +2. The control tool +3. The system daemon + +When the PAM module is invoked, it connects to the system daemon. If the control +tool is not running, then the PAM module is a no-op. But if the root user is +running the interactive control tool, then the PAM module forwards the +authentication request to the daemon, which in turn forwards the request to the +control tool. The root user can then interactively choose to allow or deny the +authentication request. Based on the PAM configuration outlined below (i.e. +using `sufficient`), allowing the authentication via the control tool will +bypass all other PAM modules and permit the request. If the request is denied by +the control tool, the other PAM modules will run (e.g. fall back to requesting a +password). The PAM configuration below means InterAuth will intercept several +kinds of login, including GUI loginwindow, Authorization Services, +and terminal `login(1)`. + +The main use case for this is debugging/recovery, particularly for service +accounts whose authentication authority is controlled by a network directory +server and whose actual password may not be available. + +Because InterAuth requires root access to install and use, overall system +security should not be weakened. + ## Installation ``` -- 2.43.5
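Review bot: the closing paragraph ("Because InterAuth requires root access to install and use, overall system security should not be weakened") is stated more strongly than the rest of the hunk supports. The same text says the PAM module connects to a system daemon and that, with `sufficient`, an approval "will bypass all other PAM modules and permit the request", so the daemon and the channel between it, the PAM module and the control tool become part of the authentication trust boundary. Suggest documenting what guarantees that only the root-run control tool can answer a forwarded request (how the daemon verifies who is connected to it), and rewording the sentence to something like "Because InterAuth requires root access to install and use, it should not weaken overall system security beyond the trust already placed in root", or stating the residual risk explicitly. Also a typo in the second paragraph: "mechansim" should read "mechanism".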