[sudo-users] sudo_logsrvd configuration
Todd C. Miller
Todd.Miller at sudo.ws
Tue Jul 27 20:32:44 MDT 2021
On Tue, 27 Jul 2021 15:59:24 -0500, Stefan Johnson wrote:
> The "log_servers" directive allows a list of log servers, but how do you
> include the certificate for each of those log servers? The
> "log_server_peer_cert" and "log_server_peer_key" directives seem to only
> accept one entry. If I only include one log server in the sudoers file
> with the appropriate cert, key, and cacert (log_server_cabundle directive)
> it works fine, but if I try to include a list of certs and keys for each
> server, it fails.
The "log_server_peer_cert" and "log_server_peer_key" directives
describe the cert and key for the sudo client, not the sudo_logsrvd
server. Sudo will use the "log_server_cabundle" directive to verify
the identity of all the servers it connects to. That file can contain
multiple certs.
> I also recognize that I might need to do a subject alternative names
> certificate for all of the log servers and use that same cert everywhere.
That is certainly one way to do it but it should also be possible
to use a discrete cert for each server.
- todd
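The configuration the reply describes, as an added example that is not part of the thread or of the sudo project: a single client cert/key in "log_server_peer_cert" and "log_server_peer_key", several servers in "log_servers", and one "log_server_cabundle" built by concatenating the CA certificate of each server. Host names, ports and file paths are assumed placeholders; the host[:port][(tls)] server syntax is the one documented in sudoers(5).

```shell
#!/bin/sh
# Added example, not code from the sudo project or from the thread.
# Builds the file that "log_server_cabundle" points at from one CA cert per
# log server (or one shared CA) and prints the matching sudoers Defaults.
# Host names, ports and file paths below are assumed placeholders.

# Count PEM certificates in a file (prints 0 if none).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || :
}

# Concatenate CA certificates into one bundle; prints the resulting cert count.
# Usage: build_cabundle BUNDLE CA1.pem [CA2.pem ...]
build_cabundle() {
    bundle=$1; shift
    [ $# -gt 0 ] || { echo "no CA certs given" >&2; return 1; }
    : > "$bundle"
    for ca in "$@"; do
        cat "$ca" >> "$bundle"
        printf '\n' >> "$bundle"   # keep each PEM block on its own lines
    done
    chmod 0644 "$bundle"
    count_certs "$bundle"
}

# Print the client-side sudoers lines: one cert/key identifies this host to
# every server, and the CA bundle is what verifies each server's certificate.
# There is no per-server cert/key list on the client side.
# Usage: render_defaults CLIENT_CERT CLIENT_KEY BUNDLE SERVER...
render_defaults() {
    cert=$1 key=$2 bundle=$3; shift 3
    servers=$(printf '%s ' "$@"); servers=${servers% }
    printf 'Defaults log_servers = "%s"\n' "$servers"
    printf 'Defaults log_server_peer_cert = %s\n' "$cert"
    printf 'Defaults log_server_peer_key = %s\n' "$key"
    printf 'Defaults log_server_cabundle = %s\n' "$bundle"
}

# Demo: two servers whose certificates were issued by two different CAs.
if [ "${1:-}" = "demo" ]; then
    build_cabundle /etc/sudo/logsrv-ca-bundle.pem \
        /etc/sudo/ca-logsrv1.pem /etc/sudo/ca-logsrv2.pem
    render_defaults /etc/sudo/client.pem /etc/sudo/client.key \
        /etc/sudo/logsrv-ca-bundle.pem \
        'logsrv1.example.com:30344(tls)' 'logsrv2.example.com:30344(tls)'
    # Spot check one server cert against the bundle:
    #   openssl verify -CAfile /etc/sudo/logsrv-ca-bundle.pem logsrv1.pem
fi
```

Run with the argument `demo` to see the generated Defaults lines; the bundle order does not matter, since sudo only needs every server's issuing CA to be present in it.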