[sudo-users] sudo_logsrvd configuration

Stefan Johnson tigerphoenixdragon at gmail.com
Fri Jul 23 12:25:51 MDT 2021


I played around with the settings until I got a working non-TLS log setting
configured.
The iolog setting now looks like this:
[iolog]
iolog_dir = /var/log/sudo_replay_logs/%Y/%m/%d/%H%M/%{hostname}/
iolog_file = %{user}-%s-XXXXXX
iolog_group = redacted
iolog_mode = 0640

Nothing else was changed.  This is confirmed to work.  I went back to
trying to get the TLS to work and still no joy.
[server]
listen_address = *:30344(tls)
tcp_keepalive = true
timeout = 30
tls_cacert = /etc/ssl/sudo/cacert.pem
tls_cert = /etc/ssl/sudo/certs/redacted_cert.pem
tls_key = /etc/ssl/sudo/private/redacted_key.pem
tls_checkpeer = false
tls_verify = false

With these settings in place (and a service restart) the debug output seems
to indicate it is listening on the correct port.  A "netstat -plantu" shows
the listening port is there and owned by the sudo_logsrvd process.

Unfortunately, I get the following error lines when I try to "sudo su -"
from the test machine (which is now configured to include 30344(tls)
instead of 30343 for the port):
sudo: TLS connection to redacted.redacted.com:30344 failed: Connection
reset by peer
sudo: TLS handshake was unsuccessful: Connection reset by peer
sudo: unable to connect to log server
sudo: error initializing I/O plugin sudoers_io

The test is being run against localhost to remove any possibility of
firewall/network acl issues.

The debug logsrvd_debug log shows this interesting line:
unexpected error during TLS handshake: 1 (error:140C5042:SSL
routines:ssl_undefined_function:called a function you should not call) @
tls_handshake_cb() ./logsrvd.c:1366

And a test with "openssl s_client -connect localhost:30344" shows the
following:
no peer certificate available
SSL handshake has read 0 bytes and written 293 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported

The CA and certs were done via the man page instructions.

The version is 1.9.7p1

Hopefully this is enough information for someone to be able to assist with
what I'm doing wrong.

On Thu, Jul 22, 2021 at 7:37 AM Stefan Johnson <tigerphoenixdragon at gmail.com>
wrote:

> I have a sudoers entry that looks like this (for testing purposes)
>
> Defaults log_output, log_servers="fqdn.of.log.server:30343"
> %wheel ALL=(ALL) NOPASSWD: ALL
>
> When I do "sudo su -" I get:
> sudo: error message received from server: invalid ClientMessage
> sudo: unexpected child termination condition: 0
> sudo: unable to set controlling tty: Input/output error
>
> With the debug rule in place, there is this line:
> unable to expand iolog dir
> /%Y/%m/%d/%H%M/%{hostname}/%s_u_%{user}_g_%{group}_ru_%{runas_user}_rg_%{runas_group}_c_%{command}_XXXXXX
> @ create_iolog_path() ./iolog_writer.c:592
>
> Do we need to pre-populate the directory structure?  I thought sudo would
> create this for us as needed.
>
>
> Thanks!
>
> Stefan
>
> On Mon, Jul 19, 2021 at 3:39 PM Todd C. Miller <Todd.Miller at sudo.ws>
> wrote:
>
>> Starting out with non-TLS first makes sense.  Your sudo_logsrvd
>> config looks reasonable, do you have matching configuration in the
>> sudoers file?
>>
>> For example:
>>
>> Defaults log_output, log_servers=server_hostname
>>
>> If you don't log either input or output in sudoers there won't be
>> anything for sudo_logsrvd to log.
>>
>> You can also enable debugging for sudo_logsrvd in /etc/sudo.conf.
>> A line like this will do it:
>>
>> Debug sudo_logsrvd /var/log/logsrvd_debug all at debug
>>
>>  - todd
>>
>
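As an added example (not code from this thread or from the sudo project), a small Python triage script for the two things reported above: it lints the [server] TLS keys of a sudo_logsrvd.conf fragment, assuming the key meanings and defaults given in sudo_logsrvd.conf(5) (tls_checkpeer off and tls_verify on unless set), and classifies an openssl s_client transcript like the one posted. SAMPLE_CONF and SAMPLE_S_CLIENT are constructed from the values in this message.

```python
# Added example, not sudo's code: lint sudo_logsrvd.conf [server] TLS keys and
# triage an 'openssl s_client' transcript; key semantics per sudo_logsrvd.conf(5).
import configparser
import re

# Constructed sample mirroring the TLS lines of the [server] section in the thread.
SAMPLE_CONF = """\
[server]
listen_address = *:30344(tls)
tls_cacert = /etc/ssl/sudo/cacert.pem
tls_cert = /etc/ssl/sudo/certs/redacted_cert.pem
tls_key = /etc/ssl/sudo/private/redacted_key.pem
tls_checkpeer = false
tls_verify = false
"""
# Constructed s_client transcript matching the one in the thread.
SAMPLE_S_CLIENT = ("no peer certificate available\n"
                   "SSL handshake has read 0 bytes and written 293 bytes\n"
                   "Verification: OK\n")

def parse_conf(text: str) -> dict:
    # strict=False: listen_address may be repeated; configparser then keeps the last.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def lint_server(conf: dict) -> list:
    srv = conf.get("server", {})
    out = []
    tls_listener = "(tls)" in srv.get("listen_address", "")
    if tls_listener and not (srv.get("tls_cert") and srv.get("tls_key")):
        out.append("(tls) listener without tls_cert/tls_key: no handshake can succeed")
    if not tls_listener and any(k.startswith("tls_") for k in srv):
        out.append("tls_* set but listen_address lacks (tls): clients cannot negotiate TLS")
    if srv.get("tls_checkpeer", "false").lower() != "true":  # default is false
        out.append("tls_checkpeer=false: client certs unchecked, any reachable host may submit logs")
    if srv.get("tls_verify", "true").lower() == "false":  # default is true
        out.append("tls_verify=false: server cert not validated against tls_cacert at startup")
    return out

def classify_s_client(output: str) -> str:
    if "read 0 bytes" in output and "no peer certificate available" in output:
        # Server sent nothing before closing, so 'Verification: OK' is vacuous:
        # look at the server's TLS setup (logsrvd_debug), not at certificate trust.
        return "reset before ServerHello"
    m = re.search(r"Verify return code: (\d+)", output)
    if m and m.group(1) == "0":
        return "handshake ok, chain verified"
    return "handshake completed, chain not verified"
```

On the posted transcript the classifier reports a reset before ServerHello, which is the same conclusion the logsrvd_debug line points to: the failure is inside the server's TLS handshake, not in certificate trust.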