[sudo-users] sudo_logsrvd configuration

Stefan Johnson tigerphoenixdragon at gmail.com
Tue Jul 27 14:59:24 MDT 2021

On Tue, Jul 27, 2021 at 10:52 AM Todd C. Miller <Todd.Miller at sudo.ws> wrote:

> On Fri, 23 Jul 2021 18:25:41 -0500, Stefan Johnson wrote:
> >  The OS is the latest RedHat 8 on x86_64.  I pulled the RPMs from the
> > sudo.ws site
> > and used those to replace the RedHat provided sudo.  I don't remember
> what
> > version
> > of OpenSSL is on the system, but a quick check of the RedHat rpm site
> seems
> > to
> > indicate the vendor provided version is 1.1.1g (with any vendor
> > modifications / back
> > ports that may have been included for security fixes.)
> Sudo 1.9.7p2 is out today which includes a fix for this.
> You can download the updated RPMs from
> https://www.sudo.ws/download.html#binary or
> https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_7p2
>  - todd

I installed the latest package today, and it worked fine.  Thank you for
all the help!

One more question...

The "log_servers" directive allows a list of log servers, but how do you
include the certificate for each of those log servers?  The
"log_server_peer_cert" and "log_server_peer_key" directives seem to only
accept one entry.  If I only include one log server in the sudoers file
with the appropriate cert, key, and cacert (log_server_cabundle directive)
it works fine, but if I try to include a list of certs and keys for each
server, it fails.

I'll keep playing with the options tomorrow to see if I can figure it out,
but was hoping someone on here might see what I'm doing wrong.

I also recognize that I might need to do a subject alternative names
certificate for all of the log servers and use that same cert everywhere.

Again, thanks for all the help!

More information about the sudo-users mailing list