[sudo-users] sudo_logsrvd configuration

Todd C. Miller Todd.Miller at sudo.ws
Tue Jul 27 20:32:44 MDT 2021


On Tue, 27 Jul 2021 15:59:24 -0500, Stefan Johnson wrote:

> The "log_servers" directive allows a list of log servers, but how do you
> include the certificate for each of those log servers?  The
> "log_server_peer_cert" and "log_server_peer_key" directives seem to only
> accept one entry.  If I only include one log server in the sudoers file
> with the appropriate cert, key, and cacert (log_server_cabundle directive)
> it works fine, but if I try to include a list of certs and keys for each
> server, it fails.

The "log_server_peer_cert" and "log_server_peer_key" directives
describe the cert and key for the sudo client, not the sudo_logsrvd
server.  Sudo will use the "log_server_cabundle" directive to verify
the identity of all the servers it connects to.  That file can contain
multiple certs.

> I also recognize that I might need to do a subject alternative names
> certificate for all of the log servers and use that same cert everywhere.

That is certainly one way to do it but it should also be possible
to use a discrete cert for each server.

 - todd
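The arrangement described in the reply, as an added example rather than anything from this thread or from the sudo project itself: two log servers whose certificates are issued by two different CAs, one `log_server_cabundle` file built by concatenating both CA certificates, and a check with the `openssl` CLI that each server certificate verifies against that single bundle. Host names (`logsrv1.example.internal`, `logsrv2.example.internal`), CA names, the `/etc/sudo/client.*` paths and the sudoers fragment at the end are constructed for the demonstration; the port is the sudo_logsrvd default.

```shell
#!/bin/sh
# Added example (not from the sudo-users thread or the sudo project):
# one log_server_cabundle that trusts two independently issued
# sudo_logsrvd certificates. Host names, CA names and paths are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME : self-signed issuing CA (cert + key) for one site
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.crt" \
        -subj "/CN=$1 CA" >/dev/null 2>&1
}

# make_server_cert CANAME HOST : server cert for HOST issued by CANAME's CA
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1-ca.crt" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
        -out "$WORK/$2.crt" >/dev/null 2>&1
}

# build_bundle OUT CA_CERT... : a PEM bundle is just the CA certs concatenated
build_bundle() {
    out=$1
    shift
    cat "$@" > "$out"
}

# count_certs FILE : number of PEM certificate blocks in FILE
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# verify_against_bundle BUNDLE CERT : exit 0 if CERT chains to a CA in BUNDLE
verify_against_bundle() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# write_sudoers_fragment BUNDLE : client-side Defaults that pair with the bundle.
# One peer cert/key (the sudo client's own identity) and one cabundle
# cover every server listed in log_servers; hosts/paths are constructed.
write_sudoers_fragment() {
    cat <<EOF
Defaults log_servers="logsrv1.example.internal:30344(tls) logsrv2.example.internal:30344(tls)"
Defaults log_server_cabundle=$1
Defaults log_server_peer_cert=/etc/sudo/client.crt
Defaults log_server_peer_key=/etc/sudo/client.key
EOF
}

demo() {
    make_ca siteA
    make_ca siteB
    make_server_cert siteA logsrv1.example.internal
    make_server_cert siteB logsrv2.example.internal
    build_bundle "$WORK/cabundle.pem" "$WORK/siteA-ca.crt" "$WORK/siteB-ca.crt"
    echo "bundle holds $(count_certs "$WORK/cabundle.pem") CA certificates"
    for host in logsrv1.example.internal logsrv2.example.internal; do
        if verify_against_bundle "$WORK/cabundle.pem" "$WORK/$host.crt"; then
            echo "$host: verifies against cabundle"
        else
            echo "$host: NOT trusted by cabundle"
        fi
    done
    echo "--- sudoers fragment ---"
    write_sudoers_fragment "$WORK/cabundle.pem"
}

demo
```

Each server keeps its own certificate and key; the sudo client only needs the CA certificates that issued them, all in one `log_server_cabundle` file, plus its own `log_server_peer_cert` and `log_server_peer_key`. On OpenSSL 3 the `-nodes` flag is the older spelling of `-noenc` and is still accepted.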

